From lkcl at lkcl.net Tue Jun 1 19:03:45 2004
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Tue, 1 Jun 2004 09:03:45 +0000
Subject: issue with SE/Linux - sshd not giving access to /dev/pts/[n]
Message-ID: <20040601090345.GM8312@lkcl.net>

hi there,

i have an issue on my newly created Debian/SELinux/unstable system.

i have pam 0.77 se1 installed, ssh 3.8.1p1-4 (OpenSSH) and libselinux1
1.12-1.

i can log in as root, fine.

but i cannot log in as an ordinary user, and i had to grant special
permission to the _user_ process (NOT sshd or pam before a setuid and
exec is carried out) to access /dev/pts/0.

in other words, if i understand this correctly, there is a bug
somewhere in either sshd or pam where control of the tty is given at
the wrong point, or is not given at all.

(russell talks of relabelling the tty, i'm not sure what that would
involve.)

... except if the user is root :) :) whereupon magically it works
fine :)

okay, so does anyone on the openssh or pam lists understand what this
might be about?  does it ring any bells?

l.
From dtucker at zip.com.au Tue Jun 1 19:52:29 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 01 Jun 2004 19:52:29 +1000
Subject: issue with SE/Linux - sshd not giving access to /dev/pts/[n]
In-Reply-To: <20040601090345.GM8312@lkcl.net>
References: <20040601090345.GM8312@lkcl.net>
Message-ID: <40BC51DD.8090609@zip.com.au>

Luke Kenneth Casson Leighton wrote:
> but i cannot log in as an ordinary user, and i had to grant
> special permission to the _user_ process (NOT sshd or pam
> before a setuid and exec is carried out) to access
> /dev/pts/0.

By "user process" do you mean sshd running as the user logging in?  If
so, that's probably because of Privilege Separation[1].  Try retesting
with "UsePrivilegeSeparation no" in sshd_config.

When privsep is on, sshd starts running as the user quite early, leaving
behind another process (the "monitor") running as root, while the
unprivileged sshd does most of the work (network comms, protocol
processing, compression and so on).  When the user requests a pty, one
is allocated by the monitor (pty allocation is a privileged operation on
some platforms) and a descriptor is passed to the unprivileged child
(the "slave"), which then forks, makes the pty its controlling tty and
runs the shell.  This is probably what you're seeing.

> in other words, if i understand this correctly, there is a
> bug somewhere in either sshd or pam where control of the
> tty is given at the wrong point, or is not given at all.

It's not a bug, it's a Feature.

[1] http://www.citi.umich.edu/u/provos/ssh/privsep.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
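The monitor/slave handoff Darren describes, as an added example written for this archive and not OpenSSH's own code: a privileged "monitor" allocates a pty, passes the slave descriptor to an already-unprivileged "child" over a socketpair with SCM_RIGHTS, and the child, which never opened /dev/pts itself, makes that pty its controlling tty and reads from it. The function names are the example's own, it uses the Linux devpts ioctls rather than grantpt(), and it runs as an ordinary user.

```c
/* Added example, not OpenSSH code: minimal model of the privsep pty handoff.
 * "Monitor" = privileged parent that allocates the pty; "child" = already
 * unprivileged process that receives the slave fd over a socketpair and makes
 * it its controlling tty. Linux devpts ioctls; runs as an ordinary user. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pass one open descriptor over a UNIX socket (monitor -> child). */
static int send_fd(int sock, int fd)
{
	char byte = 'p', cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
	struct iovec iov = { &byte, 1 };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
	    .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor the monitor opened on the child's behalf. */
static int recv_fd(int sock)
{
	char byte, cbuf[CMSG_SPACE(sizeof(int))];
	struct iovec iov = { &byte, 1 };
	struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
	    .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct cmsghdr *cmsg;
	int fd;
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* Monitor side: open the master, unlock it, open the slave. grantpt's
 * chown/chmod (the privileged step on some platforms) is not needed on
 * devpts for the user who opened the master. Returns 0 or -1. */
static int monitor_alloc_pty(int *master, int *slave)
{
	int unlock = 0;
	unsigned int n;
	char path[32];
	if ((*master = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1 ||
	    ioctl(*master, TIOCSPTLCK, &unlock) == -1 ||
	    ioctl(*master, TIOCGPTN, &n) == -1)
		return -1;
	snprintf(path, sizeof(path), "/dev/pts/%u", n);
	return (*slave = open(path, O_RDWR | O_NOCTTY)) == -1 ? -1 : 0;
}

/* 0 when the child adopts the received pty as its controlling tty and reads
 * what the monitor wrote to the master; <0 monitor failure, >=10 child one. */
int privsep_pty_demo(void)
{
	int sv[2], master, slave, status;
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		char buf[16];
		ssize_t n;
		close(sv[0]);		/* child: no pty yet, only the socket */
		if ((slave = recv_fd(sv[1])) == -1)
			_exit(10);
		/* New session, then claim the pty: this ioctl and the read below
		 * run in the user's security context, not the monitor's. */
		if (setsid() == -1 || ioctl(slave, TIOCSCTTY, 0) == -1)
			_exit(11);
		if (open("/dev/tty", O_RDWR) == -1)	/* resolvable only now */
			_exit(12);
		if ((n = read(slave, buf, sizeof(buf) - 1)) <= 0)
			_exit(13);
		buf[n] = '\0';
		_exit(strncmp(buf, "hello", 5) == 0 ? 0 : 14);
	}
	close(sv[1]);			/* monitor: allocate, hand over, keep master */
	if (monitor_alloc_pty(&master, &slave) == -1 || send_fd(sv[0], slave) == -1)
		return -2;
	close(slave);			/* the child holds its own copy now */
	if (write(master, "hello\n", 6) != 6 || waitpid(pid, &status, 0) == -1)
		return -3;
	close(master);
	close(sv[0]);
	return WIFEXITED(status) ? WEXITSTATUS(status) : -4;
}
```

The step that matters for Luke's policy question is the child's half: the TIOCSCTTY ioctl and every later read and write on the pty are issued by a process that has already switched to the user's identity, so a policy that lets only the sshd domain use /dev/pts/N denies exactly that step, which is the symptom reported at the top of the thread. Build with a C compiler on Linux and call privsep_pty_demo(); a return of 0 means the handoff worked.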
From lkcl at lkcl.net Tue Jun 1 20:32:14 2004
From: lkcl at lkcl.net (Luke Kenneth Casson Leighton)
Date: Tue, 1 Jun 2004 10:32:14 +0000
Subject: issue with SE/Linux - sshd not giving access to /dev/pts/[n]
In-Reply-To: <40BC51DD.8090609@zip.com.au>
References: <20040601090345.GM8312@lkcl.net> <40BC51DD.8090609@zip.com.au>
Message-ID: <20040601103214.GZ8312@lkcl.net>

On Tue, Jun 01, 2004 at 07:52:29PM +1000, Darren Tucker wrote:
> Luke Kenneth Casson Leighton wrote:
> >but i cannot log in as an ordinary user, and i had to grant
> >special permission to the _user_ process (NOT sshd or pam
> >before a setuid and exec is carried out) to access
> >/dev/pts/0.
>
> By "user process" do you mean sshd running as the user logging in?  If
> so, that's probably because of Privilege Separation[1].  Try retesting
> with "UsePrivilegeSeparation no" in sshd_config.

ah ha!  let's see....

YEP!  that does it.  great!

okay, so now in order to avoid one auditing experience, or should i say
something which requires special permissions to be allowed, i have to
switch off something that is there for security reasons, ho hum.

> When privsep is on, sshd starts running as the user quite early, leaving
> behind another process (the "monitor") running as root, while the
> unprivileged sshd does most of the work (network comms, protocol
> processing, compression and so on).  When the user requests a pty, one
> is allocated by the monitor (pty allocation is a privileged operation on
> some platforms) and a descriptor is passed to the unprivileged child
> (the "slave"), which then forks, makes the pty its controlling tty and
> runs the shell.  This is probably what you're seeing.

*glurk*... i actually understood that.

okay.  the "expected" behaviour, shall we say, of the SE/linux auditing
rules that russell has created is that only the sshd domain (where a
domain correlates to a process, in this case the "monitor") has been
given permission to do ioctl and read and write to the tty
(/dev/pts/NN).

and the "user" domain, i.e. after a fork() and set(e?)uid() / gid(), is
most definitely NOT granted permission to read/write to ssh-specific
ptys, because only the sshd domain is allowed that.

... russell, et al, is there some way to reflect the above into
SE/Linux auditing rules?

l.

> >in other words, if i understand this correctly, there is a
> >bug somewhere in either sshd or pam where control of the
> >tty is given at the wrong point, or is not given at all.
>
> It's not a bug, it's a Feature.
>
> [1] http://www.citi.umich.edu/u/provos/ssh/privsep.html

:)  ta.

l.
From dtucker at zip.com.au Wed Jun 2 00:18:19 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jun 2004 00:18:19 +1000
Subject: Sending immediate PAM auth failure messages via kbd-int
Message-ID: <40BC902B.1080504@zip.com.au>

Hi.
    One thing that people seem to want to do with PAM is to deny a
login immediately without interacting but return a message to the user.
(Some platforms implement, eg, /etc/nologin via PAM this way.)
Currently, sshd will just deny the login and the user will not be told
why.

    Attached is a patch that returns a keyboard-interactive packet with
the message in the "instruction" block but with zero prompts (this is
permitted by kbdinteract-06 section 3.4).

    The next question is whether or not it's a good idea to send extra
info to a denied login.  As a rule, sshd doesn't, but this condition
only occurs if the admin explicitly configures PAM to behave this way.
This won't happen with the recently re-added PAM-via-password
authentication, only keyboard-interactive.

    This has an interesting side-effect on the OpenSSH client: it
immediately retries (since it's just a failed kbdint auth attempt) so
the message is repeated 3 times.  This can be fixed in the client (I
have a 4-line patch that disables kbdint if it gets a message with zero
prompts) but I'm not sure it's the right thing to do.  The server might
have multiple keyboard-interactive "devices" and the next one might
behave differently.

    Similarly, making sshd disable keyboard-interactive in this case
doesn't seem right either, since a client might choose to do something
differently (like change username) in response to the message.

    Anyway, feel free to discuss the patch, try it or pick it apart :-)

-Daz.

$ ssh -o preferredauthentications=keyboard-interactive localhost
No user logins right now.

No user logins right now.

No user logins right now.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-zeromsgs.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040602/2c7e903b/attachment.ksh
From Bram at moolenaar.net Wed Jun 2 01:31:48 2004
From: Bram at moolenaar.net (Bram Moolenaar)
Date: Tue, 01 Jun 2004 17:31:48 +0200
Subject: SANE 2004 Free Software Bazaar
Message-ID: <200406011531.i51FVmPa002753@moolenaar.net>

We (the NLUUG) are organising a conference in Amsterdam this September.
During this SANE conference we have reserved an evening for a Free
Software Bazaar.  We invite many people to participate in this gathering
of Free and Open Source software groups.  The name "Bazaar" obviously
originates from Eric Raymond's article: A place where software
developers gather.  A unique opportunity to meet people, discuss and
share ideas.

I thought you might be interested in the Bazaar.  It would be very good
if a few developers can show the latest news about OpenSSH.  Perhaps
also a good occasion to meet with people from your own group and users.

The Bazaar takes place on Wednesday evening, September 29th, in
Amsterdam.  Richard M. Stallman will do a presentation before the
Bazaar.  Entrance is free! (*)

What is possible at the Bazaar:
- Man a booth (a table and billboard) and show what OpenSSH is
  currently working on.  Give a demo on a laptop.  There will be
  wireless network access.  Sales of T-shirts, posters, etc. is
  possible, but no commercial activities.
- Organise a BOF or lightning talks session.  We have two rooms
  available.
- Feel free to come up with other ideas.

Please let me know ASAP whether a few people from OpenSSH would like to
join the Bazaar and what we can reserve for you.  We have limited space
and we would like to mention in publications what groups will be
present.

Note: If you would like to join the conference, there is still the
possibility to submit an abstract for the poster sessions.  The deadline
is June 7, that is next week!  More information on the SANE website:
www.sane.nl

- Bram

(*) If we succeed in finding a sponsor....

--
hundred-and-one symptoms of being an internet addict:
18. Your wife drapes a blond wig over your monitor to remind you of what
    she looks like.

 /// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net   \\\
///        Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\              Project leader for A-A-P -- http://www.A-A-P.org        ///
 \\\  Buy at Amazon and help AIDS victims -- http://ICCF.nl/click1.html  ///
From dan at doxpara.com Wed Jun 2 03:50:48 2004
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 01 Jun 2004 10:50:48 -0700
Subject: Sending immediate PAM auth failure messages via kbd-int
In-Reply-To: <40BC902B.1080504@zip.com.au>
References: <40BC902B.1080504@zip.com.au>
Message-ID: <40BCC1F8.2000503@doxpara.com>

Most versions of SSH1 would leak whether an account existed or not
through high debug levels.  I absolutely respect the need to have
forced-ejection messages, but we should try to avoid this mechanism for
information leakage.  After all -- logins are encrypted, and therefore
can't be readily noticed by an IDS.

--Dan

Darren Tucker wrote:

> Hi.
>     One thing that people seem to want to do with PAM is to deny a
> login immediately without interacting but return a message to the
> user.  (Some platforms implement, eg, /etc/nologin via PAM this way.)
> Currently, sshd will just deny the login and the user will not be told
> why.
>
>     Attached is a patch that returns a keyboard-interactive packet with
> the message in the "instruction" block but with zero prompts (this is
> permitted by kbdinteract-06 section 3.4).
>
>     The next question is whether or not it's a good idea to send extra
> info to a denied login.  As a rule, sshd doesn't, but this condition
> only occurs if the admin explicitly configures PAM to behave this
> way.  This won't happen with the recently re-added PAM-via-password
> authentication, only keyboard-interactive.
>
>     This has an interesting side-effect on the OpenSSH client: it
> immediately retries (since it's just a failed kbdint auth attempt) so
> the message is repeated 3 times.  This can be fixed in the client (I
> have a 4-line patch that disables kbdint if it gets a message with
> zero prompts) but I'm not sure it's the right thing to do.  The server
> might have multiple keyboard-interactive "devices" and the next one
> might behave differently.
> > Similarly, making sshd disable keyboard-interactive in this case > doesn't seem right either, since a client might to choose to do > something differently (like change username) in response to the message. > > Anyway, feel free discuss the patch, try it or pick it apart :-) > > -Daz. > > $ ssh -o preferredauthentications=keyboard-interactive localhost > No user logins right now. > > No user logins right now. > > No user logins right now. > >------------------------------------------------------------------------ > >Index: auth-pam.c >=================================================================== >RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v >retrieving revision 1.105 >diff -u -p -r1.105 auth-pam.c >--- auth-pam.c 1 Jun 2004 01:28:20 -0000 1.105 >+++ auth-pam.c 1 Jun 2004 14:10:42 -0000 >@@ -93,6 +93,7 @@ struct pam_ctxt { > int pam_psock; > int pam_csock; > int pam_done; >+ int pam_pending_resp; > }; > > static void sshpam_free_ctx(void *); >@@ -590,7 +591,7 @@ sshpam_query(void *ctx, char **name, cha > switch (type) { > case PAM_PROMPT_ECHO_ON: > case PAM_PROMPT_ECHO_OFF: >- *num = 1; >+ ctxt->pam_pending_resp = *num = 1; > len = plen + strlen(msg) + 1; > **prompts = xrealloc(**prompts, len); > plen += snprintf(**prompts + plen, len, "%s", msg); 
>@@ -608,16 +609,27 @@ sshpam_query(void *ctx, char **name, cha > case PAM_SUCCESS: > case PAM_AUTH_ERR: > if (**prompts != NULL) { >- /* drain any accumulated messages */ > debug("PAM: %s", **prompts); >- buffer_append(&loginmsg, **prompts, >- strlen(**prompts)); >- xfree(**prompts); >- **prompts = NULL; >+ if (compat20 && type == PAM_AUTH_ERR) { >+ /* tell the user about it now */ >+ ctxt->pam_pending_resp = *num = 0; >+ *info = xrealloc(*info, len); >+ strlcpy(*info, **prompts, len); >+ xfree(**prompts); >+ **prompts = NULL; >+ xfree(msg); >+ return (0); >+ } else { >+ /* save for display later */ >+ buffer_append(&loginmsg, **prompts, >+ strlen(**prompts)); >+ xfree(**prompts); >+ **prompts = NULL; >+ } > } > if (type == PAM_SUCCESS) { > import_environments(&buffer); >- *num = 0; >+ ctxt->pam_pending_resp = *num = 0; > **echo_on = 0; > ctxt->pam_done = 1; > xfree(msg); >@@ -629,7 +641,7 @@ sshpam_query(void *ctx, char **name, cha > get_remote_name_or_ip(utmp_len, options.use_dns)); > /* FALLTHROUGH */ > default: >- *num = 0; >+ ctxt->pam_pending_resp = *num = 0; > **echo_on = 0; > xfree(msg); > ctxt->pam_done = -1; >@@ -656,10 +668,12 @@ sshpam_respond(void *ctx, u_int num, cha > default: > return (-1); > } >- if (num != 1) { >- error("PAM: expected one response, got %u", num); >+ if (num != ctxt->pam_pending_resp) { >+ error("PAM: expected %d responses, got %u", >+ ctxt->pam_pending_resp, num); > return (-1); >- } >+ } else if (num == 0) >+ return(-1); > buffer_init(&buffer); > buffer_put_cstring(&buffer, *resp); > if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { > > >------------------------------------------------------------------------ > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From agrewell at uwb.edu Wed Jun 2 08:42:43 2004 
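Review bot: the new `pam_pending_resp` member in `struct pam_ctxt` arrives without a comment, and its meaning (the number of responses `sshpam_respond()` will accept for the query just sent, which is how the later hunks use it) is not obvious from the name; suggest `int pam_pending_resp; /* responses expected by sshpam_respond() */`. Since `sshpam_respond()` now compares `num` against it, it is also worth confirming that wherever the context is allocated (not shown in this diff) the structure is zeroed, so a response arriving before any query is rejected rather than compared against an uninitialised value.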
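Review bot: in the new `compat20 && type == PAM_AUTH_ERR` branch, `*info = xrealloc(*info, len); strlcpy(*info, **prompts, len);` reuses `len`, which in the visible lines is only assigned in the `PAM_PROMPT_ECHO_*` case (`len = plen + strlen(msg) + 1`); if the text accumulated in `**prompts` came from another message type, or from an earlier loop iteration, `len` may not match its length and `strlcpy` would silently truncate the message. Sizing from the string being copied, `len = strlen(**prompts) + 1;` before the `xrealloc`, removes that dependency. The branch also changes what a client that has not authenticated gets to see, which is the point Dan raises: whether an existing and a nonexistent account produce the same message depends on the admin's PAM stack order (Darren's later test puts `pam_nologin.so` first as a `requisite` entry), not on anything in this hunk, and a comment saying so here would save the next reader the thread.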
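Review bot: `num` is `u_int` (see the hunk header, `sshpam_respond(void *ctx, u_int num, cha`) while `pam_pending_resp` is declared `int`, so `num != ctxt->pam_pending_resp` is a signed/unsigned comparison and the `error()` call mixes `%d` with `%u`; declaring the field `u_int` fixes both. In `} else if (num == 0) return(-1);` the `else` is redundant after the preceding `return (-1);`, and `return(-1)` lacks the space the rest of this file uses (`return (-1)`). A one-line comment that a zero-prompt query never expects a response, so any response to it ends the attempt as a failure, would make the intent of that early return clear.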
From: agrewell at uwb.edu (Aaron Grewell)
Date: Tue, 01 Jun 2004 15:42:43 -0700
Subject: gssapi-with-mic and Win2K KDC?
In-Reply-To: <40B7AFBB.659E634D@anl.gov>
References: <1085763531.5302.1243.camel@cygnus.uwb.edu>
	<40B7795C.35FB1BEC@anl.gov>
	<1085768047.5302.1277.camel@cygnus.uwb.edu>
	<40B7AFBB.659E634D@anl.gov>
Message-ID: <1086129763.20710.375.camel@cygnus.uwb.edu>

> Try using "ssh -vvv -l adminaccount server.uwb.edu"
>
> I tried something using user at host and it failed, but -l user host works.

Using -l or user at host doesn't seem to make a difference here, must be
something configuration-related that I've missed.

> What happened to gssapi-with-mic here?  Does the sshd have
> a keytab with the host/@ principal?

It does.

> Did the user do a kinit to get a ticket?

I did a successful kinit immediately before attempting the ssh
connection.

[localaccount at cygnus localaccount]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: adminaccount at UWB.EDU

Valid starting     Expires            Service principal
06/01/04 10:08:59  06/01/04 20:09:06  krbtgt/UWB.EDU at UWB.EDU
        renew until 06/02/04 10:08:59

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

> On my system, I get:
>
> debug1: Authentications that can continue: publickey,gssapi-with-mic,gssapi
> debug3: start over, passed a different list publickey,gssapi-with-mic,gssapi
> debug3: preferred gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials

Hmm.  One of the things I noticed was that running sshd in debug mode
"-D -ddd" and watching a connection attempt did not show anything about
Kerberos or GSSAPI.  I'm not sure what that means.  I ran ldd against
sshd and it is linked against my kerb libraries, so I'm not sure how to
proceed.
From dtucker at zip.com.au Wed Jun 2 10:10:06 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jun 2004 10:10:06 +1000
Subject: Sending immediate PAM auth failure messages via kbd-int
In-Reply-To: <40BCC1F8.2000503@doxpara.com>
References: <40BC902B.1080504@zip.com.au> <40BCC1F8.2000503@doxpara.com>
Message-ID: <40BD1ADE.4030009@zip.com.au>

Dan Kaminsky wrote:
> Most versions of SSH1 would leak whether an account existed or not
> through high debug levels.  I absolutely respect the need to have
> forced-ejection messages, but we should try to avoid this mechanism for
> information leakage.  After all -- logins are encrypted, and therefore
> can't be readily noticed by an IDS.

Surprisingly, it doesn't leak account information, at least if the
nologin check is a requisite and is before the other auths.  You get the
same behaviour for accounts that exist and don't exist.

It will return quicker if you let it get as far as, eg, pam_unix.so, but
that is the behaviour of the current code too.  (The attached patch
fixes that too, but I'm not sure if it has any side effects for non-PAM
kbdint drivers).

So, with the patch attached to this message and the one at the start of
this thread, AFAICT there are no info leaks either way.

$ ssh -o preferredauthentications=keyboard-interactive nosuch at localhost
This is /etc/nologin.

This is /etc/nologin.

This is /etc/nologin.

The auth section of the PAM stack:

auth       requisite    pam_nologin.so
auth       requisite    pam_stack.so service=system-auth

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-chall2-no-leak.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040602/e4b27f8d/attachment.ksh
From dtucker at zip.com.au Wed Jun 2 12:21:07 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jun 2004 12:21:07 +1000
Subject: pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
In-Reply-To: <003301c43d09$93cef370$230110ac@kurco>
References: <003301c43d09$93cef370$230110ac@kurco>
Message-ID: <40BD3993.9060704@zip.com.au>

[sorry for the previous message, it escaped early]

Kumaresh wrote:
> We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a
> non-root user with PAM [pam-kerberos] then I get the following error.
>
> debug3: PAM: opening session
> debug1: PAM: reinitializing credentials
> PAM: pam_setcred(): Failure setting user credentials
>
> This is particularly for non-root users with PrivSep YES. When I connect to
> a root user with PrivSep YES or to a non-root user with PrivSep NO, then no
> issues. This is tested on 3.7.1p2 and 3.8.1p1 and the two versions behave
> alike. This is not the case when USE_POSIX_THREADS is disabled: it works
> for PrivSep yes and no for root and non-root users.
>
> Just to check the pid that calls pam_setcred in do_pam_setcred, I used
> the getpid() call in the do_pam_setcred function, and for both THREAD enabled
> and disabled builds, the child pid and the pid that calls this function are
> the same, and in spite of this similarity this problem is seen.

Try reversing the order of do_pam_session() and do_pam_setcred() in
session.c.  Different PAM implementations expect different orders (sigh)
and Trusted-mode HP-UX seems particularly picky about this.

Solaris PAM and OpenPAM expect pam_setcred to be called before
pam_open_session, whereas LinuxPAM expects the opposite.  (HP-UX's PAM
is based on Sun's).

The Solaris 8 pam_setcred(3PAM) man page says:

    It is typically called after the user has been authenticated and
    after a session has been opened.  See pam_authenticate(3PAM),
    pam_acct_mgmt(3PAM), and pam_open_session(3PAM).

Whereas the LinuxPAM pam_setcred(3) man page says:

    This function is used to establish, maintain and delete the
    credentials of a user.  It should be called after a user has been
    authenticated and before a session is opened for the user (with
    pam_open_session(3)).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Jun 2 12:28:59 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jun 2004 12:28:59 +1000
Subject: SSH : UsePAM yes and Password authentication
In-Reply-To: <021601c4373d$d55e0d20$230110ac@kurco>
References: <021601c4373d$d55e0d20$230110ac@kurco>
Message-ID: <40BD3B6B.1000908@zip.com.au>

Kumaresh wrote:
[snip]
> In order to achieve this, we would like the sshd server to do the
> keyboard-interactive feature for Password authentication also. That is, even
> the normal password authentication has to go through PAM.

This is now in the current version, and the patch is available here:
http://bugzilla.mindrot.org/show_bug.cgi?id=874

> First of all, what are the impacts of this change in design? Is this change
> valid?

In order for PasswordAuthentication to work with PAM, sshd must use a
"blind" conversation function: ie every time PAM sends an echo-off
prompt, it responds with the password, and pretty much anything else
generates an error.

This means that if you have PAM modules that prompt twice and require
different responses, prompt with echo on, or require the user to respond
based on the content of the prompts (eg a real challenge-response
system), it won't work.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
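The "blind" conversation function Darren describes, as an added example written for this archive and not OpenSSH's own code, together with a small driver that plays the role of a PAM module so the limitation can be seen: one echo-off prompt works, a module that asks two different secrets gets the password twice and fails, and an echo-on prompt is refused outright. The struct and constant definitions are stand-ins with the names and values of Linux-PAM's pam_appl.h so the block builds without libpam; blind_conv, module_auth, struct step and the sample "module" stacks are the example's own, and the secrets in them are made up.

```c
/* Added example, not OpenSSH code: a "blind" PAM conversation function of the
 * kind used for PasswordAuthentication with UsePAM, plus a driver that acts
 * as a PAM module so its limits can be observed. The types and constants are
 * stand-ins copied from Linux-PAM's <security/pam_appl.h> (same names and
 * values) so this builds without libpam; with the real header, drop them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- stand-ins for <security/pam_appl.h> (Linux-PAM values) --- */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* --- end of stand-ins --- */

/* All the blind conversation knows: the one password the client sent. */
struct blind_ctx { const char *password; };

static char *dupstr(const char *s)	/* strdup without feature macros */
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);
	return p ? memcpy(p, s, len) : NULL;
}

/* Echo-off prompt -> the password; info/error text -> accepted silently;
 * anything else (an echo-on prompt the user would have to see and answer,
 * or an unknown style) -> PAM_CONV_ERR, which fails the calling module. */
static int blind_conv(int n, const struct pam_message **msg,
    struct pam_response **resp, void *appdata)
{
	struct blind_ctx *ctx = appdata;
	struct pam_response *reply;
	int i;

	if (n <= 0 || (reply = calloc((size_t)n, sizeof(*reply))) == NULL)
		return PAM_CONV_ERR;
	for (i = 0; i < n; i++) {
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:
			reply[i].resp = dupstr(ctx->password);
			break;
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			reply[i].resp = NULL;
			break;
		default:
			while (i-- > 0)
				free(reply[i].resp);
			free(reply);
			return PAM_CONV_ERR;
		}
	}
	*resp = reply;
	return PAM_SUCCESS;
}

/* One step of a constructed module: a message style and, for prompts, the
 * answer the module expects (NULL for informational text). */
struct step { int style; const char *want; };

/* Drive the conversation the way a module would, one message at a time.
 * Returns PAM_SUCCESS, PAM_AUTH_ERR (an answer did not match) or
 * PAM_CONV_ERR (the conversation refused to answer). */
int module_auth(const struct step *steps, int nsteps, const char *password)
{
	struct blind_ctx ctx = { password };
	int i;

	for (i = 0; i < nsteps; i++) {
		struct pam_message m = { steps[i].style, "prompt" };
		const struct pam_message *mp = &m;
		struct pam_response *r = NULL;
		int ok;

		if (blind_conv(1, &mp, &r, &ctx) != PAM_SUCCESS)
			return PAM_CONV_ERR;
		ok = steps[i].want == NULL ||
		    (r->resp != NULL && strcmp(r->resp, steps[i].want) == 0);
		free(r->resp);
		free(r);
		if (!ok)
			return PAM_AUTH_ERR;
	}
	return PAM_SUCCESS;
}

/* Constructed module behaviours; the secrets are made up for the example. */
const struct step unix_like[] = {	/* pam_unix style: one echo-off prompt */
	{ PAM_TEXT_INFO, NULL }, { PAM_PROMPT_ECHO_OFF, "s3cret" } };
const struct step chal_resp[] = {	/* two prompts wanting different answers */
	{ PAM_PROMPT_ECHO_OFF, "s3cret" }, { PAM_PROMPT_ECHO_OFF, "1234" } };
const struct step asks_user[] = {	/* echo-on prompt */
	{ PAM_PROMPT_ECHO_ON, "alice" } };

int main(void)
{
	printf("unix_like/right: %d\n", module_auth(unix_like, 2, "s3cret"));
	printf("unix_like/wrong: %d\n", module_auth(unix_like, 2, "wrong"));
	printf("chal_resp/right: %d\n", module_auth(chal_resp, 2, "s3cret"));
	printf("asks_user/right: %d\n", module_auth(asks_user, 1, "s3cret"));
	return 0;
}
```

Running it prints 0, 7, 7, 19: the two-step module fails even with the correct password, because the second prompt is answered with the password again rather than the PIN, and the echo-on module never gets an answer at all. That is the whole of the restriction Darren states, made concrete.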
From dtucker at zip.com.au Wed Jun 2 13:26:43 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jun 2004 13:26:43 +1000
Subject: pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
In-Reply-To: <40BD3993.9060704@zip.com.au>
References: <003301c43d09$93cef370$230110ac@kurco> <40BD3993.9060704@zip.com.au>
Message-ID: <40BD48F3.7020706@zip.com.au>

Darren Tucker wrote:
> Try reversing the order of do_pam_session() and do_pam_setcred() in
> session.c.

Also try this patch, which removes the pam_setcred(...,
PAM_REINITIALIZE_CRED) call, and see if that helps.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-sshd-no_reinit_pam_creds.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040602/894b16ee/attachment.ksh
From andreas at conectiva.com.br Wed Jun 2 13:46:04 2004
From: andreas at conectiva.com.br (Andreas)
Date: Wed, 2 Jun 2004 00:46:04 -0300
Subject: gssapi-with-mic and Win2K KDC?
In-Reply-To: <1086129763.20710.375.camel@cygnus.uwb.edu>
References: <1085763531.5302.1243.camel@cygnus.uwb.edu>
	<40B7795C.35FB1BEC@anl.gov>
	<1085768047.5302.1277.camel@cygnus.uwb.edu>
	<40B7AFBB.659E634D@anl.gov>
	<1086129763.20710.375.camel@cygnus.uwb.edu>
Message-ID: <20040602034604.GA8242@conectiva.com.br>

On Tue, Jun 01, 2004 at 03:42:43PM -0700, Aaron Grewell wrote:
> Hmm.  One of the things I noticed was that running sshd in debug mode
> "-D -ddd" and watching a connection attempt did not show anything about
> Kerberos or GSSAPI.  I'm not sure what that means.  I ran ldd against
> sshd and it is linked against my kerb libraries, so I'm not sure how to
> proceed.

You have to enable gssapi on the server, it's not on by default afaik,
not even on the client (!).  Check for "GSSAPIAuthentication yes" on
both the server and the client.
From gerwin at siemens.com Wed Jun 2 20:50:43 2004
From: gerwin at siemens.com (Gerwin Udo)
Date: Wed, 2 Jun 2004 12:50:43 +0200
Subject: More than 10 open sessions
Message-ID: <1A731486F9966F4FAB717053FB0F4702AFD358@pdbh9rba>

Hi,

we use OpenSSH_3.8.1p1 and we would like to change the complete printer
spool communication from Unix r-commands to ssh "OpenSSH".  Sometimes we
have problems because of very high connection set-ups in extremely short
time intervals, more than 10 open sessions.  The connection set-up is
partly declined with the error message:

ssh_exchange_identification: Connection closed by remote host

I think our problem is the parameter "#define MAX_SESSIONS" in
session.c.  Have you scheduled to integrate the parameter "MAX_SESSIONS"
as a configuration parameter in sshd_config?  If not, is it possible to
change the parameter "#define MAX_SESSIONS" in session.c from 10 to 30
or 50 without getting other problems?

Best regards

Udo Gerwin

Gruss Udo Gerwin

--
__________________________________________________

Udo Gerwin
Software Engineer
Siemens Business Services
SBS ORS GD AHS CC13
Riemekestr. 160, 33106 Paderborn
Tel. +49 5251 8-25663
Fax +49 5251 8-25603
mailto:Gerwin at siemens.com
__________________________________________________
From dtucker at zip.com.au Wed Jun 2 21:04:36 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Jun 2004 21:04:36 +1000
Subject: More than 10 open sessions
In-Reply-To: <1A731486F9966F4FAB717053FB0F4702AFD358@pdbh9rba>
References: <1A731486F9966F4FAB717053FB0F4702AFD358@pdbh9rba>
Message-ID: <40BDB444.8030209@zip.com.au>

Gerwin Udo wrote:
> we use OpenSSH_3.8.1p1 and we would like to change the complete printer
> Spool communication from Unix r-Commands to ssh "OpenSSH". Sometimes, we
> have problems, because of very high connection set-ups in extremely
> short time intervals, more than 10 open sessions.
> The connection set-up is partly declined with the error message:
> ssh_exchange_identification: Connection closed by remote host
>
> I think, our Problem is the Parameter "#define MAX_SESSIONS" in
> session.c.

If you're opening lots of ssh connections (as opposed to opening multiple
sessions within a single connection) then the parameter you need to
tweak in sshd_config is "MaxStartups".  See the sshd_config man page for
details.

> Have you scheduled to integrate the Parameter "MAX_SESSIONS" as a
> configuration Parameter in sshd_config?

Maybe, it's not decided yet.

> When not, is it possible to change the parameter "#define MAX_SESSIONS"
> in session.c from 10 to 30 or 50, without getting other Problems?

Probably, but I've never tried it.  I don't think it will help in your
case, though.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
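The arithmetic behind the MaxStartups setting Darren points at, as an added example for this archive and not OpenSSH's own code: it parses the plain-limit and the "start:rate:full" random early drop forms (the latter is spelled out in the sshd_config man page text quoted later in this thread) and gives the refusal probability for a given number of unauthenticated connections, which is what an admin sizing a burst of print-spool connections needs to know. The function and type names are the example's own, and the linear interpolation is done in integer arithmetic as a server would.

```c
/* Added example, not OpenSSH code: the MaxStartups random early drop rule
 * ("start:rate:full") as the sshd_config man page describes it, worked as
 * arithmetic so a burst of connections can be reasoned about before tuning.
 * Function and type names are this example's own. */
#include <stdio.h>
#include <stdlib.h>

struct max_startups { int start, rate, full; };

/* Parse "10" (refuse everything at or past 10) or "10:30:60".
 * Returns 0 on success, -1 if the value is malformed or inconsistent. */
int parse_max_startups(const char *s, struct max_startups *m)
{
	long v[3];
	char *end;
	int i;

	for (i = 0; i < 3; i++) {
		v[i] = strtol(s, &end, 10);
		if (end == s)
			return -1;
		s = end;
		if (*s == '\0')
			break;
		if (*s != ':')
			return -1;
		s++;
	}
	if (i == 0) {			/* plain limit: hard cutoff at start */
		m->start = m->full = (int)v[0];
		m->rate = 100;
	} else if (i == 2) {
		m->start = (int)v[0];
		m->rate = (int)v[1];
		m->full = (int)v[2];
	} else
		return -1;
	if (m->start < 1 || m->rate < 1 || m->rate > 100 || m->full < m->start)
		return -1;
	return 0;
}

/* Percent chance that a new connection is refused while `unauth` connections
 * are still unauthenticated: 0 below start, rate at start, rising linearly
 * to 100 at full (integer arithmetic, as a server would do it). */
int drop_probability(const struct max_startups *m, int unauth)
{
	if (unauth < m->start)
		return 0;
	if (unauth >= m->full)
		return 100;
	return m->rate + (100 - m->rate) * (unauth - m->start) / (m->full - m->start);
}

/* Convenience: probability for a spec string, or -1 if the spec is invalid. */
int probability_for(const char *spec, int unauth)
{
	struct max_startups m;
	return parse_max_startups(spec, &m) == -1 ? -1 : drop_probability(&m, unauth);
}

int main(void)
{
	const char *spec = "10:30:60";	/* the man page's own example */
	int n;

	printf("MaxStartups %s\n unauth  refuse%%\n", spec);
	for (n = 0; n <= 60; n += 10)
		printf(" %6d  %3d\n", n, probability_for(spec, n));
	return 0;
}
```

For Udo's case the table makes the trade-off visible: with the default (a plain 10) the eleventh simultaneous attempt is refused outright, while "10:30:60" lets a burst run past 10 with a rising chance of refusal; raising start above the size of the spool's typical burst is what removes the ssh_exchange_identification errors, at the cost of more unauthenticated connections held open during a flood.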
From markus at openbsd.org Wed Jun 2 21:07:01 2004
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 2 Jun 2004 13:07:01 +0200
Subject: More than 10 open sessions
In-Reply-To: <1A731486F9966F4FAB717053FB0F4702AFD358@pdbh9rba>
References: <1A731486F9966F4FAB717053FB0F4702AFD358@pdbh9rba>
Message-ID: <20040602110700.GA16222@folly>

no, it's not related to MAX_SESSIONS

it's more likely related to:

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the sshd daemon.  Additional connections will
             be dropped until authentication succeeds or the LoginGraceTime
             expires for a connection.  The default is 10.

             Alternatively, random early drop can be enabled by specifying
             the three colon separated values ``start:rate:full'' (e.g.,
             "10:30:60").  sshd will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently
             ``start'' (10) unauthenticated connections.  The probability
             increases linearly and all connection attempts are refused if
             the number of unauthenticated connections reaches ``full''
             (60).

On Wed, Jun 02, 2004 at 12:50:43PM +0200, Gerwin Udo wrote:
> Hi,
>
> we use OpenSSH_3.8.1p1 and we would like to change the complete printer
> Spool communication from Unix r-Commands to ssh "OpenSSH". Sometimes, we
> have problems, because of very high connection set-ups in extremely
> short time intervals, more than 10 open sessions.
> The connection set-up is partly declined with the error message:
> ssh_exchange_identification: Connection closed by remote host
>
> I think, our Problem is the Parameter "#define MAX_SESSIONS" in
> session.c.
> Have you scheduled to integrate the Parameter "MAX_SESSIONS" as a
> configuration Parameter in sshd_config?
> When not, is it possible to change the parameter "#define MAX_SESSIONS"
> in session.c from 10 to 30 or 50, without getting other Problems?
>
> Best regards
>
> Udo Gerwin
>
>
> Gruss Udo Gerwin
>
> --
> __________________________________________________
>
> Udo Gerwin
> Software Engineer
> Siemens Business Services
> SBS ORS GD AHS CC13
> Riemekestr. 160, 33106 Paderborn
> Tel. +49 5251 8-25663
> Fax +49 5251 8-25603
> mailto:Gerwin at siemens.com
> __________________________________________________

From s_manimaran14 at yahoo.com Thu Jun 3 04:23:30 2004
From: s_manimaran14 at yahoo.com (Manimaran Subbaraj)
Date: Wed, 2 Jun 2004 11:23:30 -0700 (PDT)
Subject: C library for SSH
Message-ID: <20040602182330.44933.qmail@web14927.mail.yahoo.com>

Hello,

I have a client/server architecture in which they don't reside on the
same NIS or NFS domains.  I need to make a SSH connection to the server
from an application running on the client.  Since the application is
not interactive, I am looking for an option in which I could send the
password as an argument to the SSH call.  The application has its
source code in the C programming language.

Is there a C interface library for SSH available on the IBM website, in
which I could pass the password as an argument to an inbuilt routine to
make a SSH connection?  Or is there any other way I could work around
my requirement.

Thanks,
Mani

__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
From scott.burch at camberwind.com Thu Jun 3 04:41:05 2004
From: scott.burch at camberwind.com (Scott Omar Burch)
Date: Wed, 02 Jun 2004 13:41:05 -0500
Subject: C library for SSH
In-Reply-To: <20040602182330.44933.qmail@web14927.mail.yahoo.com>
References: <20040602182330.44933.qmail@web14927.mail.yahoo.com>
Message-ID: <40BE1F41.4060206@camberwind.com>

Manimaran,

Use public key authentication with a key that doesn't have a passphrase,
or use a key with a passphrase and an agent; then your application won't
need to send a password.  Whatever you do, don't store the private key
on an NFS filesystem.

-Scott

Manimaran Subbaraj wrote:
> Hello,
>
> I have a client/server architecture in which they
> don't reside on the same NIS or NFS domains. I need to
> make a SSH connection to the server from an
> application running on client. Since the application
> is not interactive, I am looking for an option in
> which I could send the password as an argument to the
> SSH call. The application has its source codes in C
> programming language.
>
> Is there a C interface library for SSH available in
> IBM website, in which I could pass the password as an
> argument to a inbuilt routine to make a SSH
> connection? Or is there any other way I could
> workaround my requirement.
>
> Thanks,
> Mani
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Jun 2004 12:49:34 +1000
Subject: LinuxPAM and sshd: changing conversation function doesn't work but claims to.
Message-ID: <40BE91BE.7000906@zip.com.au>

Hi.

I'm one of the OpenSSH developers, and I've done some of the work on sshd's PAM interface recently. I've discovered some behaviour peculiar to LinuxPAM that I can't explain: changing the conversation function does not appear to work, even though the pam_set_item() call claims to succeed. The previous conversation function is still called.

Background: the PAM API is a poor fit for the SSH protocol, so the conversation function needs to do vastly different things at different points in the protocol. Instead of one enormous multi-mode function, sshd has what is probably a record number of different conversation functions (5, in the current development versions). One of these is a fairly generic "tty_conv" that interacts with the user directly on stdin/stdout and /dev/tty. Since the user doesn't get a pty until quite late in the login process, this function is only used for pam_chauthtok() in some cases, and always after sshd has forked to set up for the user's shell.

The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's do_pam_chauthtok() in auth-pam.c):

    static struct pam_conv tty_conv = { pam_tty_conv, NULL };
    [...]
            sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
                (const void *)&tty_conv);
            if (sshpam_err != PAM_SUCCESS)
                    fatal("PAM: failed to set PAM_CONV: %s",
                        pam_strerror(sshpam_handle, sshpam_err));
            debug("PAM: changing password");
            sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);

The conversation functions also have a debug() at the start announcing that they've been called and the number of messages passed.
If I run the server[1] in debug mode with PAM enabled and privilege separation off, and connect with SSHv1 with an account that has an expired password, the code above will be called, and the debug messages will be sent to the client (since stdin/stdout is connected to the pty). Here's the output from the client:

    Password:
    Response:
    debug1: PAM: changing password
    debug3: PAM: sshpam_null_conv entering, 2 messages
    PAM: pam_chauthtok(): Authentication token manipulation error
    debug1: do_cleanup
    Connection to localhost closed.

Despite pam_set_item claiming to succeed (it must have returned PAM_SUCCESS otherwise fatal() would have been called), tty_conv is *not* called by PAM, the previous conversation function is (which replies immediately with PAM_CONV_ERR and thus the pam_chauthtok fails).

This is a Redhat 9 box with pam-0.75-48. Similar behaviour has also been observed on Debian. The same sshd code works OK on several other PAM platforms.

I have not been able to replicate this behaviour in a minimal test case, but I'm hoping someone will be able to explain it.

Thanks,
-Daz.

[1] To reproduce with OpenSSH 3.8.1p1 built with PAM enabled:

    # ./sshd -ddd -p 2022 -oUsePAM=yes -oUsePrivilegeSeparation=no
    # ssh -1 -p 2022 testuser at localhost

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Jun 3 15:43:11 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Jun 2004 15:43:11 +1000
Subject: LinuxPAM and sshd: changing conversation function doesn't work but claims to.
In-Reply-To: <40BE91BE.7000906@zip.com.au>
References: <40BE91BE.7000906@zip.com.au>
Message-ID: <40BEBA6F.2090009@zip.com.au>

Darren Tucker wrote:
[about PAM calling the wrong conversation function]
> I have not been able to replicate this behaviour in a minimal test case, but I'm hoping someone will be able to explain it.

OK, here's a smallish testcase that demonstrates the problem, run on Redhat 9 and Solaris 8. Note that on Redhat, the call to chauthtok (incorrectly) generates a second call to my_conv1, whereas on Solaris myconv2 is (correctly) called in the second case.

Thanks,
-Daz.

    $ uname -svr; rpm -q pam
    Linux 2.4.20-31.9 #1 Tue Apr 13 17:41:45 EDT 2004
    pam-0.75-48
    $ gcc wrong-conv-function.c -lpam
    $ sudo ./a.out
    [673]: pam_start result 0 (Success)
    [673]: my_conv1 called
    [673]: pam_acct_mgmt result 12 (Authentication token is no longer valid; new one required.)
    [674]: pam_set_item result 0 (Success)
    [674]: my_conv1 called
    [674]: pam_chauthtok result 20 (Authentication token manipulation error)

For comparison, here is the same code run on Solaris 8:

    $ uname -svr
    SunOS 5.8 Generic_117350-02
    $ sudo ./a.out
    [20837]: pam_start result 0 (Success)
    [20837]: pam_acct_mgmt result 9 (Authentication failed)
    [20838]: pam_set_item result 0 (Success)
    [20838]: my_conv2 called
    [20838]: pam_chauthtok result 6 (Conversation failure)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Jun 3 16:05:36 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Jun 2004 16:05:36 +1000
Subject: LinuxPAM and sshd: changing conversation function doesn't work but claims to.
In-Reply-To: <40BEBA6F.2090009@zip.com.au>
References: <40BE91BE.7000906@zip.com.au> <40BEBA6F.2090009@zip.com.au>
Message-ID: <40BEBFB0.9060506@zip.com.au>

Darren Tucker wrote:
> OK, here's a smallish testcase that demonstrates the problem

Hrm, attachment seems to have been stripped. It can also be found at:
http://www.zip.com.au/~dtucker/openssh/wrong-conv-function.c

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From philip at lawatsch.at Thu Jun 3 22:46:10 2004
From: philip at lawatsch.at (Philip Lawatsch)
Date: Thu, 03 Jun 2004 14:46:10 +0200
Subject: Weird behaviour with /dev/null
Message-ID: <40BF1D92.9020804@lawatsch.at>

Hi,

It took me several hours to figure out what was going wrong with openssh on my systems. I had the following situation: Started sshd, and it forked several times and then it died without any meaningful messages. If I start it with -d it works like a charm.

The root of all these strange problems was that /dev/null was a regular file instead of the null device (my fault).

Would it be possible to add some error message or something like this in case openssh can write to / use /dev/null?

kind regards

Philip Lawatsch

From richard.bechler at siemens.com Fri Jun 4 19:24:00 2004
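The check Philip asks for, as an added example written for this archive (it is not code from OpenSSH or from either poster): a daemon that is about to redirect its standard descriptors to /dev/null can verify that the path really is the null device before trusting it. The decoy helper and its /tmp path are my own construction for exercising the failure case.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if `path` behaves like the null device: it is a character
 * special file, a read hits EOF immediately, and a write is accepted.
 * A regular file masquerading as /dev/null fails the S_ISCHR test (and,
 * if it has content, the read test); a daemon that pointed its std fds
 * at it would otherwise silently read junk or grow the file. */
int is_null_device(const char *path)
{
    struct stat st;
    char buf[16];
    int fd, ok = 0;

    if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;
    fd = open(path, O_RDWR);
    if (fd < 0)
        return 0;
    if (read(fd, buf, sizeof buf) == 0 && write(fd, "x", 1) == 1)
        ok = 1;
    close(fd);
    return ok;
}

/* Constructed failure case: a regular file at a temp path, like the
 * misconfigured /dev/null in the post. Returns 1 if the check rejects it
 * (the expected outcome), 0 if it wrongly accepts it, -1 if the decoy
 * could not be created. */
int decoy_is_rejected(void)
{
    char tmpl[] = "/tmp/fake-null-XXXXXX";   /* hypothetical decoy path */
    int fd = mkstemp(tmpl);
    int rejected;

    if (fd < 0)
        return -1;
    close(fd);
    rejected = is_null_device(tmpl) == 0;
    unlink(tmpl);
    return rejected;
}

int main(void)
{
    printf("/dev/null is the null device: %s\n",
           is_null_device("/dev/null") ? "yes" : "NO - refusing to start");
    printf("regular-file decoy rejected: %s\n",
           decoy_is_rejected() == 1 ? "yes" : "no");
    return 0;
}
```

The stat test alone catches Philip's case; the read/write probe additionally catches a character device that is not actually the null device, which is cheap enough to do once at startup.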
From: richard.bechler at siemens.com (Bechler Richard)
Date: Fri, 4 Jun 2004 11:24:00 +0200
Subject: sharing a private key with other local users of the same group
Message-ID:

Hello,

we're using the portable OpenSSH (3.8.1p1) with Linux, HP-UX and Solaris.

After starting the ssh-agent and adding a private key, I changed the permissions of the socket to 0770, so other users of the same group have access to it. With HP-UX and Solaris this works fine, although with Linux and older OpenSSH versions (3.4p1/SuSE8.1, 3.1p1/RedHat7.2).

With 3.8.1p1 and Linux (SLES8-SuSE8.1) I got the following error message:

    Error reading response length from authentication socket.

Attachment: strace output

greetings,
Richard Bechler (richard.bechler at siemens.com)

From dtucker at zip.com.au Fri Jun 4 19:40:10 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: 04 Jun 2004 19:40:10 +1000
Subject: sharing a private key with other local users of the same group
In-Reply-To:
References:
Message-ID: <1086342009.12046.6.camel@chimera.dodgy.net.au>

On Fri, 2004-06-04 at 19:24, Bechler Richard wrote:
> we're using the portable OpenSSH (3.8.1p1) with Linux, HP-UX and Solaris.
> After starting the ssh-agent and adding a private key, I changed the permissions of the socket to 0770, so other users of the same group have access to it. With HP-UX and Solaris this works fine, although with Linux and older OpenSSH versions (3.4p1/SuSE8.1,3.1p1/RedHat7.2).
> With 3.8.1p1 and Linux (SLES8-SuSE8.1) I got the following error message:
> Error reading response length from authentication socket.

From 3.5x, ssh-agent will use getsockopt([...] SO_PEERCRED) on platforms that have it (which includes most modern Linuxes) to determine the effective uid of the process talking to it, and will not answer if the process belongs to a different user.

If you really want it to, you can disable this by, eg, putting "#undef SO_PEERCRED" at the bottom of defines.h.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From marquess at veridicalsystems.com Fri Jun 4 22:45:57 2004
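What Darren describes, shown as an added example (not ssh-agent's own code): the kernel tells a Unix-socket server who its peer is, and socket file permissions play no part in that answer. The policy function mirrors my understanding of ssh-agent's check, in which a peer running as root is also accepted; the function names and the local struct mirroring Linux's struct ucred layout are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux fills SO_PEERCRED with the {pid, uid, gid} of the peer as of the
 * time it connected. This mirrors the layout of <sys/socket.h>'s
 * struct ucred so the example does not depend on feature macros. */
struct peer_cred {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* Accept only a peer whose effective uid is our own, or root (assumed to
 * be ssh-agent's rule). Returns 1 to answer the request, 0 to refuse. */
int agent_accept_peer(uid_t peer_euid, uid_t my_uid)
{
    return peer_euid == 0 || peer_euid == my_uid;
}

/* Ask the kernel who is on the other end of AF_UNIX socket `fd` and apply
 * the policy. Returns 1 accept, 0 refuse, -1 if credentials are not
 * available (not a Unix socket, or a platform without SO_PEERCRED). */
int check_agent_client(int fd)
{
#ifdef SO_PEERCRED
    struct peer_cred pc;
    socklen_t len = sizeof pc;

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &pc, &len) != 0)
        return -1;
    return agent_accept_peer(pc.uid, getuid());
#else
    (void)fd;
    return -1;
#endif
}

/* Demonstration: both ends of a socketpair belong to this process, so the
 * check must accept. A 0770 chmod on a listening socket, as in the post,
 * would let another group member connect but the kernel would still report
 * that member's uid here, and agent_accept_peer() would refuse. */
int demo_same_user_peer(void)
{
    int sv[2], r;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    r = check_agent_client(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("same-user peer accepted: %d\n", demo_same_user_peer());
    printf("uid 1001 talking to uid 1000 accepted: %d\n",
           agent_accept_peer(1001, 1000));
    return 0;
}
```

This is why the group-writable socket worked on the platforms and versions without the credential check and stops working once it is present: the filesystem permission gates connect(2), but the agent decides after the connection exists.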
From: marquess at veridicalsystems.com (Steve Marquess)
Date: Fri, 04 Jun 2004 08:45:57 -0400
Subject: Patch for FIPS 140 mode - take 3
Message-ID: <40C06F05.5040603@veridicalsystems.com>

Greetings.

(Third try at sending this, the first two seemed to disappear without a trace. Perhaps use of MS Outlook was the problem, even though in plain text...? Or attachment too big (22Kb)? Would like to know...)

The final source code and documentation package for a FIPS 140 validated mode of OpenSSL was recently submitted. Once the final certification is awarded by NIST, in a month or two hopefully, it will be possible to build FIPS 140 validated applications with the FIPS mode OpenSSL library.

Ben Laurie and I have developed the attached patch that adapts OpenSSH-3.8p1 for use with the FIPS mode OpenSSL library. This patch is as minimal as possible, to serve as a model for "FIPS-izing" applications and to satisfy the immediate needs of my client that co-sponsored the bulk of the validation effort.

Some notes:

1) For practical purposes only static linking with the FIPS library is supported. The configure checks for static linking may not be portable to all platforms.

2) FIPS mode is enabled at runtime for ssh and sshd only. Properly speaking the auxiliary commands (ssh-keygen, ssh-add, etc.) should do so as well.

3) MD5 is not allowed in FIPS mode. For the specific case of shadow password support I enabled MD5 using a special API call intended for use with TLS. FIPS 140 will permit that since the shadow passwords are generated and maintained entirely outside of OpenSSH. However, the use of MD5 for passphrases is not allowed. As-is this patch will allow keys to be used only with null passphrases, and FIPS 140 doesn't allow that either (all keys input or output from an application must be encrypted with a FIPS 140 approved algorithm). So, passwords only and no keys. How about a SHA1 passphrase encryption option...?
4) The OpenSSL source code used to generate the FIPS mode library is, or soon will be, in the OpenSSL_0_9_7_stable branch. The documentation describing the building and use of the FIPS library has not been released yet pending approval by NIST, but will be included in the OpenSSL source distributions.

5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only

6) The FIPS_mode_set() call tries to self-seed using the non-FIPS PRNG, but doesn't get enough entropy on HP-UX (no EGD or /dev/urandom). So for ssh.c I moved the seed_rng() call forwards quite a bit, that may cause other problems. Also, the PRNG is awkwardly re-seeded for the child process with a new PID. Ben Laurie has suggested a helper function in OpenSSL to simplify those steps, but it isn't done yet.

-Steve M.

Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
steve.marquess at det.amedd.army.mil

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040604/64d4d87c/attachment.ksh

From dan at chalkie.org.uk Sat Jun 5 00:09:08 2004
From: dan at chalkie.org.uk (Dr. Daniel James White PhD)
Date: Fri, 4 Jun 2004 17:09:08 +0300
Subject: fedora core 2 openssh, No credentials cache found
Message-ID:

Hi,

I can't log into my Fedora core 2 box from another linux machine or an OSX machine. It worked the very first time I tried then never since.

I have downloaded the newest openssh sources, and done

    ./configure
    make
    make install

as root but seems to still use the old openssh.
I stopped and restarted the sshd

any Ideas?

cheers

Dan

I get this message with the -v flag on

    [daniel:~] dan% ssh -v -X -l dan modeling
    OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
    debug1: Reading configuration data /etc/ssh_config
    debug1: Rhosts Authentication disabled, originating port will not be trusted.
    debug1: Connecting to modeling [130.234.102.160] port 22.
    debug1: Connection established.
    debug1: identity file /Users/dan/.ssh/identity type -1
    debug1: identity file /Users/dan/.ssh/id_rsa type -1
    debug1: identity file /Users/dan/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
    debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2003-0693
    debug1: Miscellaneous failure
    No credentials cache found
    debug1: Miscellaneous failure
    No credentials cache found
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    Connection closed by 130.234.102.160
    debug1: Calling cleanup 0x1c440(0x0)
    [daniel:~] dan%

Dr. Daniel James White BSc. (Hons.) PhD
Cell Biology
Department of biological and environmental science
PO Box 35
University of Jyväskylä
Jyväskylä FIN 40014
Finland
+358 14 260 4183 (work)
+358 468102840 (new mobile) NEW PHONE NUMBER!!!
http://www.chalkie.org.uk
dan at chalkie.org.uk
white at cc.jyu.fi

From jason at devrandom.org Sat Jun 5 01:36:02 2004
From: jason at devrandom.org (Jason McCormick)
Date: Fri, 4 Jun 2004 11:36:02 -0400
Subject: fedora core 2 openssh, No credentials cache found
In-Reply-To:
References:
Message-ID: <200406041136.02083.jason@devrandom.org>

> but seems to still use the old openssh.
> I stopped and restarted the sshd

For Fedora (or any RPM-based distro) it's good practice to use RPM package management. The Fedora RPMs don't locate things like the stock compile does. The RPMs mimic the file locations and behavior of other things in the RedHat world (e.g. /usr/bin instead of /usr/local/bin). If you want the latest OpenSSH use the spec build file in the package. Basically do the following:

1) Put a copy of openssh-3.8.1p1.tar.gz in /usr/src/redhat/SOURCES
2) Put a copy of x11-ssh-askpass-1.2.4.1.tar.gz in /usr/src/redhat/SOURCES
3) Unpack openssh-3.8.1p1.tar.gz in a temporary location (i.e. /tmp)
4) # cd contrib/redhat
5) Execute the rpmbuild command to build the OpenSSH packages using the information in openssh.spec (i.e. # rpmbuild -ba openssh.spec)
6) RPM will build the OpenSSH install and create the RPMs you need in /usr/src/redhat/RPMS
7) Install these and enjoy

Chances are your OpenSSH install is now a mix of the stock Fedora-provided OpenSSH packages and your manual compile. Try this and see if you encounter additional problems. Also, be aware of the functionality change for the X11 cookies if you use X over SSH forwarding.

-- 
Jason McCormick
jason at devrandom.org
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From s_manimaran14 at yahoo.com Sat Jun 5 04:58:47 2004
From: s_manimaran14 at yahoo.com (Manimaran Subbaraj)
Date: Fri, 4 Jun 2004 11:58:47 -0700 (PDT)
Subject: C library for SSH
In-Reply-To: <40BE1F41.4060206@camberwind.com>
Message-ID: <20040604185847.77457.qmail@web14924.mail.yahoo.com>

Scott,

Thanks for your suggestion. In my case, now that SSH implementation is complete and I don't have the root privilege I won't be able to implement the same.

What I am looking for is, passing SSH password as an argument when making a SSH connection. The application making the SSH connection needs to remain non-interactive.

The application may run from any client (that resides in a separate NIS/NFS domain) and needs to communicate with the server with proper authentication. In this case the SSH password.

-Mani

--- Scott Omar Burch wrote:
> Manimaran,
>
> Use Public Key authentication with a key that doesn't have a passphrase or use a key with a passphrase and an agent...then your application won't need to send a password. Whatever you do don't store the private key on an NFS filesystem.
>
> -Scott
>
> Manimaran Subbaraj wrote:
> > Hello,
> >
> > I have a client/server architecture in which they don't reside on the same NIS or NFS domains. I need to make a SSH connection to the server from an application running on client. Since the application is not interactive, I am looking for an option in which I could send the password as an argument to the SSH call. The application has its source codes in C programming language.
> >
> > Is there a C interface library for SSH available in IBM website, in which I could pass the password as an argument to an inbuilt routine to make a SSH connection? Or is there any other way I could work around my requirement?
> >
> > Thanks,
> > Mani

From Robert.Perez at cna.com Sat Jun 5 06:07:50 2004
From: Robert.Perez at cna.com (Perez,Robert)
Date: Fri, 4 Jun 2004 15:07:50 -0500
Subject: Password aging problem
Message-ID:

Compile openssh-3.8p1 with gcc and the following flags --prefix=/tmp/build/sshd --with-ssl-dir=/tmp/build/lib --with-utmpx, no PAM.

Everything compiles correctly, and I changed sshd_config to use "UseLogin yes"

When my client connects (using the newer ssh client too), I do not get the message that my password will expire in xx days, but sshd shows that it is picking up that info (next three lines)

    debug1: sys_auth_passwd: msg Last unsuccessful login: Thu May 13 15:11:10 2004 on ssh from mxpgh0.cna.com
    Last login: Fri Jun 4 19:31:33 2004 on /dev/pts/13 from loopback
    debug3: AIX/passwdexpired returned 0 msg Your password will expire: Thu Aug 5 21:53:44 2004

The client just shows

    c020914 at localhost's password:
    *****************************************************
    ! ! ! ! ! WARNING ! ! ! ! !
    Unauthorized access and use of this system is not permitted and is strictly prohibited by security policies, regulations, local and national laws.
    UNAUTHORIZED USERS ARE SUBJECT TO CRIMINAL AND CIVIL PENALTIES AS WELL AS COMPANY-INITIATED DISCIPLINARY PROCEEDINGS.
    *****************************************************
    Last unsuccessful login: Thu May 13 10:11:10 CDT 2004 on ssh from mxpgh0.cna.com
    Last login: Fri Jun 4 14:35:02 CDT 2004 on ssh from loopback
    $

Do I need PAM compiled and enabled in the config file for passwd aging support?

thanks

E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.

From gugo_m at hotmail.com Sat Jun 5 07:54:27 2004
From: gugo_m at hotmail.com (G M)
Date: Fri, 04 Jun 2004 21:54:27 +0000
Subject: HELP: Installer files for ssh
Message-ID:

Hi everyone,

This in no way is intended to be a spam, so I apologize in advance to all people who find this useless.

I am trying to get a copy of the nsi script used to build OpenSSH installation file. I am trying to create a silent installation with some hardcoded values.

Any info and help is GREATLY appreciated.

Gugo

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee Security.
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

From dtucker at zip.com.au Sat Jun 5 11:25:22 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: 05 Jun 2004 11:25:22 +1000
Subject: Password aging problem
In-Reply-To:
References:
Message-ID: <1086398721.12046.14.camel@chimera.dodgy.net.au>

On Sat, 2004-06-05 at 06:07, Perez,Robert wrote:
> Compile openssh-3.8p1 with gcc and the following flags --prefix=/tmp/build/sshd --with-ssl-dir=/tmp/build/lib --with-utmpx, no PAM.
>
> Everything compiles correctly, and I changed sshd_config to use "UseLogin yes"

You don't (well, shouldn't) need UseLogin.

> When my client connects (using the newer ssh client too), I do not get the message that my password will expire in xx days, but sshd shows that it is picking up that info (next three lines)

Try 3.8.1p1 with the attached patch.

> Do I need PAM compiled and enabled in the config file for passwd aging support?

No.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-sshd-aixloginmsg.patch
Type: text/x-patch
Size: 687 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040605/76defdaa/attachment.bin

From djm at mindrot.org Sat Jun 5 11:35:26 2004
From: djm at mindrot.org (Damien Miller)
Date: Sat, 05 Jun 2004 11:35:26 +1000
Subject: Spamcop abuse reports for openssh-unix-dev messages
Message-ID: <40C1235E.1040104@mindrot.org>

Would the person(s) who is reporting the occasional spam messages relayed through this list to Spamcop please refrain from doing so, or unsubscribe? You were warned that the list is open when you subscribed *and* that a small amount of spam would make it through as a result.

As a result of this: my friend, who has generously donated the use of a co-located server to act as a relay for this list, has now had this server blacklisted and is having to justify himself to his hosting provider.

-d

From russell at coker.com.au Wed Jun 2 16:31:50 2004
From: russell at coker.com.au (Russell Coker)
Date: Wed, 2 Jun 2004 16:31:50 +1000
Subject: issue with SE/Linux - sshd not giving access to /dev/pts/[n]
In-Reply-To: <20040601090345.GM8312@lkcl.net>
References: <20040601090345.GM8312@lkcl.net>
Message-ID: <200406021631.50230.russell@coker.com.au>

On Tue, 1 Jun 2004 19:03, Luke Kenneth Casson Leighton wrote:
> i have an issue on my newly created Debian/SELinux/unstable system.
>
> i have pam 0.77 se1 installed
> ssh 3.8.1p1-4 (OpenSSH)
> and libselinux1 1.12-1.
>
> i can log in as root, fine.
>
> but i cannot log in as an ordinary user, and i had to grant special permission to the _user_ process (NOT sshd or pam before a setuid and exec is carried out) to access /dev/pts/0.
>
> in other words, if i understand this correctly, there is a bug somewhere in either sshd or pam where control of the tty is given at the wrong point, or is not given at all.

When you login the terminal must be given a type label that permits you access to it. Otherwise you can't access your terminal and get logged out.

There is a bug in the SE Linux pam code or in sshd which results in the terminal not being correctly relabelled in some situations. Someone (maybe you) needs to debug this.

I would guess that the PAM code is doing the wrong thing, the PAM code in question is in Fedora and in my repository for SE Linux Debian packages. It is not in the main-line PAM distribution because nothing happens there. So asking the pam-list is not going to do any good because probably no-one on that list has even seen the code in question. Same goes for the ssh list.

Best to just debug the code yourself.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

From cawlfiel at austin.ibm.com Thu Jun 3 06:16:04 2004
From: cawlfiel at austin.ibm.com (cawlfiel)
Date: Wed, 02 Jun 2004 15:16:04 -0500
Subject: gssapi-with-mic and Win2K KDC?
References: <1085763531.5302.1243.camel@cygnus.uwb.edu> <40B7795C.35FB1BEC@anl.gov> <1085768047.5302.1277.camel@cygnus.uwb.edu> <40B7AFBB.659E634D@anl.gov> <1086129763.20710.375.camel@cygnus.uwb.edu> <20040602034604.GA8242@conectiva.com.br>
Message-ID: <40BE3584.A47B141B@austin.ibm.com>

I was experiencing a very similar-sounding problem. My client/server debug outputs didn't even show Kerberos or GSSAPI being tried.

When we were testing 3.7.1p2, we didn't have to set any Kerberos/GSSAPI options on the client's /etc/ssh/ssh_config file... Kerberos auth worked fine as-is.

Kerberos auth wasn't working for us on 3.8.1p1, so we tried to set GSSAPIAuthentication to yes on the 3.8.1p1 client. Even though we had #defined both KRB5 and GSSAPI, the 3.8.1p1 client kept reporting GSSAPIAuthentication as an unsupported option.

I went into readconf.c and changed:

    if (options->gss_authentication == -1)
            options->gss_authentication = 0;

to

    if (options->gss_authentication == -1)
            options->gss_authentication = 1;

and after that, Kerberos works like a charm. Maybe that'll solve the problem you're experiencing as well?

-Kevin

Andreas wrote:
>
> On Tue, Jun 01, 2004 at 03:42:43PM -0700, Aaron Grewell wrote:
> > Hmm. One of the things I noticed was that running sshd in debug mode "-D -ddd" and watching a connection attempt did not show anything about Kerberos or GSSAPI. I'm not sure what that means. I ran ldd against sshd and it is linked against my kerb libraries, so I'm not sure how to proceed.
>
> You have to enable gssapi on the server, it's not on by default afaik, not even on the client (!). Check for "GSSAPIAuthentication yes" on both the server and the client.
-- 
-----------------------
Kevin Cawlfield
AIX IP Security
cawlfiel at austin.ibm.com
-----------------------

From gabriel at wiccatech.com Sun Jun 6 05:31:14 2004
From: gabriel at wiccatech.com (gabriel russell)
Date: Sat, 05 Jun 2004 15:31:14 -0400
Subject: [patch] sftp-server writes uploads to a temporary file then renames them when finished
Message-ID:

Well, my boss asked me to write this patch and I figured I'd share it in case someone else wanted to use it. It's clearly not for incorporating into the main tree. It would need to be configurable, and since there is no configuration system for sftp, it can't easily be. I could make it look for an environment variable for the tmp-name-suffix and use its existence to indicate whether or not to use tmp files.

- Gabriel

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftp-server_tmpfile.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040605/4105ce41/attachment.ksh

From djm at mindrot.org Sun Jun 6 10:43:27 2004
From: djm at mindrot.org (Damien Miller)
Date: Sun, 06 Jun 2004 10:43:27 +1000
Subject: [patch] sftp-server writes uploads to a temporary file then renames them when finished
In-Reply-To:
References:
Message-ID: <40C268AF.6030607@mindrot.org>

gabriel russell wrote:
> Well, my boss asked me to write this patch and I figured I'd share it in case someone else wanted to use it. It's clearly not for incorporating into the main tree.

This isn't going to be reliable because the filexfer protocol (sftp) doesn't really have a notion of an "upload" - it sees an open, a bunch of writes and a close. While this will usually represent an upload, it could also be modifications to a different file. You could make this a bit more robust by only activating it for creations or truncations.

> It would need to be configurable, and since there is no configuration system for sftp, it can't easily be.

When I have made modifications to sftp-server that have required passing in configuration options, I just pass them on the commandline and use a wrapper script in sshd_config's SubSystem directive (because sshd_config doesn't allow the passing of commandline options to subsystems.)

> I could make it look for an environment variable for the tmp-name-suffix and use its existence to indicate whether or not to use tmp files.

You should just use mkstemp to give you a fd to a temporary file, rather than making something that could be clobbered by multiple simultaneous uploads.

-d

From gabriel at wiccatech.com Sun Jun 6 13:14:01 2004
From: gabriel at wiccatech.com (gabriel russell)
Date: Sat, 05 Jun 2004 23:14:01 -0400
Subject: [patch] sftp-server writes uploads to a temporary file then renames them when finished
In-Reply-To: <40C268AF.6030607@mindrot.org>
References: <40C268AF.6030607@mindrot.org>
Message-ID:

Damien Miller wrote:
> This isn't going to be reliable because the filexfer protocol (sftp) doesn't really have a notion of an "upload" - it sees an open, a bunch of writes and a close. While this will usually represent an upload, it could also be modifications to a different file. You could make this a bit more robust by only activating it for creations or truncations.

I don't know when it's unreliable. I only work with a tmp file when the flags of the open are TRUNC|CREAT|WRITE. Those are the flags for a "normal" upload. Any other flag combination, even ones that write to a file, are left to work normally.

> When I have made modifications to sftp-server that have required passing in configuration options, I just pass them on the commandline and use a wrapper script in sshd_config's SubSystem directive (because sshd_config doesn't allow the passing of commandline options to subsystems.)

Hmm, nice idea.

> You should just use mkstemp to give you a fd to a temporary file, rather than making something that could be clobbered by multiple simultaneous uploads.

Yea, I think you are right. I had thought of this earlier, but I only worked on this until I had my fill of coffee and had to go outside and get some sunshine.

I think I'd like to default to making the tmp file hidden as well. I like how rsync names its tmp files. I'll read how they do it and maybe I'll copy their methods.

-G

From james.freeman at smartsurf.org Sun Jun 6 13:45:26 2004
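The staging scheme the two of them converge on, as an added example written for this archive (it is neither Gabriel's patch nor sftp-server code): stage only a write+create+truncate open, let every other flag combination through unchanged, and take the temp file from mkstemp in the target's own directory so concurrent uploads of the same name cannot collide and the final rename is atomic. The upload_open/upload_close names, the hidden ".name.XXXXXX" pattern and the /tmp demo directory are my own choices.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One upload in flight: the path the client named, the temp file the bytes
 * really go to (empty when the open was passed straight through), its fd. */
struct staged_upload {
    char final[PATH_MAX];
    char tmp[PATH_MAX];
    int fd;
};

/* Open `final_path` for an upload. Only a whole-file rewrite (write-only +
 * create + truncate, what an ordinary sftp "put" sends) is staged through a
 * hidden temp file in the same directory; append, read/write and partial
 * updates are opened directly and keep their normal semantics.
 * Returns the fd to write to, or -1 with errno set. */
int upload_open(const char *final_path, int flags, mode_t mode,
                struct staged_upload *u)
{
    const char *slash = strrchr(final_path, '/');
    int dirlen = slash ? (int)(slash - final_path + 1) : 0;
    const char *base = slash ? slash + 1 : final_path;
    mode_t um;
    int n;

    memset(u, 0, sizeof *u);
    u->fd = -1;
    n = snprintf(u->final, sizeof u->final, "%s", final_path);
    if (n < 0 || (size_t)n >= sizeof u->final) { errno = ENAMETOOLONG; return -1; }
    if ((flags & O_ACCMODE) != O_WRONLY || !(flags & O_CREAT) || !(flags & O_TRUNC))
        return u->fd = open(final_path, flags, mode);

    /* Same directory as the target so rename(2) is an atomic same-filesystem
     * replace; mkstemp picks a unique name, so two simultaneous uploads of
     * the same file cannot clobber each other's temp file. */
    n = snprintf(u->tmp, sizeof u->tmp, "%.*s.%s.XXXXXX", dirlen, final_path, base);
    if (n < 0 || (size_t)n >= sizeof u->tmp) { errno = ENAMETOOLONG; return -1; }
    if ((u->fd = mkstemp(u->tmp)) < 0) { u->tmp[0] = '\0'; return -1; }
    um = umask(0);      /* mkstemp made it 0600: apply the requested mode, */
    umask(um);          /* masked the way open(2) would have done */
    (void)fchmod(u->fd, mode & ~um & 07777);
    return u->fd;
}

/* Finish an upload. On success the data is fsync'd and the temp file
 * atomically replaces the target, so readers never see a half-written file;
 * on failure the temp file is unlinked and the old target is left untouched.
 * Returns 0 on success, -1 otherwise. */
int upload_close(struct staged_upload *u, int success)
{
    int rc;

    if (u->fd < 0)
        return -1;
    if (u->tmp[0] == '\0') {            /* not staged: a plain close */
        rc = close(u->fd);
        u->fd = -1;
        return rc;
    }
    if (success && fsync(u->fd) != 0)
        success = 0;
    if (close(u->fd) != 0)
        success = 0;
    u->fd = -1;
    rc = success ? rename(u->tmp, u->final) : -1;
    if (rc != 0)
        unlink(u->tmp);
    u->tmp[0] = '\0';
    return rc;
}

/* Demonstration on a constructed temp directory: a completed upload only
 * becomes visible at close, and an aborted re-upload of the same name leaves
 * the first version intact. Returns 1 if every check holds, 0 otherwise. */
int demo_staged_upload(void)
{
    static const char payload[] = "constructed sample payload\n";
    const off_t plen = (off_t)(sizeof payload - 1);
    char dir[] = "/tmp/sftp-stage-XXXXXX";
    char target[PATH_MAX];
    struct staged_upload u;
    struct stat st;
    int ok = 1;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/report.txt", dir);

    if (upload_open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644, &u) < 0)
        return 0;
    if (write(u.fd, payload, (size_t)plen) != plen) ok = 0;
    if (stat(target, &st) == 0) ok = 0;             /* not visible yet */
    if (upload_close(&u, 1) != 0) ok = 0;
    if (stat(target, &st) != 0 || st.st_size != plen) ok = 0;

    if (upload_open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644, &u) < 0)
        return 0;
    if (write(u.fd, "garbage", 7) != 7) ok = 0;
    if (upload_close(&u, 0) != -1) ok = 0;          /* abort is reported */
    if (stat(target, &st) != 0 || st.st_size != plen) ok = 0;

    unlink(target);
    rmdir(dir);
    return ok;
}
```

The open-flag test is the answer to Damien's "it could also be modifications to a different file": an append or a read/write open is never redirected, so only the case that a plain upload produces pays the rename cost. Note that the temp file inherits nothing from an existing target (owner, extended attributes, hard links all change on rename), which is the trade-off of any rename-in-place scheme.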
From: james.freeman at smartsurf.org (James Freeman)
Date: Sun, 6 Jun 2004 13:45:26 +1000
Subject: RSA Authentication fails for localhost when not root - OK in 3.7 NOT_OK 3.8p1
Message-ID:

In 3.7p1 you could, for a given user (say backup), generate an rsa_id key pair, place the .pub key into /home/backup/.ssh/authorized_keys and then you could ssh/scp localhost as the backup user and it worked as expected ie automatically authenticated using RSA.

In 3.8p1 the behaviour has changed. For root you can do as described above ie if you add root's .pub key to /root/.ssh/authorised_keys you can ssh localhost as root and it will RSA authenticate. For any other user RSA authentication fails when you try to authenticate from/onto localhost.

Why this was relevant in my case was simple laziness. I have a backup widget that takes a list of hosts to backup (including the real name of localhost) and calls scp which as of 3.8p1 barfs on the authentication. It is of course trivial to bypass the scp for localhost.

I am wondering if I was using a bug/feature of 3.7p1 as the behaviour is now different.

Regards

Dr James Freeman

From Jefferson.Ogata at noaa.gov Mon Jun 7 05:26:26 2004
From: Jefferson.Ogata at noaa.gov (Jefferson Ogata) Date: Sun, 06 Jun 2004 15:26:26 -0400 Subject: C library for SSH In-Reply-To: <20040604185847.77457.qmail@web14924.mail.yahoo.com> References: <20040604185847.77457.qmail@web14924.mail.yahoo.com> Message-ID: <40C36FE2.30206@noaa.gov> Manimaran Subbaraj wrote: > Thanks for your suggestion. In my case, now that SSH > implementation is complete and I don't have the root > privilege I won't be able to implement the same. Why not? Unless pubkeyauthentication is actually disabled, you can use keypairs to your heart's content. > What I am looking for is passing the SSH password as an > argument when making an SSH connection. The application > making the SSH connection needs to remain > non-interactive. Putting passwords on the command line is always a terrible idea. If you really want to do something like this, either wrap SSH up with a pty control program such as expect, write a pty emulator in Perl using IO::Pty or IPC::Run, or use the Perl SSH library Net::SSH to write your own SSH client. > The application may run from any client (that resides > in a separate NIS/NFS domain) and needs to communicate > with the server with proper authentication. In this > case the SSH password. The application is badly designed, and SSH can't save you. One wonders why you're using SSH at all. -- Jefferson Ogata NOAA Computer Incident Response Team (N-CIRT) From kwelch at useractive.com Tue Jun 8 13:21:50 2004
From: kwelch at useractive.com (Kendell Welch) Date: Mon, 7 Jun 2004 22:21:50 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? Message-ID: Hi All, I'm Kendell, and I'm new to the list. I've been working on an SSH VPN client. I've noticed a possible glitch/bug with OpenSSH on various platforms (Linux and various BSD, but Windows seems to be OK for some reason.) The SSH VPN client can configure SSH tunnels using DNS names instead of IP addresses. It seems that if the client "rapidly" configures a number of tunnels using DNS names instead of IP addy's (say, 5-10 tunnels,) sshd hangs for a minute or more. Eventually sshd "comes back", but in the meantime, no terminal interaction or any other SSH traffic is sent from the server (based on Ethereal observation.) We put sshd into debug mode, and saw the hang was during DNS lookups. A colleague found that running sshd with the -4 option made the problem "go away" (this option forces sshd to run only in IPv4 mode...I think.) The problem manifests itself (at least on Linux) even if the kernel is compiled with IPv6 support. Is there possibly some problem with support for IP and/or DNS lookup for SSH tunnels? My team and I are available for any questions regarding reproducing the problem, and/or other assistance. Thanks! Kendell Welch Vast Range Security http://www.vastrange.com/ P.S. For those of you with Windows 2K/XP, the problem can be demonstrated by using the free-trial version of Safe Passage from: http://www.vastrange.com/ From dtucker at zip.com.au Tue Jun 8 13:47:30 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 08 Jun 2004 13:47:30 +1000 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: References: Message-ID: <40C536D2.6080405@zip.com.au> Kendell Welch wrote: > Hi All, I'm Kendell, and I'm new to the list. > > I've been working on a SSH VPN client. I've noticed a possible > glitch/bug with OpenSSH on various platforms (Linux and various BSD, but > Windows seems to be OK for some reason.) Which Linux distributions/versions, which BSD's, which versions of OpenSSH compiled with which options? > The SSH VPN client can configure SSH tunnels using DNS names instead of IP > addresses. It seems that if the client "rapidly" configures a number of > tunnels using DNS names instead of IP addy's (say, 5-10 tunnels,) sshd > hangs for a minute or more. Eventually sshd "comes back", but in the mean > time, no terminal interaction or any other SSH traffic is sent from the > server (based on Ethereal observation.) It sounds like getaddrinfo() is blocking. Some glibc's are known to take a long time to resolve IPv4or6 addresses: http://www.openssh.com/faq.html#3.3. > We put sshd into debug mode, and saw the hang was during DNS lookups. A > colleague found that running sshd with the -4 option made the problem "go > away" (this option forces sshd to run only in IPv4 mode...I think.) [...] > P.S. For those of you with Windows 2K/XP, the problem can be demonstrated > by using the free-trial version of Safe Passage from: > http://www.vastrange.com/ The feature list for this says "Works with any SSH Server account with no special configurations" and "Securely encrypts any TCP/IP or DNS traffic via SSH keeping your transfered data safe and private." Does this mean that UDP is not supported? It sounds like you're mapping connect() calls (and/or the Winsock equivalent) into direct-tcpip channel requests?
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kwelch at useractive.com Tue Jun 8 15:11:17 2004 
From: kwelch at useractive.com (Kendell Welch) Date: Tue, 8 Jun 2004 00:11:17 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C536D2.6080405@zip.com.au> References: <40C536D2.6080405@zip.com.au> Message-ID: Hi Darren...appreciate the response. Sounds like a possible glibc problem. See responses below: > Which Linux distributions/versions, which BSD's, which versions of > OpenSSH compiled with which options? > Will respond tomorrow with more precise versions/etc. (we did try some 20 different servers...some RH, some custom Linux, some BSD...basically everything we tried except for Windows .) > It sounds like getaddrinfo() is blocking. Some glibc's are known to > take a long time to resolve IPv4or6 addresses: > http://www.openssh.com/faq.html#3.3. > I hadn't seen that FAQ entry...will read up. > > (cut...) P.S. ... http://www.vastrange.com/ > > The features for this list " Works with any SSH Server account with no > special configurations" and "Securely encrypts any TCP/IP or DNS traffic > via SSH keeping your transfered data safe and private." > > Does this mean that UDP is not supported? Safe Passage will not tunnel UDP via SSH. It can configure SSH tunnels to DNS names which the client thinks is the IP address that Safe Passage is configured to tunnel. Safe Passage then negotiates the tunnel with the server, using the DNS name. Hence, the problem...if Safe Passage configures a lot of tunnels in rapid succession (i.e. when a user is using Safe Passage to tunnel to http://www.whatismyipaddress.com/ ... which has a lot of banners on different Domain Names,) the server "locks". > It sound like you're mapping > connect() calls (and/or the Winsock equivalent) into direct-tcpip > channel requests? Not at all...we're intercepting I/O calls (in kernel mode) to the ethernet adapter, and interacting accordingly. 
Safe Passage does not attempt to forward any UDP packets...however, it analyzes and responds to DNS requests from the client...if configured to do so. Thanks! Kendell From dtucker at zip.com.au Tue Jun 8 15:33:17 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 08 Jun 2004 15:33:17 +1000 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: References: <40C536D2.6080405@zip.com.au> Message-ID: <40C54F9D.2000007@zip.com.au> Kendell Welch wrote: > Darren Tucker wrote: >>It sound like you're mapping >>connect() calls (and/or the Winsock equivalent) into direct-tcpip >>channel requests? > > Not at all...we're intercepting I/O calls (in kernel mode) to the ethernet > adapter, and interacting accordingly. Safe Passage does not attempt to > forward any UDP packets...however, it analyzes and responds to DNS > requests from the client...if configured to do so. If you're only seeing ethernet frames then you'd need to have your own little TCP/IP stack to re-assemble the connections, right? Then map them to port forward requests? Just curious... -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kwelch at useractive.com Tue Jun 8 16:57:47 2004 From: kwelch at useractive.com (Kendell Welch) Date: Tue, 8 Jun 2004 01:57:47 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C54F9D.2000007@zip.com.au> References: <40C536D2.6080405@zip.com.au> <40C54F9D.2000007@zip.com.au> Message-ID: > If you're only seeing ethernet frames then you'd need to have your own > little TCP/IP stack to re-assemble the connections, right? Then map > them to port forward requests? Just curious... yes Thanks! Kendell From kwelch at useractive.com Wed Jun 9 07:11:14 2004 
From: kwelch at useractive.com (Kendell Welch) Date: Tue, 8 Jun 2004 16:11:14 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: References: Message-ID:

Below are some details about a few of the servers on which I encountered the hanging DNS problem...I'm afraid that the BSD account I had trouble with is no longer available...Windows OpenSSH servers have never had the problem as best as I can tell.

---Machine 1---
Red Hat Linux release 8.0 (Psyche)
Kernel: Linux 2.4.23-xfs
glibc-2.2.93-5
glibc-devel-2.2.93-5
glibc-common-2.2.93-5
glibc-kernheaders-2.4-7.20
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
---------------
---Machine 2---
Custom Distribution
Kernel: Linux 2.4.25
Glibc Version 2.1 - that's the best answer I could get from our admin :P
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6g 9 Aug 2002
---------------
---Machine 3---
Nomad Linux 2.0
Kernel: 2.4.25 #1 SMP
Glibc Version 2.1 - that's the best answer I could get from our admin :P
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6g 9 Aug 2002
---------------

Thanks! Kendell

On Mon, 7 Jun 2004, Kendell Welch wrote: > Hi All, I'm Kendell, and I'm new to the list. > > I've been working on a SSH VPN client. I've noticed a possible > glitch/bug with OpenSSH on various platforms (Linux and various BSD, but > Windows seems to be OK for some reason.) > > The SSH VPN client can configure SSH tunnels using DNS names instead of IP > addresses. It seems that if the client "rapidly" configures a number of > tunnels using DNS names instead of IP addy's (say, 5-10 tunnels,) sshd > hangs for a minute or more. Eventually sshd "comes back", but in the mean > time, no terminal interaction or any other SSH traffic is sent from the > server (based on Ethereal observation.) > > We put sshd into debug mode, and saw the hang was during DNS lookups.
A > colleague found that running sshd with the -4 option made the problem "go > away" (this option forces sshd to run only in IPv4 mode...I think.) > > The problem manifests itself (at least on Linux) even if the Kernel is > compiled with IPv6 support. > > Is there possibly some problem with support for IP and/or DNS lookup > for SSH tunnels? > > My team and I are available for any questions regarding reproducing the > problem, and/or other assistance. > > Thanks! > Kendell Welch > Vast Range Security > http://www.vastrange.com/ > > P.S. For those of you with Windows 2K/XP, the problem can be demonstrated > by using the free-trial version of Safe Passage from: > http://www.vastrange.com/ > > From dtucker at zip.com.au Wed Jun 9 14:28:43 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 09 Jun 2004 14:28:43 +1000 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: References: Message-ID: <40C691FB.3060105@zip.com.au>

Kendell Welch wrote: > Below are some details about a few of the servers on which I encountered > the hanging DNS problem...I'm afraid that the BSD account I had trouble > with is no longer available...Windows OpenSSH servers have never had the > problem as best as I can tell. [..]

Try this test program to see how long various get*info operations take, it approximates what sshd will do. Feed it a list of names equivalent to what your clients are looking up, eg:

$ ./a.out www.openssh.com www.openbsd.org openbsd.org www.ibm.com
www.openssh.com:1383 getaddrinfo(0.458s) getnameinfo(0.000s)
www.openbsd.org:966 getaddrinfo(0.502s) getnameinfo(0.000s)
openbsd.org:2153 getaddrinfo(0.181s) getnameinfo(0.000s)
www.ibm.com:2163 getaddrinfo(0.423s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s)

Also try with and without nscd running on your hosts.

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part -------------- A non-text attachment was scrubbed... Name: getaddrinfospeed.c Type: text/x-csrc Size: 1603 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040609/787c3b71/attachment.bin

From kwelch at useractive.com Wed Jun 9 15:27:44 2004
From: kwelch at useractive.com (Kendell Welch) Date: Wed, 9 Jun 2004 00:27:44 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C691FB.3060105@zip.com.au> References: <40C691FB.3060105@zip.com.au> Message-ID: Hi Darren, Below are my results...see comments after that. On Wed, 9 Jun 2004, Darren Tucker wrote: > Kendell Welch wrote: > > Below are some details about a few of the servers on which I encountered > > the hanging DNS problem...I'm afraid that the BSD account I had trouble > > with is no longer available...Windows OpenSSH servers have never had the > > problem as best as I can tell. > [..] > > Try this test program to see how long various get*info operations take, > it approximates what sshd will do. Feed it a list of names equivalent > to what your clients are looking up, eg: > > $ ./a.out www.openssh.com www.openbsd.org openbsd.org www.ibm.com Here is a copy-and-paste of my runs of your program (had to make a #include adjustment for time.h on my platform.) 
The second test is for all domains that I believe http://www.whatismyipaddress.com/ refers to (I have also changed the shell hostname for privacy reasons):

---BEGIN CLIP---
server:~> ./a.out www.openssh.com www.openbsd.org openbsd.org www.ibm.com
www.openssh.com:1383 getaddrinfo(0.004s) getnameinfo(0.000s)
www.openbsd.org:966 getaddrinfo(0.004s) getnameinfo(0.000s)
openbsd.org:2153 getaddrinfo(0.002s) getnameinfo(0.000s)
www.ibm.com:2163 getaddrinfo(0.107s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s) getnameinfo(0.000s)
server:~> ./a.out mirror.qkimg.net www.dsis.net cserver.mii.instacontent.net www.qksrv.net toolbarqueries.google.com media27.fastclick.net
mirror.qkimg.net:1383 getaddrinfo(85.165s) getnameinfo(0.000s)
www.dsis.net:966 getaddrinfo(0.147s) getnameinfo(0.000s)
cserver.mii.instacontent.net:2153 getaddrinfo(85.161s) getnameinfo(0.000s)
www.qksrv.net:2163 getaddrinfo(0.130s) getnameinfo(0.000s)
toolbarqueries.google.com:3153 getaddrinfo(0.075s) getnameinfo(0.000s) getnameinfo(0.000s)
media27.fastclick.net:3327 getaddrinfo(0.068s) getnameinfo(0.000s)
server:~>
----END CLIP----

Noticing the slowness of getaddrinfo, specifically with mirror.qkimg.net, www.dsis.net, and cserver.mii.instacontent.net, I decided to run that same program only on those hosts:

---BEGIN CLIP---
server:~> ./a.out mirror.qkimg.net
mirror.qkimg.net:1383 getaddrinfo(85.207s) getnameinfo(0.000s)
server:~> ./a.out www.dsis.net
www.dsis.net:1383 getaddrinfo(0.003s) getnameinfo(0.000s)
server:~> ./a.out cserver.mii.instacontent.net
cserver.mii.instacontent.net:1383 getaddrinfo(85.238s) getnameinfo(0.000s)
server:~>
----END CLIP----

Clearly, there's a problem with at least two of these Domain Names. Is it misconfigured DNS? Your program appears to call pure libraries...is this a bug in glibc? Thanks for any input! Kendell From kwelch at useractive.com Wed Jun 9 15:32:03 2004
From: kwelch at useractive.com (Kendell Welch) Date: Wed, 9 Jun 2004 00:32:03 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C691FB.3060105@zip.com.au> References: <40C691FB.3060105@zip.com.au> Message-ID: > > Also try with and without nscd running on your hosts. > Almost missed this...will ask my admin tomorrow about nscd. Thanks! Kendell From dtucker at zip.com.au Wed Jun 9 15:52:07 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 09 Jun 2004 15:52:07 +1000 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: References: <40C691FB.3060105@zip.com.au> Message-ID: <40C6A587.4070602@zip.com.au>

Kendell Welch wrote: > server:~> ./a.out mirror.qkimg.net > mirror.qkimg.net:1383 getaddrinfo(85.207s) getnameinfo(0.000s) [...] > Clearly, there's a problem with at least two of these Domain Names. Is it > misconfigured DNS? Your program appears to call pure libraries...is this > a bug in glibc?

Looks like busted DNS for those problem domains.

$ nslookup -silent
> set type=soa
> qkimg.net.
Server: 192.168.32.1
Address: 192.168.32.1#53

Non-authoritative answer:
qkimg.net
 origin = ns2.cj.com
 mail addr = techops.cj.com
 serial = 2003043009
 refresh = 3600
 retry = 900
 expire = 604800
 minimum = 3600

Authoritative answers can be found from:
qkimg.net nameserver = ns2.cj.com.
qkimg.net nameserver = ns3.cj.com.
> server ns2.cj.com.
Default server: ns2.cj.com.
Address: 216.34.209.26#53
> set type=a
> mirror.qkimg.net.
Server: ns2.cj.com.
Address: 216.34.209.26#53

Non-authoritative answer:
mirror.qkimg.net canonical name = c.mii.instacontent.net.
Name: c.mii.instacontent.net
Address: 65.216.116.114
> set type=aaaa
> mirror.qkimg.net.
[..hangs..]
;; connection timed out; no servers could be reached
> set class=chaos
> set type=txt
> version.bind
Server: ns2.cj.com.
Address: 216.34.209.26#53

VERSION.BIND text = "8.3.4-REL"

tcpdump shows the AAAA requests being sent, but no answer is received. It looks like the DNS server just drops the requests rather than sending a negative reply.

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From kwelch at useractive.com Wed Jun 9 15:58:24 2004
From: kwelch at useractive.com (Kendell Welch) Date: Wed, 9 Jun 2004 00:58:24 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C6A587.4070602@zip.com.au> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> Message-ID: Hi Darren, Thanks for your investigation time! I see what you mean, and am now thinking along the same lines you are. Will forward to our admin team. Thanks Again! Kendell Welch http://www.vastrange.com/ > > Looks like busted DNS for those problem domains. > From gert at greenie.muc.de Wed Jun 9 21:25:13 2004 
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 9 Jun 2004 13:25:13 +0200 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C6A587.4070602@zip.com.au>; from dtucker@zip.com.au on Wed, Jun 09, 2004 at 03:52:07PM +1000 References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> Message-ID: <20040609132513.E5363@greenie.muc.de> Hi, On Wed, Jun 09, 2004 at 03:52:07PM +1000, Darren Tucker wrote: > tcpdump shows the AAAA requests being sent, but no answer is received. > It looks like the DNS server just drops the requests rather than sending > a negative reply. Which is a well-known misbehaviour of some DNS server "implementations", unfortunately. If you're interested in more details, see the IETF-Draft draft-ietf-dnsop-ipv6-dns-issues-07.txt, section 3, "observed DNS implementation misbehaviour", and also (for further sources of surprise) draft-ietf-dnsop-misbehavior-against-aaaa-01. The essence of it is that there is not very much a client resolver can do about it - it can query v4 and v6 in parallel (which is something the C library would need to do internally) or just use v4 only, which would be an unfortunate step backwards. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From dan at doxpara.com Thu Jun 10 03:38:37 2004 
From: dan at doxpara.com (Dan Kaminsky) Date: Wed, 09 Jun 2004 10:38:37 -0700 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C6A587.4070602@zip.com.au> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> Message-ID: <40C74B1D.2070300@doxpara.com> The fundamental issue, last I checked, is that there's traditionally a number of calls in sshd that if one channel blocks, the entire application freezes. I haven't tested this issue in years, but the two cases that were the most problematic were: 1) Opening a port forward to a non-existent IP, and 2) Doing a DNS lookup for a non-existent target. What was somewhat effective in mitigating this bug was to create some sort of process on the remote host that would forcibly create keepalive traffic in the server->client direction; something like: ssh user at host "watch echo foo" This is ultimately a fundamental weakness in the sshd architecture, and the only ironclad solution is to use one primary sshd for hosts that have proven themselves responsive, and then a variable size pool for new connections. To maintain correct semantics, the first connection to any host would have to go through the pool, while all future links could go through the primary link. It would be very expensive to run ten remote ssh daemons, though. Try not to do that :) --Dan From markus at openbsd.org Thu Jun 10 04:18:23 2004 From: markus at openbsd.org (Markus Friedl) Date: Wed, 9 Jun 2004 20:18:23 +0200 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C74B1D.2070300@doxpara.com> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> Message-ID: <20040609181822.GA1010@folly> On Wed, Jun 09, 2004 at 10:38:37AM -0700, Dan Kaminsky wrote: > 1) Opening a port forward to a non-existent IP, and no, this should not freeze with openssh's sshd. From djm at mindrot.org Thu Jun 10 08:11:05 2004 
From: djm at mindrot.org (Damien Miller) Date: Thu, 10 Jun 2004 08:11:05 +1000 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C74B1D.2070300@doxpara.com> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> Message-ID: <40C78AF9.1040702@mindrot.org> Dan Kaminsky wrote: > 2) Doing a DNS lookup for a non-existent target. That will freeze, because there isn't a good cross-platform async DNS API. > This is ultimately a fundamental weakness in the sshd architecture, I don't think this is an architectural problem - we already do everything else in an event-driven manner. If there was a decent async DNS API we could do this too. It would be possible to fake one up - fork a child for DNS resolution and have it send back a list of { af, addr }. One would need to be careful wrt limits on the number of such children, reaping them, etc. > the only ironclad solution For now, don't use hostnames in forwarding specifications. -d From kwelch at useractive.com Thu Jun 10 17:55:22 2004
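Damien's sketch above (fork a child for the lookup and have it send back a list of { af, addr }) carried through as an added example. It is not OpenSSH code, and it does not reproduce Darren's scrubbed getaddrinfospeed.c attachment; the names resolve_with_deadline, resolver_child and struct resolved_addr are this example's. The delay_s parameter is a constructed stand-in for a nameserver that drops AAAA queries, which is what produced the 85-second getaddrinfo() times earlier in the thread; it is not a real resolver timeout. The point demonstrated is that only the helper blocks: the parent keeps its event loop (a lone select() here), regains control at its own deadline, and kills and reaps the helper, which covers the reaping concern Damien raises.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define RESOLVE_ERROR   (-1)   /* helper failed (getaddrinfo error, fork/pipe) */
#define RESOLVE_TIMEOUT (-2)   /* deadline expired; helper was killed */
struct resolved_addr { int af; unsigned char addr[16]; };  /* AF_INET: 4 bytes used */

/* Helper process: the only caller of getaddrinfo(). If the resolver hangs,
 * only this child hangs, not the daemon. Each {af, addr} record is one small
 * pipe write. delay_s is a constructed stand-in for a nameserver that silently
 * drops AAAA queries; it is not a real DNS timeout. */
static void resolver_child(int wfd, const char *name, unsigned delay_s)
{
	struct addrinfo hints, *res, *ai;
	struct resolved_addr r;

	if (delay_s > 0)
		sleep(delay_s);
	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC;     /* as sshd does: ask for both families */
	hints.ai_socktype = SOCK_STREAM;
	if (getaddrinfo(name, NULL, &hints, &res) != 0)
		_exit(1);
	for (ai = res; ai != NULL; ai = ai->ai_next) {
		memset(&r, 0, sizeof r);
		r.af = ai->ai_family;
		if (r.af == AF_INET)
			memcpy(r.addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 4);
		else if (r.af == AF_INET6)
			memcpy(r.addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
		else
			continue;
		if (write(wfd, &r, sizeof r) != (ssize_t)sizeof r)
			break;
	}
	freeaddrinfo(res);
	_exit(0);
}

/* Parent: fork the helper, collect up to max records until EOF or the deadline,
 * then reap it (after SIGKILL if it is still stuck). A daemon would add the
 * pipe to its main select() set beside the channel fds; here it is waited on
 * alone. Returns the record count or a RESOLVE_* code. */
int resolve_with_deadline(const char *name, unsigned delay_s, int timeout_s,
    struct resolved_addr *addrs, int max)
{
	int p[2], status, n, count = 0, timed_out = 0;
	time_t deadline, left;
	struct timeval tv; fd_set rfds;
	struct resolved_addr r; ssize_t got; pid_t pid;

	if (pipe(p) == -1)
		return RESOLVE_ERROR;
	if ((pid = fork()) == -1) { close(p[0]); close(p[1]); return RESOLVE_ERROR; }
	if (pid == 0) { close(p[0]); resolver_child(p[1], name, delay_s); }  /* never returns */
	close(p[1]);
	deadline = time(NULL) + timeout_s;
	while ((left = deadline - time(NULL)) > 0) {
		tv.tv_sec = left; tv.tv_usec = 0;
		FD_ZERO(&rfds); FD_SET(p[0], &rfds);
		n = select(p[0] + 1, &rfds, NULL, NULL, &tv);
		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0)                   /* deadline hit (or select() failed) */
			break;
		if ((got = read(p[0], &r, sizeof r)) <= 0)   /* EOF: helper is done */
			goto done;
		if (got == (ssize_t)sizeof r && count < max)
			addrs[count++] = r;
	}
	timed_out = 1;
	kill(pid, SIGKILL);                   /* don't leave hung helpers around */
done:
	close(p[0]);
	waitpid(pid, &status, 0);
	if (timed_out)
		return RESOLVE_TIMEOUT;
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		return RESOLVE_ERROR;
	return count;
}

/* Numeric address, so no DNS is involved: 1 if 127.0.0.1 arrives as an
 * AF_INET record inside a 5s deadline (the normal, fast path). */
int demo_fast_lookup(void)
{
	struct resolved_addr a[4];
	int n = resolve_with_deadline("127.0.0.1", 0, 5, a, 4);

	return n >= 1 && a[0].af == AF_INET && a[0].addr[0] == 127 && a[0].addr[3] == 1;
}
```

With a stalled helper, resolve_with_deadline("127.0.0.1", 3, 1, NULL, 0) returns RESOLVE_TIMEOUT after about one second instead of the helper's three, which is the difference between one forwarding request being slow and the whole connection freezing. A real daemon would additionally cap the number of outstanding helpers per connection, since each forwarding request now costs a fork.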
From: kwelch at useractive.com (Kendell Welch) Date: Thu, 10 Jun 2004 02:55:22 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C7A477.1070206@doxpara.com> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> Message-ID: Hi All, It seems to me that the problem here is that some DNS servers don't respond to IPv6 DNS queries correctly (query type=aaaa)...perhaps I'm wrong. Now, I don't know how easy it would be to implement in a cross-platform manner, but doesn't it seem reasonable that clients (aka. sshd servers) which are not configured for IPv6 addresses would have no need for looking up IPv6 addresses via DNS? Could sshd determine if the machine was configured with IPv6 addresses, and if not, simply not make IPv6 DNS requests??? Perhaps I'm ignorant of common (X)NIX programming (I'm a Windows API programmer,) but it seems to me that such a solution would avoid this problem. Thanks! Kendell On Wed, 9 Jun 2004, Dan Kaminsky wrote: > Damien Miller wrote: > > >Dan Kaminsky wrote: > > > > > > > >>2) Doing a DNS lookup for a non-existent target. > >> > >> > > > >That will freeze, because there isn't a good cross-platform async > >DNS > > > Well, there's always: > > a) Wrapping gethostbyname in a thread (requires server mods) > b) Executing "host" or "nslookup" over a channel. > > >>This is ultimately a fundamental weakness in the sshd architecture, > >> > >> > > > >I don't think this is an architectural problem - we already do > >everything else in an event-driven manner, If there was a decent > >async DNS API we could do this too. > > > > > > > It's totally an architectural problem, very much like that Cisco fault a > while back where unresolved packets in unassigned protocols would > eventually cause the entire system to fall over. If one channel kills > the rest, there's an architectural fault. 
> > Now, an easy or elegant to resolve fault, it ain't :-) > > >It would be possible to fake one up - fork a child for DNS resolution > >and have it send back a list of { af, addr }. One would need to be > >careful wrt limits on the number of such children, reaping them, etc. > > > > > > > *nods* > > >>the only ironclad solution > >> > >> > > > >For now, don't use hostname is forwarding specifications. > > > > > > > He needs to; it's insecure to trust local DNS (the #1 problem with > dynamic forwarding). > > --Dan > From gert at greenie.muc.de Thu Jun 10 18:35:53 2004 
From: gert at greenie.muc.de (Gert Doering) Date: Thu, 10 Jun 2004 10:35:53 +0200 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: ; from kwelch@useractive.com on Thu, Jun 10, 2004 at 02:55:22AM -0500 References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> Message-ID: <20040610103553.H5363@greenie.muc.de> Hi, On Thu, Jun 10, 2004 at 02:55:22AM -0500, Kendell Welch wrote: > I seems to me that the problem here is that some DNS servers don't respond > to IPv6 DNS queries correctly (query type=aaaa)... Yes. See the ietf-draft documents that I've mentioned. > Now, I don't know how easy it would be to implement in a cross-platform > mannar, but doesn't it seem reasonable that clients (aka. sshd servers) > which are not configured for IPv6 addresses would have no need for looking > up IPv6 addresses via DNS? > > Could sshd determine if the machine was configured with IPv6 addresses, > and if not, simply not make IPv6 DNS requests??? Perhaps I'm ignorant of > common (X)NIX programming (I'm a Windows API programmer,) but it seems to > me that such a solution would avoid this problem. Actually it will only help for servers that are IPv4-only - and on those, you can just run "sshd -4". The problem is worse for machines that have IPv4 and IPv6 connectivity (most of our servers do, and company-internal SSH traffic is mostly IPv6 nowadays), because you will still run into those problems when port- forwarding to hosts with broken DNS servers. In that scenario, the only workable approach is to complain to the people running the authoritative DNS servers for the "non-working" DNS zones... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From kwelch at useractive.com Fri Jun 11 05:47:02 2004 
From: kwelch at useractive.com (Kendell Welch) Date: Thu, 10 Jun 2004 14:47:02 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <20040610103553.H5363@greenie.muc.de> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> <20040610103553.H5363@greenie.muc.de> Message-ID: Hi, > > Actually it will only help for servers that are IPv4-only - and on those, > you can just run "sshd -4". > Wouldn't it make more sense to offer a "sshd -6" option that people desiring IPv6 functionality should enable? I understand that some or all of you may use IPv6 on your networks, but the vast majority of the Internet community does not...it seems to me that the exception should be IPv6, not IPv4. Thanks! Kendell From mouring at etoh.eviladmin.org Fri Jun 11 07:03:27 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 10 Jun 2004 16:03:27 -0500 (CDT) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: Message-ID: On Thu, 10 Jun 2004, Kendell Welch wrote: > Hi, > > > > > Actually it will only help for servers that are IPv4-only - and on those, > > you can just run "sshd -4". > > > > Wouldn't it make more sense to offer a "sshd -6" option that people > desiring IPv6 functionlity should enable? I understand that some or all > of you may use IPv6 on your networks, but the vast majority of the > Internet community does not...it seems to me that the exception should be > IPv6, not IPv4. > Both sshd and ssh support -4/-6 to force it into one or the other mode. - Ben From gert at greenie.muc.de Fri Jun 11 07:14:50 2004
From: gert at greenie.muc.de (Gert Doering) Date: Thu, 10 Jun 2004 23:14:50 +0200 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: ; from kwelch@useractive.com on Thu, Jun 10, 2004 at 02:47:02PM -0500 References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> <20040610103553.H5363@greenie.muc.de> Message-ID: <20040610231449.I5363@greenie.muc.de> Hi, On Thu, Jun 10, 2004 at 02:47:02PM -0500, Kendell Welch wrote: > > Actually it will only help for servers that are IPv4-only - and on those, > > you can just run "sshd -4". > > Wouldn't it make more sense to offer a "sshd -6" option that people > desiring IPv6 functionlity should enable? I understand that some or all > of you may use IPv6 on your networks, but the vast majority of the > Internet community does not...it seems to me that the exception should be > IPv6, not IPv4. Using whatever protocol available is the way forward. Every decent application should behave the way ssh/sshd do, without explicitly enabling IP multiprotocol support. Fix the problem, not the symptoms. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From dan at doxpara.com Thu Jun 10 09:59:51 2004
From: dan at doxpara.com (Dan Kaminsky) Date: Wed, 09 Jun 2004 16:59:51 -0700 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C78AF9.1040702@mindrot.org> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> Message-ID: <40C7A477.1070206@doxpara.com> Damien Miller wrote: >Dan Kaminsky wrote: > > > >>2) Doing a DNS lookup for a non-existent target. >> >> > >That will freeze, because there isn't a good cross-platform async >DNS > Well, there's always: a) Wrapping gethostbyname in a thread (requires server mods) b) Executing "host" or "nslookup" over a channel. >>This is ultimately a fundamental weakness in the sshd architecture, >> >> > >I don't think this is an architectural problem - we already do >everything else in an event-driven manner, If there was a decent >async DNS API we could do this too. > > > It's totally an architectural problem, very much like that Cisco fault a while back where unresolved packets in unassigned protocols would eventually cause the entire system to fall over. If one channel kills the rest, there's an architectural fault. Now, an easy or elegant to resolve fault, it ain't :-) >It would be possible to fake one up - fork a child for DNS resolution >and have it send back a list of { af, addr }. One would need to be >careful wrt limits on the number of such children, reaping them, etc. > > > *nods* >>the only ironclad solution >> >> > >For now, don't use hostname is forwarding specifications. > > > He needs to; it's insecure to trust local DNS (the #1 problem with dynamic forwarding). --Dan From djm at mindrot.org Fri Jun 11 10:22:55 2004 
From: djm at mindrot.org (Damien Miller) Date: Fri, 11 Jun 2004 10:22:55 +1000 (EST) Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40C7A477.1070206@doxpara.com> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> Message-ID: On Wed, 9 Jun 2004, Dan Kaminsky wrote: > It's totally an architectural problem, very much like that Cisco fault a > while back where unresolved packets in unassigned protocols would > eventually cause the entire system to fall over. If one channel kills > the rest, there's an architectural fault. I think you have a very different definition of "architectural": I mean that there is nothing in sshd's design that precludes implementation of this. The actual changes are fairly straightforward. As always, someone interested just needs to do the work. -d From steve.belt at freescale.com Sat Jun 12 03:03:43 2004 
From: steve.belt at freescale.com (Steve Belt (rgpg70)) Date: Fri, 11 Jun 2004 12:03:43 -0500 Subject: LDAP issues with 3.8.1p1 Message-ID: <40C9E5EF.5000808@freescale.com> Hello, I have recently compiled and installed release 3.8.1p1. This was done on a Solaris 8 system using LDAP as its naming service. The new release, however, will not let me log in (as a regular user). I repeatedly get "Permission denied, please try again" messages. The root user, though, can log in okay. The same thing happened with the 3.7.1p2 release. The 3.6.1p1 release (which is currently running on the machine) works okay, however. All were compiled in the same manner (--prefix=/opt/openssh as the only arg). So, it seems something changed between the 3.6.1p1 release and the 3.7.1p2 release with regards to LDAP that affects user authentication. I was in hopes this would be "corrected" with the 3.8.1p1 release, but it seems it has not. Both the 3.7.1p2 and 3.8.1p1 releases, however, work fine on machines using NIS as the naming service. It would appear, then, that openssh is having trouble with the LDAP name service and user authentication. The root user is allowed access probably due to the fact that its account info is local to the machine (/etc/passwd), and is not obtained through the name service. Any help/info on running the current release of openssh with LDAP would be greatly appreciated. Thanks, -- Steve "Wheat" Belt Motorola, Inc. Steve.Belt at motorola.com 6501 William Cannon Dr. West, MD OE341 512-895-2268 Austin, TX 78735 From vdanen at linsec.ca Sat Jun 12 04:44:31 2004 
From: vdanen at linsec.ca (Vincent Danen) Date: Fri, 11 Jun 2004 12:44:31 -0600 Subject: LDAP issues with 3.8.1p1 In-Reply-To: <40C9E5EF.5000808@freescale.com> References: <40C9E5EF.5000808@freescale.com> Message-ID: <6021C714-BBD7-11D8-9CC9-000A9598BFB2@linsec.ca> On Jun 11, 2004, at 11:03 AM, Steve Belt (rgpg70) wrote: > I have recently compiled and installed release 3.8.1p1. This was done > on a Solaris 8 system using LDAP as its naming service. The new > release, however, will not let me log in (as a regular user). I > repeatedly get "Permission denied, please try again" messages. The > root user, though, can log in okay. The same thing happened with the > 3.7.1p2 release. The 3.6.1p1 release (which is currently running on > the machine) works okay, however. All were compiled in the same > manner (--prefix=/opt/openssh as the only arg). > > So, it seems something changed between the 3.6.1p1 release and the > 3.7.1p2 release with regards to LDAP that affects user authentication. > I was in hopes this would be "corrected" with the 3.8.1p1 release, but > it seems it has not. Both the 3.7.1p2 and 3.8.1p1 releases, however, > work fine on machines using NIS as the naming service. It would > appear, then, that openssh is having trouble with the LDAP name > service and user authentication. The root user is allowed access > probably due to the fact that its account info is local to the machine > (/etc/passwd), and is not obtained through the name service. > > Any help/info on running the current release of openssh with LDAP > would be greatly appreciated. You have to enable UsePAM. I'm assuming you're using pam_ldap and nss_ldap for your authentication. This has been discussed previously on the list. Setting UsePAM yes should do the trick for you. 
-- OpenSLS - Secure Linux Server: http://opensls.org/ "lynx -source http://linsec.ca/vdanen.asc | gpg --import" {FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD} -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040611/572388b1/attachment.bin From dan at doxpara.com Sat Jun 12 05:14:42 2004 
From: dan at doxpara.com (Dan Kaminsky) Date: Fri, 11 Jun 2004 12:14:42 -0700 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> Message-ID: <40CA04A2.7060907@doxpara.com> Damien Miller wrote: >On Wed, 9 Jun 2004, Dan Kaminsky wrote: > > > >>It's totally an architectural problem, very much like that Cisco fault a >>while back where unresolved packets in unassigned protocols would >>eventually cause the entire system to fall over. If one channel kills >>the rest, there's an architectural fault. >> >> > >I think you have a very different definition of "architectural": I mean >that there is nothing in sshd's design that precludes implementation of >this. The actual changes are fairly straightforward. > >As always, someone interested just needs to do the work. > >-d > > What I meant by this being an architectural fault is that while sshd invocations are entirely independent (one session dying does not kill the entire server, IIS4/5 style), a particular sshd invocation cooperatively shares resources across its list of channels. That means that if any individual channel blocks, for any reason, all freeze. If each channel was managed by an individual thread, the architectural fault would be resolved. Note, I didn't say this was a good idea -- just that it would make it impossible for any particular channel to affect traffic outside of its own context, except through the rich library of non-deterministic bugs threading is famous for :) We can, and I'm sure eventually will include some sort of async DNS support in sshd. That will solve this particular malady, wherein an external server can by withholding a DNS response cease the flow of execution within sshd. 
But the architectural fault is that sshd trusts that certain functions will necessarily return in a reasonable amount of time, and that's simply not necessarily the case. I have found that forcing the remote server to have some server->client communication on a regular basis can kick me out of certain loops. Perhaps an alarm/signal combo might be helpful...? --Dan From djm at mindrot.org Sat Jun 12 11:27:20 2004 
From: djm at mindrot.org (Damien Miller) Date: Sat, 12 Jun 2004 11:27:20 +1000 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40CA04A2.7060907@doxpara.com> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> <40CA04A2.7060907@doxpara.com> Message-ID: <40CA5BF8.4030405@mindrot.org> Dan Kaminsky wrote: > What I meant by this being an architectural fault is that while sshd > invocations are entirely independent (one session dying does not kill > the entire server, IIS4/5 style), a particular sshd invocation > cooperatively shares resources across its list of channels. That means > that if any individual channel blocks, for any reason, all freeze. I don't know what you mean: the channels are built around non-blocking sockets and each channel has its own independent buffering. A stalling connect or write on a channel will not stall the others. The only thing that causes such stalls is DNS lookups at the moment. > If each channel was managed by an individual thread, the architectural > fault would be resolved. This isn't an architectural flaw - it is just normal event-driven programming. The fact that DNS isn't yet properly event driven in our implementation is a bug, not an indictment of the model. > I have found that forcing the remote server to have some server->client > communication on a regular basis can kick me out of certain loops. > Perhaps an alarm/signal combo might be helpful...? {Client,Server}AliveInterval -d From markus at openbsd.org Sat Jun 12 18:09:59 2004
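The child-resolver idea Damien sketches earlier in this thread (fork a child for the lookup, have it send back a list of { af, addr } records, and be careful about reaping the children), written out as an added example. This is not OpenSSH code and nothing like it was merged; it only shows the mechanism the thread is arguing about: the parent never calls the blocking resolver, it polls a pipe with a deadline, and a nameserver that withholds its answer gets the child killed instead of stalling the caller. The `stall_ms` parameter is an artificial delay that exists only to exercise the timeout path, and `main()` passes AI_NUMERICHOST so the demo runs with no network at all.

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <netinet/in.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Fixed-size { af, addr } record: all the parent ever read()s from the pipe. */
struct addr_rec {
    int af;                  /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* 4 or 16 significant bytes */
};

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Child: the only place the blocking getaddrinfo() is called.  stall_ms is a
 * demo-only artificial delay standing in for a nameserver that never answers. */
static void resolver_child(int fd, const char *host, int flags, int stall_ms)
{
    struct addrinfo hints, *res, *ai;
    if (stall_ms > 0) {
        struct timespec ts;
        ts.tv_sec = stall_ms / 1000;
        ts.tv_nsec = (stall_ms % 1000) * 1000000L;
        nanosleep(&ts, NULL);
    }
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        _exit(1);                      /* unresolvable: parent just sees EOF */
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        struct addr_rec r;
        memset(&r, 0, sizeof r);
        r.af = ai->ai_family;
        if (r.af == AF_INET)
            memcpy(r.addr, &((struct sockaddr_in *)ai->ai_addr)->sin_addr, 4);
        else if (r.af == AF_INET6)
            memcpy(r.addr, &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr, 16);
        else
            continue;
        if (write(fd, &r, sizeof r) != (ssize_t)sizeof r)
            _exit(1);
    }
    freeaddrinfo(res);
    _exit(0);
}

/* Parent: wait on the pipe with a deadline instead of calling the resolver.
 * Returns the record count (0 if the name does not resolve), or -1 once the
 * deadline passes, in which case the child is killed.  Either way the child
 * is reaped, so stalled lookups cannot pile up as zombies. */
int resolve_with_deadline(const char *host, int flags, int stall_ms,
                          int timeout_ms, struct addr_rec *out, int max)
{
    int pfd[2], n = 0, failed = 0, status;
    long deadline, left; ssize_t got; struct addr_rec rec; pid_t pid;
    if (pipe(pfd) == -1)
        return -1;
    if ((pid = fork()) == -1) { close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) { close(pfd[0]); resolver_child(pfd[1], host, flags, stall_ms); }
    close(pfd[1]);
    deadline = now_ms() + timeout_ms;
    for (;;) {
        struct pollfd p = { pfd[0], POLLIN, 0 };
        left = deadline - now_ms();
        if (poll(&p, 1, left > 0 ? (int)left : 0) <= 0) { failed = 1; break; }
        got = read(pfd[0], &rec, sizeof rec);
        if (got != (ssize_t)sizeof rec) { failed = (got != 0); break; }  /* 0 = EOF */
        if (n < max)
            out[n++] = rec;
    }
    close(pfd[0]);
    if (failed)
        kill(pid, SIGKILL);
    waitpid(pid, &status, 0);   /* always reap */
    return failed ? -1 : n;
}

int main(void)
{
    struct addr_rec out[4];
    printf("127.0.0.1: %d record(s)\n", resolve_with_deadline("127.0.0.1", AI_NUMERICHOST, 0, 2000, out, 4));
    printf("stalled: %d\n", resolve_with_deadline("127.0.0.1", AI_NUMERICHOST, 3000, 200, out, 4));
    return 0;
}
```

What Darren and Damien's {Client,Server}AliveInterval suggestion cannot do is bound a single blocked library call inside the process; the deadline here does exactly that, and the cost is the fork per lookup and the child-count limit the thread already flags.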
From: markus at openbsd.org (Markus Friedl) Date: Sat, 12 Jun 2004 10:09:59 +0200 Subject: problem with DNS lookups on non-IPv4-only-mode? In-Reply-To: <40CA04A2.7060907@doxpara.com> References: <40C691FB.3060105@zip.com.au> <40C6A587.4070602@zip.com.au> <40C74B1D.2070300@doxpara.com> <40C78AF9.1040702@mindrot.org> <40C7A477.1070206@doxpara.com> <40CA04A2.7060907@doxpara.com> Message-ID: <20040612080959.GA2311@folly> On Fri, Jun 11, 2004 at 12:14:42PM -0700, Dan Kaminsky wrote: > If each channel was managed by an individual thread, the architectural > fault would be resolved. Note, I didn't say this was a good idea so i'm adding, that this is not a good idea. and it's not an architectural fault. the standard resolver API is blocking, but we won't add an extra resolver, like squid does. From dvschweiger at web.de Mon Jun 14 10:45:29 2004
From: dvschweiger at web.de (David Schweiger) Date: Mon, 14 Jun 2004 02:45:29 +0200 Subject: Xprint support in OpenSSH? Message-ID: <396033170@web.de> Hello, Does OpenSSH have any plans yet to extend the existing X11 forwarding support to include Xprint - the XOrg standard for printing? Documentation can be found at http://xprint.mozdev.org/docs/ The only change required to have Xprint support is to forward the X print server connection referenced by the XPSERVERLIST environment variable similar to the video display server referenced by the DISPLAY environment variable. Thanks, David (please keep me in the CC: when replying to the list, I am not subscribed to openssh-unix-dev at mindrot.org) ____________________________________________________ Record, send, be close - WEB.DE Video-Mail is that easy: http://freemail.web.de/?mc=021200 From djm at mindrot.org Mon Jun 14 11:05:24 2004 From: djm at mindrot.org (Damien Miller) Date: Mon, 14 Jun 2004 11:05:24 +1000 Subject: Xprint support in OpenSSH? In-Reply-To: <396033170@web.de> References: <396033170@web.de> Message-ID: <40CCF9D4.90401@mindrot.org> David Schweiger wrote: > Hello, > > Does OpenSSH have any plans yet to extend the existing X11 forwarding > support to include Xprint - the XOrg standard for printing? > Documentation can be found at http://xprint.mozdev.org/docs/ > > The only change required to have Xprint support is to forward the X > print server connection referenced by the XPSERVERLIST environment > variable similar to the video display server referenced by the > DISPLAY environment variable. We don't have any plans to support this at present - IIRC the protocol only allows forwarding of a single X channel. There was some discussion on the ietf-ssh at netbsd.org mailing list back in April on the issue of multiple X forwardings, but it seems to have fizzled out without producing a complete spec. -d From gleydson at server2.ssh.org Tue Jun 15 00:02:10 2004
From: gleydson at server2.ssh.org (gleydson at server2.ssh.org) Date: Mon, 14 Jun 2004 11:02:10 -0300 Subject: take it Message-ID: <20040614140136.90F2627C187@shitei.mindrot.org> i hope thats not true! -------------- next part -------------- A non-text attachment was scrubbed... Name: description.zip Type: application/x-zip-compressed Size: 25481 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040614/05bb78d3/attachment.bin From debian-user-portuguese at lists.debian.org Tue Jun 15 06:21:15 2004 From: debian-user-portuguese at lists.debian.org (debian-user-portuguese at lists.debian.org) Date: Mon, 14 Jun 2004 17:21:15 -0300 Subject: abuse? Message-ID: <20040614202059.AAF9D27C187@shitei.mindrot.org> in your mind? -------------- next part -------------- A non-text attachment was scrubbed... Name: image_class_photos.zip Type: application/x-zip-compressed Size: 25503 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040614/bb828329/attachment.bin From jvijayku at cisco.com Tue Jun 15 19:14:46 2004 
From: jvijayku at cisco.com (Jayarama Vijay Kumar) Date: Tue, 15 Jun 2004 14:44:46 +0530 Subject: ssh daemon fails to call pam when user does not exist in /etc/passwd Message-ID: <40CEBE06.4020802@cisco.com>
Hi,
We recently upgraded to openssh-3.7.1p2. Our architecture is: the ssh daemon uses a pam module which sends requests to remote radius/tacacs+ servers based on configuration. Now if I create the user in /etc/passwd, then ssh daemon calls pam and everything works fine. But if the user is not present in /etc/passwd, then ssh daemon is not calling pam. The debug log is given below. All these were working in prior versions. Any idea why there is a dependency on local user accounts? I have also given sshd's pam file. Any help is greatly appreciated.
vijay

debug log
=======
debug1: userauth-request for user jvijayku service ssh-connection method none
debug1: attempt 0 failures 0
Illegal user jvijayku from 64.104.131.187
input_userauth_request: illegal user jvijayku
debug1: PAM: initializing for "jvijayku"
debug3: Trying to reverse map address 64.104.131.187.
debug1: PAM: setting PAM_RHOST to "64.104.131.187"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: input_userauth_request: try method none
Failed none for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug1: userauth-request for user jvijayku service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jvijayku devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
Postponed keyboard-interactive for illegal user jvijayku from 64.104.131.187 port 33729 ssh2
debug3: ssh_msg_recv entering

PAM file
=======
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
auth required pam_env.so
auth [authinfo_unavail=ignore auth_err=done success=done default=ok] /isan/lib/libpam_aaa_auth.so
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth required pam_unix.so nullok likeauth try_first_pass
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow md5
password required /lib/security/pam_deny.so
From djm at mindrot.org Tue Jun 15 19:32:28 2004
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Jun 2004 19:32:28 +1000 Subject: ssh daemon fails to call pam when user does not exist in /etc/passwd In-Reply-To: <40CEBE06.4020802@cisco.com> References: <40CEBE06.4020802@cisco.com> Message-ID: <40CEC22C.5000102@mindrot.org> Jayarama Vijay Kumar wrote: > Hi > We recently upgraded to openssh-3.7.1p2. Our architecture is > ssh daemon uses pam module which sends request to remote > radius/tacacs+ servers based on configuration. > Now if I create the user in /etc/passwd, then ssh daemon calls pam and > everything works fine. > But if the user is not present in /etc/passwd, then ssh daemon is not > calling pam. The debug log is given below. All these were working in > prior versions. Any idea why there is dependency on local user accounts > ? I have also given sshd's pam file This behaviour is by design and we don't have any intentions of changing it. If your non-local login system doesn't support getpw* it won't work with OpenSSH (we aren't unique in this position). If you want to support non-local accounts then you need to use some NSS system (e.g. NIS, LDAP or on-the-fly getpw synthesis). -d From dtucker at zip.com.au Tue Jun 15 19:33:13 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 15 Jun 2004 19:33:13 +1000 Subject: ssh daemon fails to call pam when user does not exist in /etc/passwd In-Reply-To: <40CEBE06.4020802@cisco.com> References: <40CEBE06.4020802@cisco.com> Message-ID: <40CEC259.1070208@zip.com.au> Jayarama Vijay Kumar wrote: > We recently upgraded to openssh-3.7.1p2. Our architecture is > ssh daemon uses pam module which sends request to remote > radius/tacacs+ servers based on configuration. > Now if I create the user in /etc/passwd, then ssh daemon calls pam and > everything works fine. > But if the user is not present in /etc/passwd, then ssh daemon is not > calling pam. The debug log is given below. All these were working in > prior versions. Any idea why there is dependency on local user accounts > ? I have also given sshd's pam file I posted a patch for this a while back (attached). It's only been lightly tested but it's worth a try. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-chall2-no-leak.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040615/c6299c7a/attachment.ksh From djm at mindrot.org Tue Jun 15 19:44:19 2004
From: djm at mindrot.org (Damien Miller) Date: Tue, 15 Jun 2004 19:44:19 +1000 Subject: ssh daemon fails to call pam when user does not exist in /etc/passwd In-Reply-To: <40CEC22C.5000102@mindrot.org> References: <40CEBE06.4020802@cisco.com> <40CEC22C.5000102@mindrot.org> Message-ID: <40CEC4F3.9040100@mindrot.org> Damien Miller wrote: > Jayarama Vijay Kumar wrote: > >>Hi >> We recently upgraded to openssh-3.7.1p2. Our architecture is >> ssh daemon uses pam module which sends request to remote >>radius/tacacs+ servers based on configuration. >> Now if I create the user in /etc/passwd, then ssh daemon calls pam and >>everything works fine. >> But if the user is not present in /etc/passwd, then ssh daemon is not >>calling pam. The debug log is given below. All these were working in >>prior versions. Any idea why there is dependency on local user accounts >>? I have also given sshd's pam file > > > This behaviour is by design and we don't have any intentions of changing > it. I should clarify: if we don't go through all the motions (calling into PAM, etc) for non-existent accounts then that is a bug. This is done to defeat timing attacks, not to provide support for systems where accounts aren't visible to getpw* -d From dtucker at zip.com.au Tue Jun 15 19:52:35 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 15 Jun 2004 19:52:35 +1000 Subject: ssh daemon fails to call pam when user does not exist in /etc/passwd In-Reply-To: <40CEC259.1070208@zip.com.au> References: <40CEBE06.4020802@cisco.com> <40CEC259.1070208@zip.com.au> Message-ID: <40CEC6E3.20500@zip.com.au> Darren Tucker wrote: [about PAM without getpwnam()] > I posted a patch for this a while back (attached). It's only been > lightly tested but it's worth a try. Correction: this patch will cause PAM to be called for keyboard-interactive in that case (so it won't leak information about whether or not the account is permitted to log in) but it still won't actually permit the login. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From jvijayku at cisco.com Tue Jun 15 20:08:49 2004 From: jvijayku at cisco.com (Jayarama Vijay Kumar) Date: Tue, 15 Jun 2004 15:38:49 +0530 Subject: ssh daemon fails to call pam when user does not exist in /etc/passwd In-Reply-To: <40CEC6E3.20500@zip.com.au> References: <40CEBE06.4020802@cisco.com> <40CEC259.1070208@zip.com.au> <40CEC6E3.20500@zip.com.au> Message-ID: <40CECAB1.7090305@cisco.com> Darren Tucker wrote: > Darren Tucker wrote: > [about PAM without getpwnam()] > >> I posted a patch for this a while back (attached). It's only been >> lightly tested but it's worth a try. > > > Correction: this patch will cause PAM to be called for > keyboard-interactive in that case (so it won't leak information about > whether or not the account is permitted to log in) but it still won't > actually permit the login. > I just tested the patch. Though it manages to call pam, the login is not completed. It looks like we need to somehow get non-local account info thru getpwnam. thanx for the help. vijay From dvschweiger at web.de Wed Jun 16 06:43:44 2004 
From: dvschweiger at web.de (David Schweiger) Date: Tue, 15 Jun 2004 22:43:44 +0200 Subject: EMails from mindrot.org blocked by web.de ? Message-ID: <397889258@web.de> Hello, I can see my previous posting and Damien's reply but I never got his answer nor does it help to subscribe to the openssh-unix-dev at mindrot.org list. The subscription confirmation never appears in my inbox. Maybe you and the web.de admins can sort the problems out. Thanks, David _______________________________________________________________ Write SMS with WEB.DE FreeMail - simple, fast and inexpensive. Try it now! http://f.web.de/?mc=021192 From djm at mindrot.org Wed Jun 16 08:06:26 2004 From: djm at mindrot.org (Damien Miller) Date: Wed, 16 Jun 2004 08:06:26 +1000 Subject: EMails from mindrot.org blocked by web.de ? In-Reply-To: <397889258@web.de> References: <397889258@web.de> Message-ID: <40CF72E2.9000108@mindrot.org> David Schweiger wrote: > Hello, > > I can see my previous posting and Damien's reply but I never got his > answer nor does it help to subscribe to the > openssh-unix-dev at mindrot.org list. The subscription confirmation > never appears in my inbox. Maybe you and the web.de admins can sort > the problems out. It may have something to do with this virus[1] - a large number of them (around 20/hour) have forged my email address as the sender (and I see only the bounces). This is for web.de to sort out - life is too short for me to go chasing every site that refuses openssh-unix-dev@ mail because of a broken spam filtering policy. -d [1] http://www.theregister.co.uk/2004/06/11/german_hate_mail_virus/ From agiri at sj.symbol.com Wed Jun 16 09:03:24 2004
From: agiri at sj.symbol.com (Amba giri) Date: Tue, 15 Jun 2004 16:03:24 -0700 Subject: Question on undefined reference to 'crypt' Message-ID: Hello I have openssl-0.9.7d installed and when I attempt a make install on SSH(v3.8p1), I get the following error: .../openbsd-compat/xcrypt.c(76): undefined reference to 'crypt' Can anyone help me get past this problem ? Thank you in advance... Amba Giri Symbol Technologies, San Jose P: 408-528-2721 E:agiri at sj.symbol.com Symbol. The Enterprise Mobility Company. From stuge-openssh-unix-dev at cdy.org Wed Jun 16 09:06:40 2004 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 16 Jun 2004 01:06:40 +0200 Subject: Question on undefined reference to 'crypt' In-Reply-To: References: Message-ID: <20040615230640.GB30549@foo.birdnet.se> On Tue, Jun 15, 2004 at 04:03:24PM -0700, Amba giri wrote: > Hello > > I have openssl-0.9.7d installed and when I attempt a make > install on SSH(v3.8p1), I get the following error: > .../openbsd-compat/xcrypt.c(76): undefined reference to 'crypt' > > Can anyone help me get past this problem ? Try ./configure --with-md5-passwords and see if the make works. //Peter From mouring at etoh.eviladmin.org Wed Jun 16 09:22:35 2004 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 15 Jun 2004 18:22:35 -0500 (CDT) Subject: Question on undefined reference to 'crypt' In-Reply-To: Message-ID: Would you care to tell us what OS and what ./configure options you used? - Ben On Tue, 15 Jun 2004, Amba giri wrote: > Hello > > I have openssl-0.9.7d installed and when I attempt a make install on SSH(v3.8p1), I get the following error: > .../openbsd-compat/xcrypt.c(76): undefined reference to 'crypt' > > Can anyone help me get past this problem ? > > Thank you in advance... > > > > > > Amba Giri > Symbol Technologies, San Jose > P: 408-528-2721 > E:agiri at sj.symbol.com > Symbol. The Enterprise Mobility Company. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Wed Jun 16 09:24:27 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 16 Jun 2004 09:24:27 +1000 Subject: Question on undefined reference to 'crypt' In-Reply-To: References: Message-ID: <40CF852B.4080706@zip.com.au> Amba giri wrote: > I have openssl-0.9.7d installed and when I attempt a make install on SSH(v3.8p1), I get the following error: > .../openbsd-compat/xcrypt.c(76): undefined reference to 'crypt' > > Can anyone help me get past this problem ? Depends on what platform you're using, most likely you just need to add "--with-ldflags=-lcrypt" to your configure line. If that fixes it, tell us what your platform is and what ./config.guess reports and we can make configure do it automatically. You might like to use 3.8.1p1 rather than 3.8p1, it's newer and (probably :-) has a few less bugs. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Jun 16 14:03:15 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 16 Jun 2004 14:03:15 +1000 Subject: Make AIX login message handling consistent. Message-ID: <40CFC683.20800@zip.com.au>
Hi. There are a couple of minor problems with the way port-aix.c handles the messages returned by AIX's authentication routines. I think we handle the native ones OK, but third-party modules might behave differently. It tests OK for me, I would appreciate testing by anyone using AIX (esp. anyone using something other than the standard password auth modules).
a) The message from a successful authenticate() is not sent to the user. (The native password modules don't return anything).
b) There is one code path where the message is not free()ed. (It only leaks a few bytes on a successful authentication if passwordexpired() returns a warning message, but it should be fixed.)
c) The auth routines *may* return a NULL pointer rather than a pointer to a message. Most don't, and I think we handle all of the ones that might, but we should handle all of them.
d) The debug message from loginsuccess() was inconsistent with the rest.
e) There were some spaces instead of tabs. I've already committed that change since I didn't want to mix code and whitespace changes.
To fix a)-c), I used the following construct:

    result = function(...);
    if (msg != NULL)
        buffer_append(&loginmsg, msg, strlen(msg));
    else
        msg = xstrdup("(none)");
    aix_remove_embedded_newlines(msg);
    debug("AIX/function returned %d msg %s", result, msg);
    xfree(msg);

The message needs to be appended to loginmsg before we trash the newlines, otherwise they'll look funny. It seemed simpler to xstrdup the "none" message for the NULL case and then print and free it unconditionally. I think this is tidier (but marginally less efficient) than my first attempt which looked roughly like:

    debug("AIX/function returned %d msg %s", result, msg != NULL ? msg : "(none)");
    if (msg != NULL)
        xfree(msg);

The loginrestrictions() code in auth.c should probably get similar treatment (and be moved to port-aix.c too). Comments?
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-aixmsg.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040616/dd3e62e0/attachment.ksh From dtucker at zip.com.au Wed Jun 16 14:07:52 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 16 Jun 2004 14:07:52 +1000 Subject: Send login messages to stderr not stdout Message-ID: <40CFC798.80705@zip.com.au> Hi all. The old (~3.6.x) PAM code used to send PAM messages to stderr, whereas the new generic loginmsg code sends them to stdout, and it sends an extra newline. I think stderr is probably right, but the extra \n should probably be removed either way. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-loginmsg-stderr.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040616/05213d5c/attachment.ksh From dvschweiger at web.de Wed Jun 16 15:41:37 2004
From: dvschweiger at web.de (David Schweiger) Date: Wed, 16 Jun 2004 07:41:37 +0200 Subject: Xprint support in OpenSSH? In-Reply-To: <40CCF9D4.90401@mindrot.org> References: <396033170@web.de> <40CCF9D4.90401@mindrot.org> Message-ID: Damien Miller wrote: > David Schweiger wrote: > >>Hello, >> >>Does OpenSSH have any plans yet to extend the existing X11 forwarding >>support to include Xprint - the XOrg standard for printing? >>Documentation can be found at http://xprint.mozdev.org/docs/ >> >>The only change required to have Xprint support is to forward the X >>print server connection referenced by the XPSERVERLIST environment >>variable similar to the video display server referenced by the >>DISPLAY environment variable. > > > We don't have any plans to support this at present - IIRC the protocol > only allows forwarding of a single X channel. You do only have to forward the ports if I interpret http://xprint.mozdev.org/docs/Xprint_FAQ.html#manual_xprint_forwarding_via_ssh correctly. From dtucker at zip.com.au Wed Jun 16 15:51:27 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 16 Jun 2004 15:51:27 +1000 Subject: Move AIX loginrestrictions test to port-aix.c Message-ID: <40CFDFDF.3070500@zip.com.au> Hi All. This patch moves the AIX-specific loginrestrictions() test and associated code to port-aix.c and replaces it with a generic hook (in case any other platforms need this kind of functionality). Comments? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-aix-loginrestrictions.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040616/cc61a5ed/attachment.ksh From deai_1968 at yahoo.co.jp Wed Jun 16 23:05:59 2004 
From marquess at veridicalsystems.com Wed Jun 16 23:29:22 2004
From: marquess at veridicalsystems.com (Steve Marquess)
Date: Wed, 16 Jun 2004 09:29:22 -0400
Subject: Patch for FIPS 140 mode - take 3
In-Reply-To: <40D0315D.2040609@roumenpetrov.info>
References: <40C06F05.5040603@veridicalsystems.com> <40D0315D.2040609@roumenpetrov.info>
Message-ID: <40D04B32.2030306@veridicalsystems.com>

Roumen Petrov wrote:
> Hi All,
>
> Steve, patch looks very nice and simple.

Thanks for taking the time to look it over. I wrote it knowing there would be room for improvement, hoping to stimulate discussion by those more familiar with OpenSSH than I. All of your suggestions look good to me; more detailed comments follow.

> My suggestions about patch are as follows:
>
> 1.) What about to allow fips mode to be set in config files or with -o
> command line option ?

Works for me. Usually there would be no reason to run sshd in a non-FIPS mode if you need FIPS mode at all, but it wouldn't hurt.

> 2.) File fips.h is only one line.
> Instead of '#include "fips.h"' we can put 'extern int fips_mode;' in
> mac.c, cipher.c and etc.
>
> 3.) Where is best place to put variable fips_mode ? Might is better to
> put it in cipher.c ?

I wasn't sure of the cleanest way to implement fips_mode, so just went for the obvious.

> 4.1.) What about when config files or command line explicitly set macs
> option and FIPS is disabled from command line or config file{s} ?
> Sample: ssh{d} ... -o macs=... -y ...
> I cannot agree with changes in myproposal.h/mac.c/readconf.c/servconf.c.
> Steve, in ssh.c/sshd.c/ you must check allowed macs after
> fill_default_[server_]options.
> Might is better to check at end of the fill methods.
> Only in fips mode when option.macs is NULL you must set explicitly to
> "hmac-sha1,hmac-sha1-96".
>
> 4.2) Same as 5.1. for ciphers.
>
> Proposed solution is to add fips_mode to option structures (readconf.h
> rservconf.h).
> a.) Initialize it as to -1.
> b.) Use lines like following
> #ifdef OPENSSL_FIPS
>     { "fipsmode", {s|o}FipsMode }
> #else
>     { "fipsmode", {s|o}Unsupported }
> #endif
> c.) in fill_default .... methods
>     if (options->fipsmode == -1)
> #ifdef OPENSSL_FIPS
>         options->fipsmode = 1;
> #else
>         options->fipsmode = 0;
> #endif
>     fipsmode = options->fipsmode;
> d.) at end of fill... methods to validate macs and ciphers and to set
> them explicitly to non-NULL only in fipsmode.

Looks like a cleaner approach.

> 5.) What happens with key fingerprints when MD5 is disabled ?

MD5 is a problem; NIST doesn't like it. MD5 can be used only where plain text would be allowable. It is permitted in TLS, for example, because SHA1 is used in addition to MD5. The passphrases for keys can't be used in FIPS mode, for example. The simple generation and display of MD5 fingerprints isn't necessarily forbidden, but the _use_ of the result for any security related function is.

Ideally I'd like to see a SHA1 option for passphrases and fingerprints. That's a big and intrusive mod worthy of more discussion. Any chance it could happen?

> 6.) Should ssh-keyscan be FIPS 140 aware and when yes what happens
> when server has rsa1 key ?

Probably, as should ssh-add and ssh-keygen. I was being lazy there, plus my immediate requirement is for ssh and sshd only.

> 7.) Might in FIPS mode ssh protocol version 1 must be always disabled ?
> Please see sshd.c and servconf.c.

Well, I considered protocol version 2 only because version 1 is essentially forbidden for government use, i.e. wherever you would care about FIPS mode.

> 8.) Should we clear datafellows flag SSH_BUG_RSASIGMD5 in method
> compat_datafellows from compat.c or when flag is set should we accept
> connection ?
> Please see ssh-rsa.c.

Over my head, I'll have to study this one.

> 9.) What about to use configure option --with-ssl-static (fips build
> request must set implicitly static_crypto_lib="yes") ?
> As example in configure.ac we can use (note following lines are written
> from scratch):
> =================================================
> ....
> #request explicit link with static crypto lib.
> static_crypto_lib="no"
> AC_ARG_WITH(ssl-static,
>     [  --with-ssl-static ],
>     [
>         if test "x$withval" != "xno" ; then
>             static_crypto_lib="yes"
>         fi
>     ]
> )
> ....
> if test "x$ac_cv_fips" = "xyes" ; then
>     static_crypto_lib="yes"
> fi
> if test "x$static_crypto_lib" = "xyes"; then
>     case "$host" in
>     *-*-hpux11*)
>         LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-Bstatic -lcrypto -Wl,-Bdynamic /'`
>         ;;
>     *-*-linux*)
>         LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-aarchive -lcrypto -Wl,-adefault /'`
>         ;;
>     *)
>         AC_MSG_ERROR([FIXME: crypto lib static linking])
>     esac
> fi
> ....
> =================================================

Yep, looks cleaner.

> 10.) At end of configure is good to show that FIPS is enabled.

Agreed!

Guys, please let me know if you'd like me to work some more on cleaning up my patch, or if someone else would like to take this and run with it.

Thanks,

-Steve M.

From openssh at roumenpetrov.info Wed Jun 16 21:39:09 2004
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Wed, 16 Jun 2004 14:39:09 +0300
Subject: Patch for FIPS 140 mode - take 3
In-Reply-To: <40C06F05.5040603@veridicalsystems.com>
References: <40C06F05.5040603@veridicalsystems.com>
Message-ID: <40D0315D.2040609@roumenpetrov.info>

Hi All,

Steve, patch looks very nice and simple.
Markus, what is your opinion about FIPS support in OpenSSH ?

My suggestions about patch are as follows:

1.) What about to allow fips mode to be set in config files or with -o command line option ?

2.) File fips.h is only one line.
Instead of '#include "fips.h"' we can put 'extern int fips_mode;' in mac.c, cipher.c and etc.

3.) Where is best place to put variable fips_mode ? Might is better to put it in cipher.c ?

4.1.) What about when config files or command line explicitly set macs option and FIPS is disabled from command line or config file{s} ?
Sample: ssh{d} ... -o macs=... -y ...
I cannot agree with changes in myproposal.h/mac.c/readconf.c/servconf.c.
Steve, in ssh.c/sshd.c/ you must check allowed macs after fill_default_[server_]options.
Might is better to check at end of the fill methods.
Only in fips mode when option.macs is NULL you must set explicitly to "hmac-sha1,hmac-sha1-96".

4.2) Same as 5.1. for ciphers.

Proposed solution is to add fips_mode to option structures (readconf.h rservconf.h).
a.) Initialize it as to -1.
b.) Use lines like following
#ifdef OPENSSL_FIPS
    { "fipsmode", {s|o}FipsMode }
#else
    { "fipsmode", {s|o}Unsupported }
#endif
c.) in fill_default .... methods
    if (options->fipsmode == -1)
#ifdef OPENSSL_FIPS
        options->fipsmode = 1;
#else
        options->fipsmode = 0;
#endif
    fipsmode = options->fipsmode;
d.) at end of fill... methods to validate macs and ciphers and to set them explicitly to non-NULL only in fipsmode.

5.) What happens with key fingerprints when MD5 is disabled ?

6.) Should ssh-keyscan be FIPS 140 aware and when yes what happens when server has rsa1 key ?

7.) Might in FIPS mode ssh protocol version 1 must be always disabled ?
Please see sshd.c and servconf.c.

8.) Should we clear datafellows flag SSH_BUG_RSASIGMD5 in method compat_datafellows from compat.c or when flag is set should we accept connection ?
Please see ssh-rsa.c.

9.) What about to use configure option --with-ssl-static (fips build request must set implicitly static_crypto_lib="yes") ?
As example in configure.ac we can use (note following lines are written from scratch):
=================================================
....
#request explicit link with static crypto lib.
static_crypto_lib="no"
AC_ARG_WITH(ssl-static,
    [  --with-ssl-static ],
    [
        if test "x$withval" != "xno" ; then
            static_crypto_lib="yes"
        fi
    ]
)
....
if test "x$ac_cv_fips" = "xyes" ; then
    static_crypto_lib="yes"
fi
if test "x$static_crypto_lib" = "xyes"; then
    case "$host" in
    *-*-hpux11*)
        LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-Bstatic -lcrypto -Wl,-Bdynamic /'`
        ;;
    *-*-linux*)
        LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-aarchive -lcrypto -Wl,-adefault /'`
        ;;
    *)
        AC_MSG_ERROR([FIXME: crypto lib static linking])
    esac
fi
....
=================================================

10.) At end of configure is good to show that FIPS is enabled.

Steve Marquess wrote:
> Greetings.
>
> (Third try at sending this, the first two seemed to disappear without a trace.
> Perhaps use of MS Outlook was the problem, even though in plain text...? Or
> attachment too big (22Kb)? Would like to know...)
>
> The final source code and documentation package for a FIPS 140 validated mode
> of OpenSSL was recently submitted. Once the final certification is awarded by
> NIST, in a month or two hopefully, it will be possible to build FIPS 140
> validated applications with the FIPS mode OpenSSL library.
>
> Ben Laurie and I have developed the attached patch that adapts OpenSSH-3.8p1
> for use with the FIPS mode OpenSSL library.
> This patch is as minimal as possible, to serve as a model for "FIPS-izing"
> applications and to satisfy the immediate needs of my client that co-sponsored
> the bulk of the validation effort.
>
> Some notes:
>
> 1) For practical purposes only static linking with the FIPS library is
> supported. The configure checks for static linking may not be portable to all
> platforms.
>
> 2) FIPS mode is enabled at runtime for ssh and sshd only. Properly speaking
> the auxiliary commands (ssh-keygen, ssh-add, etc.) should do so as well.
>
> 3) MD5 is not allowed in FIPS mode. For the specific case of shadow password
> support I enabled MD5 using a special API call intended for use with TLS. FIPS
> 140 will permit that since the shadow passwords are generated and maintained
> entirely outside of OpenSSH. However, the use of MD5 for passphrases is not
> allowed. As-is this patch will allow keys to be used only with null passphrases,
> and FIPS 140 doesn't allow that either (all keys input or output from an
> application must be encrypted with a FIPS 140 approved algorithm). So,
> passwords only and no keys.
>
> How about a SHA1 passphrase encryption option...?
>
> 4) The OpenSSL source code used to generate the FIPS mode library is, or soon
> will be, in the OpenSSL_0_9_7_stable branch. The documentation describing the
> building and use of the FIPS library has not been released yet pending approval
> by NIST, but will be included in the OpenSSL source distributions.
>
> 5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only
>
> 6) The FIPS_mode_set() call tries to self-seed using the non-FIPS PRNG, but
> doesn't get enough entropy on HP-UX (no EGD or /dev/urandom). So for ssh.c I
> moved the seed_rng() call forwards quite a bit, that may cause other problems.
> Also, the PRNG is awkwardly re-seeded for the child process with a new PID.
> Ben Laurie has suggested a helper function in OpenSSL to simplify those steps, but
> it isn't done yet.
>
> -Steve M.
>
> Steve Marquess
> DMLSS Technical Manager JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
> DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
> steve.marquess at det.amedd.army.mil
>
> [SNIP]

From djm at mindrot.org Thu Jun 17 00:15:08 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 17 Jun 2004 00:15:08 +1000
Subject: Connection caching?
In-Reply-To: <4094A631.3050609@kegel.com>
References: <4094A631.3050609@kegel.com>
Message-ID: <40D055EC.6090805@mindrot.org>

Dan Kegel wrote:
> Hey all,
> on the distcc mailing list, a thread about load balancing
> got a bit out of hand, and we started thinking about
> moving fsh-like connection caching into ssh itself

FYI OpenSSH has connection sharing in CVS now. It isn't well tested beyond a couple of platforms: OpenBSD (obviously), Linux and OSX, and parts of it are still subject to change - in particular the protocol spoken between the "master" ssh connection and its sharing clients.

It certainly won't do anything fancy, like opportunistically starting up a connection if one doesn't already exist - but we want to get the guts of it well tested before we add features (if we ever do). The sort of thrashing that distcc would likely put it through would be welcome.

It has certainly been useful enough to change the way that I use ssh :)

(hint: set up aliases for master and client connections in .ssh/config)

-d

From dank at kegel.com Thu Jun 17 00:41:09 2004
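The option-filling and list-validation step sketched in the FIPS thread above (an unset fipsmode resolved to the compiled-in default, empty cipher and MAC lists filled with FIPS values only in FIPS mode, explicit lists checked against the approved set and rejected otherwise), written out as a stand-alone C example. This is added editorial code, not Steve's patch and not OpenSSH's own readconf.c/servconf.c: the struct, the function names and the cipher list are illustrative assumptions, and only the MAC list "hmac-sha1,hmac-sha1-96" comes from the thread.

```c
/* Added example, not from the FIPS patch or OpenSSH itself. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed FIPS-approved subsets of what OpenSSH 3.8 offered; the cipher
 * list is an assumption, the MAC list is the one named in the thread. */
static const char *const fips_ciphers[] = {
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", NULL };
static const char *const fips_macs[] = { "hmac-sha1", "hmac-sha1-96", NULL };

#define FIPS_DEFAULT_CIPHERS "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
#define FIPS_DEFAULT_MACS    "hmac-sha1,hmac-sha1-96"

/* Stand-in for the fipsmode field proposed for the option structs. */
struct fips_options {
    int fipsmode;    /* -1 = unset, 0 = off, 1 = on */
    char *ciphers;   /* comma-separated list or NULL for "use defaults" */
    char *macs;
};

/* Does the n-byte name match an entry in the NULL-terminated allowed list? */
static int name_allowed(const char *name, size_t n, const char *const *allowed)
{
    for (; *allowed != NULL; allowed++)
        if (strlen(*allowed) == n && memcmp(name, *allowed, n) == 0)
            return 1;
    return 0;
}

/* Walk a comma-separated list; return 1 if every name is allowed, else 0
 * with the first offender copied into bad (when bad != NULL). */
int fips_list_ok(const char *list, const char *const *allowed,
    char *bad, size_t badlen)
{
    const char *p = list, *comma;
    size_t n;

    if (list == NULL)
        return 0;
    while (*p != '\0') {
        comma = strchr(p, ',');
        n = comma != NULL ? (size_t)(comma - p) : strlen(p);
        if (!name_allowed(p, n, allowed)) {
            if (bad != NULL)
                snprintf(bad, badlen, "%.*s", (int)n, p);
            return 0;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return 1;
}

static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Mirrors steps c) and d) of the proposal: resolve an unset fipsmode to the
 * compiled-in default; only in FIPS mode fill empty lists with the FIPS
 * defaults and reject lists naming a non-approved algorithm.
 * Returns 1 on success, 0 with a message in err on a rejected list. */
int fips_fill_defaults(struct fips_options *o, int built_with_fips,
    char *err, size_t errlen)
{
    char bad[64];

    if (o->fipsmode == -1)
        o->fipsmode = built_with_fips ? 1 : 0;
    if (!o->fipsmode)
        return 1;   /* non-FIPS: leave the lists to the normal defaults */

    if (o->ciphers == NULL)
        o->ciphers = copy_string(FIPS_DEFAULT_CIPHERS);
    else if (!fips_list_ok(o->ciphers, fips_ciphers, bad, sizeof(bad))) {
        snprintf(err, errlen, "cipher %s not permitted in FIPS mode", bad);
        return 0;
    }
    if (o->macs == NULL)
        o->macs = copy_string(FIPS_DEFAULT_MACS);
    else if (!fips_list_ok(o->macs, fips_macs, bad, sizeof(bad))) {
        snprintf(err, errlen, "MAC %s not permitted in FIPS mode", bad);
        return 0;
    }
    return 1;
}

int main(void)
{
    char macs[] = "hmac-md5,hmac-sha1";          /* an explicit, non-FIPS list */
    struct fips_options o = { -1, NULL, macs };
    char err[128] = "";

    if (!fips_fill_defaults(&o, 1, err, sizeof(err)))
        printf("rejected: %s\n", err);
    free(o.ciphers);
    return 0;
}
```

The check runs once, after all config sources have been merged, which is the point Roumen makes: validating in the option parser itself would reject a MAC line in a config file even when FIPS mode ends up switched off on the command line.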
From: dank at kegel.com (Dan Kegel)
Date: Wed, 16 Jun 2004 07:41:09 -0700
Subject: Connection caching?
In-Reply-To: <40D055EC.6090805@mindrot.org>
References: <4094A631.3050609@kegel.com> <40D055EC.6090805@mindrot.org>
Message-ID: <40D05C05.40608@kegel.com>

Damien Miller wrote:
> FYI OpenSSH has connection sharing in CVS now. It isn't well tested
> beyond a couple of platforms: OpenBSD (obviously), Linux and OSX and
> parts of it are still subject to change - in particular the protocol
> spoken between the "master" ssh connection and its sharing clients.
>
> It certainly won't do anything fancy, like opportunistically starting up
> a connection if one doesn't already exist - but we want to get the guts
> of it well tested before we add features (if we ever do). The sort of
> thrashing that distcc would likely put it through would be welcome.
>
> It has certainly been useful enough to change the way that I use ssh :)
>
> (hint: set up aliases for master and client connections in .ssh/config)

Now I have a leg to stand on when the security folks ask me what I'm going to do about source code privacy. I'll try it out when I get a chance. Thanks!

- Dan

--
My technical stuff: http://kegel.com
My politics: see http://www.misleader.org for examples of why I'm for regime change

From agiri at sj.symbol.com Thu Jun 17 10:20:03 2004
From: agiri at sj.symbol.com (Amba giri) Date: Wed, 16 Jun 2004 17:20:03 -0700 Subject: Fwd: Re: Question on undefined reference to 'crypt' Message-ID: Hello Thanks for your response. The platform is lynxos. However when I add --with-ldflags=-lcrypt I get the following error: WS5000# ./configure --with-ssl-dir=/usr/local --with-ldflags=-lcrypt checking for gcc... gcc checking for C compiler default output... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for executable suffix... checking for object suffix... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking build system type... i386-unknown-lynxos checking host system type... i386-unknown-lynxos checking whether byte ordering is bigendian... no checking for mawk... no checking for gawk... gawk checking how to run the C preprocessor... gcc -E checking for ranlib... ranlib checking for a BSD compatible install... /bin/install -c checking for ar... /bin/ar checking for perl5... no checking for perl... /usr/bin/perl checking for sed... /bin/sed checking for ent... no checking for bash... /bin/bash checking for ksh... (cached) /bin/bash checking for sh... (cached) /bin/bash checking for sh... /bin/sh checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for _LARGE_FILES value needed for large files... no checking for login... /bin/login checking for passwd... /bin/passwd checking for gcc option to accept ANSI C... none needed checking for inline... inline checking compiler and flags for sanity... no configure: error: *** compiler cannot create working executables, check config.log *** I have attached the config.log file. Basically the 'crypt' library is not being found. I did not have this problem until I rebuilt Openssl-0.9.7d. 
Amba >>> Darren Tucker 06/15/04 04:24PM >>> Amba giri wrote: > I have openssl-0.9.7d installed and when I attempt a make install on SSH(v3.8p1), I get the following error: > .../openbsd-compat/xcrypt.c(76): undefined reference to 'crypt' > > Can anyone help me get past this problem ? Depends on what platform you're using, most likely you just need to add "--with-ldflags=-lcrypt" to you configure line. If that fixes it, tell us what your platform is and what ./config.guess reports and we can make configure do it automatically. You might like to use 3.8.1p1 rather than 3.8p1, it's newer and (probably :-) has a few less bugs. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. ________________________________________________________________________ This email has been scanned for computer viruses. From dtucker at zip.com.au Thu Jun 17 11:50:32 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 17 Jun 2004 11:50:32 +1000 Subject: Fwd: Re: Question on undefined reference to 'crypt' In-Reply-To: References: Message-ID: <40D0F8E8.1050409@zip.com.au> Amba giri wrote: > Thanks for your response. The platform is lynxos. However when I add --with-ldflags=-lcrypt > > I get the following error: [...] > configure: error: *** compiler cannot create working executables, check config.log *** In that case you need to find the library that crypt() lives in and add that instead of -lcrypt. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From openssh at roumenpetrov.info Thu Jun 17 16:26:12 2004 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Thu, 17 Jun 2004 09:26:12 +0300 Subject: EMails from mindrot.org blocked by web.de ? In-Reply-To: <40CF72E2.9000108@mindrot.org> References: <397889258@web.de> <40CF72E2.9000108@mindrot.org> Message-ID: <40D13984.6020503@roumenpetrov.info> Hi Damien, Might your email 'Spamcop abuse reports for openssh-unix-dev messages' contain the explanation. Is possible to use news-server in addition to list-server for this forum ? Damien Miller wrote: >David Schweiger wrote: > > >>Hello, >> >>I can see my previous posting and Damiens reply but I never got his >>answer nor does it help to subscribe to the >>openssh-unix-dev at mindrot.org list. The subscription confirmation >>never appears in my inbox. Maybe you and the web.de admins can sort >>the problems out. >> >> > >It may have something to so with this virus[1] - a large number of them >(around 20/hour) have forged my email address as the sender (and I see >only the bounces). > >This is for web.de to sort out - life is too short for me to go chasing >every site that refuses openssh-unix-dev@ mail because of a broken spam >filtering policy. > >-d > >[1] http://www.theregister.co.uk/2004/06/11/german_hate_mail_virus/ > >_ > From djm at mindrot.org Thu Jun 17 23:12:37 2004 
From: djm at mindrot.org (Damien Miller) Date: Thu, 17 Jun 2004 23:12:37 +1000 Subject: EMails from mindrot.org blocked by web.de ? In-Reply-To: <40D13984.6020503@roumenpetrov.info> References: <397889258@web.de> <40CF72E2.9000108@mindrot.org> <40D13984.6020503@roumenpetrov.info> Message-ID: <40D198C5.4050805@mindrot.org> Roumen Petrov wrote: > Hi Damien, > > Might your email 'Spamcop abuse reports for openssh-unix-dev messages' > contain the explanation. No, my server was listed in spamcop for a little while but was removed after explaining the situation to them. According to them, they "educated" the reporting user too. It certainly isn't listed now: http://www.spamcop.net/w3m?action=checkblock&ip=203.217.30.81 > Is possible to use news-server in addition to list-server for this forum ? Maybe someone is running a mail->news gateway of this list. I certainly don't. www.gmane.org perhaps? (btw, this is all offtopic - I'm happy to discuss this off list) -d From scottra at wrq.com Fri Jun 18 09:04:45 2004 
From: scottra at wrq.com (Scott Rankin)
Date: Thu, 17 Jun 2004 16:04:45 -0700
Subject: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
Message-ID: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com>

I have found that this server,

debug1: Remote protocol version 1.99, remote software version 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
debug1: no match: 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS

does not follow the IETF secsh draft [1] related to the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ message.

...
   Normally, the server responds to this message with success or failure.
   However, if the password has expired the server SHOULD indicate this by
   responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ. In any case the server
   MUST NOT allow an expired password to be used for authentication.

      byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
      string    prompt in ISO-10646 UTF-8 encoding
      string    language tag as defined in [RFC3066]
...

I tested with the OpenBSD ssh client and portable ssh in cygwin. It specifically doesn't send the language tag. Here is the tail of ssh -vvv,

debug1: Next authentication method: password
debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug2: input_userauth_passwd_changereq
buffer_get: trying to get more bytes 4 than in buffer 0

I stepped through in the debugger to see that I do get the password change prompt and then we barf when we try to get the lang string that isn't there.

Here is a patch that gets around this but I had some questions,

1. I wasn't sure I should combine this with the other F-Secure bug listed (the one for the 1.3.2*)? Is there a regression test to test SSH_BUG_IGNOREMSG?

2. I wasn't sure how much of the server version string was needed.

3. The selection of SSH_BUG_PWDCHGREQ and its define was totally arbitrary by me.

Any feedback greatly appreciated.
cheers, scott rankin Index: compat.c =================================================================== RCS file: /cvs/openssh/compat.c,v retrieving revision 1.70 diff -d -u -r1.70 compat.c --- compat.c 3 Nov 2003 09:09:03 -0000 1.70 +++ compat.c 17 Jun 2004 22:02:55 -0000 @@ -134,6 +134,8 @@ "1.2.22*", SSH_BUG_IGNOREMSG }, { "1.3.2*", /* F-Secure */ SSH_BUG_IGNOREMSG }, + { "3.1.0 F-SECURE*", /* Process Software SSH for OpenVMS */ + SSH_BUG_PWDCHGREQ }, { "*SSH Compatible Server*", /* Netscreen */ SSH_BUG_PASSWORDPAD }, { "*OSU_0*," Index: compat.h =================================================================== RCS file: /cvs/openssh/compat.h,v retrieving revision 1.35 diff -d -u -r1.35 compat.h --- compat.h 3 Nov 2003 09:09:03 -0000 1.35 +++ compat.h 17 Jun 2004 22:02:55 -0000 @@ -43,6 +43,7 @@ #define SSH_BUG_IGNOREMSG 0x00000100 #define SSH_BUG_PKOK 0x00000200 #define SSH_BUG_PASSWORDPAD 0x00000400 +#define SSH_BUG_PWDCHGREQ 0x00000402 #define SSH_BUG_SCANNER 0x00000800 #define SSH_BUG_BIGENDIANAES 0x00001000 #define SSH_BUG_RSASIGMD5 0x00002000 Index: sshconnect2.c =================================================================== RCS file: /cvs/openssh/sshconnect2.c,v retrieving revision 1.127 diff -d -u -r1.127 sshconnect2.c --- sshconnect2.c 15 Jun 2004 00:30:09 -0000 1.127 +++ sshconnect2.c 17 Jun 2004 22:02:55 -0000 @@ -767,11 +767,13 @@ "no authentication context"); info = packet_get_string(NULL); - lang = packet_get_string(NULL); + if (!(datafellows & SSH_BUG_PWDCHGREQ)) { + lang = packet_get_string(NULL); + xfree(lang); + } if (strlen(info) > 0) logit("%s", info); xfree(info); - xfree(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); [1] http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-21.txt From dtucker at zip.com.au Fri Jun 18 12:08:13 2004 
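Review bot: in the compat.c hunk the new pattern "3.1.0 F-SECURE*" pins the workaround to one exact banner, so any other Process Software release that omits the language tag in the same way will keep failing with the buffer_get error, while a different product that happened to start its banner with 3.1.0 F-SECURE would get the workaround without needing it; before settling on the glob, find out from the vendor which releases actually omit the tag and make the pattern match that set, and consider stating in the entry's comment what the bug is (missing language tag in SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) rather than only the product name.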
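Review bot: in the compat.h hunk SSH_BUG_PWDCHGREQ is defined as 0x00000402, which is not a single bit: it includes the 0x00000400 bit already used by SSH_BUG_PASSWORDPAD and the 0x00000002 bit of an earlier flag, so a server matched with the new entry would also get those workarounds, and a later test for SSH_BUG_PASSWORDPAD on that connection would succeed. The datafellows flags are a bitmask; give the new flag its own power-of-two value appended after the last existing definition (double the previous value) instead of a number slotted between 0x00000400 and 0x00000800.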
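Review bot: in the sshconnect2.c hunk the language tag is now read and freed only when the flag is clear, which avoids the fatal buffer_get in the trace, but the fix is keyed to a banner match, so any other server with the same omission still fails; a more robust alternative is to read the language tag only when bytes remain in the packet (the trace shows the buffer already empty when the string read is attempted), which needs no compat entry at all. If the flag approach is kept, add a comment at the new branch saying that the server omits the language tag, since the reason for skipping a field required by the draft is not obvious from the code.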
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 18 Jun 2004 12:08:13 +1000
Subject: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
In-Reply-To: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com>
References: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com>
Message-ID: <40D24E8D.50508@zip.com.au>

Scott Rankin wrote:
> I have found that this server,
> 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
> does not follow the IETF secsh draft [1] related to the
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ message.
[...]
> Here is a patch that gets around this but I had some questions,
> 1. I wasn't sure I should combine this with the other F-Secure bug listed
> (the one for the 1.3.2*)? Is there a regression test to test
> SSH_BUG_IGNOREMSG?

No, different bugs should use different flags. I don't know if there's a regression test for BUG_IGNOREMSG.

> 2. I wasn't sure how much of the server version string was needed.

That will depend on which versions exhibit the problems. Is it specific to the VMS implementation? Can the vendor tell you?

> 3. The selection of SSH_BUG_PWDCHGREQ and its define was totally arbitrary
> by me.

> #define SSH_BUG_PASSWORDPAD 0x00000400
> +#define SSH_BUG_PWDCHGREQ 0x00000402
> #define SSH_BUG_SCANNER 0x00000800

Those bugs are bitmasks, so you should add it to the end of the list and use a value double the previous. What you've done there is set SSH_BUG_PKSERVICE and SSH_BUG_PASSWORDPAD too.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From jason at devrandom.org Fri Jun 18 12:59:12 2004
From: jason at devrandom.org (Jason McCormick)
Date: Thu, 17 Jun 2004 22:59:12 -0400
Subject: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
In-Reply-To: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com>
References: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com>
Message-ID: <200406172259.12437.jason@devrandom.org>

> > debug1: Remote protocol version 1.99, remote software version 3.1.0
> F-SECURE SSH - Process Software SSH for OpenVMS
> debug1: no match: 3.1.0 F-SECURE SSH - Process Software SSH for
> OpenVMS

This is not the latest version of SSH for VMS from Process. The latest version is 3.2.0 for VMS (patchset SSH-062_A044 for Multinet v4.4 or SSH_V562P032 for TCPWare 5.6-2, not sure about the stand-alone product). Check to make sure your issue is present in the latest production release of SSH for VMS.

Our setups may be different, but I don't get an error like you're seeing from an expired password. I pushed my account to have the password expired and then tried to login. I enter my password and I'm immediately prompted by the VMS auth system to change my password as it's expired. Here's my ssh -vvv output (based from your output):

debug1: Next authentication method: password
debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
<....>
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-QgmoT18829/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-QgmoT18829/xauthfile list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 100000 rmax 16384
Your password has expired; you must set a new password to log in
Old password:

This is the behavior I would expect. I'm not 100% familiar with the section of the draft spec you're talking about, but this is how I would be expecting my VMS system to act.

Just for the record:

jason at sith jason $ telnet vmsbox 22
Trying xx.xx.xxx.xx...
Connected to vmsbox.
Escape character is '^]'.
SSH-1.99-3.2.0 F-SECURE SSH - Process Software MultiNet

--
Jason McCormick
jason at devrandom.org
GPG Key ID: 96D6CF63

From jason at devrandom.org Fri Jun 18 13:01:42 2004
From: jason at devrandom.org (Jason McCormick)
Date: Thu, 17 Jun 2004 23:01:42 -0400
Subject: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
In-Reply-To: <40D24E8D.50508@zip.com.au>
References: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com> <40D24E8D.50508@zip.com.au>
Message-ID: <200406172301.42848.jason@devrandom.org>

On Thursday 17 June 2004 10:08 pm, Darren Tucker wrote:
> > 2. I wasn't sure how much of the server version string was needed.
>
> That will depend on which versions exhibit the problems. Is it
> specific to the VMS implementation? Can the vendor tell you?

Process has three separate product lines for this - Multinet, TCPWare and the stand-alone product. I know the product line for Multinet is slightly different than shown. However I'm also seeing what I think is correct behaviour as indicated by my previous e-mail so it could be an implementation difference.

--
Jason McCormick
jason at devrandom.org
GPG Key ID: 96D6CF63

From jason at devrandom.org Fri Jun 18 13:28:04 2004
From: jason at devrandom.org (Jason McCormick)
Date: Thu, 17 Jun 2004 23:28:04 -0400
Subject: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
In-Reply-To: <200406172259.12437.jason@devrandom.org>
References: <1A6B6A5A3597C340BB63728001DC78795A72AE@kodos.na.wrq.com> <200406172259.12437.jason@devrandom.org>
Message-ID: <200406172328.04023.jason@devrandom.org>

I misread the patch before, sorry about that. I'd read the string match as checking for "F-SECURE" and "Process Software". Missed the version number completely. Sorry about that. I should go to bed... :)

--
Jason McCormick
jason at devrandom.org
GPG Key ID: 96D6CF63

From code at pizzashack.org Sat Jun 19 17:51:07 2004
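For the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ layout Scott quoted from the draft (a prompt string followed by a language-tag string, each an SSH "string": a 32-bit big-endian length and that many bytes), here is an added C example that parses the payload after the message-type byte and treats the language tag as optional, returning an error instead of fatal()ing when a server omits it. This is editorial code, not OpenSSH's input_userauth_passwd_changereq and not Scott's patch; the function and struct names are assumptions, and the sample payloads are constructed rather than captured traffic.

```c
/* Added example, not from OpenSSH or from the patch in this thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct passwd_changereq {
    char prompt[256];
    char lang[64];
    int has_lang;          /* 0 when the server omitted the language tag */
};

/* Read one SSH "string" (uint32 big-endian length + bytes) into out.
 * Returns 0 on success, -1 if the declared length runs past the buffer
 * or does not fit in out; advances *off past the string. */
static int get_string(const unsigned char *buf, size_t len, size_t *off,
    char *out, size_t outlen)
{
    uint32_t n;

    if (len - *off < 4)
        return -1;
    n = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
        ((uint32_t)buf[*off + 2] << 8) | buf[*off + 3];
    *off += 4;
    if (n > len - *off || n >= outlen)
        return -1;
    memcpy(out, buf + *off, n);
    out[n] = '\0';
    *off += n;
    return 0;
}

/* Parse the payload that follows the message-type byte.
 * Returns 0 on success, -1 on a malformed message, and -2 when the
 * language tag is missing and strict != 0 (the condition the unpatched
 * client hits, except that it calls fatal() instead of returning). */
int parse_passwd_changereq(const unsigned char *buf, size_t len, int strict,
    struct passwd_changereq *req)
{
    size_t off = 0;

    memset(req, 0, sizeof(*req));
    if (get_string(buf, len, &off, req->prompt, sizeof(req->prompt)) != 0)
        return -1;
    if (off == len)                   /* nothing left: no language tag */
        return strict ? -2 : 0;
    if (get_string(buf, len, &off, req->lang, sizeof(req->lang)) != 0)
        return -1;
    req->has_lang = 1;
    return off == len ? 0 : -1;       /* trailing bytes are also malformed */
}

/* Constructed sample payloads (not captured traffic). */
static const unsigned char conformant[] = {     /* prompt + "en" tag */
    0, 0, 0, 16, 'P','a','s','s','w','o','r','d',' ','e','x','p','i','r','e','d',
    0, 0, 0, 2, 'e','n' };
static const unsigned char prompt_only[] = {    /* what the VMS server sends */
    0, 0, 0, 16, 'P','a','s','s','w','o','r','d',' ','e','x','p','i','r','e','d' };

int main(void)
{
    struct passwd_changereq r;
    int rc;

    rc = parse_passwd_changereq(prompt_only, sizeof(prompt_only), 1, &r);
    printf("strict:   rc=%d\n", rc);                       /* -2: tag missing */
    rc = parse_passwd_changereq(prompt_only, sizeof(prompt_only), 0, &r);
    printf("tolerant: rc=%d prompt=\"%s\" has_lang=%d\n", rc, r.prompt, r.has_lang);
    return 0;
}
```

The tolerant path keys on bytes remaining in the packet rather than on the server's banner, so it covers any server with the same omission; the strict path is what the draft requires and what a client should still use against a server that claims conformance.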
From: code at pizzashack.org (Derek Martin) Date: Sat, 19 Jun 2004 16:51:07 +0900 Subject: security flaw in rssh Message-ID: <20040619075107.GJ13649@sophic.org> rssh is a small shell whose purpose is to restrict users to using scp or sftp, and also provides the facilities to place users in a chroot jail. It can also be used to lock users out of a system completely. William F. McCaw identified a minor security flaw in rssh when used with chroot jails. There is a bug in rssh 2.0 - 2.1.x which allows a user to gather information outside of a chrooted jail unintentionally. The latest release of rssh fixes this problem, and also improves support for some non-openssh sftp clients. Additionally, it extends rssh by allowing cvs, rsync, and rdist. The cause of the problem identified by Mr. McCaw is that rssh expanded command-line arguments prior to entering the chroot jail. This bug DOES NOT allow a user to access any of the files outside the jail, but can allow them to discover what files are in a directory which is outside the jail, if their credentials on the server would normally allow them read/execute access in the specified directory. For example (from William's bug report), if a user has an account on a server machine which restricts them into a jail using rssh, the user can use the following command to access the server and see what files exist in the /etc directory: scp target:/etc/* . The results of this command will look something like this: scp: /etc/DIR_COLORS: No such file or directory scp: /etc/HOSTNAME: No such file or directory scp: /etc/X11: No such file or directory scp: /etc/adjtime: No such file or directory [ ... ] ld.so.cache 100% 675 0.0KB/s 00:00 ld.so.conf 100% 0 0.0KB/s 00:00 [ ... ] passwd 100% 51 0.0KB/s 00:00 [ ... 
  scp: /etc/termcap-Linux: No such file or directory
  scp: /etc/updatedb.conf: No such file or directory
  scp: /etc/warnquota.conf-sample: No such file or directory
  scp: /etc/xml: No such file or directory

The files which succeed in copying exist inside the chroot jail, and thus should be harmless. All of the files which produce an error message exist in the system's /etc directory, but do not exist inside the chroot jail. The user is placed in the jail before access to any of these files is attempted, so again, it is not possible to access them.

For many sites, this is not a serious issue. However if it is important at your site that users not be able to know about any files which exist outside the chroot jail, then you should upgrade as soon as possible.

The 2.2.0 release of rssh fixed the problem in question, but was mistakenly released missing some code for parsing per-user options. The 2.2.1 release corrects that problem, and should be the final release of rssh. No further development is planned.

You can get the latest release of rssh here:

  http://www.pizzashack.org/rssh/

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040619/d2931d98/attachment.bin
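As an added illustration of the ordering bug described in the advisory above (this is not rssh code, and it performs no real chroot: the jail is simulated with a path prefix inside a temporary directory that the script itself constructs), the following Python compares the two orders of operations. Expanding the glob against the real filesystem and then resolving each name inside the jail reproduces the "No such file or directory" list that leaks outside names; expanding only against the jail's own tree, which is what running the expansion after chroot() amounts to, yields nothing the user could not already see.

```python
"""Added example (not rssh code): the two orders of operations behind the
rssh 2.0 - 2.1.x information leak, run against a tree this script builds in
a temporary directory.  No chroot() is performed; the jail is simulated by
prefixing paths with the jail root, which is all that matters for the glob.
"""
import glob
import os
import tempfile
from typing import Dict, List, Tuple


def expand_before_jail(host_root: str, jail_root: str, pattern: str) -> Dict[str, str]:
    """Buggy order: expand the user's glob against the real filesystem, then
    try each name inside the jail.  Returns {path inside jail: outcome}.
    Every 'No such file or directory' outcome names a file that exists
    outside the jail and nowhere else: that is the leak."""
    outcome = {}
    for real in sorted(glob.glob(host_root + pattern)):
        rel = os.path.relpath(real, host_root)
        exists_in_jail = os.path.exists(os.path.join(jail_root, rel))
        outcome["/" + rel] = "copied" if exists_in_jail else "No such file or directory"
    return outcome


def expand_after_jail(jail_root: str, pattern: str) -> Dict[str, str]:
    """Fixed order (rssh 2.2.x): expand only against the jail's own tree, so
    the glob can only ever name files the user is allowed to see."""
    return {"/" + os.path.relpath(p, jail_root): "copied"
            for p in sorted(glob.glob(jail_root + pattern))}


def leaked_names(before: Dict[str, str]) -> List[str]:
    """Names the buggy order disclosed without copying anything."""
    return sorted(p for p, status in before.items() if status != "copied")


def build_trees() -> Tuple[str, str]:
    """Constructed sample: the host's /etc holds four files, the jail's /etc
    only the two a chrooted scp actually needs to see."""
    base = tempfile.mkdtemp(prefix="rssh-glob-demo-")
    host, jail = os.path.join(base, "host"), os.path.join(base, "jail")
    for root, names in ((host, ("passwd", "ld.so.conf", "shadow", "sshd_config")),
                        (jail, ("passwd", "ld.so.conf"))):
        os.makedirs(os.path.join(root, "etc"))
        for name in names:
            open(os.path.join(root, "etc", name), "w").close()
    return host, jail


def demo() -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Run both orders over the constructed trees with the advisory's pattern."""
    host, jail = build_trees()
    before = expand_before_jail(host, jail, "/etc/*")
    after = expand_after_jail(jail, "/etc/*")
    return before, after, leaked_names(before)


if __name__ == "__main__":
    before, after, leaked = demo()
    for path, status in before.items():          # what the user saw in 2.1.x
        print(f"scp: {path}: {status}" if status != "copied" else f"{path}: copied")
    print("names leaked by expanding before chroot:", leaked)
    print("visible after the fix:", sorted(after))
```

The check to carry over to a real deployment is the shape of `expand_after_jail`: any path the user supplies must be interpreted only after the process has entered the jail, so that neither glob expansion nor an error message ever consults the host filesystem.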
From: openssh-unix-dev at mindrot.org (reply_to_list)
Date: Sun Jun 20 00:00:00 UTC 2004
Subject: key management with ssh-agent, IdentityFile and info leakage
Message-ID: <1@2.3>

editors note: just now found something about IdentitiesOnly that might do the trick. there's some other stuff in here too.

about preventing info leakage [keys for other sites] from appearing in the client<-->server key negotiation with ssh-agent and IdentityFile.

ssh/config:IdentityFile - seems to indicate that only the specified key will be tried, and if that key fails, no other keys will be tried. however, the tests further below prove otherwise.

it would be great if IdentityFile would indeed try only the specified key by doing a lookup for it in the list of the running agent and/or on disk. preserve the existing [broken?] personality by adding something like:

  IdentityFileExclusive key - try to locate and use this single key only.

  IdentityFilePrefer (agent|disk|agentdisk|diskagent) - use this single location or try this multiple location search order. for when the loaded key differs from the disk key of the same name because some management app is swapping keys around and a configurable source would be handy.

  IdentityFileDefault (yes|no) - try the defkeys if available.

  IdentityFileDefaultOrder (first|last) - in this order.

ordering - if multiple IdentityFile's exist in a section, try in the order listed.

the ability to [un]lock specific keys in the agent in addition to the entire agent might also be useful. ssh-add -l would then show which keys are locked. ssh-add -[X|x] [key].

note - -i, -o should take precedence always. then deal with agent/files as above.

  1. cmdline
  2. usercfg
  3. syscfg

OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090703f

yeah, yeah... test key generation...
  cd ~/.ssh ; rm id*
  ssh-keygen -t dsa -b 512 -N defpass -C defkey -f id_dsa
  for key in a b c ; do
      ssh-keygen -t dsa -b 512 -N ${key}pass -C ${key}key -f id_dsa_$key
  done
  ssh host 'cat > .ssh/authorized_keys' < id_dsa_c.pub

colon fields - the test state
  srvkey - key contained in authorized_keys on the server
  cfgkey - key specified in client config file for that host
  agekey - key set loaded in agent, in load order
  defkey - default key name

non colon fields - test result from this test number...
  ssh -vvv host find /tmp 2>&1 | egrep '/tmp/ssh-|id_dsa'
  ignore the tmp stuff, used for checking ForwardAgent.
  agekey - this agent key was tried
  cfgkey - this config key was tried
  defkey - this key was tried

summary... exposed might not be the right word
  first, all available agekeys are exposed
  second, the cfgkeys are exposed
  third, the defkey is exposed
  fourth, other configured non-key methods are tried [not shown]

setup...
  srvkey: c
  cfgkey: a
  defkey: id_dsa

test 1...
  agekey: none
  cfgkey a

test 2...
  agekey: c
  agekey c

test 3...
  agekey: b
  agekey b
  cfgkey a

test 4...
  agekey: a
  agekey a
  cfgkey a

test 5...
  agekey: b a
  agekey b
  agekey a
  cfgkey a

test 6...
  agekey: defkey a c
  agekey defkey
  agekey a
  agekey c

  srvkey: b

test 7...
  agekey: c defkey a b
  agekey c
  agekey defkey
  agekey a
  agekey b

  512 d3:3f:d4:1c:b2:1e:53:1e:16:92:77:80:24:db:cb:78 id_dsa_c (DSA)
  512 2b:f5:bc:22:fd:2e:97:c5:6b:24:9a:5e:32:a6:51:2e id_dsa (DSA)
  512 82:18:ff:64:53:49:e5:b1:d4:4f:1b:4b:88:b4:cf:1e id_dsa_a (DSA)
  512 30:12:77:c5:59:09:21:62:06:e7:d7:7e:bc:8a:aa:91 id_dsa_b (DSA)
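The "exposed" list the poster built by grepping ssh -vvv output can be turned into a repeatable check. The Python below is an added example, not OpenSSH code; the debug lines it scans are constructed to resemble the "Offering public key:" messages ssh -vvv prints, and the exact wording is an assumption about your client version, so adjust OFFER_RE if your client phrases it differently. It extracts the identities the client actually presented to the server, flags any that are not in the host's IdentityFile list, and emits the per-host stanza that closes the leak: with IdentitiesOnly yes, ssh offers only the configured (or, with none configured, the default) identity files even when the agent holds more, which is the behaviour the poster wanted IdentityFile to have.

```python
"""Added example (not OpenSSH code): audit which identities an ssh client
offered to a server by scanning `ssh -vvv` output, and produce the ssh_config
stanza that stops the extra ones being offered.  The debug lines below are
constructed for the demo in the shape of OpenSSH's "Offering public key:"
messages; wording varies by version, so OFFER_RE is an assumption to check
against your own client.
"""
import re
from typing import List

# Constructed sample of `ssh -vvv host 2>&1`: keys c and b are in the agent,
# key a is the IdentityFile for this host.  Only key a should be offered.
SAMPLE_DEBUG = """\
debug1: Reading configuration data /home/u/.ssh/config
debug1: Will attempt key: /home/u/.ssh/id_dsa_c DSA SHA256:cccc agent
debug1: Will attempt key: /home/u/.ssh/id_dsa_b DSA SHA256:bbbb agent
debug1: Will attempt key: /home/u/.ssh/id_dsa_a DSA SHA256:aaaa explicit
debug1: Offering public key: /home/u/.ssh/id_dsa_c DSA SHA256:cccc agent
debug3: receive packet: type 51
debug1: Offering public key: /home/u/.ssh/id_dsa_b DSA SHA256:bbbb agent
debug3: receive packet: type 51
debug1: Offering public key: /home/u/.ssh/id_dsa_a DSA SHA256:aaaa explicit
debug3: receive packet: type 60
debug1: Server accepts key: /home/u/.ssh/id_dsa_a DSA SHA256:aaaa explicit
Authenticated to host ([10.0.0.5]:22) using "publickey".
"""

# Older clients print "Offering RSA public key: <path>", newer ones
# "Offering public key: <path> <type> <fingerprint> ..."; capture the path.
OFFER_RE = re.compile(r"^debug1: Offering (?:[A-Z0-9-]+ )?public key: (\S+)", re.M)


def offered_keys(debug_output: str) -> List[str]:
    """Identities the client presented to the server, in the order tried."""
    return OFFER_RE.findall(debug_output)


def unexpected_offers(debug_output: str, identity_files: List[str]) -> List[str]:
    """Identities offered to this host that are not its IdentityFile entries.
    Each one is a public key, and the fact that you hold it, disclosed to a
    server that had no need to learn it."""
    return [k for k in offered_keys(debug_output) if k not in identity_files]


def hardened_host_block(host: str, identity_files: List[str]) -> str:
    """ssh_config stanza for `host`: IdentitiesOnly makes ssh offer only the
    listed IdentityFile entries (agent-held copies of those are still used)
    even when the agent holds more keys."""
    lines = [f"Host {host}"]
    lines += [f"    IdentityFile {f}" for f in identity_files]
    lines.append("    IdentitiesOnly yes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allowed = ["/home/u/.ssh/id_dsa_a"]
    print("offered:   ", offered_keys(SAMPLE_DEBUG))
    print("unexpected:", unexpected_offers(SAMPLE_DEBUG, allowed))
    print(hardened_host_block("host", ["~/.ssh/id_dsa_a"]))
```

In practice, feed it the stderr of a real `ssh -vvv host true 2>&1` and treat any non-empty result from `unexpected_offers` as a host that still needs the stanza.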
From: bob at proulx.com (Bob Proulx)
Date: Sun, 20 Jun 2004 12:33:34 -0600
Subject: F-Secure SSH / OpenSSH pubkey compatibilty?
Message-ID: <20040620183334.GA16478@misery.proulx.com>

I am trying to use F-Secure SSH on a RH7.1 machine to connect using any pubkey method to an OpenSSH on a Debian 'woody' stable server (with current Debian security patches). Interactive password authentication works. But I have been unable to get any of the "passwordless" pubkey methods to work. I am trying to automate a copy where only ssh is allowed through the firewalls.

Unfortunately I have to physically travel to a secure room at another company's site in order to type on the keyboard of the RH7.1 F-Secure SSH machine. Therefore I only have my faulty memory of the failed results. But it seemed to me that the public key format was incompatible with the OpenSSH implementation.

Normally I would copy the id_rsa.pub (called id_rsa_a1024.pub2 or something similar by F-Secure SSH) to the OpenSSH authorized_keys file. But that did not work. Looking at the contents of the pubkey file, the format was much different than what I expected to see and looked more like a PGP style key with a BEGIN, Version:, Comment: section.

Should I be able to extract the key somehow in a compatible format? I read through the F-Secure SSH man pages that were available on that system but in the time there I could not deduce how to do that. Does anyone have any hints?

Thanks
Bob
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 20 Jun 2004 21:56:10 +0200
Subject: F-Secure SSH / OpenSSH pubkey compatibilty?
In-Reply-To: <20040620183334.GA16478@misery.proulx.com>
References: <20040620183334.GA16478@misery.proulx.com>
Message-ID: <20040620195610.GA27902@foo.birdnet.se>

On Sun, Jun 20, 2004 at 12:33:34PM -0600, Bob Proulx wrote:
> Should I be able to extract the key somehow in a compatible format?

I think ssh-keygen from OpenSSH can convert the public key to its preferred format. Try ssh-keygen -i, and/or see the man page.

//Peter
From: bob at proulx.com (Bob Proulx)
Date: Sun, 20 Jun 2004 16:31:54 -0600
Subject: F-Secure SSH / OpenSSH pubkey compatibilty?
In-Reply-To: <20040620195610.GA27902@foo.birdnet.se>
References: <20040620183334.GA16478@misery.proulx.com> <20040620195610.GA27902@foo.birdnet.se>
Message-ID: <20040620223154.GA22877@misery.proulx.com>

Peter Stuge wrote:
> Bob Proulx wrote:
> > Should I be able to extract the key somehow in a compatible format?
>
> I think ssh-keygen from OpenSSH can convert the public key to its
> preferred format. Try ssh-keygen -i, and/or see the man page.

Excellent! I can now see the man page says:

  -i   This option will read an unencrypted private (or public) key file
       in SSH2-compatible format and print an OpenSSH compatible private
       (or public) key to stdout.  ssh-keygen also reads the `SECSH
       Public Key File Format'.  This option allows importing keys from
       several commercial SSH implementations.

One thing about openssh's behavior slightly confuses me. I tried the reverse path since I have openssh on my machines.

  ssh-keygen -e
  Enter file in which the key is (/home/bob/.ssh/id_rsa):

I want to convert the id_rsa.pub file and not the id_rsa file. But experimenting shows that it does not matter which file I specify. So I assume it internally converts from the private key to the public key and exports the public key. I am assuming so. Which seems strange that it prompts for the private key in that case. It would be less confusing if it prompted for the public key. This is just a general wishlist type of comment.

I think I am off and running fine. I should be able to make things work with this information. Thank you very much for the pointer!

Bob
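For the conversion Bob describes, ssh-keygen -i is the tool to use; the Python below is an added example, not ssh-keygen's code, that shows what that conversion actually does so the original failure is understandable. The SECSH / RFC 4716 file and the OpenSSH authorized_keys line carry the same base64 blob (the SSH wire encoding of the public key), so the work is parsing the "---- BEGIN SSH2 PUBLIC KEY ----" envelope, its "Name: value" headers with backslash continuation lines, and re-emitting one line whose type string is read out of the blob rather than guessed. The RSA key it builds for the demonstration uses a toy modulus and is not a usable key; a real .pub2 file from F-Secure would be passed to to_openssh() as text.

```python
"""Added example (not ssh-keygen's code): convert a SECSH / RFC 4716 public
key file, the format commercial SSH2 products such as F-Secure SSH write, into
an OpenSSH authorized_keys line.  Both formats carry the same base64 SSH
wire-format blob; only the envelope differs.  The RSA key built for the
demonstration uses a toy modulus and is not a usable key.
"""
import base64
import struct
from typing import Dict, Tuple

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's complement big-endian; the extra byte keeps a
    leading zero whenever the top bit would otherwise be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an RSA public key: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """Write the RFC 4716 envelope: headers, then base64 wrapped at 70 columns."""
    body = base64.b64encode(blob).decode()
    lines = [BEGIN]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [body[i:i + 70] for i in range(0, len(body), 70)]
    lines.append(END)
    return "\n".join(lines) + "\n"


def parse_rfc4716(text: str) -> Tuple[Dict[str, str], bytes]:
    """Return ({lowercased header name: value}, key blob).  A header line
    ending in a backslash continues on the next line (RFC 4716 section 3.3)."""
    lines = [l.rstrip("\r") for l in text.splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    headers: Dict[str, str] = {}
    body = []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if not body and ":" in line:            # base64 never contains ':'
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                value = value[:-1] + lines[i]
            headers[name.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    return headers, base64.b64decode("".join(body), validate=True)


def key_type(blob: bytes) -> str:
    """The algorithm name is the first SSH string of every public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def to_openssh(text: str) -> str:
    """One authorized_keys line: '<type> <base64 blob> [comment]'."""
    headers, blob = parse_rfc4716(text)
    line = f"{key_type(blob)} {base64.b64encode(blob).decode()}"
    return f"{line} {headers.get('comment', '')}".rstrip()


def demo() -> Tuple[str, str]:
    """Round-trip a toy key: (RFC 4716 text, resulting OpenSSH line)."""
    rfc = to_rfc4716(rsa_blob(65537, 3233), "bob@rh71")
    return rfc, to_openssh(rfc)


def continuation_sample() -> str:
    """Constructed file whose Comment header spans two physical lines."""
    body = base64.b64encode(rsa_blob(65537, 3233)).decode()
    return "\n".join([BEGIN, 'Comment: "key for the \\', 'nightly copy job"', body, END]) + "\n"


if __name__ == "__main__":
    rfc, line = demo()
    print(rfc)
    print(line)
```

The reverse direction Bob found odd (ssh-keygen -e prompting for the private key) is consistent with this: the exporter only needs the public blob, and OpenSSH can derive that from either file, which is why the choice of file made no difference in his experiment.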
From: davidwu at nbttech.com (David Wu)
Date: Mon, 21 Jun 2004 21:11:37 -0700 (PDT)
Subject: patch: openssh empty password fail with pam/sshv1
Message-ID: <20040621200450.P53526@shattuck.nbttech.com>

Hi,

We've encountered a bug with OpenSSH 3.8.1p1 on Linux. With an account that has an empty password and with PAM and Privilege Separation turned on through the SSH1 protocol, the login fails with:

  fatal: mm_request_receive_expect: read: rtype 24 != type 46

I believe the problem is a missing do_pam_account() call. The patch below to auth1.c fixes the problem. If this is correct, can someone please commit this?

Thanks,
Dave.

--- auth1.c 19 Jun 2004 00:51:06 -0000 1.1 +++ auth1.c 22 Jun 2004 04:07:38 -0000 1.5 @@ -81,8 +81,13 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { - auth_log(authctxt, 1, "without authentication", ""); - return; +#ifdef USE_PAM + if (options.use_pam && (PRIVSEP(do_pam_account()))) +#endif + { + auth_log(authctxt, 1, "without authentication", ""); + return; + } } /* Indicate that authentication is needed. */
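Review bot: the new condition `if (options.use_pam && (PRIVSEP(do_pam_account())))` in the auth1.c hunk removes the `auth_log(...); return;` path entirely when sshd is built with USE_PAM but running with UsePAM disabled: `options.use_pam` is false, the braced block is skipped, and an empty-password account no longer gets the early accept that the unpatched code gave it after `PRIVSEP(auth_password(authctxt, ""))` succeeded. If the intent is only to satisfy the monitor's expectation of a do_pam_account call when PAM is actually in use, the test should read `!options.use_pam || PRIVSEP(do_pam_account())`, so the non-PAM build configuration keeps its previous behaviour while the PAM path still runs the account check before logging success.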
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 22 Jun 2004 18:27:20 +1000
Subject: patch: openssh empty password fail with pam/sshv1
In-Reply-To: <20040621200450.P53526@shattuck.nbttech.com>
References: <20040621200450.P53526@shattuck.nbttech.com>
Message-ID: <40D7ED68.5060308@zip.com.au>

David Wu wrote:
> We've encountered a bug with OpenSSH 3.8.1p1 on Linux. With an account
> that has an empty password and with PAM and Privilege Separation turned
> on through the SSH1 protocol, the login fails with:
>
> fatal: mm_request_receive_expect: read: rtype 24 != type 46
>
> I believe the problem is a missing do_pam_account() call. The patch below
> to auth1.c fixes the problem. If this is correct, can someone please
> commit this?

Thanks, I can reproduce the problem and confirm that the patch fixes it. The patch looks OK too.

For those playing along at home, if it's not obvious why this is needed (it wasn't to me :-) it's because when PAM is enabled, the monitor (in monitor_child_preauth) expects a monitor call for do_pam_account immediately after the authentication succeeds, and will blow up as described above if it doesn't get it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: fabio at hostname.org (Fabio Yasusi Yamamoto)
Date: Tue, 22 Jun 2004 15:38:26 -0300
Subject: Tcp listen limit.
Message-ID: <40D87CA2.8060401@hostname.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks.

Please, someone confirm if I'm right. If I'm wrong, please forgive me.

- --------------------------------------------------------------------------------------------------------------
I've developed a little tool to stress test tcp connections (sending SYN and answering the SYN-ACK) that simulates a real tcp connection. ( http://www.hostname.org/fake_connect )

And I notice that several programs have a little tcp (listen backlog?) limit.

One of these programs was OpenSSH. With this I can cause a temporary DoS on SSHd, preventing any user from logging on. (Sometimes the real connection is closed, sometimes it doesn't respond at all (there is no SYN-ACK).)

My target platforms were LINUX and FreeBSD.

- -
Here is my question:
~ Is it possible in the configuration to increase the connection limit / listen backlog?
~ Why is it not by default?
- -

- -----------------------------------------
Before:
- -----------------------------------------
bash-2.05b# telnet 10.30.0.1 22
Trying 10.30.0.1...
Connected to 10.30.0.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.7.1p2

After
- -----------------------------------------

bash-2.05b# telnet 10.30.0.1 22
Trying 10.30.0.1...
Connected to 10.30.0.1.
Escape character is '^]'.
Connection closed by foreign host.

On a massive stress:
bash-2.05b# telnet 10.30.0.1 22
Trying 10.30.0.1...
- -----------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA2HyiJvNzrIPyS/wRAr3aAJ4kQVkWfuZCTdI7AZGX5obKlRcUPgCeIARt
p1Dag/O05RRwi84kCte+u/c=
=mvK3
-----END PGP SIGNATURE-----
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 22 Jun 2004 13:58:29 -0500 (CDT)
Subject: Tcp listen limit.
In-Reply-To: <40D87CA2.8060401@hostname.org>

I would check out:

  man sshd_config
  [..]
  MaxStartups
          Specifies the maximum number of concurrent unauthenticated
          connections to the sshd daemon.  Additional connections will be
          dropped until authentication succeeds or the LoginGraceTime
          expires for a connection.  The default is 10.

          Alternatively, random early drop can be enabled by specifying
          the three colon separated values ``start:rate:full'' (e.g.,
          "10:30:60").  sshd will refuse connection attempts with a
          probability of ``rate/100'' (30%) if there are currently
          ``start'' (10) unauthenticated connections.  The probability
          increases linearly and all connection attempts are refused if
          the number of unauthenticated connections reaches ``full'' (60).

And see if that leads you to your answer.

I remember a listen backlog modification, but I can't remember if it was 3.7.x or 3.8.x in which that came into effect. However, I suspect you are going to run into this before the backlog on 3.7.x.

- Ben

On Tue, 22 Jun 2004, Fabio Yasusi Yamamoto wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks.
>
> Please, someone confirm if I'm right. If I'm wrong, please forgive me.
>
> - --------------------------------------------------------------------------------------------------------------
> I've developed a little tool to stress test tcp connections (sending
> SYN and answering the SYN-ACK) that simulates a real tcp connection. (
> http://www.hostname.org/fake_connect )
>
> And I notice that several programs have a little tcp (listen
> backlog?) limit.
>
> One of these programs was OpenSSH. With this I can cause a temporary
> DoS on SSHd, preventing any user from logging on. (Sometimes the real
> connection is closed, sometimes it doesn't respond at all (there
> is no SYN-ACK).)
>
> My target platforms were LINUX and FreeBSD.
>
> - -
> Here is my question:
> ~ Is it possible in the configuration to increase the connection
> limit / listen backlog?
> ~ Why is it not by default?
> - -
>
> - -----------------------------------------
> Before:
> - -----------------------------------------
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> Connected to 10.30.0.1.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.7.1p2
>
> After
> - -----------------------------------------
>
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> Connected to 10.30.0.1.
> Escape character is '^]'.
> Connection closed by foreign host.
>
>
> On a massive stress:
> bash-2.05b# telnet 10.30.0.1 22
> Trying 10.30.0.1...
> - -----------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFA2HyiJvNzrIPyS/wRAr3aAJ4kQVkWfuZCTdI7AZGX5obKlRcUPgCeIARt
> p1Dag/O05RRwi84kCte+u/c=
> =mvK3
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
From: djm at mindrot.org (Damien Miller)
Date: Tue, 22 Jun 2004 13:09:48 -0600
Subject: Tcp listen limit.
In-Reply-To: <40D87CA2.8060401@hostname.org>
References: <40D87CA2.8060401@hostname.org>
Message-ID: <40D883FC.6090801@mindrot.org>

Fabio Yasusi Yamamoto wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks.
>
> Please, someone confirm if I'm right. If I'm wrong, please forgive me.
>
> - --------------------------------------------------------------------------------------------------------------
> I've developed a little tool to stress test tcp connections (sending
> SYN and answering the SYN-ACK) that simulates a real tcp connection. (
> http://www.hostname.org/fake_connect )
>
> And I notice that several programs have a little tcp (listen
> backlog?) limit.
>
> One of these programs was OpenSSH. With this I can cause a temporary
> DoS on SSHd, preventing any user from logging on. (Sometimes the real
> connection is closed, sometimes it doesn't respond at all (there
> is no SYN-ACK).)
>
> My target platforms were LINUX and FreeBSD.
>
> - -
> Here is my question:
> ~ Is it possible in the configuration to increase the connection
> limit / listen backlog?

See the MaxStartups config parameter and the SSH_LISTEN_BACKLOG limit in ssh.h

-d
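To make the MaxStartups rule Ben quotes concrete, here is an added Python model of it (not sshd's code; sshd.c is the reference implementation and this follows only the man page wording): parse the "start:rate:full" value, compute the refusal probability as a function of the current number of unauthenticated connections, and run a flood of the kind Fabio describes through it to see how many half-open connections are admitted before everything else is refused. SSH_LISTEN_BACKLOG, which Damien points to, is a separate compile-time constant for the kernel accept queue and is not modelled here.

```python
"""Added example (not sshd's code): a model of the MaxStartups
"start:rate:full" random early drop rule as the sshd_config man page
states it.  sshd.c is the reference implementation; this is for reasoning
about the setting, not a replacement for it.
"""
import random
from typing import Optional, Tuple


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """'10' -> (10, 100, 10): hard cut-off at 10.  '10:30:60' -> (10, 30, 60)."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(unauth: int, start: int, rate: int, full: int) -> int:
    """Percent chance that one more unauthenticated connection is refused
    when `unauth` are already pending: 0 below `start`, `rate` at `start`,
    rising linearly to 100 at `full` and staying there."""
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)


def should_drop(unauth: int, setting: str, rng: Optional[random.Random] = None) -> bool:
    """Roll the dice for one incoming connection under `setting`."""
    start, rate, full = parse_max_startups(setting)
    rng = rng or random.Random()
    return rng.randrange(100) < drop_probability(unauth, start, rate, full)


def simulate_flood(attempts: int, setting: str, seed: int = 0) -> Tuple[int, int]:
    """An attacker opens `attempts` connections and never authenticates (the
    fake_connect scenario); nothing completes, so pending only grows.
    Returns (admitted, refused).  Admitted never exceeds `full`: that is
    how many sockets the attacker must hold open to keep everyone else
    refused until LoginGraceTime frees slots."""
    rng = random.Random(seed)
    admitted = refused = 0
    for _ in range(attempts):
        if should_drop(admitted, setting, rng):
            refused += 1
        else:
            admitted += 1
    return admitted, refused


if __name__ == "__main__":
    for n in (5, 10, 20, 35, 50, 60):
        print(f"{n:3d} pending -> refuse {drop_probability(n, 10, 30, 60):3d}%")
    print("flood of 200 against '10':      ", simulate_flood(200, "10"))
    print("flood of 200 against '10:30:60':", simulate_flood(200, "10:30:60"))
```

The model shows why raising the bare number alone is a weak answer to Fabio's test: whatever `full` is, an attacker who can hold that many pre-auth connections open still locks everyone else out until LoginGraceTime expires them, so the random early drop range and a short LoginGraceTime matter as much as the ceiling.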
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 23 Jun 2004 09:20:06 +1000
Subject: patch: openssh empty password fail with pam/sshv1
In-Reply-To: <20040621200450.P53526@shattuck.nbttech.com>
References: <20040621200450.P53526@shattuck.nbttech.com>
Message-ID: <40D8BEA6.7050804@zip.com.au>

David Wu wrote:
> We've encountered a bug with OpenSSH 3.8.1p1 on Linux. With an account
> that has an empty password and with PAM and Privilege Separation turned
> on through the SSH1 protocol, the login fails with:
>
> fatal: mm_request_receive_expect: read: rtype 24 != type 46
>
> I believe the problem is a missing do_pam_account() call. The patch below
> to auth1.c fixes the problem. If this is correct, can someone please
> commit this?

Applied to both 3.8.1 branch and HEAD. Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: jtlayton at poochiereds.net (Jeff Layton)
Date: Wed, 23 Jun 2004 08:34:30 -0400
Subject: [PATCH] make pam service a settable option
Message-ID: <1087994070.2253.22.camel@localhost>

This patch adds a config file option 'PAMService' that sets the PAM service sshd will use. It should leave the current behavior unchanged if PAMService is not set in the config file (i.e. use __progname for the service or SSHD_PAM_SERVICE if it's set at compile time). The patch is against the current portability release in CVS.

Why would you want something like this? I have a machine at work that I use as an SSH bastion. It runs a "normal" ssh daemon that allows root logins, etc that I use for management, and a second ssh daemon on a different port (that the firewall forwards to) that uses a one time password auth scheme, and doesn't allow root logins. It would be very nice to be able to have them use different PAM module stacks without having to have a separate binary.

One final note -- C programming is not my forte, so please look at this critically and let me know if anything should be changed. If you accept this for inclusion, I'll make the manpage updates as well.

Thanks!
-- 
Jeff Layton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh_pam_service.patch
Type: text/x-patch
Size: 4350 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040623/e0334395/attachment.bin
From: jtlayton at poochiereds.net (Jeff Layton)
Date: Wed, 23 Jun 2004 08:54:43 -0400
Subject: [PATCH] make pam service a settable option
Message-ID: <1087995283.14261.1.camel@localhost>

Apologies if this goes through twice, but it looked like it didn't go the first time I sent it...

This patch adds a config file option 'PAMService' that sets the PAM service sshd will use. It should leave the current behavior unchanged if PAMService is not set in the config file (i.e. use __progname for the service or SSHD_PAM_SERVICE if it's set at compile time). The patch is against the current portability release in CVS.

Why would you want something like this? I have a machine at work that I use as an SSH bastion. It runs a "normal" ssh daemon that allows root logins, etc that I use for management, and a second ssh daemon on a different port (that the firewall forwards to) that uses a one time password auth scheme, and doesn't allow root logins. It would be very nice to be able to have them use different PAM module stacks without having to have a separate binary.

One final note -- C programming is not my forte, so please look at this critically and let me know if anything should be changed. If you accept this for inclusion, I'll make the manpage updates as well.

Thanks!
-- 
Jeff Layton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh_pam_service.patch
Type: text/x-patch
Size: 4350 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040623/52983010/attachment.bin
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 23 Jun 2004 23:27:27 +1000
Subject: [PATCH] make pam service a settable option
In-Reply-To: <1087995283.14261.1.camel@localhost>
References: <1087995283.14261.1.camel@localhost>
Message-ID: <40D9853F.6020207@zip.com.au>

Jeff Layton wrote:
> This patch adds a config file option 'PAMService' that sets the PAM
> service sshd will use. It should leave the current behavior unchanged if
> PAMService is not set in the config file (i.e. use __progname for the
> service or SSHD_PAM_SERVICE if it's set at compile time). The patch is
> against the current portability release in CVS.

It's unlikely to be accepted, we try to keep the differences between OpenBSD's OpenSSH and Portable to a minimum. This includes Portable-specific options.

Also, it's unnecessary. To use different PAM stacks/services with the same PAM-enabled binary, all you need to do is "ln -s sshd othersshd".

[...]
> One final note -- C programming is not my forte, so please look at this
> critically and let me know if anything should be changed. If you accept
> this for inclusion, I'll make the manpage updates as well.

FWIW the patch itself seems reasonably well done.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: flavien at lebarbe.net (Flavien Lebarbe)
Date: Wed, 23 Jun 2004 15:31:35 +0200
Subject: [PATCH] make pam service a settable option
In-Reply-To: <1087994070.2253.22.camel@localhost>
References: <1087994070.2253.22.camel@localhost>
Message-ID: <20040623133135.GA5295@lebarbe.net>

> This patch adds a config file option 'PAMService' that sets the PAM
> service sshd will use.

You don't need that option.

  ln -s sshd /usr/sbin/sshd_remote

sshd will identify itself as _progname, which will be "sshd_remote".

PS: I already submitted such a patch some time ago, and another person the same one some time later. I suggest it should be documented. Documentation could state something along the lines of:

  The PAM service name used by sshd to identify itself is derived from the
  name of the program. It is possible to start sshd through a link that is
  named differently, so that the PAM service name is different (for example
  to have different PAM policies for different instances of sshd running on
  the same machine).

Flavien.

From: jtlayton at poochiereds.net (Jeff Layton)
Date: Wed, 23 Jun 2004 09:50:29 -0400
Subject: [PATCH] make pam service a settable option
In-Reply-To: <20040623133135.GA5295@lebarbe.net>
References: <1087994070.2253.22.camel@localhost> <20040623133135.GA5295@lebarbe.net>
Message-ID: <1087998629.14261.26.camel@localhost>

On Wed, 2004-06-23 at 09:31, Flavien Lebarbe wrote:
> > This patch adds a config file option 'PAMService' that sets the PAM
> > service sshd will use.
>
> You don't need that option.
>
> ln -s sshd /usr/sbin/sshd_remote
>
> sshd will identify itself as _progname, which will be "sshd_remote".
>

This won't work if you're using a version where SSHD_PAM_SERVICE is defined at compile-time. I think it worthy of being able to set at runtime regardless of how it was compiled, but I'll understand if others do not.

-- 
Jeff Layton
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 23 Jun 2004 09:19:45 -0500 (CDT)
Subject: [PATCH] make pam service a settable option
In-Reply-To: <1087998629.14261.26.camel@localhost>

On Wed, 23 Jun 2004, Jeff Layton wrote:

> On Wed, 2004-06-23 at 09:31, Flavien Lebarbe wrote:
> > > This patch adds a config file option 'PAMService' that sets the PAM
> > > service sshd will use.
> >
> > You don't need that option.
> >
> > ln -s sshd /usr/sbin/sshd_remote
> >
> > sshd will identify itself as _progname, which will be "sshd_remote".
> >
>
> This won't work if you're using a version where SSHD_PAM_SERVICE is
> defined at compile-time. I think it worthy of being able to set at

Then don't set it at compile-time. =) Why make things more complex than they need to be? The compile-time option is there for those who want the service name to be the same no matter what the binary is called.

- Ben

From: jtlayton at poochiereds.net (Jeff Layton)
Date: Wed, 23 Jun 2004 10:22:36 -0400
Subject: [PATCH] make pam service a settable option
In-Reply-To: <40D98EC2.2020207@zip.com.au>
References: <1087995283.14261.1.camel@localhost> <40D9853F.6020207@zip.com.au> <1087998319.14261.19.camel@localhost> <40D98EC2.2020207@zip.com.au>
Message-ID: <1088000556.14261.36.camel@localhost>

On Wed, 2004-06-23 at 10:08, Darren Tucker wrote:
> Then you need to take that up with Debian (although if they've changed
> it from the default then they probably have a policy about that).

Roger that. I filed a bug report with the debian BTS and posted a message to the debian-ssh mailing list to see if I can get an explanation of why they're doing this.

Thanks!
-- 
Jeff Layton
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Wed, 23 Jun 2004 17:12:49 +0300
Subject: [PATCH] make pam service a settable option
In-Reply-To: <1087998629.14261.26.camel@localhost>
References: <1087994070.2253.22.camel@localhost> <20040623133135.GA5295@lebarbe.net> <1087998629.14261.26.camel@localhost>
Message-ID: <40D98FE1.5050506@roumenpetrov.info>

Jeff Layton wrote:
> On Wed, 2004-06-23 at 09:31, Flavien Lebarbe wrote:
> > > This patch adds a config file option 'PAMService' that sets the PAM
> > > service sshd will use.
> >
> > You don't need that option.
> >
> > ln -s sshd /usr/sbin/sshd_remote
> >
> > sshd will identify itself as _progname, which will be "sshd_remote".
> >
>
> This won't work if you're using a version where SSHD_PAM_SERVICE is
> defined at compile-time. I think it worthy of being able to set at
> runtime regardless of how it was compiled, but I'll understand if others
> do not.

What about code in auth-pam.h like the following lines:

  #ifdef SSHD_PAM_SERVICE
  # undef SSHD_PAM_SERVICE
  #endif
  #define SSHD_PAM_SERVICE __progname
From scottra at wrq.com Sat Jun 26 02:45:09 2004
From: scottra at wrq.com (Scott Rankin)
Date: Fri, 25 Jun 2004 09:45:09 -0700
Subject: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS
Message-ID: <1A6B6A5A3597C340BB63728001DC7879F3BCD8@kodos.na.wrq.com>

Darren,

> -----Original Message-----
> From: Darren Tucker [mailto:dtucker at zip.com.au]
> Sent: Thursday, June 17, 2004 11:08 PM
> To: Scott Rankin
> Subject: Re: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and 3.1.0
> F-SECURE SSH - Process Software SSH for OpenVMS
>
> Scott Rankin wrote:
> >>That will depend on which versions exhibit the problems. Is it
> >>specific to the VMS implementation? Can the vendor tell you?
> >
> > I have contacted Process Software to find out which versions exhibit
> > this behavior. I have no idea whether or not it is specific to VMS. I
> > assumed so since it looks like that is all Process Software does. I
> > unfortunately don't have access to an F-Secure server on UNIX.
> > Actually, this VMS system is a customer so it's not even mine...
>
> In the past I've gotten eval copies of other commercial SSH
> implementations for evaluation (ie interop testing under the terms of
> their evaluation license). I checked but F-Secure's is not readily
> available and I won't jump through hoops to help debug someone else's
> commercial software.
>
> If you get a good idea of which versions exhibit the problem, we should
> be able to add the workaround.

Here is a reply I received from Process Software related to this issue.

"
Hi Scott,

I just received this information from our engineer here.

"I wouldn't be surprised if the 3.2.0 code base makes it "work". I think
the SSHUCX V2 probably fixes what he's seeing."

Here are the answers to your original questions:

1. Is this a known bug? Is there a patch?

No to both questions above.

2. Do you know the versions of F-SECURE SSH - Process Software SSH for
OpenVMS that are affected?

We believe that the problem is fixed with Version 2 for both.
"

I'm not sure what "both" they are referring to and they didn't reply when
I asked. I pasted the latest incantation of this patch below.
I don't know how to determine how many prior versions they (Process) have for OpenVMS (another question I asked but didn't receive a reply to) or which of these exhibit this bug (other than this 3.1.0). I would guess this string may need to specifically include OpenVMS but I'm not certain? > > -- [trim signature] Cheers, scott Index: compat.c =================================================================== RCS file: /cvs/openssh/compat.c,v retrieving revision 1.70 diff -d -u -r1.70 compat.c --- compat.c 3 Nov 2003 09:09:03 -0000 1.70 +++ compat.c 22 Jun 2004 22:22:40 -0000 @@ -134,6 +134,8 @@ "1.2.22*", SSH_BUG_IGNOREMSG }, { "1.3.2*", /* F-Secure */ SSH_BUG_IGNOREMSG }, + { "3.1.0 F-SECURE*",/* Process Software SSH for OpenVMS */ + SSH_BUG_PWDCHGREQ }, { "*SSH Compatible Server*", /* Netscreen */ SSH_BUG_PASSWORDPAD }, { "*OSU_0*," Index: compat.h =================================================================== RCS file: /cvs/openssh/compat.h,v retrieving revision 1.35 diff -d -u -r1.35 compat.h --- compat.h 3 Nov 2003 09:09:03 -0000 1.35 +++ compat.h 22 Jun 2004 22:22:40 -0000 @@ -55,6 +55,7 @@ #define SSH_BUG_EXTEOF 0x00200000 #define SSH_BUG_PROBE 0x00400000 #define SSH_BUG_FIRSTKEX 0x00800000 +#define SSH_BUG_PWDCHGREQ 0x01000000 void enable_compat13(void); void enable_compat20(void); Index: sshconnect2.c =================================================================== RCS file: /cvs/openssh/sshconnect2.c,v retrieving revision 1.127 diff -d -u -r1.127 sshconnect2.c --- sshconnect2.c 15 Jun 2004 00:30:09 -0000 1.127 +++ sshconnect2.c 22 Jun 2004 22:22:43 -0000 
@@ -767,11 +767,13 @@ "no authentication context"); info = packet_get_string(NULL); - lang = packet_get_string(NULL); + if (!(datafellows & SSH_BUG_PWDCHGREQ)) { + lang = packet_get_string(NULL); + xfree(lang); + } if (strlen(info) > 0) logit("%s", info); xfree(info); - xfree(lang); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); From nraju at siemens-emis.com Sat Jun 26 02:56:52 2004 
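Review bot: the new pattern "3.1.0 F-SECURE*" in the compat.c hunk matches every server whose version string starts with 3.1.0 F-SECURE, not only the Process Software OpenVMS port, and the message above says it is still unknown whether F-Secure's own 3.1.0 servers on other platforms omit the language tag; for a conformant server the flag would leave the language-tag string unread in the packet. Consider narrowing the pattern to the longer string this server actually sends (the subject line shows it contains "Process Software SSH for OpenVMS") until the vendor confirms the scope, and add a space before the trailing comment so the entry matches the neighbouring ones.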
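Review bot: the sshconnect2.c hunk skips the language-tag read silently when SSH_BUG_PWDCHGREQ is set; a debug() line at that point, e.g. "skipping language tag for buggy server", would make the workaround visible in ssh -v output when an interop problem is being diagnosed. With the read now inside the conditional, `lang` is only assigned and freed within that block, so its declaration can move into the block to keep its scope tight.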
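To make the patch's behaviour concrete, here is an added example that is not OpenSSH's code: a minimal compat table matched with fnmatch(3) in place of OpenSSH's own match_pattern(), and a bounds-checked parser for the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ payload that skips the language tag only when SSH_BUG_PWDCHGREQ is set. The flag values, the sample version string and the packets are constructed; the parser also rejects trailing bytes, which the patch does not.

```c
#include <fnmatch.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed flag values; OpenSSH's real datafellows bits live in compat.h. */
#define SSH_BUG_PASSWORDPAD 0x00000001u
#define SSH_BUG_PWDCHGREQ   0x00000002u

/* Version-string patterns in the style of OpenSSH's compat.c table. */
static const struct { const char *pat; unsigned flags; } compat[] = {
    { "3.1.0 F-SECURE*",         SSH_BUG_PWDCHGREQ },   /* Process Software SSH for OpenVMS */
    { "*SSH Compatible Server*", SSH_BUG_PASSWORDPAD }, /* Netscreen */
    { NULL, 0 }
};

/* Return the workaround bits for a remote software version string;
 * fnmatch(3) stands in for OpenSSH's own match_pattern(). */
unsigned compat_datafellows(const char *version)
{
    for (size_t i = 0; compat[i].pat != NULL; i++)
        if (fnmatch(compat[i].pat, version, 0) == 0)
            return compat[i].flags;
    return 0;
}

/* Read one SSH "string" (uint32 big-endian length + bytes), bounds-checked. */
static int get_string(const uint8_t **p, size_t *left, char **out)
{
    if (*left < 4)
        return -1;
    uint32_t n = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
                 ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4; *left -= 4;
    if (n > *left)                     /* length claims more than remains */
        return -1;
    if ((*out = malloc((size_t)n + 1)) == NULL)
        return -1;
    memcpy(*out, *p, n);
    (*out)[n] = '\0';
    *p += n; *left -= n;
    return 0;
}

struct chgreq { char *prompt; char *lang; };

void free_changereq(struct chgreq *r)
{
    free(r->prompt);
    free(r->lang);
    r->prompt = r->lang = NULL;
}

/* Parse the payload after the SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ byte:
 * string prompt, string language-tag.  With SSH_BUG_PWDCHGREQ set the
 * language tag is not read, as in the patch.  Unlike the patch, every
 * byte must be consumed, so a mis-flagged server is rejected instead of
 * leaving unread bytes in the packet. */
int parse_passwd_changereq(const uint8_t *buf, size_t len,
                           unsigned datafellows, struct chgreq *r)
{
    const uint8_t *p = buf;
    size_t left = len;

    r->prompt = r->lang = NULL;
    if (get_string(&p, &left, &r->prompt) != 0)
        return -1;
    if (!(datafellows & SSH_BUG_PWDCHGREQ) &&
        get_string(&p, &left, &r->lang) != 0) {
        free_changereq(r);
        return -1;
    }
    if (left != 0) {                   /* trailing bytes: malformed or mis-flagged */
        free_changereq(r);
        return -1;
    }
    return 0;
}

/* Encode one SSH string; returns the number of bytes written. */
static size_t put_string(uint8_t *out, const char *s)
{
    uint32_t n = (uint32_t)strlen(s);
    out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    memcpy(out + 4, s, n);
    return 4 + n;
}

/* Build a constructed CHANGEREQ payload; lang == NULL omits the tag,
 * which is what the OpenVMS server in this thread appears to do. */
size_t build_changereq(uint8_t *out, const char *prompt, const char *lang)
{
    size_t n = put_string(out, prompt);
    if (lang != NULL)
        n += put_string(out + n, lang);
    return n;
}
```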
From: nraju at siemens-emis.com (Raju, Narendra)
Date: Fri, 25 Jun 2004 11:56:52 -0500
Subject: X11 application fails come up but xclock and xterm come up
Message-ID: <8A262440158002458980405B1A7E2F5C0AF3A2EE@bpkn001e.empros.com>

debug1: X11 connection requested.
debug2: fd 20 setting TCP_NODELAY
debug2: fd 20 is O_NONBLOCK
debug2: fd 20 is O_NONBLOCK
debug1: channel 3: new [X11 connection from 127.0.0.1 port 47773]
debug1: channel 3: open confirm rwindow 3000 rmax 35840
debug1: server_input_channel_req: channel 3 request exit-status reply 0
debug1: session_by_channel: unknown channel 3
debug1: dump: used 1 session 0 2001c300 channel 0 pid 80374
debug1: dump: used 0 session 0 2001c398 channel 0 pid 0
debug1: dump: used 0 session 0 2001c430 channel 0 pid 0
debug1: dump: used 0 session 0 2001c4c8 channel 0 pid 0
debug1: dump: used 0 session 0 2001c560 channel 0 pid 0
debug1: dump: used 0 session 0 2001c5f8 channel 0 pid 0
debug1: dump: used 0 session 0 2001c690 channel 0 pid 0
debug1: dump: used 0 session 0 2001c728 channel 0 pid 0
debug1: dump: used 0 session 0 2001c7c0 channel 0 pid 0
debug1: dump: used 0 session 0 2001c858 channel 0 pid 0
session_input_channel_req: no session 3 req exit-status
debug1: channel 3: rcvd close
debug1: channel 3: output open -> drain
debug1: channel 3: close_read
debug1: channel 3: input open -> closed
debug3: channel 3: will not send data after close
debug1: channel 3: obuf empty
debug1: channel 3: close_write
debug1: channel 3: output drain -> closed
debug1: channel 3: send close
debug1: channel 3: is dead
debug1: channel 3: garbage collecting
debug1: channel_free: channel 3: X11 connection from 127.0.0.1 port 47773, nchannels 5
debug3: channel_free: status: The following connections are open:\015
  #0 server-session (t4 r0 i0/0 o0/0 fd 16/15)\015
  #2 X11 connection from 127.0.0.1 port 47764 (t4 r1 i0/0 o0/0 fd 18/18)\015
  #3 X11 connection from 127.0.0.1 port 47773 (t4 r7 i3/0 o3/0 fd 20/20)\015
  #4 X11 connection from 127.0.0.1 port 47766 (t4 r3 i0/0 o0/0 fd 21/21)

xClock debug on SSH server

debug2: channel 4: rcvd adjust 3000
debug2: channel 2: rcvd adjust 3000
debug1: X11 connection requested.
debug2: fd 20 setting TCP_NODELAY
debug2: fd 20 is O_NONBLOCK
debug2: fd 20 is O_NONBLOCK
debug1: channel 3: new [X11 connection from 127.0.0.1 port 47828]
debug1: channel 3: open confirm rwindow 3000 rmax 35840
debug2: channel 2: rcvd adjust 3000

From nraju at siemens-emis.com Sat Jun 26 04:30:45 2004
From: nraju at siemens-emis.com (Raju, Narendra)
Date: Fri, 25 Jun 2004 13:30:45 -0500
Subject: X user application fails come up but xclock and xterm come up
Message-ID: <8A262440158002458980405B1A7E2F5C0AF3A2F0@bpkn001e.empros.com>

Hi,

I open a secure session with X11 forwarding. When I run any standard X
application like xterm or xclock it comes up without any error. When I
start my user X application it fails. On the user application side it
fails in the "xtOpenDisplay" system call with localhost:10.0.

On the SSH server the debug messages are:

> debug1: X11 connection requested.
> debug2: fd 20 setting TCP_NODELAY
> debug2: fd 20 is O_NONBLOCK
> debug2: fd 20 is O_NONBLOCK
> debug1: channel 3: new [X11 connection from 127.0.0.1 port 47773]
> debug1: channel 3: open confirm rwindow 3000 rmax 35840
> debug1: server_input_channel_req: channel 3 request exit-status reply 0
> debug1: session_by_channel: unknown channel 3
> debug1: dump: used 1 session 0 2001c300 channel 0 pid 80374
> debug1: dump: used 0 session 0 2001c398 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c430 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c4c8 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c560 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c5f8 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c690 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c728 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c7c0 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c858 channel 0 pid 0
> session_input_channel_req: no session 3 req exit-status
> debug1: channel 3: rcvd close
> debug1: channel 3: output open -> drain
> debug1: channel 3: close_read
> debug1: channel 3: input open -> closed
> debug3: channel 3: will not send data after close
> debug1: channel 3: obuf empty
> debug1: channel 3: close_write
> debug1: channel 3: output drain -> closed
> debug1: channel 3: send close
> debug1: channel 3: is dead
> debug1: channel 3: garbage collecting
> debug1: channel_free: channel 3: X11 connection from 127.0.0.1 port 47773, nchannels 5
> debug3: channel_free: status: The following connections are open:\015
>   #0 server-session (t4 r0 i0/0 o0/0 fd 16/15)\015
>   #2 X11 connection from 127.0.0.1 port 47764 (t4 r1 i0/0 o0/0 fd 18/18)\015
>   #3 X11 connection from 127.0.0.1 port 47773 (t4 r7 i3/0 o3/0 fd 20/20)\015
>   #4 X11 connection from 127.0.0.1 port 47766 (t4 r3 i0/0 o0/0 fd 21/21)
>
> xClock debug on SSH server
>
> debug2: channel 4: rcvd adjust 3000
> debug2: channel 2: rcvd adjust 3000
> debug1: X11 connection requested.
> debug2: fd 20 setting TCP_NODELAY
> debug2: fd 20 is O_NONBLOCK
> debug2: fd 20 is O_NONBLOCK
> debug1: channel 3: new [X11 connection from 127.0.0.1 port 47828]
> debug1: channel 3: open confirm rwindow 3000 rmax 35840
> debug2: channel 2: rcvd adjust 3000

Thank you for your help

[Raju, Narendra]

From djm at mindrot.org Sat Jun 26 04:43:01 2004
From: djm at mindrot.org (Damien Miller)
Date: Fri, 25 Jun 2004 12:43:01 -0600
Subject: X user application fails come up but xclock and xterm come up
In-Reply-To: <8A262440158002458980405B1A7E2F5C0AF3A2F0@bpkn001e.empros.com>
References: <8A262440158002458980405B1A7E2F5C0AF3A2F0@bpkn001e.empros.com>
Message-ID: <40DC7235.6090807@mindrot.org>

Raju, Narendra wrote:
> Hi ,
>
> I open secure Session with X11 forwarding. when run any standard X
> application like xterm xclock
> it comes up without any error. I start my user X application it fails. On
> User application side it fails when
> "xtOpenDisplay" system call with localhost:10.0.

Have you read: http://www.openssh.com/faq.html#3.13 ?

-d

From mouring at etoh.eviladmin.org Sat Jun 26 05:01:52 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 25 Jun 2004 14:01:52 -0500 (CDT)
Subject: X user application fails come up but xclock and xterm come up
In-Reply-To: <8A262440158002458980405B1A7E2F5C0AF3A2F0@bpkn001e.empros.com>
Message-ID:

On Fri, 25 Jun 2004, Raju, Narendra wrote:

> Hi ,
>
> I open secure Session with X11 forwarding. when run any standard X
> application like xterm xclock
> it comes up without any error. I start my user X application it fails. On
> User application side it fails when
> "xtOpenDisplay" system call with localhost:10.0.
>

One of two things may be coming into play:

1. In your sshd_config:

     X11UseLocalhost
             Specifies whether sshd should bind the X11 forwarding server
             to the loopback address or to the wildcard address.

   Which is defaulted to 'yes'

2. In your ssh_config:

     ForwardX11Trusted
             If this option is set to ``yes'' then remote X11 clients will
             have full access to the original X11 display.

   Which is defaulted to 'no'.

I suspect the former.. but the latter may soon follow.

- Ben

From acd-openssh at brillig.org Sat Jun 26 14:53:09 2004
From: acd-openssh at brillig.org (Alex)
Date: Fri, 25 Jun 2004 21:53:09 -0700 (PDT)
Subject: openssh debian bug?
Message-ID:

I spent the last couple of hours trying to figure this out. We upgraded
to sshd version OpenSSH_3.8.1p1 Debian and now "password" login no longer
works... however keyboard-interactive login still works. The result of
this is that while OpenSSH clients still function, ssh applications like
MindTerm do not.

Here is the debug dump from the login session:

Jun 25 21:47:50 m1 PAM_unix[16269]: (su) session opened for user root by acd(uid=500)
Jun 25 21:48:01 m1 PAM_unix[16271]: (cron) session opened for user root by (uid=0)
Jun 25 21:48:01 m1 PAM_unix[16271]: (cron) session closed for user root
Jun 25 21:48:26 m1 sshd[12231]: debug1: Forked child 16291.
Jun 25 21:48:26 m1 sshd[16291]: Connection from 192.168.1.1 port 3168
Jun 25 21:48:26 m1 sshd[16291]: debug1: Client protocol version 2.0; client software version MindTerm_2.4.1
Jun 25 21:48:26 m1 sshd[16291]: debug1: match: MindTerm_2.4.1 pat *MindTerm*
Jun 25 21:48:26 m1 sshd[16291]: debug1: Enabling compatibility mode for protocol 2.0
Jun 25 21:48:26 m1 sshd[16291]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-3.backports.org.1
Jun 25 21:48:31 m1 sshd[16291]: debug1: PAM: initializing for "acd"
Jun 25 21:48:31 m1 sshd[16291]: debug1: PAM: setting PAM_RHOST to "hostname.host.com"
Jun 25 21:48:31 m1 sshd[16291]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 25 21:48:31 m1 sshd[16291]: Failed none for acd from 192.168.1.1 port 3168 ssh2
Jun 25 21:48:34 m1 sshd[16291]: Failed password for acd from 192.168.1.1 port 3168 ssh2

Any advice greatly welcome!

thanks,
-Alex

From dtucker at zip.com.au Sat Jun 26 15:20:40 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 26 Jun 2004 15:20:40 +1000
Subject: openssh debian bug?
In-Reply-To:
References:
Message-ID: <40DD07A8.9060209@zip.com.au>

Alex wrote:
> I spent the last couple of hours trying to figure this out. We upgraded
> to sshd version OpenSSH_3.8.1p1 Debian and now "password" login no longer
> works... however keyboard-interactive login still works. the result of
> this is that while openSSH clients still function, ssh applications like
> MindTerm do not.

See: http://bugzilla.mindrot.org/show_bug.cgi?id=874

-- 
Darren Tucker (dtucker at zip.com.au)
From bkw at lindesign.se Sun Jun 27 00:12:11 2004
From: bkw at lindesign.se (Bachman Kharazmi)
Date: Sat, 26 Jun 2004 16:12:11 +0200 (CEST)
Subject: unexpected problem
Message-ID:

I've had a dedicated box running for ages in my LAN without any kind of
problems. Ssh has been installed and usable till tomorrow when a problem
popped up.

KERNEL: 2.6.5

No server or client settings have been changed. I can ping and nmap the
host without any kind of problems. Below I'll paste a verbose ssh try.

bkw at tellus ~ $ ssh -vvv neptune
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to neptune [192.168.1.13] port 22.
debug1: Connection established.
debug1: identity file /home/bkw/.ssh/identity type -1
debug1: identity file /home/bkw/.ssh/id_rsa type -1
debug1: identity file /home/bkw/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

I've tried to ssh to the host as different users without any luck. My big
problem is that I've no physical access to the host atm so I'm not sure
there's much more I can do about it atm than pray. I've also learnt that
setting up a terminal server with serial connections can be useful.

I'm grateful for any reply or explanation.

/bkw
(by mistake I sent this mail to the private dev list first)

############################
cellphone: +46 707 310 886
bkw at linuxmail.org
uin: #24089491
LUND - SWEDEN
############################

From bob at proulx.com Sun Jun 27 03:34:01 2004
From: bob at proulx.com (Bob Proulx)
Date: Sat, 26 Jun 2004 11:34:01 -0600
Subject: unexpected problem
In-Reply-To:
References:
Message-ID: <20040626173401.GB14659@misery.proulx.com>

Bachman Kharazmi wrote:
> I've had a dedicated box running for ages in my LAN without any kind of
> problems. Ssh has been installed and useable till tomorrow when a problem
> pop up.
> [...]
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug1: SSH2_MSG_KEXINIT sent
> Read from socket failed: Connection reset by peer

Do you have netcat available? Usually installed as either 'nc' or
'netcat' depending upon the distro. (Red Hat installs it as 'nc',
SuSE installs it as 'netcat', Debian installs it as 'nc' with a
symlink 'netcat' for compatibility.) Use control-C to break out of
the command after it has given the banner string.

  nc localhost 22
  SSH-1.99-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4

What does it say when talking to your remote box? I imagine at that
point it would say the same error message that ssh is giving. That
would indicate to me that your box is in a bad state and would need
more serious attention such as a power cycle to reboot it. If you
can't talk to it on the network then there is nothing that ssh can do
further.

Bob

From bkw at lindesign.se Sun Jun 27 07:50:06 2004
From: bkw at lindesign.se (Bachman Kharazmi)
Date: Sat, 26 Jun 2004 23:50:06 +0200 (CEST)
Subject: unexpected problem
In-Reply-To: <20040626173401.GB14659@misery.proulx.com>
References: <20040626173401.GB14659@misery.proulx.com>
Message-ID: <3065.213.204.156.192.1088286606.squirrel@213.204.156.192>

hiya, thanks for your reply.

bkw at tellus ~ $ nc neptune 22
SSH-1.99-OpenSSH_3.8.1p1
 punt!
bkw at tellus ~ $

hope this can help

/bkw

> Bob Proulx
> Bachman Kharazmi wrote:
>> I've had a dedicated box running for ages in my LAN without any kind of
>> problems. Ssh has been installed and useable till yesterday when a
>> problem
>> pop up.
>> [...]
>> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
>> debug1: SSH2_MSG_KEXINIT sent
>> Read from socket failed: Connection reset by peer
>
> Do you have netcat available? Usually installed as either 'nc' or
> 'netcat' depending upon the distro. (Red Hat installs it as 'nc',
> SuSE installs it as 'netcat', Debian installs it as 'nc' with a
> symlink 'netcat' for compatibility.) Use control-C to break out of
> the command after it has given the banner string.
>
> nc localhost 22
> SSH-1.99-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4
>
> What does it say when talking to your remote box? I imagine at that
> point it would say the same error message that ssh is giving. That
> would indicate to me that your box is in a bad state and would need
> more serious attention such as a power cycle to reboot it. If you
> can't talk to it on the network then there is nothing that ssh can do
> further.
>
> Bob
>

From jafo at tummy.com Sun Jun 27 09:00:11 2004
From: jafo at tummy.com (Sean Reifschneider)
Date: Sat, 26 Jun 2004 17:00:11 -0600
Subject: Environment variable with key ID in it?
Message-ID: <20040626230011.GF4835@tummy.com>

A couple of years ago I submitted a patch which exported the SSH public
key id to the user environment. My reasoning at the time was that I
wanted a way to set up a particular environment when I connected to an
account that was shared among several different users.

That patch was never accepted, I don't recall if it was because you could
use the "user environment" functionality or what. However, now that the
environment= is recommended to be disabled I find I'm needing that sort
of functionality again.

So, can something be done to either fix the problems with environment= or
exporting the key id that was used for authentication? I don't see what
the issue is with exporting the public key id, and it seems less prone to
problems than, for example, the environment= stuff.

Thoughts?

Sean
-- 
 Put out fires during the daytime. Do your real work at night. Sleep is
 just an addiction.
                 -- Dieter Muller
Sean Reifschneider, Member of Technical Staff
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin

From mouring at etoh.eviladmin.org Sun Jun 27 13:05:49 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 26 Jun 2004 22:05:49 -0500 (CDT)
Subject: unexpected problem
In-Reply-To: <3065.213.204.156.192.1088286606.squirrel@213.204.156.192>
Message-ID:

On Sat, 26 Jun 2004, Bachman Kharazmi wrote:

> hiya, thanks for your reply.
>
> bkw at tellus ~ $ nc neptune 22
> SSH-1.99-OpenSSH_3.8.1p1
>  punt!
> bkw at tellus ~ $
>
> hope this can help

Erm? Where is the 'punt!' coming from? That looks pretty broken to me.

- Ben

From dtucker at zip.com.au Sun Jun 27 13:13:31 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 27 Jun 2004 13:13:31 +1000
Subject: unexpected problem
In-Reply-To:
References:
Message-ID: <40DE3B5B.4000204@zip.com.au>

Ben Lindstrom wrote:
>>bkw at tellus ~ $ nc neptune 22
>>SSH-1.99-OpenSSH_3.8.1p1
>> punt!
>>bkw at tellus ~ $
>>
>>hope this can help
>
> Erm? Where is the 'punt!' coming from? That looks pretty broken to me.

"punt!" is what old netcats print when they get an interrupt. It's
nothing to worry about.

To the original problem: unfortunately, the most useful information will
be in the server-side debugging (sshd -ddd) which doesn't help a lot if
the machine is remote and you don't have out-of-band access.

-- 
Darren Tucker (dtucker at zip.com.au)

From mouring at etoh.eviladmin.org Sun Jun 27 13:22:19 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 26 Jun 2004 22:22:19 -0500 (CDT)
Subject: unexpected problem
In-Reply-To:
Message-ID:

On Sat, 26 Jun 2004, Ben Lindstrom wrote:

>
> On Sat, 26 Jun 2004, Bachman Kharazmi wrote:
>
> > hiya, thanks for your reply.
> >
> > bkw at tellus ~ $ nc neptune 22
> > SSH-1.99-OpenSSH_3.8.1p1
> >  punt!
> > bkw at tellus ~ $
> >
> > hope this can help
>
> Erm? Where is the 'punt!' coming from? That looks pretty broken to me.
>

Nevermind.. my great teacher pointed out it was a different netcat than
I use. =)

- Ben

From wurst2 at kampfwurst.net Mon Jun 28 19:50:20 2004
From: wurst2 at kampfwurst.net (Bastian Kleineidam)
Date: Mon, 28 Jun 2004 11:50:20 +0200
Subject: is sshpam_thread() dead code?
Message-ID: <20040628095020.GA26463@treasure>

Hi,

I wondered what part sshpam_thread() (in auth-pam.c) is playing wrt. PAM
authentication. It seems to be never called from any other ssh code
(judging from CVS as of 27.6.2004).

I noticed this because the current openssh package in Debian unstable
(3.8.1p1) is not calling the pam_authenticate() function at all,
regardless of my configuration settings. In CVS this seems to be fixed
with the recently added function sshpam_auth_passwd() in auth-pam.c.

But what about sshpam_thread(), is this function unneeded now or should
it be called from somewhere?

Cheers,
  Bastian

PS: Please CC me, I am not subscribed.

-- 
Bastian Kleineidam . calvin (at) debian.org
GnuPG Schlüssel http://kampfwurst.net/gpgkey.txt

From dtucker at zip.com.au Mon Jun 28 20:32:40 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 28 Jun 2004 20:32:40 +1000
Subject: is sshpam_thread() dead code?
In-Reply-To: <20040628095020.GA26463@treasure>
References: <20040628095020.GA26463@treasure>
Message-ID: <40DFF3C8.5000609@zip.com.au>

Bastian Kleineidam wrote:
> I wondered what part sshpam_thread() (in auth-pam.c) is playing wrt. PAM
> authentication.
> It seems to be never called from any other ssh code (judging from CVS
> as of 27.6.2004).

Look for "pthread_create".

> I noticed this because the current openssh package in Debian unstable
> (3.8.1p1) is not calling the pam_authenticate() function at all,
> regardless of my configuration settings.

Try "PasswordAuthentication no", "ChallengeResponseAuthentication yes" and
"UsePam yes".

> In CVS this seems to be fixed with the recently added function
> sshpam_auth_passwd() in auth-pam.c.

3.7x and 3.8x do not support PasswordAuthentication via PAM, that was
(re)added after 3.8.1p1.

> But what about sshpam_thread(), is this function unneeded now or
> should it be called from somewhere?

It's used for the challengeresponse/keyboard-interactive authentication.

-- 
Darren Tucker (dtucker at zip.com.au)

From s_crim at msn.com Mon Jun 28 21:29:11 2004
From: s_crim at msn.com (Spencer Crim)
Date: Mon, 28 Jun 2004 07:29:11 -0400
Subject: PRNG is not seeded
Message-ID:

hi

I am using Solaris 8 and installing the 3.8 openssh software that I
received from www.sunfreeware.com. I followed the installation
instructions (see attachment) but when I get to

    ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""

I get "PRNG is not seeded". Could you help me in this matter? Thank you
for your cooperation.

Spencer Crim

From battila at battila.hu Mon Jun 28 22:12:43 2004
From: battila at battila.hu (Attila Bardi)
Date: Mon, 28 Jun 2004 14:12:43 +0200 (CEST)
Subject: PRNG is not seeded
In-Reply-To:
Message-ID:

Hello,

Solaris by default doesn't have /dev/random or /dev/urandom. You can
install a kernel patch for them, or you can use the software random
number generator which came with ssh.

On Mon, 28 Jun 2004, Spencer Crim wrote:
> hi
>
> I am using Solaris 8 and installing the 3.8 openssh software that I received
> from www.sunfreeware.com
> I followed the installation instructions (see attachment) but when I get to
> ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
> I get a "PRNG is not seeded" error. Could you help me in this matter? Thank you for
> your cooperation.
>
>
> Spencer Crim
>
>

--[battila]--[Trespassers will be shot. Survivors will be SHOT AGAIN!]--
Attila Bardi | Email: battila at battila.hu

From dtucker at zip.com.au Mon Jun 28 22:18:39 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 28 Jun 2004 22:18:39 +1000
Subject: PRNG is not seeded
In-Reply-To:
References:
Message-ID: <40E00C9F.2040405@zip.com.au>

Spencer Crim wrote:
> I am using Solaris 8 and installing the 3.8 openssh software that I
> received from www.sunfreeware.com
> I followed the installation instructions [...] I get a PRNG is not seeded

No, you probably didn't follow the instructions. Especially the part
about installing the Solaris /dev/random patch *and rebooting*.

If you have any further problem with sunfreeware's packages I suggest
you contact them.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From nraju at siemens-emis.com Tue Jun 29 05:21:59 2004
From: nraju at siemens-emis.com (Raju, Narendra)
Date: Mon, 28 Jun 2004 14:21:59 -0500
Subject: X user application fails come up but xclock and xterm come up
Message-ID: <8A262440158002458980405B1A7E2F5C0AF3A2F3@bpkn001e.empros.com>

Thank you for your response. I did set X11UseLocalhost to yes. It works
only if I log in as the "spsy" user who is the owner of the user X
application (the mode of the application is "-rwsrwsr-x"). If I log in
as another user (who has permission to execute it) I am not able to run
the X application.

Does SSH lose the effective user ID (EUID) of the login user?
I am using the Hummingbird SSH client.

Thanks
Naren

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Friday, June 25, 2004 2:02 PM
To: Raju, Narendra
Cc: 'openssh-unix-dev at mindrot.org'
Subject: RE: X user application fails come up but xclock and xterm come up

On Fri, 25 Jun 2004, Raju, Narendra wrote:
>
> Hi,
>
> I open a secure session with X11 forwarding. When I run any standard X
> application like xterm or xclock
> it comes up without any error. When I start my user X application it fails. On
> the user application side it fails in the
> "xtOpenDisplay" system call with localhost:10.0.
>

One of two things may be coming into play:

1. In your sshd_config:

   X11UseLocalhost
       Specifies whether sshd should bind the X11 forwarding server to
       the loopback address or to the wildcard address.

   Which is defaulted to 'yes'

2. In your ssh_config:

   ForwardX11Trusted
       If this option is set to ``yes'' then remote X11 clients will
       have full access to the original X11 display.

   Which is defaulted to 'no'.

I suspect the former.. but the latter may soon follow.

- Ben

>
>
> Hi,
>
> I open a secure session with X11 forwarding. When I run any standard X
> application like xterm or xclock
> it comes up without any error. When I start my user X application it fails. On
> the user application side it fails in the
> "xtOpenDisplay" system call with localhost:10.0.
>
> On the SSH server the debug messages are:
>
> debug1: X11 connection requested.
> debug2: fd 20 setting TCP_NODELAY
> debug2: fd 20 is O_NONBLOCK
> debug2: fd 20 is O_NONBLOCK
> debug1: channel 3: new [X11 connection from 127.0.0.1 port 47773]
> debug1: channel 3: open confirm rwindow 3000 rmax 35840
> debug1: server_input_channel_req: channel 3 request exit-status
> reply 0
> debug1: session_by_channel: unknown channel 3
> debug1: dump: used 1 session 0 2001c300 channel 0 pid 80374
> debug1: dump: used 0 session 0 2001c398 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c430 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c4c8 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c560 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c5f8 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c690 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c728 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c7c0 channel 0 pid 0
> debug1: dump: used 0 session 0 2001c858 channel 0 pid 0
> session_input_channel_req: no session 3 req exit-status
> debug1: channel 3: rcvd close
> debug1: channel 3: output open -> drain
> debug1: channel 3: close_read
> debug1: channel 3: input open -> closed
> debug3: channel 3: will not send data after close
> debug1: channel 3: obuf empty
> debug1: channel 3: close_write
> debug1: channel 3: output drain -> closed
> debug1: channel 3: send close
> debug1: channel 3: is dead
> debug1: channel 3: garbage collecting
> debug1: channel_free: channel 3: X11 connection from 127.0.0.1 port
> 47773, nchan
> nels 5
> debug3: channel_free: status: The following connections are
> open:\015
> #0 server-session (t4 r0 i0/0 o0/0 fd 16/15)\015
> #2 X11 connection from 127.0.0.1 port 47764 (t4 r1 i0/0 o0/0 fd
> 18/18)\015
> #3 X11 connection from 127.0.0.1 port 47773 (t4 r7 i3/0 o3/0 fd
> 20/20)\015
> #4 X11 connection from 127.0.0.1 port 47766 (t4 r3 i0/0 o0/0 fd
> 21/21)
>
>
>
>
> xClock debug on SSH server
>
> debug2: channel 4: rcvd adjust 3000
> debug2: channel 2: rcvd adjust 3000
> debug1: X11 connection requested.
> debug2: fd 20 setting TCP_NODELAY
> debug2: fd 20 is O_NONBLOCK
> debug2: fd 20 is O_NONBLOCK
> debug1: channel 3: new [X11 connection from 127.0.0.1 port 47828]
> debug1: channel 3: open confirm rwindow 3000 rmax 35840
> debug2: channel 2: rcvd adjust 3000
>
> Thank you for your help
> [Raju, Narendra]

From wurst2 at kampfwurst.net Tue Jun 29 05:42:52 2004
From: wurst2 at kampfwurst.net (Bastian Kleineidam)
Date: Mon, 28 Jun 2004 21:42:52 +0200
Subject: is sshpam_thread() dead code?
In-Reply-To: <40DFF3C8.5000609@zip.com.au>
References: <20040628095020.GA26463@treasure> <40DFF3C8.5000609@zip.com.au>
Message-ID: <20040628194252.GA15689@treasure>

Hi Darren,

thanks for the hint, overlooked the pthread stuff ;)

On Mon, Jun 28, 2004 at 08:32:40PM +1000, Darren Tucker wrote:
> >I noticed this because the current openssh package in Debian unstable
> >(3.8.1p1) is not calling the pam_authenticate() function at all,
> >regardless of my configuration settings.
>
> Try "PasswordAuthentication no", "ChallengeResponseAuthentication yes"
> and "UsePam yes".

Ok, I tried this configuration. It still does not call
pam_authenticate(), only the account management and session opening.
I attached a debug3 sshd log (when doing a "ssh calvin at localhost"),
and my sshd/pam configuration.
Can someone explain why pam_authenticate is not called here?

Cheers, Bastian

--
Bastian Kleineidam . calvin (at) debian.org
GnuPG key http://kampfwurst.net/gpgkey.txt

Well I don't have anything else planned for today, let's get drunk!
- Bender

-------------- next part --------------
[attachment: sshd_config (binary data not reproduced)]

References: <20040620183334.GA16478@misery.proulx.com> <20040620195610.GA27902@foo.birdnet.se>
Message-ID: <20040628220907.GA9601@misery.proulx.com>

Drifting off topic since this is really an F-Secure-SSH question...
I can log into OpenSSH from F-Secure-SSH using pubkeys. But I cannot
log into F-Secure-SSH from OpenSSH using pubkeys. I have scoured the
F-secure docs but can't see what is going wrong. I also can't see the
server side errors and so this is tough to debug.

I have an 'authorization' file set with 'Key id_rsa_fsecure.pub' which
is the exported OpenSSH key. Seems like it should work. I can load up a
local agent and then use pubkey to localhost and that works. So I think
permissions are okay and that pubkey is allowed.

The only diagnostics I see from the OpenSSH client are these [1].
Basically tried pubkey, sorry it did not work out, moving on.

Has anyone run into this and can lend me a clue?

Peter Stuge wrote:
> Bob Proulx wrote:
> > Should I be able to extract the key somehow in a compatible format?
>
> I think ssh-keygen from OpenSSH can convert the public key to its
> preferred format. Try ssh-keygen -i, and/or see the man page.

That worked. For the archive: for F-Secure-SSH to authenticate I also
needed an 'identification' file which pointed to the F-Secure key, with
'IdKey id_rsa_1024_a' in it pointing to the F-Secure private key. Using
that I could use pubkeys to log into OpenSSH.

Thanks!
Bob

[1] I protected my employer's data here by munging paths.

OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data $HOME/.ssh/config
debug1: Applying options for remotehostname
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Executing proxy command: exec proxy-connect -S 192.168.1.10 10.0.0.179 22
debug1: identity file $HOME/.ssh/identity type -1
debug1: identity file $HOME/.ssh/id_rsa type -1
debug1: identity file $HOME/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 2.3.1 F-SECURE SSH
debug1: match: 2.3.1 F-SECURE SSH pat 2.3.*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 187/384
debug1: bits set: 522/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '10.0.0.179' is known and matches the DSA host key.
debug1: Found key in $HOME/.ssh/known_hosts:46
debug1: bits set: 516/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key $HOME/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8093d58 hint -1
debug1: authentications that can continue: publickey,password
debug1: try privkey: $HOME/.ssh/identity
debug1: try privkey: $HOME/.ssh/id_rsa
debug1: try privkey: $HOME/.ssh/id_dsa
debug1: next auth method to try is password

From dtucker at zip.com.au Tue Jun 29 08:31:48 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 29 Jun 2004 08:31:48 +1000
Subject: is sshpam_thread() dead code?
In-Reply-To: <20040628194252.GA15689@treasure>
References: <20040628095020.GA26463@treasure> <40DFF3C8.5000609@zip.com.au> <20040628194252.GA15689@treasure>
Message-ID: <40E09C54.90405@zip.com.au>

Bastian Kleineidam wrote:
> On Mon, Jun 28, 2004 at 08:32:40PM +1000, Darren Tucker wrote:
>>Try "PasswordAuthentication no", "ChallengeResponseAuthentication yes"
>>and "UsePam yes".
>
> Ok, I tried this configuration. It still does not call
> pam_authenticate(), only the account management and session opening.
> I attached a debug3 sshd log (when doing a "ssh calvin at localhost"),
> and my sshd/pam configuration.
> Can someone explain why pam_authenticate is not called here?

Are you using public-key authentication? (there was no attached log
file, only sshd_config.gz which gzip claims is "not in gzip format").

Try "ssh -o PreferredAuthentications=keyboard-interactive yourserver"

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Tue Jun 29 08:44:32 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 29 Jun 2004 08:44:32 +1000
Subject: X user application fails come up but xclock and xterm come up
In-Reply-To: <8A262440158002458980405B1A7E2F5C0AF3A2F3@bpkn001e.empros.com>
References: <8A262440158002458980405B1A7E2F5C0AF3A2F3@bpkn001e.empros.com>
Message-ID: <40E09F50.6050805@zip.com.au>

Raju, Narendra wrote:
> Thank you for your response. I did set X11UseLocalhost to yes. It works
> only
> if I log in as the "spsy" user who is the owner of the user X application (the mode of
> the application is "
> -rwsrwsr-x"). If I log in as another user (who has permission to execute it) I am not
> able to run the X application.
>
> Does SSH lose the effective user ID (EUID) of the login user?
> I am using the Hummingbird SSH client.

Your application is setuid (and setgid), so what's probably happening is
the X11 "magic cookie" that sshd puts into .Xauthority (with the "xauth"
command) does not match what your application sends (since the uid that
the application is running under has no .Xauthority or one that doesn't
match).

Try telling your application (or rather, its X libraries) where to find
the .Xauthority file by running something like:

    XAUTHORITY=/home/yourdir/.Xauthority /path/to/yourapp

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From dtucker at zip.com.au Tue Jun 29 22:34:29 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 29 Jun 2004 22:34:29 +1000
Subject: Debian bug #236814: sshd+PAM: MOTD isn't printed when privsep=no
Message-ID: <40E161D5.4070805@zip.com.au>

Hi.

If sshd is configured to use PAM and UsePrivilegeSeparation=no or you
are logging in as root, any messages returned by PAM session modules
are not displayed to the user. (Even when the config file has
privsep=yes, logging in as root disables privsep anyway since there's
no point, so it behaves the same way as privsep=no).

I think I've figured out why: when privsep=no, do_pam_session is called
*after* display_loginmsg, so the PAM messages are stored too late to be
displayed to the user.

One option would be to move display_loginmsg later, but that would
change the message order on other platforms, so the attached patch just
adds another call after do_setusercontext (the buffer is cleared after
each, so there won't be duplicate messages).

It would also be possible to use pam_tty_conv for privsep=no if we have
a tty. This would allow a session module that needs to interact with
the user to work too, but it would require more surgery to
do_setusercontext and do_pam_session (we can do this too if there's a
need).

The patch is against -current but it looks like it will apply cleanly
to 3.8.1p1 too.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-privsep-msg.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040629/47e46b71/attachment.ksh

From nraju at siemens-emis.com Wed Jun 30 04:54:16 2004
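As an added illustration of the ordering problem Darren describes (this is not OpenSSH code and not his patch): a toy C model in which display_loginmsg() flushes and clears a loginmsg buffer, do_setusercontext() opens the PAM session afterwards on the privsep=no path, and a second display_loginmsg() call after it recovers the session message without repeating what was already shown. The function names follow the message; every body, the buffer layout and the sample messages are constructed here.

```c
/*
 * Added example, not OpenSSH code and not Darren's patch: a toy model of
 * the ordering problem described above.  The function names follow the
 * message; every body, the buffer layout and the sample messages are
 * constructed for this illustration.
 */
#include <stdio.h>
#include <string.h>

#define LOGINMSG_MAX 1024

static char loginmsg[LOGINMSG_MAX];   /* text queued for the user */
static char displayed[LOGINMSG_MAX];  /* everything the user actually saw */

/* Append text to the queue (PAM session modules, motd etc. land here). */
static void loginmsg_add(const char *text)
{
	strncat(loginmsg, text, LOGINMSG_MAX - strlen(loginmsg) - 1);
}

/* display_loginmsg(): send the queued text to the user, then clear it.
 * Because it clears, a later call shows only what was queued in
 * between, never a repeat of what was already shown. */
static void display_loginmsg(void)
{
	if (loginmsg[0] == '\0')
		return;
	strncat(displayed, loginmsg, LOGINMSG_MAX - strlen(displayed) - 1);
	loginmsg[0] = '\0';
}

/* do_pam_session(): a session module (say pam_motd) hands back a message. */
static void do_pam_session(void)
{
	loginmsg_add("PAM session: disk quota at 90% (constructed sample)\n");
}

/* do_setusercontext(): on the privsep=no path this is where the PAM
 * session is opened, i.e. after the login message was already flushed. */
static void do_setusercontext(void)
{
	do_pam_session();
	/* uid/gid switch etc. left out of the model */
}

/* Run the child-side login sequence and return what the user saw.
 * with_fix == 0: original order.  with_fix == 1: an extra
 * display_loginmsg() after do_setusercontext(), as the patch adds. */
const char *run_login(int with_fix)
{
	loginmsg[0] = '\0';
	displayed[0] = '\0';

	loginmsg_add("Last login: Tue Jun 29 22:00 (constructed sample)\n");
	display_loginmsg();     /* flushes "Last login", queue is now empty */
	do_setusercontext();    /* PAM message queued, but nobody shows it */
	if (with_fix)
		display_loginmsg(); /* picks up only the PAM message */
	return displayed;
}

/* Count occurrences of needle in haystack (used to check for duplicates). */
int times_shown(const char *haystack, const char *needle)
{
	int n = 0;
	const char *p;

	for (p = strstr(haystack, needle); p != NULL; p = strstr(p + 1, needle))
		n++;
	return n;
}

int main(void)
{
	printf("--- privsep=no, original order ---\n%s", run_login(0));
	printf("--- privsep=no, with extra display_loginmsg ---\n%s", run_login(1));
	return 0;
}
```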
From: nraju at siemens-emis.com (Raju, Narendra)
Date: Tue, 29 Jun 2004 13:54:16 -0500
Subject: X user application fails come up but xclock and xterm come up
Message-ID: <8A262440158002458980405B1A7E2F5C0AF3A2F5@bpkn001e.empros.com>

Darren,

I used the ssh client in debug mode to run the user X application and I
get the following error messages:

    "X11 connection uses different authentication protocol"
    "X11 Connection rejected because of wrong authentication"

Thanks
Naren

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Monday, June 28, 2004 5:45 PM
To: Raju, Narendra
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: X user application fails come up but xclock and xterm come up

Raju, Narendra wrote:
> Thank you for your response. I did set X11UseLocalhost to yes. It works
> only
> if I log in as the "spsy" user who is the owner of the user X application (the mode of
> the application is "
> -rwsrwsr-x"). If I log in as another user (who has permission to execute it) I am not
> able to run the X application.
>
> Does SSH lose the effective user ID (EUID) of the login user?
> I am using the Hummingbird SSH client.

Your application is setuid (and setgid), so what's probably happening is
the X11 "magic cookie" that sshd puts into .Xauthority (with the "xauth"
command) does not match what your application sends (since the uid that
the application is running under has no .Xauthority or one that doesn't
match).

Try telling your application (or rather, its X libraries) where to find
the .Xauthority file by running something like:

    XAUTHORITY=/home/yourdir/.Xauthority /path/to/yourapp

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From scottra at wrq.com Wed Jun 30 04:58:30 2004
From: scottra at wrq.com (Scott Rankin)
Date: Tue, 29 Jun 2004 11:58:30 -0700
Subject: OpenVMS SSH password expiry woes continue
Message-ID: <1A6B6A5A3597C340BB63728001DC78795A72CD@kodos.na.wrq.com>

I sent in a patch a week or so ago for a problem a customer of mine was
seeing when trying to connect to their OpenVMS system with a 3.8.1p2
OpenSSH client (running on a linux box or in cygwin) and trying to login
to an account who had an expired password.

The problem continues although now it has nothing to do with what my
patch handled as they have since upgraded their SSH software on the VMS
host to one suggested by someone on this list [1] and by Process
software. Their new server version string is,

    3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS

It looks to me like password userauthentication succeeds and then in the
terminal window we see the message,

    Your password has expired; you must set a new password to log in

    Error opening primary input file SYS$INPUT
    Insufficient privilege or file protection violation

and the connection is terminated.

I have attached a sanitized debug3 log below. I also put several
breakpoints in the code and don't seem to receive the
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ message at all. I wonder if it is
related to the combination of having a banner and trying to do the
password change?

Anyway, I have very little skills related to VMS and would appreciate
any suggestions. I naively imagine that they just need to redirect the
equivalent of stdin but like I said I have no idea what I am doing on
VMS.

I searched this mailing list archive, another at Process [2] and one at
HP [3] and found little related to this new error. On a whim I also
tried the -t switch with ssh but that didn't help.

Any suggestions greatly appreciated! Thanks in advance.
Cheers,
scott rankin

Here is the sanitized debug3 log from an OpenSSH client running in cygwin:

OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/scottra/.ssh/identity type -1
debug1: identity file /home/scottra/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/scottra/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/scottra/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
debug1: no match: 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
ijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
ijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm
ac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm
ac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes1
92-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes1
92-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 140/256
debug2: bits set: 537/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/scottra/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 15
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the DSA host key.
debug1: Found key in /home/scottra/.ssh/known_hosts:15
debug2: bits set: 516/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/scottra/.ssh/identity (0x0)
debug2: key: /home/scottra/.ssh/id_rsa (0x100e8d20)
debug2: key: /home/scottra/.ssh/id_dsa (0x100e8d38)
debug3: input_userauth_banner
Unauthorized Access is Prohibited
Use of University of Bozo computing and network facilities requires prior
authorization. Unauthorized access is prohibited. Usage is subject to
security testing and monitoring. Abuse is subject to criminal prosecution.
A complete manual of security policies and procedures is available at
http://www.bozo.edu in the Administration directory.
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/scottra/.ssh/identity
debug3: no such identity: /home/scottra/.ssh/identity
debug1: Offering public key: /home/scottra/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/scottra/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 8
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 0
debug3: tty_make_modes: 55 0
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 0
debug3: tty_make_modes: 61 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 100000 rmax 16384
Your password has expired; you must set a new password to log in
Error opening primary input file SYS$INPUT
Insufficient privilege or file protection violationdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: output open -> drain
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)
debug3: channel 0: close_fds r -1 w -1 e 6
debug2: fd 1 is not O_NONBLOCK
debug2: fd 2 is not O_NONBLOCK
Connection to xxx.xxx.xxx.xxx closed.
debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.5 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 77.6
debug1: Exit status 1

[1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108752819415570&w=2
[2] http://www.multinet.process.com/scripts/mxarchive/as_init.com?Info-ssh
[3] http://search.hp.com/gwuseng/index.html?qp=site%3Ah71000.www7.hp.com&hpr=htt
p%3A//h71000.www7.hp.com/&hpa=http%3A//h71000.www7.hp.com/cgi-bin/feedback.e
xe&hpn=Return+to+OpenVMS+systems+site&hps=OpenVMS+systems+sites&h_audience=&
h_audiencerestrict=&hpl=1&hph=&lk=1&rf=2&la=en&uf=0&hpo=hphqglobal,hphqwwesg
,hphqbcs,hphqopenvms&es=0&ep=0

From jason.mccormick at lexi.com Wed Jun 30 06:00:02 2004
From: jason.mccormick at lexi.com (Jason McCormick)
Date: Tue, 29 Jun 2004 16:00:02 -0400
Subject: OpenVMS SSH password expiry woes continue
In-Reply-To: <1A6B6A5A3597C340BB63728001DC78795A72CD@kodos.na.wrq.com>
References: <1A6B6A5A3597C340BB63728001DC78795A72CD@kodos.na.wrq.com>
Message-ID: <200406291600.02218.jason.mccormick@lexi.com>

I'm not a great expert in the draft specs for SSH; however, this is the
behavior I see from my server, except for one thing. I'm running F-SECURE
3.2.0 and whenever my password expires, I'm prompted to change it.
However, I'm curious as to why you're getting insufficient privilege for
SYS$INPUT. Your banner (I assume you're talking about the SYS$WELCOME
logical) would display after this point. You may want to look through
your login.com or the system defaults for a login that may be calling
something required for an interactive session when changing the password
isn't technically an interactive session yet. From my experience you
should log in, get prompted to change the password by the VMS
authentication subsystem, then get disconnected and have to log in again.

My theory is that VMS lacks the proper hooks to fully support the SSH
spec for dealing with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, so they're
trying to make it behave more like telnet.

If no one else on this list knows a better answer, you might want to try
Process's listservs. Hunter Goatley is an old VMS hand who was very
helpful at answering some NFS questions about a year ago for me.

-- Jason

On Tuesday 29 June 2004 14:58, Scott Rankin wrote:
> I sent in a patch a week or so ago for a problem a customer of mine
> was seeing when trying to connect to their OpenVMS system with a
> 3.8.1p2 OpenSSH client (running on a Linux box or in Cygwin) and
> trying to log in to an account that had an expired password.
>
> The problem continues although now it has nothing to do with what my
> patch handled as they have since upgraded their SSH software on the
> VMS host to one suggested by someone on this list [1] and by Process
> Software. Their new server version string is,
> 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
>
> It looks to me like password user authentication succeeds and then in
> the terminal window we see the message,
>
> Your password has expired; you must set a new password to log in
>
> Error opening primary input file SYS$INPUT
> Insufficient privilege or file protection violation
>
> and the connection is terminated.
>
> I have attached a sanitized debug3 log below. I also put several
> breakpoints in the code and don't seem to receive the
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ message at all. I wonder if it is
> related to the combination of having a banner and trying to do the
> password change?
>
> Anyway, I have very little skill related to VMS and would appreciate
> any suggestions. I naively imagine that they just need to redirect
> the equivalent of stdin but, like I said, I have no idea what I am
> doing on VMS.
>
> I searched this mailing list archive, another at Process [2] and one
> at HP [3] and found little related to this new error. On a whim I
> also tried the -t switch with ssh but that didn't help.
>
> Any suggestions greatly appreciated! Thanks in advance.
>
> Cheers,
> scott rankin
>
> Here is the sanitized debug3 log from an OpenSSH client running in
> Cygwin:
> OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
> debug1: Connection established.
> debug1: identity file /home/scottra/.ssh/identity type -1
> debug1: identity file /home/scottra/.ssh/id_rsa type 1
> debug3: Not a RSA1 key file /home/scottra/.ssh/id_dsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /home/scottra/.ssh/id_dsa type 2
> debug1: Remote protocol version 1.99, remote software version 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
> debug1: no match: 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
> debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: dh_gen_key: priv key bits set: 140/256
> debug2: bits set: 537/1024
> debug1: sending SSH2_MSG_KEXDH_INIT
> debug1: expecting SSH2_MSG_KEXDH_REPLY
> debug3: check_host_in_hostfile: filename /home/scottra/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 15
> debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the DSA host key.
> debug1: Found key in /home/scottra/.ssh/known_hosts:15
> debug2: bits set: 516/1024
> debug1: ssh_dss_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/scottra/.ssh/identity (0x0)
> debug2: key: /home/scottra/.ssh/id_rsa (0x100e8d20)
> debug2: key: /home/scottra/.ssh/id_dsa (0x100e8d38)
> debug3: input_userauth_banner
>
>
> Unauthorized Access is Prohibited
>
> Use of University of Bozo computing and network facilities
> requires prior authorization. Unauthorized access is prohibited.
> Usage is subject to security testing and monitoring. Abuse is
> subject to criminal prosecution.
> A complete manual of security policies and procedures is
> available at http://www.bozo.edu in the Administration directory.
>
>
> debug1: Authentications that can continue: publickey,password
> debug3: start over, passed a different list publickey,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/scottra/.ssh/identity
> debug3: no such identity: /home/scottra/.ssh/identity
> debug1: Offering public key: /home/scottra/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug1: Offering public key: /home/scottra/.ssh/id_dsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentication succeeded (password).
> debug2: fd 5 setting O_NONBLOCK
> debug2: fd 6 setting O_NONBLOCK
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug1: Entering interactive session.
> debug2: callback start
> debug2: ssh_session2_setup: id 0
> debug2: channel 0: request pty-req
> debug3: tty_make_modes: ospeed 38400
> debug3: tty_make_modes: ispeed 38400
> debug3: tty_make_modes: 1 3
> debug3: tty_make_modes: 2 28
> debug3: tty_make_modes: 3 8
> debug3: tty_make_modes: 4 21
> debug3: tty_make_modes: 5 4
> debug3: tty_make_modes: 6 0
> debug3: tty_make_modes: 7 0
> debug3: tty_make_modes: 8 17
> debug3: tty_make_modes: 9 19
> debug3: tty_make_modes: 10 26
> debug3: tty_make_modes: 12 18
> debug3: tty_make_modes: 13 23
> debug3: tty_make_modes: 14 22
> debug3: tty_make_modes: 18 15
> debug3: tty_make_modes: 30 0
> debug3: tty_make_modes: 31 0
> debug3: tty_make_modes: 32 0
> debug3: tty_make_modes: 33 0
> debug3: tty_make_modes: 34 0
> debug3: tty_make_modes: 35 0
> debug3: tty_make_modes: 36 1
> debug3: tty_make_modes: 37 0
> debug3: tty_make_modes: 38 1
> debug3: tty_make_modes: 39 0
> debug3: tty_make_modes: 40 0
> debug3: tty_make_modes: 41 0
> debug3: tty_make_modes: 50 1
> debug3: tty_make_modes: 51 1
> debug3: tty_make_modes: 53 1
> debug3: tty_make_modes: 54 0
> debug3: tty_make_modes: 55 0
> debug3: tty_make_modes: 56 0
> debug3: tty_make_modes: 57 0
> debug3: tty_make_modes: 58 0
> debug3: tty_make_modes: 59 1
> debug3: tty_make_modes: 60 0
> debug3: tty_make_modes: 61 0
> debug3: tty_make_modes: 70 1
> debug3: tty_make_modes: 71 0
> debug3: tty_make_modes: 72 1
> debug3: tty_make_modes: 73 0
> debug3: tty_make_modes: 74 0
> debug3: tty_make_modes: 75 0
> debug3: tty_make_modes: 90 1
> debug3: tty_make_modes: 91 1
> debug3: tty_make_modes: 92 0
> debug3: tty_make_modes: 93 0
> debug2: channel 0: request shell
> debug2: fd 3 setting TCP_NODELAY
> debug2: callback done
> debug2: channel 0: open confirm rwindow 100000 rmax 16384
>
>
> Your password has expired; you must set a new password to log in
>
>
> Error opening primary input file SYS$INPUT
> Insufficient privilege or file protection violationdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug2: channel 0: rcvd close
> debug2: channel 0: output open -> drain
> debug2: channel 0: close_read
> debug2: channel 0: input open -> closed
> debug3: channel 0: will not send data after close
> debug2: channel 0: obuf empty
> debug2: channel 0: close_write
> debug2: channel 0: output drain -> closed
> debug2: channel 0: almost dead
> debug2: channel 0: gc: notify user
> debug2: channel 0: gc: user detached
> debug2: channel 0: send close
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)
>
> debug3: channel 0: close_fds r -1 w -1 e 6
> debug2: fd 1 is not O_NONBLOCK
> debug2: fd 2 is not O_NONBLOCK
> Connection to xxx.xxx.xxx.xxx closed.
> debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.5 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 77.6
> debug1: Exit status 1
>
>
> [1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108752819415570&w=2
> [2] http://www.multinet.process.com/scripts/mxarchive/as_init.com?Info-ssh
> [3] http://search.hp.com/gwuseng/index.html?qp=site%3Ah71000.www7.hp.com&hpr=http%3A//h71000.www7.hp.com/&hpa=http%3A//h71000.www7.hp.com/cgi-bin/feedback.exe&hpn=Return+to+OpenVMS+systems+site&hps=OpenVMS+systems+sites&h_audience=&h_audiencerestrict=&hpl=1&hph=&lk=1&rf=2&la=en&uf=0&hpo=hphqglobal,hphqwwesg,hphqbcs,hphqopenvms&es=0&ep=0
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Jason McCormick
Network & Systems Administrator - Lexi-Comp, Inc.
jason.mccormick at lexi.com - 330.656.0239

From djm at mindrot.org Wed Jun 30 09:45:21 2004
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Jun 2004 09:45:21 +1000
Subject: Spam
Message-ID: <40E1FF11.3020308@mindrot.org>

Hi,

Because of the increase in spam, I'm looking to implement a
challenge/response test for non-subscribers posting to this list.

If anyone has implemented such a system using Mailman, please contact me
off-list.

-d

From darren at dazwin.com Wed Jun 30 12:16:17 2004
From: darren at dazwin.com (Darren Warner)
Date: Tue, 29 Jun 2004 19:16:17 -0700
Subject: "break"/SIGINT handling
Message-ID: <20040630021617.GA6102@hopper.home.dazwin.com>

Hi,

Could anyone tell me why break requests are only handled in sshd if the
channel type is in a 'LARVAL' state?

I'm converting an application that currently uses telnet as an underlying
communication protocol and it relies on a SIGINT when an IAC/IP is
received by the telnet daemon. It seems an SSH break could/should perform
a similar function (tcsendbreak() in session_break_req() would cause
this) but my application is started as part of the user's .profile -
i.e. after a 'shell' request and the channel type is changed to
SSH_CHANNEL_OPEN.

Is there any way I can get a signal through to my server application
from the client?

Thanks
Darren Warner

From direct_mail4653 at yahoo.co.jp Wed Jun 30 12:59:27 2004
From: direct_mail4653 at yahoo.co.jp (direct_mail)
Date: Wed, 30 Jun 2004 11:59:27 +0900
Subject: [Unsolicited advertisement] An introduction to a dating circle (translated from Japanese)
Message-ID: <1088596767.1EE0933C.direct_mail4653@yahoo.co.jp>

http://netdemeets.hp.infoseek.co.jp/

From djm at mindrot.org Wed Jun 30 13:01:09 2004
From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Jun 2004 13:01:09 +1000
Subject: "break"/SIGINT handling
In-Reply-To: <20040630021617.GA6102@hopper.home.dazwin.com>
References: <20040630021617.GA6102@hopper.home.dazwin.com>
Message-ID: <40E22CF5.3020100@mindrot.org>

Darren Warner wrote:
> Hi,
>
> Could anyone tell me why break requests are only handled in sshd if
> the channel type is in a 'LARVAL' state?

That could be a bug. Does the attached patch help?

-d
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-break.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040630/be228367/attachment.ksh
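Added example, not code from the thread or from OpenSSH: a Python parser for an ssh -vvv transcript like the one Scott quoted in the OpenVMS password-expiry exchange above. It takes both KEXINIT proposals from the kex_parse_kexinit lines and applies the RFC 4253 section 7.1 rule (the first algorithm on the client's list that the server also offers), which is how that log ended up on aes128-cbc, hmac-md5 and the DSA host key; records the authentication methods tried and the one that succeeded; notes whether the client ever received SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, which OpenSSH's client reports at debug2 under its handler name input_userauth_passwd_changereq and which is indeed absent from the quoted log; collects what the server printed after the session opened; and copes with the VMS side's last line being glued onto "debug1: client_input_channel_req" because no trailing newline was written. The sample lines are copied from the quoted log and abridged; the LEGACY pattern is this example's own policy (algorithms OpenSSH has since dropped from its defaults), not something the thread discusses.

```python
"""Summarise an ssh -vvv transcript: negotiated algorithms, auth path, server output."""
import re

# Constructed sample: lines copied from the debug3 log quoted above, abridged.
SAMPLE_LOG = """\
debug1: Remote protocol version 1.99, remote software version 3.2.0 F-SECURE SSH - Process Software SSH for OpenVMS
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug3: input_userauth_banner
Unauthorized Access is Prohibited
debug1: Next authentication method: publickey
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
debug1: Entering interactive session.
Your password has expired; you must set a new password to log in
Error opening primary input file SYS$INPUT
Insufficient privilege or file protection violationdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: Exit status 1
"""

PROPOSAL_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# This example's own policy: algorithms OpenSSH has since dropped from its defaults.
LEGACY = re.compile(r"-cbc$|^arcfour|^hmac-md5|-96$|^ssh-dss$|group1-sha1$")
KEXINIT = "debug2: kex_parse_kexinit:"

def split_glued(line):
    """Split off a debug line glued to server output that lacked a trailing newline."""
    return [p for p in re.split(r"(?=debug[123]: )", line) if p]

def negotiate(client, server):
    """RFC 4253 7.1: the first client-listed algorithm the server also offers."""
    return next((a for a in client if a in server), None)

def parse_ssh_debug(text):
    proposals, banner, output, tried = [], [], [], []
    s = {"server_version": None, "auth_ok": None, "exit_status": None,
         "passwd_change_requested": False}
    in_banner = in_session = False
    for raw in text.splitlines():
        for line in split_glued(raw.rstrip()):
            is_debug = line.startswith("debug")
            if in_banner and not is_debug:      # banner text follows its marker
                banner.append(line)
                continue
            in_banner = False
            if in_session and not is_debug:     # what the remote side printed
                output.append(line)
                continue
            if line.startswith(KEXINIT):        # ten lists per side, then two flags
                rest = line[len(KEXINIT):].strip()
                if not rest.startswith(("first_kex_follows", "reserved")):
                    proposals.append([a for a in rest.split(",") if a])
            elif m := re.search(r"remote software version (.+)$", line):
                s["server_version"] = m.group(1)
            elif line == "debug3: input_userauth_banner":
                in_banner = True
            elif m := re.match(r"debug1: Next authentication method: (\w+)", line):
                tried.append(m.group(1))
            elif m := re.match(r"debug1: Authentication succeeded \((\w+)\)", line):
                s["auth_ok"] = m.group(1)
            elif "input_userauth_passwd_changereq" in line:  # client got CHANGEREQ
                s["passwd_change_requested"] = True
            elif line == "debug1: Entering interactive session.":
                in_session = True
            elif m := re.match(r"debug1: Exit status (\d+)", line):
                s["exit_status"] = int(m.group(1))
    negotiated = {f: negotiate(c, srv) for f, c, srv      # client block, server block
                  in zip(PROPOSAL_FIELDS, proposals[:10], proposals[10:20])}
    s.update(negotiated=negotiated, auth_tried=tried, banner=banner, server_output=output,
             legacy=sorted({a for a in negotiated.values() if a and LEGACY.search(a)}))
    return s

if __name__ == "__main__":
    print(parse_ssh_debug(SAMPLE_LOG))
```

Feed a saved transcript to parse_ssh_debug and read the result the way the thread does: auth_ok set to "password" with passwd_change_requested still False, followed by the expiry text in server_output, is exactly Scott's symptom. The server accepted the password in userauth and only then raised expiry on the session channel, rather than sending the CHANGEREQ the client is waiting for.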