From waspswarm at gmail.com Fri Oct 1 01:34:20 2004 
From: waspswarm at gmail.com (scott rankin)
Date: Thu, 30 Sep 2004 08:34:20 -0700
Subject: X11 Forwarding troubles with OpenSSH client and OpenVMS host
In-Reply-To: <415BAD46.5060802@zip.com.au>
References: <489b43e204092911227fbe3f27@mail.gmail.com> <415BAD46.5060802@zip.com.au>
Message-ID: <489b43e204093008342c15870d@mail.gmail.com>

Darren et al.,

Thanks for the response. Comments inline.

On Thu, 30 Sep 2004 16:52:54 +1000, Darren Tucker wrote:
> scott rankin wrote:
> [about a problem w/ssh + OpenVMS]
> > The problem I am seeing is that when issued as a remote command over
> > X11 forwarding, I get an X Toolkit Error: Can't Open display. If I
> > just connect with X11 forwarding enabled, get an interactive shell and
> > then run the X client, it displays back.
>
> I suspect your VMS system's SSH server does not pass $DISPLAY or (its
> equivalent) to the commands run non-interactively.

I initially suspected this and should have mentioned that I tested your
suggestion below.

> Try the VMS equivalent of "ssh yourhost 'echo $DISPLAY'" ("SHOW DISPLAY"
> ?) to display the variables and compare it with the same command run in
> an interactive session.

It doesn't seem to be set in either case, which puzzles me, but then again
many things about the OpenVMS system puzzle me ;).

$ ssh -t -X BOZO at vmshost 'show display'
BOZO at vmshost's password:
%DECW-W-OPENIN, error opening DECW$DISPLAY as input
-SYSTEM-W-NOSUCHDEV, no such device available
Connection to vmshost closed.

$ ssh -t -X BOZO at vmshost
BOZO at vmshost's password:
Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3-2
SETTING PROMPT AND TERM FOR INTERACTIVE SESSION
%SET-W-NOTSET, error modifying FTA216:
-SET-I-UNKTERM, unknown terminal type
Hello BOZO
Welcome to vmshost
vmshost_[BOZO]>show display
%DECW-W-OPENIN, error opening DECW$DISPLAY as input
-SYSTEM-W-NOSUCHDEV, no such device available
vmshost_[BOZO]>

> Not much to suggest other than talking to the vendor of that software...
> -- [trim sig]

I'll let you know if I hear anything positive from HP or figure it out,
but I'm not holding my breath.

cheers,
scott

From alexakr2003 at yahoo.com Fri Oct 1 05:12:04 2004
From: alexakr2003 at yahoo.com (Alexander K.)
Date: Thu, 30 Sep 2004 12:12:04 -0700 (PDT)
Subject: A banner.
Message-ID: <20040930191204.35990.qmail@web53808.mail.yahoo.com>

Hi,

I am using OpenSSH 3.6.2. Banner printed to stderr. There are also some
errors that can be discovered only when checking stderr output (even when
sftp return status is 0). I have a script which uses sftp in batch mode to
perform some actions. When there is a banner in use, I have no way to
detect the errors correctly.

Please advise.

Alexander.

From bdc at vinc17.org Fri Oct 1 08:41:17 2004
From: bdc at vinc17.org (bdc at vinc17.org) Date: Thu, 30 Sep 2004 22:41:17 +0000 Subject: 31 In-Reply-To: <2L7724K4FEGC28EL@mindrot.org> References: <2L7724K4FEGC28EL@mindrot.org> Message-ID: New Q E M on http://dlbb.futureplan.biz/ 3D Home Architect V 6 Deluxe - 15.00 Microsoft OneNote - 50.00 Visual C++ 6.0 Professional - 70.00 Adobe Acrobat V 6.0 Professional PC - 100.00 Pinnacle Instant CD/DVD version 8 - 25.00 Adobe PageMaker plug-in PC - 25.00 Spam Killer V 5.0 & Virusscan V 8.0 - 40.00 VMware Workstation 4.5 Linux - 70.00 Norton Password Manager 2004 - 25.00 Microsoft Word 2003 - 55.00 Norton Password Manager 2004 - 25.00 Adobe Premiere V 7.0 Professional PC - 100.00 Microsoft OneNote - 50.00 Microsoft Encarta 2005 Encyclopedia DELUXE - 25.00 Adobe GoLive CS V 7.0 PC - 70.00 Maya 5.0 Mac - 150.00 Microsoft SQL Server 2005 - 95.00 Autodesk Civil Design 2004 - 80.00 Autodesk Inventor Series 7 - 130.00 Roxio Easy Media Creator 7 - 30.00 QuarkXPress 6 Mac - 110.00 Autodesk Raster Design 2005 - 100.00 Microsoft InfoPath 2003 - 40.00 Autodesk Raster Design 2005 - 100.00 Macromedia Fireworks MX 2004 - 60.00 Microsoft Windows 2000 Professional - 50.00 Corel WordPerfect Office V 12 - 80.00 Adobe Pagemaker V 7.0 PC - 80.00 Corel XMetaL Developer - 110.00 Symantec Norton Antivirus 2004 Professional - 15.00 DVD X Maker - 25.00 Utilities Mac 8.0 - 20.00 Adobe InCopy CS Mac - 60.00 From dtucker at zip.com.au Fri Oct 1 14:36:52 2004 
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 01 Oct 2004 14:36:52 +1000
Subject: A banner.
In-Reply-To: <20040930191204.35990.qmail@web53808.mail.yahoo.com>
References: <20040930191204.35990.qmail@web53808.mail.yahoo.com>
Message-ID: <415CDEE4.2000801@zip.com.au>

Alexander K. wrote:
> I am using OpenSSH 3.6.2.
> Banner printed to stderr. There are also some errors
> that can be discovered only when checking stderr output
> (even when sftp return status is 0). I have a script
> which uses sftp in batch mode to perform some
> actions. When there is a banner in use, I have no way
> to detect the errors correctly.

Newer ssh's (>= 3.8x, I think) allow suppression of the banner on the
client side with "ssh -q".

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From sbulut at taos.com Fri Oct 1 14:48:53 2004
From: sbulut at taos.com (Serdar Bulut)
Date: Thu, 30 Sep 2004 21:48:53 -0700
Subject: Contributing to OpenSSH
Message-ID: <452A0B4D994AEA48AC56B3276DFB0B2F76F17A@stingray.taos.local>

Hi,

I am an open-source developer and was a PhD candidate in Artificial
Intelligence in the USC Electrical Engineering Department and left the
program this year. My open-source project is a MUD game that I distribute
under the BSD license at http://anatoliamud.sourceforge.net.

As you all know, the "RequiredAuthentications" configuration option of
the commercial SSH equivalent has not been implemented for OpenSSH yet,
and there's even a note in auth2.c saying:
"/* XXX todo: check if multiple auth methods are needed */".

I am currently writing/building my own open-ssh server into my MUD game
and I have gotten quite familiar with the OpenSSH code. I was wondering
if I can write the code piece for the "RequiredAuthentications" server
option. In addition, if you want, I can re-arrange the server
configuration options so that it will use "AllowedAuthentications"
instead of having separate PasswordAuthentication, PubkeyAuthentication,
etc.

-Serdar Bulut
Senior Technical Consultant
TAOS
(408) 330 2634
http://www.taos.com

From dtucker at zip.com.au Fri Oct 1 18:12:39 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 01 Oct 2004 18:12:39 +1000
Subject: A banner.
In-Reply-To: <415CDEE4.2000801@zip.com.au>
References: <20040930191204.35990.qmail@web53808.mail.yahoo.com> <415CDEE4.2000801@zip.com.au>
Message-ID: <415D1177.6030907@zip.com.au>

Darren Tucker wrote:
> Alexander K. wrote:
>
>> I am using OpenSSH 3.6.2.
>> Banner printed to stderr. There are also some errors
>> that can discovered only when checking stderr output
>> (even when sftp return status is 0).
[...]
> Newer ssh's (>= 3.8x, I think) allow suppression of the banner on the
> client side with "ssh -q".

Should have also added: the equivalent long option is

sftp -o LogLevel=QUIET yourserver

BTW, what's failing that's not being detected?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rlatham_hb at swchsc.on.ca Fri Oct 1 20:04:21 2004
From: rlatham_hb at swchsc.on.ca (Roger P. Latham)
Date: Fri, 01 Oct 2004 15:04:21 +0500
Subject: We sell regalis for an affordable price
Message-ID: <4ec601c4a79e$f0cef188$a42a95fb@newgen.net.ph>

Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://888-luvu.com/sup/ Best regards, Jeremy Stones No thanks: http://888-luvu.com/rm.html

From maryellen_dixonzs at gapp.pl Sat Oct 2 04:33:19 2004
From: maryellen_dixonzs at gapp.pl (Maryellen Dixon)
Date: Fri, 01 Oct 2004 18:33:19 +0000
Subject: =?iso-8859-1?q?Get_v=ECagra_for_a_great_price=2E?=
Message-ID:

Hi, We have a new offer for you. Buy cheap V?agra through our online store. - Private online ordering - No prescription required - World wide shipping Order your drugs offshore and save over 70%! Click here: http://888-luvu.com/meds/ Best regards, Donald Cunfingham No thanks: http://888-luvu.com/rm.html

From djm at mindrot.org Sun Oct 3 11:12:20 2004
From: djm at mindrot.org (Damien Miller)
Date: Sun, 03 Oct 2004 11:12:20 +1000
Subject: IPv6 + user@ipaddress
In-Reply-To: <20040929170519.8B0AE131D0@gonk.nwgeeks.com>
References: <20040929170519.8B0AE131D0@gonk.nwgeeks.com>
Message-ID: <415F51F4.9060906@mindrot.org>

Healy wrote:
> Using:
> Solaris 8.0
> OpenSSH OpenSSH_3.8p1
>
>
> I believe I may have found a bug when dealing with restricting user at ipv6address
> in cases when adjacent colons do not expand to multiple fields.
>
> For example:
> If I have any of the following entries in sshd_config, it will let me in:
>
> user at 1234:0234:0234:0000:0234:1234:1234:1234
> user at 1234:234:234:0000:234:1234:1234:1234
> user at 1234:234:234:0:234:1234:1234:1234
>
> However, if I reduce the address as much as possible, to the below entry it will
> reject my login attempt:

We will need server debug logs if we are to help here, but I suspect a
bug in your system's getnameinfo(). Have you applied all your OS patches?

-d

From kolya at MIT.EDU Sun Oct 3 12:03:07 2004
From: kolya at MIT.EDU (Nickolai Zeldovich) Date: Sat, 2 Oct 2004 22:03:07 -0400 (EDT) Subject: [patch] tell user about hosts with same key Message-ID: The attached patch implements a feature that would make my interaction with ssh somewhat more secure. When connecting to a host whose key is not in the known_hosts file, this patch makes ssh tell the user about any other hosts in the known_hosts file that have the same key. For example, if I have host A in my known_hosts file, and try to connect to host B which is an alias for A, ssh will tell me that host A has the same key as B. As a result, I'm better informed in whether to say "yes" or "no" -- if I know that B really is an alias for A, then I can safely say yes without having to verify the fingerprint. Apologies for the slightly crude coding style, but I was in a hurry and, unfortunately, probably won't have time to clean it up this month. -- kolya -------------- next part -------------- --- sshconnect.c 2004/10/02 21:27:29 1.1 +++ sshconnect.c 2004/10/02 22:01:52 @@ -716,7 +716,7 @@ "have requested strict checking.", type, host); goto fail; } else if (options.strict_host_key_checking == 2) { - char msg1[1024], msg2[1024]; + char msg1[1024], msg2[1024], msg_same_key[1024]; if (show_other_keys(host, host_key)) snprintf(msg1, sizeof(msg1), 
@@ -724,6 +724,29 @@ " known for this host."); else snprintf(msg1, sizeof(msg1), "."); + + HostList *keyhosts = NULL; + keyhosts = find_hosts_by_key(user_hostfile, host_key, keyhosts); + keyhosts = find_hosts_by_key(system_hostfile, host_key, keyhosts); + if (keyhosts != NULL) { + snprintf(msg_same_key, sizeof(msg_same_key), + "The following hosts are already known to " + "have the same key:\n"); + + HostList *x; + for (x = keyhosts; x; x = x->next) { + if (sizeof(msg_same_key) < + strlen(msg_same_key) + strlen(x->host) + 3) + break; + strcat(msg_same_key, "\t"); + strcat(msg_same_key, x->host); + strcat(msg_same_key, "\n"); + } + free_hostlist(keyhosts); + } else { + msg_same_key[0] = '\0'; + } + /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); msg2[0] = '\0'; @@ -740,10 +763,11 @@ snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" + "%s" "%s key fingerprint is %s.\n%s" "Are you sure you want to continue connecting " "(yes/no)? ", - host, ip, msg1, type, fp, msg2); + host, ip, msg1, msg_same_key, type, fp, msg2); xfree(fp); if (!confirm(msg)) goto fail; --- hostfile.c 2004/10/02 21:27:21 1.1 +++ hostfile.c 2004/10/02 21:57:04 
@@ -197,6 +197,115 @@ found, numret)); } +void +free_hostlist(HostList *l) +{ + HostList *n; + + for (; l != NULL; l = n) { + n = l->next; + free(l->host); + free(l); + } +} + +static HostList * +add_host_to_hostlist(HostList *l, char *hostname) +{ + HostList *n = malloc(sizeof(*n)); + n->host = malloc(strlen(hostname) + 1); + sprintf(n->host, "%s", hostname); + n->next = l; + return n; +} + +HostList * +find_hosts_by_key(const char *filename, const Key *search_key, HostList *initial_hosts) +{ + Key *found; + FILE *f; + char line[8192]; + int linenum = 0; + u_int kbits; + char *cp, *cp2; + HostList *hostlist; + char *thishost = NULL; + u_int thishostlen; + + debug3("find_hosts_by_key: filename %s", filename); + + /* Open the file containing the list of known hosts. */ + f = fopen(filename, "r"); + if (!f) + return initial_hosts; + + hostlist = initial_hosts; + found = key_new(search_key->type); + + /* Go through the file. */ + while (fgets(line, sizeof(line), f)) { + cp = line; + linenum++; + + /* Skip any leading whitespace, comments and empty lines. */ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + if (!*cp || *cp == '#' || *cp == '\n') + continue; + + /* Find the end of the host name portion. */ + for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++) + ; + + /* Remember the host portion. */ + if (thishost != NULL) + free(thishost); + thishostlen = (u_int) (cp2 - cp); + thishost = malloc(thishostlen + 1); + memcpy(thishost, cp, thishostlen); + thishost[thishostlen] = '\0'; + + /* Skip host name. */ + cp = cp2; + + /* + * Extract the key from the line. This will skip any leading + * whitespace. Ignore badly formatted lines. + */ + if (!hostfile_read_key(&cp, &kbits, found)) + continue; + + if (!hostfile_check_key(kbits, found, thishost, filename, linenum)) + continue; + + /* Check if the current key is the same as the given key. */ + if (key_equal(search_key, found)) { + /* Ok, they match. 
*/ + debug3("find_hosts_by_key: match line %d", linenum); + cp = thishost; + while (cp < thishost + thishostlen) { + for (cp2 = cp; + *cp2 != ',' && cp2 < thishost + thishostlen; + cp2++) + ; + + if (cp2 < thishost + thishostlen) + *cp2 = '\0'; + + hostlist = add_host_to_hostlist(hostlist, cp); + cp = cp2 + 1; + } + } + } + + /* Clear variables and close the file. */ + fclose(f); + if (thishost != NULL) + free(thishost); + + return hostlist; +} + int lookup_key_in_hostfile_by_type(const char *filename, const char *host, int keytype, Key *found, int *numret) --- hostfile.h 2004/10/02 21:45:51 1.1 +++ hostfile.h 2004/10/02 21:56:52 @@ -18,11 +18,18 @@ HOST_OK, HOST_NEW, HOST_CHANGED, HOST_FOUND } HostStatus; +typedef struct HostList { + char *host; + struct HostList *next; +} HostList; + int hostfile_read_key(char **, u_int *, Key *); HostStatus check_host_in_hostfile(const char *, const char *, const Key *, Key *, int *); int add_host_to_hostfile(const char *, const char *, const Key *); int lookup_key_in_hostfile_by_type(const char *, const char *, int, Key *, int *); +HostList *find_hosts_by_key(const char *, const Key *, HostList *); +void free_hostlist(HostList *); #endif From Emaillists at freemail.soim.com Mon Oct 4 05:32:19 2004 
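Review bot: in the sshconnect.c hunk at -724, the addendum built in `msg_same_key` is spliced into `msg` ahead of the fingerprint and the "(yes/no)?" question, and `msg` is filled with `snprintf(msg, sizeof(msg), ...)`, so a long list of names truncates the prompt and can push the fingerprint and the question itself off the end of the buffer; either cap the number of names listed or size the buffer for the worst case. The `HostList *keyhosts = NULL;` and `HostList *x;` declarations also appear after statements, which the tree's KNF style does not allow; move them to the top of the block beside `msg1`/`msg2`, and prefer `strlcat()` over the hand-checked `strcat()` calls.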
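Review bot: in the hostfile.c hunk, `find_hosts_by_key()` allocates `found = key_new(search_key->type)` and never releases it (there is no `key_free(found)` before the final return), so every unknown-host prompt leaks a Key; and `add_host_to_hostlist()` uses a bare `malloc()` with no NULL check plus `sprintf()` where the tree's `xmalloc()`/`xstrdup()` helpers would be the idiom. The line-walking code (whitespace skip, host-name split, `hostfile_read_key`, `hostfile_check_key`) duplicates the loop already in this file's `check_host_in_hostfile()`; a shared iterator with a per-match callback would keep the two from drifting apart.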
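The lookup the patch adds, as an added Python example (not the patch's code and not OpenSSH's): it parses known_hosts lines in both the protocol-2 form (`names keytype base64 [comment]`) and the protocol-1 form (`names bits e n`), indexes entries by key, and builds the addendum that the patch prints when a new host name presents a key already recorded under other names. The known_hosts content is constructed for the example; the tuple used as a key stands in for the `key_equal()` comparison in C.

```python
"""Find known_hosts entries that share a key, as the patch above does in C.
Added example, not OpenSSH code. The sample file content is constructed."""

# Constructed sample in the known_hosts syntax of the period: protocol-2 lines
# are "names keytype base64 [comment]", protocol-1 lines are "names bits e n".
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not real hosts
alpha.example.net,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAq1Ab alpha's key
beta.example.net ssh-dss AAAAB3NzaC1kc3MAAACBAMqz
gamma.example.net ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAq1Ab
old.example.net 1024 35 1234567890123456789
"""

RSA_KEY = ("ssh-rsa", "AAAAB3NzaC1yc2EAAAABIwAAAIEAq1Ab")
DSS_KEY = ("ssh-dss", "AAAAB3NzaC1kc3MAAACBAMqz")
RSA1_KEY = ("rsa1", "35", "1234567890123456789")


def parse_known_hosts(text):
    """Yield (hostnames, key) for each well-formed line; skip blanks, comments and
    junk, as the C loop does with 'continue'. The key is a hashable tuple so it can
    be compared and used as a dict index; a trailing comment is ignored."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @-markers came in later releases; drop them
            fields = fields[1:]
        if len(fields) < 3:
            continue
        names = [n for n in fields[0].split(",") if n]
        if fields[1].isdigit():                # protocol 1: bits exponent modulus
            if len(fields) < 4:
                continue
            key = ("rsa1", fields[2], fields[3])
        else:                                  # protocol 2: keytype base64-blob
            key = (fields[1], fields[2])
        yield names, key


def index_by_key(text):
    """Map each key to the list of names recorded for it, preserving file order."""
    index = {}
    for names, key in parse_known_hosts(text):
        known = index.setdefault(key, [])
        for name in names:
            if name not in known:
                known.append(name)
    return index


def hosts_with_same_key(text, key, exclude=()):
    """Names already recorded for `key`, minus any in `exclude`
    (the host being connected to, so it is not reported as its own alias)."""
    return [h for h in index_by_key(text).get(key, []) if h not in exclude]


def same_key_notice(text, host, key):
    """The addendum the patch splices into the 'authenticity ... can't be
    established' prompt: empty when no other name carries this key. It is
    informational only; the user still decides, because one key appearing under
    unrelated names (cloned images, copied host keys) is a finding to look into,
    not by itself a reason to trust the new name."""
    others = hosts_with_same_key(text, key, exclude=(host,))
    if not others:
        return ""
    return ("The following hosts are already known to have the same key:\n"
            + "".join("\t%s\n" % h for h in others))


if __name__ == "__main__":
    print(same_key_notice(SAMPLE_KNOWN_HOSTS, "gamma.example.net", RSA_KEY), end="")
```

Run stand-alone it prints the notice for `gamma.example.net`, listing `alpha.example.net` and `10.0.0.5`; the protocol-1 line is matched by its exponent and modulus, which is what `key_equal()` compares for RSA1 keys.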
From: Emaillists at freemail.soim.com (Peter) Date: Sun, 3 Oct 2004 12:32:19 -0700 Subject: Opt-in Marketing Message-ID: <20041003104902.56BF327C188@shitei.mindrot.org> Email is the best growing marketing tool. We offer E-Marketing with quality service. 1. Target Email Addresses We can provide target e-mail addresses you need, which are compiled only on your order. We will customize your customer email addresses. * We have millions of email addresses in a wide variety of categories. 2. Send out Target Emails for you We can send your email message to your target customers! We will customize your email addresses and send your message for you. * We can Bullet Proof your Web Site $ dedicated server. Hope to hear from you soon. Regards! Peter www.oy8.com Support at oy8.com Take your address: Http://66.177.43.06/off.html From yath at yath.eu.org Sun Oct 3 21:03:22 2004 From: yath at yath.eu.org (Sebastian Schmidt) Date: Sun, 3 Oct 2004 13:03:22 +0200 Subject: [PATCH] PreferAskpass in ssh_config Message-ID: <20041003110322.GA1697@eniac.lan.yath.eu.org> Moin, attached is a patch, which adds a new configuration option "PreferAskpass" to the ssh config. ssh{,-add,-keygen,-agent} will use ssh-askpass to prompt for passwords, if this option is set to "yes", and if ssh-askpass is available. Default for "PreferAskpass" is "no". Pacth is against current CVS. Sebastian -- signature intentionally left blank. -------------- next part -------------- Index: Makefile.in =================================================================== RCS file: /cvs/openssh/Makefile.in,v retrieving revision 1.265 diff -u -r1.265 Makefile.in --- Makefile.in 30 Aug 2004 11:33:02 -0000 1.265 +++ Makefile.in 3 Oct 2004 10:58:49 -0000 
@@ -70,7 +70,7 @@ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ - entropy.o scard-opensc.o gss-genr.o + entropy.o scard-opensc.o gss-genr.o readconf.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o Index: readconf.c =================================================================== RCS file: /cvs/openssh/readconf.c,v retrieving revision 1.109 diff -u -r1.109 readconf.c --- readconf.c 17 Jul 2004 06:12:08 -0000 1.109 +++ readconf.c 3 Oct 2004 10:58:52 -0000 @@ -106,7 +106,7 @@ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, + oSendEnv, oControlPath, oControlMaster, oPreferAskpass, oDeprecated, oUnsupported } OpCodes; @@ -197,6 +197,7 @@ { "sendenv", oSendEnv }, { "controlpath", oControlPath }, { "controlmaster", oControlMaster }, + { "preferaskpass", oPreferAskpass }, { NULL, oBadOption } }; @@ -774,6 +775,10 @@ intptr = &options->control_master; goto parse_yesnoask; + case oPreferAskpass: + intptr = &options->prefer_askpass; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -917,6 +922,7 @@ options->num_send_env = 0; options->control_path = NULL; options->control_master = -1; + options->prefer_askpass = -1; } /* 
@@ -1039,6 +1045,8 @@ options->server_alive_count_max = 3; if (options->control_master == -1) options->control_master = 0; + if (options->prefer_askpass == -1) + options->prefer_askpass = 0; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ Index: readconf.h =================================================================== RCS file: /cvs/openssh/readconf.h,v retrieving revision 1.56 diff -u -r1.56 readconf.h --- readconf.h 17 Jul 2004 06:12:08 -0000 1.56 +++ readconf.h 3 Oct 2004 10:58:52 -0000 @@ -111,6 +111,7 @@ char *control_path; int control_master; + int prefer_askpass; } Options; Index: readpass.c =================================================================== RCS file: /cvs/openssh/readpass.c,v retrieving revision 1.28 diff -u -r1.28 readpass.c --- readpass.c 17 Jun 2004 15:19:03 -0000 1.28 +++ readpass.c 3 Oct 2004 10:58:53 -0000 @@ -30,6 +30,9 @@ #include "pathnames.h" #include "log.h" #include "ssh.h" +#include "readconf.h" + +extern Options options; static char * ssh_askpass(char *askpass, const char *msg) @@ -103,7 +106,9 @@ int rppflags, use_askpass = 0, ttyfd; rppflags = (flags & RP_ECHO) ? RPP_ECHO_ON : RPP_ECHO_OFF; - if (flags & RP_USE_ASKPASS) + if (flags & RP_USE_ASKPASS || + (options.prefer_askpass && getenv(SSH_ASKPASS_ENV) && + !(flags & RP_ECHO))) use_askpass = 1; else if (flags & RP_ALLOW_STDIN) { if (!isatty(STDIN_FILENO)) Index: ssh-add.c =================================================================== RCS file: /cvs/openssh/ssh-add.c,v retrieving revision 1.77 diff -u -r1.77 ssh-add.c --- ssh-add.c 17 Jul 2004 04:07:42 -0000 1.77 +++ ssh-add.c 3 Oct 2004 10:58:54 -0000 @@ -48,6 +48,7 @@ #include "authfile.h" #include "pathnames.h" #include "misc.h" +#include "readconf.h" /* argv0 */ extern char *__progname; 
@@ -68,6 +69,11 @@ /* we keep a cache of one passphrases */ static char *pass = NULL; + +Options options; + +uid_t original_real_uid; + static void clear_pass(void) { @@ -311,12 +317,30 @@ AuthenticationConnection *ac = NULL; char *sc_reader_id = NULL; int i, ch, deleting = 0, ret = 0; + char buf[256]; + struct passwd *pw; __progname = ssh_get_progname(argv[0]); init_rng(); seed_rng(); SSLeay_add_all_algorithms(); + + /* Read options */ + initialize_options(&options); + + pw = getpwuid(original_real_uid = getuid()); + if (!pw) { + logit("You don't exist, go away!"); + exit(1); + } + + snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, + _PATH_SSH_USER_CONFFILE); + (void)read_config_file(buf, "", &options, 1); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", + &options, 0); + fill_default_options(&options); /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); Index: ssh-agent.c =================================================================== RCS file: /cvs/openssh/ssh-agent.c,v retrieving revision 1.134 diff -u -r1.134 ssh-agent.c --- ssh-agent.c 11 Sep 2004 05:18:05 -0000 1.134 +++ ssh-agent.c 3 Oct 2004 10:58:56 -0000 @@ -51,6 +51,8 @@ #include "compat.h" #include "log.h" #include "misc.h" +#include "pathnames.h" +#include "readconf.h" #ifdef SMARTCARD #include "scard.h" @@ -111,6 +113,11 @@ /* Default lifetime (0 == forever) */ static int lifetime = 0; +Options options; + +uid_t original_real_uid; + + static void close_socket(SocketEntry *e) { @@ -1015,6 +1022,8 @@ extern char *optarg; pid_t pid; char pidstrbuf[1 + 3 * sizeof pid]; + char buf[256]; + struct passwd *pw; /* drop */ setegid(getgid()); 
@@ -1030,6 +1039,19 @@ __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); + + initialize_options(&options); + pw = getpwuid(original_real_uid = getuid()); + if (!pw) { + logit("You don't exist, go away!"); + exit(1); + } + snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, + _PATH_SSH_USER_CONFFILE); + (void)read_config_file(buf, "", &options, 1); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", + &options, 0); + fill_default_options(&options); while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { switch (ch) { Index: ssh-keygen.c =================================================================== RCS file: /cvs/openssh/ssh-keygen.c,v retrieving revision 1.122 diff -u -r1.122 ssh-keygen.c --- ssh-keygen.c 17 Jul 2004 06:12:08 -0000 1.122 +++ ssh-keygen.c 3 Oct 2004 10:58:59 -0000 @@ -17,6 +17,7 @@ #include #include +#include "ssh.h" #include "xmalloc.h" #include "key.h" #include "rsa.h" @@ -27,6 +28,7 @@ #include "pathnames.h" #include "log.h" #include "misc.h" +#include "readconf.h" #ifdef SMARTCARD #include "scard.h" @@ -84,6 +86,11 @@ int gen_candidates(FILE *, int, int, BIGNUM *); int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); +Options options; + +uid_t original_real_uid; + + static void ask_filename(struct passwd *pw, const char *prompt) { @@ -788,7 +795,7 @@ main(int ac, char **av) { char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2; - char out_file[MAXPATHLEN], *reader_id = NULL; + char out_file[MAXPATHLEN], *reader_id = NULL, buf[256]; char *resource_record_hostname = NULL; Key *private, *public; struct passwd *pw; @@ -812,7 +819,7 @@ seed_rng(); /* we need this for the home * directory. */ - pw = getpwuid(getuid()); + pw = getpwuid(original_real_uid = getuid()); if (!pw) { printf("You don't exist, go away!\n"); exit(1); 
@@ -821,6 +828,14 @@ perror("gethostname"); exit(1); } + + snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, + _PATH_SSH_USER_CONFFILE); + (void)read_config_file(buf, "", &options, 1); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", + &options, 0); + fill_default_options(&options); + while ((opt = getopt(ac, av, "degiqpclBRvxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) { Index: ssh_config.5 =================================================================== RCS file: /cvs/openssh/ssh_config.5,v retrieving revision 1.38 diff -u -r1.38 ssh_config.5 --- ssh_config.5 30 Jun 2004 12:38:52 -0000 1.38 +++ ssh_config.5 3 Oct 2004 10:59:04 -0000 @@ -518,6 +518,12 @@ .It Cm Port Specifies the port number to connect on the remote host. Default is 22. +.It Cm PreferAskpass +If set to +.Dq yes , +ssh-askpass(1) will be used (if available) instead of prompting for +passwords on tty. The default is +.Dq no . .It Cm PreferredAuthentications Specifies the order in which the client should try protocol 2 authentication methods. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041003/620c19f3/attachment.bin From mouring at etoh.eviladmin.org Mon Oct 4 02:19:56 2004 
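Review bot: the Makefile.in hunk adds `readconf.o` to the library object list while the unchanged context two lines down still reads `SSHOBJS= ssh.o readconf.o clientloop.o ...`, so ssh now carries readconf.o both directly and in libssh; drop it from SSHOBJS once it lives in the library so there is a single home for those symbols.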
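Review bot: in the readpass.c hunk, `extern Options options;` makes readpass.o (a libssh object) depend on a client-config global, which is exactly why the ssh-add.c, ssh-agent.c and ssh-keygen.c hunks each have to define `Options options;` and `uid_t original_real_uid;` and read the config files themselves; the server side defines a global `options` of a different type (`ServerOptions`), so any program that links this object without a matching definition either fails to link or aliases the wrong struct. A narrower interface, for instance a setter such as `readpass_set_prefer_askpass(int)` (hypothetical name) called after option parsing, or a new RP_ flag supplied by the callers, keeps libssh free of the dependency.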
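Review bot: the config-loading block in the ssh-add.c hunk at -311 (the `getpwuid()` call, the `snprintf` of `_PATH_SSH_USER_CONFFILE`, the two `read_config_file()` calls and `fill_default_options()`) is copied verbatim into the ssh-agent.c hunk at -1030 and the ssh-keygen.c hunk at -821; factor it into one helper in readconf.c. In ssh-add and ssh-agent the `logit("You don't exist, go away!"); exit(1);` path is new, so on a system where `getpwuid()` fails (a directory-service outage) a previously working `ssh-add -l` or `ssh-agent` now exits immediately; since the option is not essential to these tools, falling back to defaults with a `debug()` would be friendlier. Note also that the user file is read as `read_config_file(buf, "", &options, 1)`, with an empty host, so a `Host` block naming a specific host never matches and PreferAskpass only takes effect from the global section.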
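Review bot: the ssh_config.5 hunk describes PreferAskpass only in terms of "prompting for passwords on tty", but per the cover message and the ssh-add.c, ssh-agent.c and ssh-keygen.c hunks the option is also honoured by ssh-add, ssh-agent and ssh-keygen, and the readpass.c condition `(options.prefer_askpass && getenv(SSH_ASKPASS_ENV) && !(flags & RP_ECHO))` means it applies only when SSH_ASKPASS is set in the environment and the prompt is a non-echoing one; the manual text should state both conditions so users can predict when the tty prompt is still used.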
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 3 Oct 2004 11:19:56 -0500 (CDT)
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: <20041003110322.GA1697@eniac.lan.yath.eu.org>
Message-ID:

And this solves what real world problem?

- Ben

On Sun, 3 Oct 2004, Sebastian Schmidt wrote:

> Moin,
>
> attached is a patch, which adds a new configuration option
> "PreferAskpass" to the ssh config.
> ssh{,-add,-keygen,-agent} will use ssh-askpass to prompt for passwords, if
> this option is set to "yes", and if ssh-askpass is available.
>
> Default for "PreferAskpass" is "no".
>
> Patch is against current CVS.
>
>
> Sebastian
> --
> signature intentionally left blank.
>

From rich at rich-paul.net Mon Oct 4 15:18:25 2004
From: rich at rich-paul.net (Rich)
Date: Mon, 4 Oct 2004 01:18:25 -0400
Subject: BUG: ssh-agent unlinks sockets/files it doesn't own.
Message-ID: <20041004051825.GA6372@rich-paul.net>

I've noticed a problem in the openssh sources. It can most easily be
replicated as follows:

> [rich at goblin] sl=1 ~
> 01:05:47$ ssh-agent -a ~/.ssh/agent.sock
> SSH_AUTH_SOCK=/home/rich/.ssh/agent.sock; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=553; export SSH_AGENT_PID;
> echo Agent pid 553;
>
> [rich at goblin] sl=1 ~
> 01:05:50$ ssh-agent -a ~/.ssh/agent.sock
> bind: Address already in use
>
> [rich at goblin] sl=1 ~
> 01:05:53$ ssh-agent -a ~/.ssh/agent.sock
> SSH_AUTH_SOCK=/home/rich/.ssh/agent.sock; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=558; export SSH_AGENT_PID;
> echo Agent pid 558;

The first ssh-agent survives the ordeal, but finds itself unreachable,
and without purpose.

I would suggest a couple of changes:

1) unless bind has been successful, don't unlink the socket.

2) teach ssh-agent to either die or rebind if his socket disappears.
   My pref would probably be death, as I find it more elegant than
   killing it with ssh-agent -k.

The first is probably wise for good manners, even though the second will
solve the problem. Note that:

> su
> ssh-agent -a /etc/passwd

would probably have unpleasant repercussions.

From djm at mindrot.org Mon Oct 4 16:35:49 2004
From: djm at mindrot.org (Damien Miller)
Date: Mon, 04 Oct 2004 16:35:49 +1000
Subject: BUG: ssh-agent unlinks sockets/files it doesn't own.
In-Reply-To: <20041004051825.GA6372@rich-paul.net>
References: <20041004051825.GA6372@rich-paul.net>
Message-ID: <4160EF45.8090405@mindrot.org>

Rich wrote:
> The first ssh-agent survives the ordeal, but finds itself unreachable,
> and without purpose.
>
> I would suggest a couple of changes:
>
> 1) unless bind has been successful, don't unlink the socket.

Yes, I agree. Patch attached.

> 2) teach ssh-agent to either die or rebind if his socket disappears.
> my pref would probably be death, as I find it more elegant than
> killing it with ssh-agent -k.

I don't think it can easily tell if its socket has been unlinked. It is
probably unnecessary if 1 is done anyway.

> The first probably wise for good manners, even though the second will
> solve the problem. note that:
>
>> su
>> ssh-agent -a /etc/passwd
>
> would probably have unpleasant repercussions.

so would "rm -f /etc/passwd", so I think this falls into the case of
"don't do that" :)

-d

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: agentunlink.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041004/ef124527/attachment.ksh

From alain.morel at ig-edu.univ-paris13.fr Mon Oct 4 16:57:32 2004
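A model of the failure mode Rich reports and of the fix Damien agrees to (unlink the socket path only if this process's bind succeeded), as an added Python example that is neither OpenSSH code nor the attached agentunlink.diff: two "agents" contend for one AF_UNIX path in a temporary directory, the cleanup policy is a parameter so the broken and fixed behaviours can be compared side by side, and `regular_file_survives` plays the `ssh-agent -a /etc/passwd` case against a throwaway file instead of a real one.

```python
"""Model of ssh-agent's listening-socket lifecycle. Added example, not OpenSSH code."""
import errno
import os
import socket
import tempfile


class Agent:
    """One agent process: bind a listening AF_UNIX socket at `path`; on exit,
    remove the path. `unlink_only_if_bound` selects the fixed cleanup policy."""

    def __init__(self, path, unlink_only_if_bound):
        self.path = path
        self.unlink_only_if_bound = unlink_only_if_bound
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.bound = False

    def start(self):
        """Return True if this agent now owns the path (bind + listen succeeded)."""
        try:
            self.sock.bind(self.path)      # EADDRINUSE if anything already sits at the path
            self.sock.listen(1)
            self.bound = True
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise
            # this is the "bind: Address already in use" the reporter saw
        return self.bound

    def cleanup(self):
        """Exit path. Buggy policy: always unlink. Fixed policy: unlink only what we bound."""
        if self.bound or not self.unlink_only_if_bound:
            try:
                os.unlink(self.path)
            except FileNotFoundError:
                pass
        self.sock.close()


def reachable(path):
    """Can a client still connect to whoever is listening at `path`?"""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return True
    except OSError:
        return False
    finally:
        s.close()


def second_agent_scenario(unlink_only_if_bound):
    """Reproduce the report: agent 1 binds, agent 2 fails to bind and exits.
    Returns (agent2_bound, agent1_still_reachable_after_agent2_exits)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "agent.sock")
    first = Agent(path, unlink_only_if_bound)
    assert first.start()
    second = Agent(path, unlink_only_if_bound)
    second_bound = second.start()
    second.cleanup()                       # agent 2 gives up and exits
    still_reachable = reachable(path)
    first.cleanup()
    os.rmdir(tmp)
    return second_bound, still_reachable


def regular_file_survives(unlink_only_if_bound):
    """The 'ssh-agent -a /etc/passwd' case against a throwaway file: True if the
    bind failed and the pre-existing file is still there after the agent exits."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "not-a-socket")
    with open(path, "w") as f:
        f.write("constructed file standing in for /etc/passwd\n")
    agent = Agent(path, unlink_only_if_bound)
    bound = agent.start()
    agent.cleanup()
    survived = os.path.exists(path)
    if survived:
        os.unlink(path)
    os.rmdir(tmp)
    return (not bound) and survived


if __name__ == "__main__":
    print("buggy:", second_agent_scenario(False), regular_file_survives(False))
    print("fixed:", second_agent_scenario(True), regular_file_survives(True))
```

With the buggy policy the second agent's exit removes the first agent's socket, so the first keeps running but nobody can reach it (which is also why a third `ssh-agent -a` in the report succeeds: the path is gone). With the fixed policy the first agent stays reachable and a pre-existing regular file is left alone, because the process never owned it.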
From: alain.morel at ig-edu.univ-paris13.fr (alain.morel at ig-edu.univ-paris13.fr)
Date: Mon, 4 Oct 2004 08:57:32 +0200
Subject: scp does not work under solaris
Message-ID: <1096873052.4160f45cd64a8@webmail.ig-edu.univ-paris13.fr>

OS: solaris8 with update patches
Station: Sparc Ultra5
device /dev/random installed
openssl version: openssl-0.9.7d
openssh version: openssh-3.9p1

My configuration:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=sshd40 --with-ssl-dir=/usr/lib

ssh works but when I launch scp I have the following error

sylow[root]<45>scp README thales:/
Enter passphrase for key '/.ssh/id_dsa':
ld.so.1: scp: fatal: libz.so: open failed: No such file or directory
Killed
lost connection

But libz.so exists and is detected at configure time:

sylow[root]<46>ls -l /usr/lib/libz*
lrwxrwxrwx 1 root root 11 nov 7 2001 /usr/lib/libz.so -> ./libz.so.1
-rwxr-xr-x 1 root bin 70064 oct 4 2003 /usr/lib/libz.so.1
-rwxr-xr-x 1 root bin 66645 juin 10 2002 /usr/lib/libz.so.1.1.4

I also compiled with the following line (with explicit zlib option):

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=sshd40 --with-ssl-dir=/usr/lib --with-zlib=/usr/lib

I have the same error.

What does happen and is this problem known?

Thank you for a response. Thank you also to the openssh team.

Sincerely yours
Alain MOREL
Universite Paris13
Institut Galilee - SERCAL
99 Avenue Jean-Baptiste Clement
93430 Villetaneuse
Tel : 33 1 49 40 36 19

From dtucker at zip.com.au Mon Oct 4 18:34:18 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 04 Oct 2004 18:34:18 +1000
Subject: scp does not work under solaris
In-Reply-To: <1096873052.4160f45cd64a8@webmail.ig-edu.univ-paris13.fr>
References: <1096873052.4160f45cd64a8@webmail.ig-edu.univ-paris13.fr>
Message-ID: <41610B0A.8030700@zip.com.au>

alain.morel at ig-edu.univ-paris13.fr wrote:
[...]
> ssh works but when I launch scp I have the following error
>
> sylow[root]<45>scp README thales:/
> Enter passphrase for key '/.ssh/id_dsa':
> ld.so.1: scp: fatal: libz.so: open failed: No such file or directory
> Killed
> lost connection
> But libz.so exists and is detected at configure time:

Perhaps LD_LIBRARY_PATH is set wrong for non-interactive logins, or
someone fiddled with crle(1)?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From JJanzer at talisentech.com Mon Oct 4 23:42:30 2004
From: JJanzer at talisentech.com (Janzer, John)
Date: Mon, 4 Oct 2004 08:42:30 -0500
Subject: FW: ssh proxying vs. tunnelling
Message-ID: <71CB8EDA1C104F47AEAECCF1D847454601496DC1@sl01exch.Talisentech.local>

I have tunneling working successfully to 'proxy' ssh client traffic
through a gateway machine down to an end server in such a way that the
client thinks it is talking to the gateway machine. Here is my setup:

Server: running sshd listening to port 'xxx' - machine name
  command run: sshd -p xxx

Gateway: running tunnel to server - machine name
  command run: ssh -L 22::xxx -N -f

Client: run sftp to gateway, which tunnels forward to server:
  command run: sftp

This works great, however, the authentication occurs down on the end
server machine. I'd like to have the authentication occur at the gateway
machine instead. I realize I would have to run sshd on the gateway to do
this, but is there a way to set this up so that the user on the client
machine doesn't have to authenticate twice?

I'm using OpenSSH 3.9p1, with OpenSSL 0.9.7d, and the machines are all
running Solaris.

My requirement is to have authentication occur at the gateway level, and
then proxy traffic to allow an sftp session between the client and
server. I also need to keep the interface on the client end "ftp-like".

Thanks in advance!
John Janzer

From yath at yath.eu.org Tue Oct 5 00:47:07 2004
From: yath at yath.eu.org (Sebastian Schmidt)
Date: Mon, 4 Oct 2004 16:47:07 +0200
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: 
References: <20041003110322.GA1697@eniac.lan.yath.eu.org>
Message-ID: <20041004144707.GA5258@eniac.lan.yath.eu.org>

On Sun, Oct 03, 2004 at 11:19:56AM -0500, Ben Lindstrom wrote:
> And this solves what real world problem?

No keyboard grab when being prompted for passwords (w/o key auth) or for
passphrases (when generating one with ssh-keygen), etc.

-- 
signature intentionally left blank.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041004/bf0ccadb/attachment.bin

From mouring at etoh.eviladmin.org Tue Oct 5 01:05:56 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 4 Oct 2004 10:05:56 -0500 (CDT)
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: <20041004144707.GA5258@eniac.lan.yath.eu.org>
Message-ID: 

On Mon, 4 Oct 2004, Sebastian Schmidt wrote:
> On Sun, Oct 03, 2004 at 11:19:56AM -0500, Ben Lindstrom wrote:
> > And this solves what real world problem?
>
> No keyboard grab when being prompted for passwords (w/o key auth) or for
> passphrases (when generating one with ssh-keygen), etc.

ssh-keygen doesn't use ssh-agent..  So again I ask what are you talking
about?

- Ben

From djm at mindrot.org Tue Oct 5 07:20:59 2004
From: djm at mindrot.org (Damien Miller)
Date: Tue, 05 Oct 2004 07:20:59 +1000
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: 
References: 
Message-ID: <4161BEBB.5020902@mindrot.org>

Ben Lindstrom wrote:
> On Mon, 4 Oct 2004, Sebastian Schmidt wrote:
>
>>On Sun, Oct 03, 2004 at 11:19:56AM -0500, Ben Lindstrom wrote:
>>
>>>And this solves what real world problem?
>>
>>No keyboard grab when being prompted for passwords (w/o key auth) or for
>>passphrases (when generating one with ssh-keygen), etc.
>
> ssh-keygen doesn't use ssh-agent..  So again I ask what are you talking
> about?

No, but ssh-keygen does use read_passphrase() and can therefore use
SSH_ASKPASS. Try:

ssh-keygen -f /tmp/xk -t rsa < /dev/null

From yath at yath.eu.org Tue Oct 5 07:46:54 2004
From: yath at yath.eu.org (yath at yath.eu.org)
Date: Mon, 4 Oct 2004 23:46:54 +0200
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: 
References: <20041004144707.GA5258@eniac.lan.yath.eu.org>
Message-ID: <20041004214654.GB5258@eniac.lan.yath.eu.org>

On Mon, Oct 04, 2004 at 10:05:56AM -0500, Ben Lindstrom wrote:
> > > And this solves what real world problem?
> > No keyboard grab when being prompted for passwords (w/o key auth) or for
> > passphrases (when generating one with ssh-keygen), etc.
> ssh-keygen doesn't use ssh-agent..  So again I ask what are you talking
> about?

That's exactly the point. All programs use read_passphrase(), but only
ssh-add tells read_passphrase() to use ssh-askpass. So if I *want*, e.g.
ssh-keygen to use ssh-askpass, I simply set $SSH_USE_ASKPASS to "prefer".

ssh-askpass has nothing to do with ssh-agent (just that it's only used in
conjunction with ssh-add), so why not use it for all other password
prompts (if the user wants so)?

You *cannot* say "well, then do key auth" - I have to type at least the
password for logging in to the remote host (scp id_foo.pub) from the tty,
and maybe two times my (new) passphrase when generating a key pair.

So why shouldn't we give the user the possibility to use a more secure
mechanism to enter passwords? Just suppose focus-follows-mouse and an IRC
client.

Seba 'having seen mouse cursors moving w/o moving the mouse' stian.

-- 
signature intentionally left blank.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041004/a077f67f/attachment.bin

From yath at yath.eu.org Tue Oct 5 07:51:47 2004
From: yath at yath.eu.org (yath at yath.eu.org)
Date: Mon, 4 Oct 2004 23:51:47 +0200
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: <4161BEBB.5020902@mindrot.org>
References: <4161BEBB.5020902@mindrot.org>
Message-ID: <20041004215147.GC5258@eniac.lan.yath.eu.org>

On Tue, Oct 05, 2004 at 07:20:59AM +1000, Damien Miller wrote:
> > ssh-keygen doesn't use ssh-agent..  So again I ask what are you talking
> > about?
> No, but ssh-keygen does use read_passphrase() and can therefore use
> SSH_ASKPASS. Try:
> ssh-keygen -f /tmp/xk -t rsa < /dev/null

Yes, this works only if read_passphrase() is unable to allocate a tty.
The /dev/null redirect is a hack. SSH_USE_ASKPASS just changes the
default behaviour ("try tty, else ssh-askpass") to "try ssh-askpass if
available, if not, read from tty".

$USER could say in his ~/.bashrc:

export SSH_ASKPASS=/usr/bin/ssh-askpass
export SSH_USE_ASKPASS=prefer

This provides a more secure way to enter passwords read by
read_passphrase(). And no need for redirecting stdin (and I don't really
want this on an interactive ssh session)

Sebastian

-- 
signature intentionally left blank.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041004/957012b3/attachment.bin

From mouring at etoh.eviladmin.org Tue Oct 5 09:35:03 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 4 Oct 2004 18:35:03 -0500 (CDT)
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: <20041004215147.GC5258@eniac.lan.yath.eu.org>
Message-ID: 

On Mon, 4 Oct 2004 yath at yath.eu.org wrote:
[..]
> export SSH_ASKPASS=/usr/bin/ssh-askpass
> export SSH_USE_ASKPASS=prefer
>
> This provides a more secure way to enter passwords read by
                   ^^^^^^^^^^^^^^^^^^^^^

Actually I could argue differently.  Ssh-askpass should be looked at as
more of a UI nicety and not as a "secure feature".  Shell variables are
easily redefined and anytime you call out to an external command you
always run a higher risk of "misplaced" sensitive information occurring.

If the whole reason is to "gain security", then I have to say this patch
is worthless, since ssh-askpass is no more secure than native read stuff
out of the keyboard buffer by the original code.

In fact, I'd rather see SSH_ASKPASS && DISPLAY be honored without having
some additional variable.  That way there is no need to add in parsing of
ssh_config/config into commands that should be by default standalone.

> read_passphrase(). And no need for redirecting stdin (and I don't really
> want this on an interactive ssh session)
>
> Sebastian
> --
> signature intentionally left blank.
>

- Ben

From cbar44 at tsg.cbot.com Wed Oct 6 03:28:42 2004
From: cbar44 at tsg.cbot.com (Christopher L. Barnard)
Date: Tue, 5 Oct 2004 12:28:42 -0500 (CDT)
Subject: What does this error mean and can I fix it.
Message-ID: 

This is true with OpenSsh 3.8p1 and OpenSsh 3.9p1.  I am running on Sun
Solaris servers, both Solaris 8 and Solaris 9.

I send all ssh syslog messages to local3 via the sshd_config file.  I
periodically get in my error logs the line:

Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER

I do not think this is interfering with any user.  I would like to get rid
of these false positive errors, but I have not been able to track down
what this error is stating.  Can any of you provide assistance in
determining what this means.  Thank you.

Christopher L. Barnard
Lead Systems Administrator                        (312) 347-4901
Technology and Data Prod., The Chicago Board of Trade
cbarnard at tsg.cbot.com
http://www.cs.uchicago.edu/~cbarnard
PGP public key available via MIT PGP keyserver or on my web page

From logsnaath at gmx.net Wed Oct 6 04:40:43 2004
From: logsnaath at gmx.net (Logu)
Date: Tue, 5 Oct 2004 11:40:43 -0700
Subject: What does this error mean and can I fix it.
References: 
Message-ID: <000401c4ab0c$cef42300$e9820d0f@Loguhp>

>
> This is true with OpenSsh 3.8p1 and OpenSsh 3.9p1.  I am running on Sun
> Solaris servers, both Solaris 8 and Solaris 9.
>
> I send all ssh syslog messages to local3 via the sshd_config file.  I
> periodically get in my error logs the line:
>
> Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error:
> Could not get shadow information for NOUSER
>
> I do not think this is interfering with any user.  I would like to get rid
> of these false positive errors, but I have not been able to track down
> what this error is stating.  Can any of you provide assistance in
> determining what this means.  Thank you.
>

I guess this is because your system is not shadow passwd enabled, but the
required tools for shadow passwd are installed. The shadow file operation
related calls like getspnam() act differently in different systems. In
some systems these calls fall back to checking the /etc/passwd file when
/etc/shadow is not available, and in some they don't. Hence a check for
the status of the system (shadow passwd enabled or disabled) in the code
will be helpful.

-Logu

From dtucker at zip.com.au Wed Oct 6 19:55:29 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 06 Oct 2004 19:55:29 +1000
Subject: What does this error mean and can I fix it.
In-Reply-To: <000401c4ab0c$cef42300$e9820d0f@Loguhp>
References: <000401c4ab0c$cef42300$e9820d0f@Loguhp>
Message-ID: <4163C111.6040900@zip.com.au>

Logu wrote:
>>This is true with OpenSsh 3.8p1 and OpenSsh 3.9p1.  I am running on Sun
>>Solaris servers, both Solaris 8 and Solaris 9.
>>
>>I send all ssh syslog messages to local3 via the sshd_config file.  I
>>periodically get in my error logs the line:
>>
>>Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error:
>>Could not get shadow information for NOUSER
>>
>>I do not think this is interfering with any user.  I would like to get rid
>>of these false positive errors, but I have not been able to track down
>>what this error is stating.  Can any of you provide assistance in
>>determining what this means.  Thank you.

It's most likely a failed logon attempt on an account without an entry
in /etc/passwd and /etc/shadow.

If you're seeing them on an Internet-facing machine it's possible
they're caused by the password-guessing worm (which tries accounts like
"admin" and "guest") doing the rounds:
http://marc.theaimsgroup.com/?l=full-disclosure&m=109078144002874

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From cbar44 at tsg.cbot.com Thu Oct 7 03:36:45 2004
From: cbar44 at tsg.cbot.com (Christopher L. Barnard)
Date: Wed, 6 Oct 2004 12:36:45 -0500 (CDT)
Subject: What does this error mean and can I fix it.
In-Reply-To: <4163C111.6040900@zip.com.au>
References: <000401c4ab0c$cef42300$e9820d0f@Loguhp> <4163C111.6040900@zip.com.au>
Message-ID: 

Bingo.  (Although this happens on many machines, and they are all
internal.)  When someone mistypes their login name and so is attempting
to log in with a nonexistent account, the session is logged at .info for
the invalid user and at .error for failure to get the shadow info.

Thanks for your help.  It's incredible what you can find in your logs if
you know what you are looking for...

Christopher L. Barnard

On Wed, 6 Oct 2004, Darren Tucker wrote:

> Logu wrote:
> >>This is true with OpenSsh 3.8p1 and OpenSsh 3.9p1.  I am running on Sun
> >>Solaris servers, both Solaris 8 and Solaris 9.
> >>
> >>I send all ssh syslog messages to local3 via the sshd_config file.  I
> >>periodically get in my error logs the line:
> >>
> >>Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error:
> >>Could not get shadow information for NOUSER
> >>
> >>I do not think this is interfering with any user.  I would like to get rid
> >>of these false positive errors, but I have not been able to track down
> >>what this error is stating.  Can any of you provide assistance in
> >>determining what this means.  Thank you.
>
> It's most likely a failed logon attempt on an account without an entry
> in /etc/passwd and /etc/shadow.
>
> If you're seeing them on an Internet-facing machine it's possible
> they're caused by the password-guessing worm (which tries accounts like
> "admin" and "guest") doing the rounds:
> http://marc.theaimsgroup.com/?l=full-disclosure&m=109078144002874
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
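The correlation Barnard describes above (the .info "Invalid user" record and the .error shadow record are written by the same sshd child) can be checked mechanically. The following Python script is an added example, not code from the thread or from OpenSSH: it pairs the two records by host and sshd PID, attributes each NOUSER error to the username and source address that caused it, and lists sources that produce many invalid-user attempts, which is the pattern Darren Tucker attributes to the password-guessing worm. The log lines are constructed; the Solaris "[ID nnn facility.level]" tags in them are placeholders, not real message IDs, and the "Invalid user ... from ..." wording is the form sshd logs at .info.

```python
import re
from collections import Counter

# Constructed sample in the Solaris syslog format quoted in the thread. The
# "[ID nnn facility.level]" tags are placeholders, not real Solaris message IDs.
SAMPLE_LOG = """\
Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.info] Invalid user cbarnrad from 10.1.2.3
Oct  4 15:29:36 wintermute sshd[14517]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 15:30:02 wintermute sshd[14520]: [ID 800047 local3.info] Accepted publickey for cbarnard from 10.1.2.3 port 40112 ssh2
Oct  4 16:01:10 wintermute sshd[14611]: [ID 800047 local3.info] Invalid user admin from 198.51.100.7
Oct  4 16:01:10 wintermute sshd[14611]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 16:01:12 wintermute sshd[14612]: [ID 800047 local3.info] Invalid user guest from 198.51.100.7
Oct  4 16:01:12 wintermute sshd[14612]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 16:01:15 wintermute sshd[14613]: [ID 800047 local3.info] Invalid user test from 198.51.100.7
Oct  4 16:01:15 wintermute sshd[14613]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
Oct  4 16:05:00 wintermute sshd[14700]: [ID 800047 local3.error] error: Could not get shadow information for NOUSER
"""

# One syslog record: timestamp, host, sshd pid, optional Solaris ID tag, message.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?:\[ID \d+ \S+\] )?(?P<msg>.*)$"
)
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+)$")
NOUSER_MSG = "error: Could not get shadow information for NOUSER"


def correlate_nouser(log_text):
    """Pair each NOUSER error with the 'Invalid user' record from the same sshd child.

    Returns a dict with the explained errors (attributed to a username and a
    source address), the unexplained ones, and per-source / per-user counters.
    """
    pending = {}  # (host, pid) -> (user, src) for an invalid-user record not yet paired
    result = {"explained": [], "unexplained": [],
              "by_source": Counter(), "by_user": Counter()}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an sshd record in the expected format
        key = (m["host"], m["pid"])
        inv = INVALID_USER_RE.match(m["msg"])
        if inv:
            pending[key] = (inv["user"], inv["src"])
        elif m["msg"] == NOUSER_MSG:
            if key in pending:
                user, src = pending.pop(key)
                result["explained"].append(
                    {"ts": m["ts"], "pid": m["pid"], "user": user, "src": src})
                result["by_source"][src] += 1
                result["by_user"][user] += 1
            else:
                # Same error, but this sshd child never logged an invalid-user line:
                # worth a second look rather than being written off as noise.
                result["unexplained"].append(
                    {"ts": m["ts"], "host": m["host"], "pid": m["pid"]})
    return result


def noisy_sources(by_source, threshold=3):
    """Source addresses with at least `threshold` invalid-user attempts, busiest first."""
    return [src for src, n in by_source.most_common() if n >= threshold]


if __name__ == "__main__":
    r = correlate_nouser(SAMPLE_LOG)
    for e in r["explained"]:
        print(f"{e['ts']} sshd[{e['pid']}]: NOUSER error caused by invalid user "
              f"{e['user']!r} from {e['src']}")
    for u in r["unexplained"]:
        print(f"{u['ts']} sshd[{u['pid']}]: NOUSER error with no matching "
              f"'Invalid user' record")
    print("sources at or above threshold:", noisy_sources(r["by_source"]))
```

On the sample, the first error is a mistyped internal login (the case Barnard found), three come from one address cycling through "admin", "guest" and "test", and one has no matching invalid-user record at all; the last category is the one to investigate, since a lone shadow error without a preceding invalid-user line is not explained by the mistyped-username story.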
From djm at mindrot.org Thu Oct 7 20:31:22 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 07 Oct 2004 20:31:22 +1000
Subject: BUG: ssh-agent unlinks sockets/files it doesn't own.
In-Reply-To: <4160EF45.8090405@mindrot.org>
References: <20041004051825.GA6372@rich-paul.net> <4160EF45.8090405@mindrot.org>
Message-ID: <41651AFA.6050405@mindrot.org>

Damien Miller wrote:
> Rich wrote:
>
>>The first ssh-agent survives the ordeal, but finds itself unreachable,
>>and without purpose.
>>
>>I would suggest a couple of changes:
>>
>>1) unless bind has been successful, don't unlink the socket.
>
> Yes, I agree. Patch attached.

The patch has been committed and will be in tomorrow's (20041007)
snapshot.

-d

From vinschen at redhat.com Thu Oct 7 23:25:30 2004
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 7 Oct 2004 15:25:30 +0200
Subject: [PATCH] permanently_set_uid: Don't try restoring gid on Cygwin
In-Reply-To: <20040922183616.GI17670@cygbert.vinschen.de>
References: <20040922183616.GI17670@cygbert.vinschen.de>
Message-ID: <20041007132530.GO6702@cygbert.vinschen.de>

Ping?

Corinna

On Sep 22 20:36, Corinna Vinschen wrote:
> Hi,
>
> the below patch solves the same problem for gids as has already been
> solved for uids.  Windows has no concept of permanently changing the
> identity.  It's always possible to revert to the original identity.
>
> Thanks,
> Corinna
>
>
> Index: uidswap.c
> ===================================================================
> RCS file: /cvs/openssh_cvs/uidswap.c,v
> retrieving revision 1.44
> diff -p -u -r1.44 uidswap.c
> --- uidswap.c 24 Feb 2004 02:17:30 -0000 1.44
> +++ uidswap.c 22 Sep 2004 18:17:44 -0000
> @@ -200,10 +200,12 @@ permanently_set_uid(struct passwd *pw)
> fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
> #endif
>
> +#ifndef HAVE_CYGWIN
> /* Try restoration of GID if changed (test clearing of saved gid) */
> if (old_gid != pw->pw_gid &&
> (setgid(old_gid) != -1 || setegid(old_gid) != -1))
> fatal("%s: was able to restore old [e]gid", __func__);
> +#endif
>
> /* Verify GID drop was successful */
> if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {

-- 
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From scanell at jpl.nasa.gov Fri Oct 8 06:34:21 2004
From: scanell at jpl.nasa.gov (scanell)
Date: Thu, 07 Oct 2004 13:34:21 -0700
Subject: openssh & kerberos & gssapi
Message-ID: <4165A84D.4070508@jpl.nasa.gov>

I have configured openssh --with-kerberos5= --with-pam --with-tcp-wrapper=,
but when I expire my kerberos password, I do not get a challenge to change
my password for kerberos... anyone have any thoughts.

I tried modifying the Makefile to include -DGSSAPI -DHAVE_GSSAPI_GSSAPI_H
-DHAVE_GSSAPI_GSSAPI_GENERIC_H because I noticed that the gssapi options for
both ssh_config and sshd_config did not work, but then it still didn't do
anything after including these variables.... which by the way, the configure
program did not address gssapi !!

I am working with openssh3.9-p1

PS it would be nice to get a ticket with kinit and have openssh support
single-sign-on and kerberos password change on expired passwords as it does
with /etc/passwd and /etc/shadow.

This is currently in a Solaris 9 environment.

Stephen E. Canell

DISCLAIMER: JPL now requires notice in all electronic communication that all
personal and professional opinions presented herein are my own and do not, in
any way, represent the opinion or policy of JPL.

From roland.mainz at nrubsig.org Fri Oct 8 12:20:37 2004
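Review bot: on the uidswap.c hunk in Corinna Vinschen's permanently_set_uid() patch above, the `#ifndef HAVE_CYGWIN` guard compiles out the only test that the saved gid was actually cleared, so on Cygwin the function falls straight through to `if (getgid() != pw->pw_gid || getegid() != pw->pw_gid)`, which cannot distinguish a permanently dropped gid from one that can still be reverted; a one-line comment inside the guard saying why the test is skipped there (Windows has no permanent identity change, as the covering mail states) would keep a later reader from "fixing" it back. Two follow-ups: in the visible lines `old_gid` is referenced only inside the guarded block, so check that it is still used elsewhere when HAVE_CYGWIN is defined, otherwise the variable needs the same guard to avoid an unused-variable warning; and the uid-side guard the mail says already exists is not part of this hunk, so confirm both sites test the same `HAVE_CYGWIN` macro so they stay consistent.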
From: roland.mainz at nrubsig.org (Roland Mainz)
Date: Fri, 08 Oct 2004 04:20:37 +0200
Subject: Xprint support in OpenSSH?
References: <396033170@web.de> <40CCF9D4.90401@mindrot.org>
Message-ID: <4165F975.7E7F2E0@nrubsig.org>

Damien Miller wrote:
> > Does OpenSSH have any plans yet to extend the existing X11 forwarding
> > support to include Xprint - the XOrg standard for printing?
> > Documentation can be found at http://xprint.mozdev.org/docs/
> >
> > The only change required to have Xprint support is to forward the X
> > print server connection referenced by the XPSERVERLIST environment
> > variable similar to the video display server referenced by the
> > DISPLAY environment variable.
>
> We don't have any plans to support this at present - IIRC the protocol
> only allows forwarding of a single X channel.

You don't need to forward multiple X11 connections, it's usually
sufficient to forward the matching ports for the Xprint servers as they
are - like cupsd and lpd - shared between multiple users on a per-host or
per-network basis (there are exceptions like MacOSX/Darwin where both
video and print Xservers are started per-user instance) - and you can't
steal keystrokes etc. as Xprt is non-interactive (no keyboard, no mouse)
- the worst thing which could be done (in theory!) would be to submit
another print job to a printer) and modify the XPSERVERLIST environment
variable on the other side.

In theory this can be done via wrapper scripts but the task is
non-trivial - direct support within OpenSSH would be much more painless
than the wrapper script hack.

> There was some discussion on the ietf-ssh at netbsd.org mailing list back
> in April on the issue of multiple X forwardings, but it seems to have
> fizzled out without producing a complete spec.

Is the discussion archived somewhere?

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)

From senthilkumar_sen at hotpop.com Sat Oct 9 02:08:44 2004
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Fri, 8 Oct 2004 21:38:44 +0530
Subject: OpenSSH -3.9 connection delay
Message-ID: <040701c4ad51$174fd2c0$220110ac@sekco>

Hello,

We are moving from OpenSSH-3.8 to OpenSSH-3.9 in our organization. We
came across a feature that this latest version re-execs itself for every
new connection. It would be beneficial if anyone could throw light on
this feature about its advantages and purpose. This makes considerable
connection delay as two times seeding takes place. We also came across
that -r disables re-exec of sshd. We suspect some execute time
randomisations are taking place, but what exactly is happening here?
What is the new level of security imposed here?

Thanks,
Sen

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.772 / Virus Database: 519 - Release Date: 10/5/2004

From tusker at tusker.org Sat Oct 9 16:19:32 2004
From: tusker at tusker.org (Damien Mascord)
Date: Sat, 09 Oct 2004 14:19:32 +0800
Subject: Traffic monitoring/ip acct of SSH sessions
Message-ID: <416782F4.5090002@tusker.org>

Hi guys,

I am looking for an IP accounting solution which will allow me to monitor
how much traffic is used per ssh session, ie, scp, sftp, the shell itself,
etc etc.

Is there something similar to rssh that may work in this manner?

I know there exist kernel patches for user level IPAC, though I am using
virtual users (ie, NSS stuff without /etc/passwd entries), and I don't see
any way to monitor these NSS users.

If anyone has any pointers to where to look, or ways of restricting a
person's IP usage within a SSH session, please let me know!

Thanks in advance,

Damien

-- 
Damien Mascord (tusker at tusker dot org)
GPG key 2CB181BE / 93B2 EF21 0C7C F022 F467 7966 219E 92B3 2CB1 81BE

From dwmw2 at infradead.org Sun Oct 10 21:29:34 2004
From: dwmw2 at infradead.org (David Woodhouse)
Date: Sun, 10 Oct 2004 12:29:34 +0100
Subject: [PATCH] PreferAskpass in ssh_config
In-Reply-To: 
References: 
Message-ID: <1097407774.6525.590.camel@baythorne.infradead.org>

On Sun, 2004-10-03 at 11:19 -0500, Ben Lindstrom wrote:
> And this solves what real world problem?

It looks like it would remove the need for the horrid little wrapper hack
I have which disassociates from the controlling tty before running ssh,
purely to ensure that $SSH_ASKPASS gets invoked.

This is useful for pine, for example, where attempts to use the tty by
ssh are always going to fail. You _always_ want to use an external
program.

I also use it for automatic invocation of skey -- the script I use for
ssh-askpass actually uses the real askpass utility to ask for the skey
passphrase, then generates the response appropriately.

-- 
dwmw2

From oliver at linux-kernel.at Mon Oct 11 20:43:50 2004
From: oliver at linux-kernel.at (Oliver Falk)
Date: Mon, 11 Oct 2004 12:43:50 +0200
Subject: PermitRoot without-password doesn't work if AllowUsers user1 user2 set, but root not included; Also some bug in auth.c (Me thinks)
Message-ID: <200410111041.i9BAfagA024778@pils.linux-kernel.at>

Hi list!

I have some machines running openssh 3.9p1.
AllowUsers is set to my users, that are allowed to login.
If I set PermitRoot without-password, but do not include root in AllowUsers,
root is not able to login with pubkey. I do not want to set root in
AllowUsers, since the without-password option should check this already, I
think... So I made a small patch that allows me to login as root
without-password, without adding root to the AllowUsers list.

I also think, that auth.c has a bug regarding without-password, because it
strcmp's method with 'password', but this should be 'without-password', I
believe... For more information, have a look at the second hunk of the
patch...

Maybe nobody needs this 'feature', but if anyone does... :-)

Best,
 Oliver

PS: Please do reply to my address, since I'm not subscribed on this list!

From dtucker at zip.com.au Mon Oct 11 21:42:44 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 11 Oct 2004 21:42:44 +1000
Subject: PermitRoot without-password doesn't work if AllowUsers user1 user2 set, but root not included; Also some bug in auth.c (Me thinks)
In-Reply-To: <200410111041.i9BAfagA024778@pils.linux-kernel.at>
References: <200410111041.i9BAfagA024778@pils.linux-kernel.at>
Message-ID: <416A71B4.2060203@zip.com.au>

Oliver Falk wrote:
> I have some machines running openssh 3.9p1.
> AllowUsers is set to my users, that are allowed to login.
> If I set PermitRoot without-password, but do not include root in AllowUsers,
> root is not able to login with pubkey. I do not want to set root in
> AllowUsers, since the without-password option should check this already, I
> think... So I made a small patch that allows me to login as root
> without-password, without adding root to the AllowUsers list.
>
> I also think, that auth.c has a bug regarding without-password, because it
> strcmp's method with 'password', but this should be 'without-password', I
> believe...

Not unless the IETF SSH working group have changed the name of the
authentication method :-)

> For more information, have a look at the second hunk of the
> patch...

The patch didn't make it to the list (non-text attachments are stripped
out and I suspect yours had the wrong MIME type or something).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

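The exchange above turns on two separate sshd checks: AllowUsers is applied to every account, root included, before authentication, and PermitRootLogin without-password is applied afterwards and rejects only the method named "password" (the name Darren Tucker refers to). The Python model below is an added example, not OpenSSH code: it parses the three relevant sshd_config keywords and evaluates a (user, method) pair in the same order sshd does. It is a simplification, assumed for illustration: only bare user patterns are honoured (no user@host forms), the forced-command part of forced-commands-only is not modelled, and the default of "yes" for a missing PermitRootLogin is the one sshd of that era used.

```python
import fnmatch

# Default applied when PermitRootLogin is absent; "yes" is the OpenSSH 3.9-era default.
DEFAULT_PERMIT_ROOT_LOGIN = "yes"

# Constructed configs: the first is the situation Oliver Falk describes, the
# second is the same file with root added to AllowUsers.
CONFIG_AS_POSTED = """\
# constructed sshd_config fragment
AllowUsers oliver alice
PermitRootLogin without-password
"""
CONFIG_WITH_ROOT = CONFIG_AS_POSTED + "AllowUsers root\n"


def parse_sshd_config(text):
    """Keep only AllowUsers, DenyUsers and PermitRootLogin from an sshd_config fragment.

    Keywords are matched case-insensitively, as sshd_config(5) specifies; repeated
    AllowUsers/DenyUsers lines accumulate.
    """
    cfg = {"allowusers": [], "denyusers": [],
           "permitrootlogin": DEFAULT_PERMIT_ROOT_LOGIN}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key in ("allowusers", "denyusers"):
            # Simplification (assumed): bare user patterns only, no user@host forms.
            cfg[key].extend(value.split())
        elif key == "permitrootlogin":
            cfg[key] = value.strip().lower()
    return cfg


def _matches_any(user, patterns):
    """AllowUsers/DenyUsers entries are shell-style patterns."""
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)


def evaluate_login(cfg, user, method):
    """Decide whether `user` may authenticate with `method` ("password" or "publickey").

    Returns (allowed, reason). The order mirrors sshd: DenyUsers, then AllowUsers,
    for every account, and only then the root-specific PermitRootLogin check.
    """
    if _matches_any(user, cfg["denyusers"]):
        return False, "user matches DenyUsers"
    if cfg["allowusers"] and not _matches_any(user, cfg["allowusers"]):
        # This is the rejection in the thread: root is not exempt from AllowUsers,
        # and PermitRootLogin is never consulted for an account that fails here.
        return False, "AllowUsers is set and user does not match it"
    if user == "root":
        mode = cfg["permitrootlogin"]
        if mode == "no":
            return False, "PermitRootLogin no"
        if mode == "without-password" and method == "password":
            # sshd compares the method name "password", not "without-password".
            return False, "PermitRootLogin without-password rejects the password method"
        if mode == "forced-commands-only" and method != "publickey":
            return False, "PermitRootLogin forced-commands-only requires public-key auth"
    return True, "permitted"


if __name__ == "__main__":
    for label, text in (("as posted", CONFIG_AS_POSTED), ("root in AllowUsers", CONFIG_WITH_ROOT)):
        cfg = parse_sshd_config(text)
        for user, method in (("root", "publickey"), ("root", "password"), ("oliver", "password")):
            print(f"[{label}] {user}/{method}: {evaluate_login(cfg, user, method)}")
```

With the configuration as posted, root with a public key is refused at the AllowUsers step, which is the behaviour reported; adding root to AllowUsers lets the key through while the password method for root is still refused by PermitRootLogin without-password. Keeping root in AllowUsers is therefore the documented way to get the intended result, rather than patching the order of the checks.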
From: NAINOIDAEXCH-03 at noida.hcltech.com (GroupShield for Exchange (EXCH-03)) Date: Mon, 11 Oct 2004 21:24:03 +0530 Subject: ALERT - GroupShield ticket number OA482_1097509999_EXCH-03_1 was generated Message-ID: <267988DEACEC5A4D86D5FCD780313FBBA30D6B@exch-03.noida.hcltech.com> Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: nitingk at noida.hcltech.com From: openssh-unix-dev at mindrot.org Sent: -2017484928,29667242 Subject: Message could not be delivered Attachment Details:- Attachment Name: nusrata at noida.hcltech.com.zip File: nusrata at noida.hcltech.com.zip Infected? Yes Repaired? No Blocked? No Deleted? No Virus Name: W32/Mydoom.o at MM!zip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 1885 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041011/952d12ec/attachment.bin From NAINOIDAEXCH-03 at noida.hcltech.com Tue Oct 12 01:54:03 2004 From: NAINOIDAEXCH-03 at noida.hcltech.com (GroupShield for Exchange (EXCH-03)) Date: Mon, 11 Oct 2004 21:24:03 +0530 Subject: ALERT - GroupShield ticket number OA480_1097509999_EXCH-03_1 was generated Message-ID: <267988DEACEC5A4D86D5FCD780313FBBA30D6A@exch-03.noida.hcltech.com> Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: nitingk at noida.hcltech.com 
From: openssh-unix-dev at mindrot.org Sent: -2017484928,29667242 Subject: Message could not be delivered Attachment Details:- Attachment Name: opg at noida.hcltech.com.zip File: opg at noida.hcltech.com.zip Infected? Yes Repaired? No Blocked? No Deleted? No Virus Name: W32/Mydoom.o at MM!zip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 1879 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041011/455d2a68/attachment.bin From NAINOIDAEXCH-03 at noida.hcltech.com Tue Oct 12 01:54:04 2004 From: NAINOIDAEXCH-03 at noida.hcltech.com (GroupShield for Exchange (EXCH-03)) Date: Mon, 11 Oct 2004 21:24:04 +0530 Subject: ALERT - GroupShield ticket number OA494_1097510038_EXCH-03_1 was generated Message-ID: <267988DEACEC5A4D86D5FCD780313FBBA30D70@exch-03.noida.hcltech.com> Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: nitingk at noida.hcltech.com From: openssh-unix-dev at mindrot.org Sent: -2017484928,29667242 Subject: Message could not be delivered Attachment Details:- Attachment Name: nitink at noida.hcltech.com.zip File: nitink at noida.hcltech.com.zip Infected? Yes Repaired? No Blocked? No Deleted? No Virus Name: W32/Mydoom.o at MM!zip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 1885 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041011/11ab0305/attachment.bin From NAINOIDAEXCH-03 at noida.hcltech.com Tue Oct 12 01:54:03 2004 
From: NAINOIDAEXCH-03 at noida.hcltech.com (GroupShield for Exchange (EXCH-03)) Date: Mon, 11 Oct 2004 21:24:03 +0530 Subject: ALERT - GroupShield ticket number OA479_1097509993_EXCH-03_3 was generated Message-ID: <267988DEACEC5A4D86D5FCD780313FBBA30D69@exch-03.noida.hcltech.com> Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: nitingk at noida.hcltech.com From: openssh-unix-dev at mindrot.org Sent: -2017484928,29667242 Subject: Message could not be delivered Attachment Details:- Attachment Name: noida.hcltech.com File: noida.hcltech.com Infected? No Repaired? No Blocked? Yes Deleted? No Virus Name: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 1853 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041011/a5fb2f21/attachment.bin From NAINOIDAEXCH-03 at noida.hcltech.com Tue Oct 12 01:54:04 2004 From: NAINOIDAEXCH-03 at noida.hcltech.com (GroupShield for Exchange (EXCH-03)) Date: Mon, 11 Oct 2004 21:24:04 +0530 Subject: ALERT - GroupShield ticket number OA484_1097510017_EXCH-03_1 was generated Message-ID: <267988DEACEC5A4D86D5FCD780313FBBA30D6C@exch-03.noida.hcltech.com> Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: nitingk at noida.hcltech.com 
From: openssh-unix-dev at mindrot.org Sent: -2017484928,29667242 Subject: Message could not be delivered Attachment Details:- Attachment Name: noida.hcltech.com.zip File: noida.hcltech.com.zip Infected? Yes Repaired? No Blocked? No Deleted? No Virus Name: W32/Mydoom.o at MM!zip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 1877 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041011/cd26861e/attachment.bin From NAINOIDAEXCH-03 at noida.hcltech.com Tue Oct 12 01:54:04 2004 From: NAINOIDAEXCH-03 at noida.hcltech.com (GroupShield for Exchange (EXCH-03)) Date: Mon, 11 Oct 2004 21:24:04 +0530 Subject: ALERT - GroupShield ticket number OA488_1097510022_EXCH-03_1 was generated Message-ID: <267988DEACEC5A4D86D5FCD780313FBBA30D6E@exch-03.noida.hcltech.com> Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: nitingk at noida.hcltech.com From: openssh-unix-dev at mindrot.org Sent: -2017484928,29667242 Subject: Message could not be delivered Attachment Details:- Attachment Name: nitinsu at noida.hcltech.com.zip File: nitinsu at noida.hcltech.com.zip Infected? Yes Repaired? No Blocked? No Deleted? No Virus Name: W32/Mydoom.o at MM!zip -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/ms-tnef Size: 1885 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041011/cb93efa3/attachment.bin From NAINOIDAEXCH-03 at noida.hcltech.com Tue Oct 12 01:54:03 2004 
From: bocci at fi.infn.it (Andrea Bocci)
Date: Tue, 12 Oct 2004 11:52:30 +0200
Subject: Suggestion: YUM RPM headers
Message-ID: <1097574750.416ba95e7d92f@postino.fi.infn.it>

Simple suggestion from an OpenSSH user to the guys who package and make available the RPMs for Portable OpenSSH: why don't you also add YUM (RPM) headers to the ftp/http distributions?

If any help/manpower is needed, I volunteer :-)

.Andrea.

PS. Please cc: me, I'm not on the list.

--
fwyzard at member.fsf.org
Free Software Foundation Associate Member

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From: jbebel at ncsu.edu (Joel Ebel)
Date: Tue, 12 Oct 2004 10:33:45 -0400
Subject: daemon() failed
Message-ID: <416BEB49.7010903@ncsu.edu>

A friend of mine is having an issue running sshd as a daemon. I don't have full access to this box, so troubleshooting may be difficult, but from what I can gather, the call to daemon() is failing. sshd -D works fine, but sshd -e returns "daemon() failed: Success", which is in and of itself funny. This is Slackware 10.0, with openssh 3.8.1p1 and glibc 2.3.2. I have several slack 10 boxes with this same combination that work fine, so he must have done something funny, but I can't figure out what. I reinstalled both openssh and glibc to make sure they were all there, and ran ldconfig. It didn't fix the problem. I'm kind of stumped as to why the call to daemon() would fail. Any ideas?

Thanks,
Joel
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 13 Oct 2004 00:53:07 +1000
Subject: daemon() failed
In-Reply-To: <416BEB49.7010903@ncsu.edu>
References: <416BEB49.7010903@ncsu.edu>
Message-ID: <416BEFD3.5030203@zip.com.au>

Joel Ebel wrote:
> A friend of mine is having an issue running sshd as a daemon. I don't
> have full access to this box, so troubleshooting may be difficult, but
> from what I can gather, the call to daemon() is failing. sshd -D works
> fine, but sshd -e returns "daemon() failed: Success"

That probably means the daemon() call returned a failure error code but did not set errno.

> which is in and
> of itself funny. This is Slackware 10.0, with openssh 3.8.1p1 and glibc
> 2.3.2. I have several slack 10 boxes with this same combination that
> work fine, so he must have done something funny, but I can't figure out
> what. I reinstalled both openssh and glibc to make sure they were all
> there, and ran ldconfig. It didn't fix the problem. I'm kind of
> stumped as to why the call to daemon() would fail. Any ideas?

Check config.h for HAVE_DAEMON; if it's set, try commenting it out and rebuilding (make clean && make). This will use OpenSSH's own replacement function.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From: oplehto at csc.fi (Olli-Pekka Lehto)
Date: Tue, 12 Oct 2004 20:15:55 +0300
Subject: Pseudo-terminal notification and quiet logging
Message-ID: <416C114B.7010105@csc.fi>

Is there any reason why the notification "Pseudo-terminal will not be allocated because stdin is not a terminal." should appear in ssh even when quiet mode is enabled? Looking at the ssh.c source, log_init is called just after this notification. Why shouldn't this be the other way around? I tested this with openssh-3.6.1p2 but it seems to be this way still in the latest snapshot.

regards,
Olli-Pekka Lehto
From: jbebel at ncsu.edu (Joel Ebel)
Date: Tue, 12 Oct 2004 22:35:55 -0400
Subject: daemon() failed
In-Reply-To: <416BEB49.7010903@ncsu.edu>
References: <416BEB49.7010903@ncsu.edu>
Message-ID: <416C948B.3040402@ncsu.edu>

We figured this one out. Apparently, /dev/null had gotten corrupted. So if you run into this problem on Linux, check to make sure /dev/null is actually a character device and has permissions 666.

Joel

Joel Ebel wrote:
> A friend of mine is having an issue running sshd as a daemon. I don't
> have full access to this box, so troubleshooting may be difficult, but
> from what I can gather, the call to daemon() is failing. sshd -D works
> fine, but sshd -e returns "daemon() failed: Success", which is in and
> of itself funny. This is Slackware 10.0, with openssh 3.8.1p1 and glibc
> 2.3.2. I have several slack 10 boxes with this same combination that
> work fine, so he must have done something funny, but I can't figure out
> what. I reinstalled both openssh and glibc to make sure they were all
> there, and ran ldconfig. It didn't fix the problem. I'm kind of
> stumped as to why the call to daemon() would fail. Any ideas?
>
> Thanks,
> Joel
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
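The check Joel describes, as an added example in C (not OpenSSH's or glibc's code): it opens /dev/null, requires a character device that is world readable and writable and, on Linux, carries the null device's major/minor numbers (1, 3), and sets errno itself on every failure so a caller printing strerror() never sees a misleading "Success". glibc's daemon() makes a comparable sanity check before redirecting the standard descriptors, which is consistent with the symptom in this thread; the function name, the Linux-only device-number test and the temporary file path used by main() are this example's own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/sysmacros.h>	/* makedev() */
#endif

/*
 * Return 0 if `path` is usable as a daemon's stdin/stdout/stderr sink:
 * it must open read/write, be a character device, (on Linux) be the
 * null device 1:3 and be mode 666. On failure return -1 with errno set
 * to a value that explains why, so strerror() is never "Success".
 */
int
check_devnull(const char *path)
{
	struct stat st;
	int fd, saved;

	if ((fd = open(path, O_RDWR)) == -1)
		return -1;			/* errno from open() */
	if (fstat(fd, &st) == -1) {
		saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	close(fd);
	if (!S_ISCHR(st.st_mode)) {
		errno = ENODEV;			/* regular file, directory, ... */
		return -1;
	}
#ifdef __linux__
	/* Assumption: Linux null device is major 1, minor 3. */
	if (st.st_rdev != makedev(1, 3)) {
		errno = ENODEV;			/* some other character device */
		return -1;
	}
#endif
	if ((st.st_mode & 0666) != 0666) {
		errno = EACCES;			/* e.g. recreated with mode 0600 */
		return -1;
	}
	return 0;
}

/* Demonstration helper: create an empty regular file at `path`. */
int
create_regular_file(const char *path)
{
	FILE *f = fopen(path, "w");

	if (f == NULL)
		return -1;
	return fclose(f);
}

int
main(void)
{
	const char *fake = "/tmp/fake-devnull-example";	/* constructed path */

	if (check_devnull("/dev/null") == 0)
		printf("/dev/null: ok\n");
	else
		printf("/dev/null: %s\n", strerror(errno));

	/* A regular file named like /dev/null is exactly the corrupted case. */
	if (create_regular_file(fake) == 0) {
		if (check_devnull(fake) == -1)
			printf("%s: %s\n", fake, strerror(errno));
		unlink(fake);
	}
	return 0;
}
```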
From: ged at jubileegroup.co.uk (Ged Haywood)
Date: Wed, 13 Oct 2004 17:50:30 +0100 (BST)
Subject: Mirror problems.

Hi there,

I just tried a couple of ftp mirrors to grab the latest OpenSSH.

ftp://ftp.solnet.ch/mirror/OpenBSD/OpenSSH/portable/

replies with a 550 and

ftp://ftp.dragonbsd.swiss-anime.ch/pub/OpenBSD/OpenSSH/portable/

doesn't seem to have been updated since May.

They were the first two I tried. Why me??? :)

73,
Ged.

From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 13 Oct 2004 12:22:24 -0500 (CDT)
Subject: Mirror problems.

On Wed, 13 Oct 2004, Ged Haywood wrote:
> Hi there,
>
> I just tried a couple of ftp mirrors to grab the latest OpenSSH.
>
> ftp://ftp.solnet.ch/mirror/OpenBSD/OpenSSH/portable/
>
> replies with a 550 and
>

solnet.ch looks to have stopped mirroring: ftp://ftp.solnet.ch/mirror/OpenBSD/README

    We have stopped mirroring OpenBSD
    Please visit www.openbsd.org for another mirror nearby
    Your SolNet Team

So we should pull it off the portable.html page.

> ftp://ftp.dragonbsd.swiss-anime.ch/pub/OpenBSD/OpenSSH/portable/
>
> doesn't seem to have been updated since May.
>

Looks like the whole OpenBSD/ mirror there isn't active any more. Would need to check with others.

> They were the first two I tried. Why me??? :)
>

You've been bad in a former life? Or bad luck of the draw?

- Ben
From: gbromley at intstar.com (Gareth Bromley)
Date: Tue, 12 Oct 2004 11:32:23 +0100 (BST)
Subject: Feature request(s) for OpenSSH

As subject: I'd like to suggest the following additions to OpenSSH to add extra logging and security features around tunneling.

1) When a SSH tunnel is set up, the SSH server should log (with an appropriate LogLevel setting: VERBOSE, DEBUG?) the user and the destination ip/port combination set up, to enable sensible auditing controls to be in place for forwarded connections.

2) Add a new sshd_config option to control port forwarding based on forwarded destination IPs and ports, e.g.

    AllowForwardingTo *:80
    AllowForwardingTo 1.2.3.4:8080
    AllowForwardingTo 6.7.8.9
    DenyForwardingTo *

3) If possible, restrict forwarding on a per group/user basis at the global configuration level, rather than on an individual basis in their authorized_keys file.

Cheers
Gareth

From: bigwill at MIT.EDU (Will Stockwell)
Date: Fri, 15 Oct 2004 15:28:16 -0400 (EDT)
Subject: OpenSSH current CVS build issue

Hi,

When following the install instructions in README, I get the following build error:

    cc -O2 -DKRB5 -I/usr/include/kerberosV -DGSSAPI -I/usr/src/usr.bin/ssh/ssh/.. -c /usr/src/usr.bin/ssh/ssh/../sshconnect2.c
    /usr/src/usr.bin/ssh/ssh/../sshconnect2.c: In function `input_userauth_pk_ok':
    /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: dereferencing pointer to incomplete type
    /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: structure has no member named `idlist'
    *** Error code 1

    Stop in /usr/src/usr.bin/ssh/ssh.
    *** Error code 1

    Stop in /usr/src/usr.bin/ssh.

Is the current OpenSSH CVS source tree broken in some way, or am I missing something? Please CC bigwill at mit.edu with any responses as I'm not a list member.

Will
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Oct 2004 12:34:47 +1000
Subject: OpenSSH current CVS build issue
Message-ID: <417088C7.8070605@mindrot.org>

Will Stockwell wrote:
> Hi,
>
> When following the install instructions in README, I get the following
> build error:
>
> cc -O2 -DKRB5 -I/usr/include/kerberosV -DGSSAPI
> -I/usr/src/usr.bin/ssh/ssh/.. -c
> /usr/src/usr.bin/ssh/ssh/../sshconnect2.c
> /usr/src/usr.bin/ssh/ssh/../sshconnect2.c: In function
> `input_userauth_pk_ok':
> /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: dereferencing pointer to
> incomplete type
> /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: structure has no member
> named `idlist'
> *** Error code 1

What platform are you using?
From: bigwill at MIT.EDU (Will Stockwell)
Date: Sat, 16 Oct 2004 16:50:42 -0400 (EDT)
Subject: OpenSSH current CVS build issue
In-Reply-To: <417088C7.8070605@mindrot.org>

i386.

Will

On Sat, 16 Oct 2004, Damien Miller wrote:
> Will Stockwell wrote:
> > Hi,
> >
> > When following the install instructions in README, I get the following
> > build error:
> >
> > cc -O2 -DKRB5 -I/usr/include/kerberosV -DGSSAPI
> > -I/usr/src/usr.bin/ssh/ssh/.. -c
> > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c
> > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c: In function
> > `input_userauth_pk_ok':
> > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: dereferencing pointer to
> > incomplete type
> > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: structure has no member
> > named `idlist'
> > *** Error code 1
>
> What platform are you using?
>

From: djm at mindrot.org (Damien Miller)
Date: Sun, 17 Oct 2004 08:27:51 +1000
Subject: OpenSSH current CVS build issue
Message-ID: <4171A067.8090005@mindrot.org>

Will Stockwell wrote:
> i386.

What OS?

Are you determined to provide as little information as you can? Or do we have to play 20 questions in order to help you?

> On Sat, 16 Oct 2004, Damien Miller wrote:
>
> > Will Stockwell wrote:
> >
> > > Hi,
> > >
> > > When following the install instructions in README, I get the following
> > > build error:
> > >
> > > cc -O2 -DKRB5 -I/usr/include/kerberosV -DGSSAPI
> > > -I/usr/src/usr.bin/ssh/ssh/.. -c
> > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c
> > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c: In function
> > > `input_userauth_pk_ok':
> > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: dereferencing pointer to
> > > incomplete type
> > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: structure has no member
> > > named `idlist'
> > > *** Error code 1
> >
> > What platform are you using?
> >
From: bigwill at MIT.EDU (Will Stockwell)
Date: Sat, 16 Oct 2004 18:54:27 -0400 (EDT)
Subject: OpenSSH current CVS build issue
In-Reply-To: <4171A067.8090005@mindrot.org>

My apologies. This is freshly-installed OpenBSD 3.5 on i386. I had already assumed the discussion to be in the context of OpenBSD. I'm building OpenSSH current from CVS in /usr/src/usr.bin/ssh/ as indicated in my build message. Additionally, a standard OpenSSH 3.9 tree produces an identical error, so I'm led to believe my build environment is not correctly set up rather than the code being broken. For instance, do I require the whole of /usr/src from CVS for the build to work correctly, or something else specifically unrelated to the source code producing the error?

Will

On Sun, 17 Oct 2004, Damien Miller wrote:
> Will Stockwell wrote:
> > i386.
>
> What OS?
>
> Are you determined to provide as little information as you can? Or do we
> have to play 20 questions in order to help you?
>
> > On Sat, 16 Oct 2004, Damien Miller wrote:
> >
> > > Will Stockwell wrote:
> > >
> > > > Hi,
> > > >
> > > > When following the install instructions in README, I get the following
> > > > build error:
> > > >
> > > > cc -O2 -DKRB5 -I/usr/include/kerberosV -DGSSAPI
> > > > -I/usr/src/usr.bin/ssh/ssh/.. -c
> > > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c
> > > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c: In function
> > > > `input_userauth_pk_ok':
> > > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: dereferencing pointer to
> > > > incomplete type
> > > > /usr/src/usr.bin/ssh/ssh/../sshconnect2.c:460: structure has no member
> > > > named `idlist'
> > > > *** Error code 1
> > >
> > > What platform are you using?
> > >
From: djm at mindrot.org (Damien Miller)
Date: Sun, 17 Oct 2004 08:58:12 +1000
Subject: OpenSSH current CVS build issue
Message-ID: <4171A784.6030201@mindrot.org>

Will Stockwell wrote:
> My apologies. This is freshly-installed OpenBSD 3.5 on i386. I had
> already assumed the discussion to be in the context of OpenBSD. I'm
> building OpenSSH current from CVS in /usr/src/usr.bin/ssh/ as indicated
> in my build message.

You need to apply this patch to build OpenSSH 3.9 or newer on OpenBSD < 3.6:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd35_3.9.patch

-d

From: geos at epost.de (Georg Schwarz)
Date: Sun, 17 Oct 2004 13:43:39 +0200
Subject: OpenSSH 3.9.1 fix for IRIX 5.3 cc
Message-ID: <1glsw99.1qt3qt22mm62M@geos.net.eu.org>

Hi,

the following patch to cipher.c enables OpenSSH 3.9.1 to compile on IRIX 5.3 with the native IDO cc:

--- cipher.c.orig	2004-10-17 12:04:10.000000000 +0200
+++ cipher.c	2004-10-17 13:43:22.000000000 +0200
@@ -76,15 +76,15 @@ u_int key_len; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, + { "none", SSH_CIPHER_NONE, 8, 0, (const EVP_CIPHER *(*)(void)) EVP_enc_null }, + { "des", SSH_CIPHER_DES, 8, 8, (const EVP_CIPHER *(*)(void)) EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, - { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, - { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, - { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, - { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, (const EVP_CIPHER *(*)(void)) EVP_des_ede3_cbc }, + { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, (const EVP_CIPHER *(*)(void)) EVP_bf_cbc }, + { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, (const EVP_CIPHER *(*)(void)) EVP_cast5_cbc }, + { "arcfour", SSH_CIPHER_SSH2, 8, 16, (const EVP_CIPHER *(*)(void)) EVP_rc4 }, #if OPENSSL_VERSION_NUMBER < 0x00907000L { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, 
@@ -92,11 +92,11 @@ { "rijndael-cbc at lysator.liu.se", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, #else - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, (const EVP_CIPHER *(*)(void)) EVP_aes_128_cbc }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, (const EVP_CIPHER *(*)(void)) EVP_aes_192_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, (const EVP_CIPHER *(*)(void)) EVP_aes_256_cbc }, { "rijndael-cbc at lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + SSH_CIPHER_SSH2, 16, 32, (const EVP_CIPHER *(*)(void)) EVP_aes_256_cbc }, #endif #if OPENSSL_VERSION_NUMBER >= 0x00905000L { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, @@ -104,7 +104,7 @@ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, #endif #if defined(EVP_CTRL_SET_ACSS_MODE) - { "acss at openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, + { "acss at openssh.org", SSH_CIPHER_SSH2, 16, 5, (const EVP_CIPHER *(*)(void)) EVP_acss }, #endif { NULL, SSH_CIPHER_INVALID, 0, 0, NULL } }; @@ -415,7 +415,7 @@ Cipher *c = cc->cipher; int plen = 0; - if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { + if (c->evptype == (const EVP_CIPHER *(*)(void)) EVP_rc4 || c->evptype == (const EVP_CIPHER *(*)(void)) EVP_acss) { plen = EVP_X_STATE_LEN(cc->evp); if (dat == NULL) return (plen); 
@@ -430,7 +430,7 @@ Cipher *c = cc->cipher; int plen; - if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { + if (c->evptype == (const EVP_CIPHER *(*)(void)) EVP_rc4 || c->evptype == (const EVP_CIPHER *(*)(void)) EVP_acss) { plen = EVP_X_STATE_LEN(cc->evp); memcpy(EVP_X_STATE(cc->evp), dat, plen); } This is because OpenSSL does not define these function pointers as const, and the IRIX 5.3 IDO cc is quite picky on such details and refuses to compile otherwise. The second patch is for the same reason. While not strictly necessary here, it does away with some annoying warnings for the same reasons. --- mac.c.orig 2004-10-17 12:39:46.000000000 +0200 +++ mac.c 2004-10-17 12:41:04.000000000 +0200 @@ -39,12 +39,12 @@ const EVP_MD * (*mdfunc)(void); int truncatebits; /* truncate digest if != 0 */ } macs[] = { - { "hmac-sha1", EVP_sha1, 0, }, - { "hmac-sha1-96", EVP_sha1, 96 }, - { "hmac-md5", EVP_md5, 0 }, - { "hmac-md5-96", EVP_md5, 96 }, - { "hmac-ripemd160", EVP_ripemd160, 0 }, - { "hmac-ripemd160 at openssh.com", EVP_ripemd160, 0 }, + { "hmac-sha1", (const EVP_MD *(*)(void)) EVP_sha1, 0, }, + { "hmac-sha1-96", (const EVP_MD *(*)(void)) EVP_sha1, 96 }, + { "hmac-md5", (const EVP_MD *(*)(void)) EVP_md5, 0 }, + { "hmac-md5-96", (const EVP_MD *(*)(void)) EVP_md5, 96 }, + { "hmac-ripemd160", (const EVP_MD *(*)(void)) EVP_ripemd160, 0 }, + { "hmac-ripemd160 at openssh.com", (const EVP_MD *(*)(void)) EVP_ripemd160, 0 }, { NULL, NULL, 0 } }; This issue might apply to other non-gcc compilers as well. I'd appreciate your feedback. Georg -- Georg Schwarz http://home.pages.de/~schwarz/ geos at epost.de +49 177 8811442 From sem_trywait at sutch.com Sun Oct 17 22:11:20 2004 
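Review bot: in the three cipher-table hunks (@@ -76, @@ -92 and @@ -104) the full cast `(const EVP_CIPHER *(*)(void))` is repeated on every initializer, which pushes each table line well past the 80-column limit OpenSSH inherits from OpenBSD style and buries the actual change. A single typedef near the top of cipher.c, e.g. `typedef const EVP_CIPHER *(*evp_cipher_fn)(void);` used as `{ "des", SSH_CIPHER_DES, 8, 8, (evp_cipher_fn)EVP_des_cbc },`, keeps the table readable and leaves one place to drop the cast once the OpenSSL prototypes it papers over are const-correct. Keep in mind that casting a function pointer switches off the compiler's signature check for that call, so the cast should stay confined to these EVP_* constructors rather than become a general pattern in the file.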
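Review bot: the @@ -415 and @@ -430 hunks duplicate the same two-cast comparison `c->evptype == (const EVP_CIPHER *(*)(void)) EVP_rc4 || c->evptype == (const EVP_CIPHER *(*)(void)) EVP_acss` on a single long line in two functions; a small static helper such as `cipher_has_evp_state(const Cipher *c)` that holds that test once would avoid repeating the cast, keep both functions within the line-length limit and give the next person one place to add a cipher with EVP-managed state.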
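Review bot: the mac.c hunk applies the same cast pattern with `(const EVP_MD *(*)(void))`, so the typedef suggestion for cipher.c applies here too, and the stray trailing comma in `{ "hmac-sha1", (const EVP_MD *(*)(void)) EVP_sha1, 0, },` (carried over from the original line) is worth dropping while that line is being touched. Since the description says this part only silences warnings, please include the IDO cc diagnostic text in the submission so the need for the cast can be confirmed on the other non-gcc compilers it may apply to.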
From: mariusz at gniazdowski.info (Mariusz Gniazdowski)
Date: Sun, 17 Oct 2004 22:34:33 +0200
Subject: Bug with compression in SCP?
Message-ID: <20041017203432.GA16492@mg.localdomain>

Hi

When compression is turned off in sshd ('Compression no') then trying to scp some file on that server ends with the error:

    "Received disconnect from [some IP]: 2: Packet integrity error. lost connection"

Using pscp (version for linux) or scp -1 helps. Is scp turning compression on even without -C?

--
Mariusz Gniazdowski

From: gsaibala at corp.untd.com (Garimella, Sai Balasubramanyam)
Date: Mon, 18 Oct 2004 12:02:19 +0530
Subject: ssh-keyscan hangs in close_wait state
Message-ID: <4D8B620F4FDA414982B23A3E7F6A8EF102828825@hydmail01.hyd.corp.int.untd.com>

Hi folks

I am running openssh-3.7.1 on my servers; most of them are Solaris and Linux builds. When I run ssh-keyscan, it sometimes seems to hang (even with the -T option enabled) in close_wait state. Can you please point me to any patch that is available or any workaround for this problem?

thanks,
Sai.

From: dwmw2 at infradead.org (David Woodhouse)
Date: Mon, 18 Oct 2004 08:24:24 +0100
Subject: [PATCH] PreferAskpass in ssh_config
Message-ID: <1098084264.5102.15.camel@localhost.localdomain>

On Mon, 2004-10-04 at 18:35 -0500, Ben Lindstrom wrote:
> In fact, I'd rather see SSH_ASKPASS && DISPLAY be honored without having
> some additional variable. That way there is no need to add in parsing of
> ssh_config/config into commands that should be by default standalone.

Agreed. The invoked ssh-askpass program can still open and use the controlling tty if it wants to.

--
dwmw2
From: open at simple.be (Brett Hamilton)
Date: Mon, 18 Oct 2004 11:11:01 -0700 (PDT)
Subject: disable password authentication per user

I would like to disable password authentication in sshd for particular users, without locking their UNIX password, and without requiring all users to use PubkeyAuthentication. I cannot find a documented way to accomplish this in OpenSSH. Is it currently possible?

If not, I think this would be a very useful feature to add. I believe that each user should have some control of which authentication methods are allowed to login to their account, within the limits set by the server's sshd_config. For users with special privileges, this feature (like PermitRootLogin) could increase security without restricting the options for normal users.

I'm not sure what the best way to implement this is, but perhaps the user's authorized_keys file could contain a line that meant: "If no keys match, then apply these settings." One of those settings could be: disable-password-authentication.

Thanks,
--Brett

From: wknox at mitre.org (William R. Knox)
Date: Mon, 18 Oct 2004 14:39:35 -0400 (EDT)
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To: <41318F46.6000802@zip.com.au>
References: <20040827184248.GA815@modulo.internal> <41318F46.6000802@zip.com.au>

I have noticed this behavior under Solaris 8 as well. There doesn't appear to be a Bugzilla entry for it, and I see that it is not in the latest SNAP available. Has this patch to ssh.c been helpful to anyone? It seems to fix it under Solaris, for what that's worth. Is it likely to be included in the future? Should I open up the bug?

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Sun, 29 Aug 2004, Darren Tucker wrote:
> Date: Sun, 29 Aug 2004 18:09:42 +1000
> From: Darren Tucker
> To: Glen Nakamura
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
>
> Glen Nakamura wrote:
> > I'm curious about the following code at line 203 in uidswap.c:
> >
> >     /* Try restoration of GID if changed (test clearing of saved gid) */
> >     if (old_gid != pw->pw_gid &&
> >         (setgid(old_gid) != -1 || setegid(old_gid) != -1))
> >             fatal("%s: was able to restore old [e]gid", __func__);
> >
> > This causes permanently_set_uid to fail in the following case:
> >
> >     $ su
> >     Password: ????????
> >     # newgrp bin
> >     # ssh remotehost
> >     permanently_set_uid: was able to restore old [e]gid
> >     #
> >
> > Is this the desired behavior or should the code special case running as root?
>
> It's desired behaviour for permanently_set_uid(), but it should be
> special-cased in ssh and ssh-keysign (because uid==0 *is* special:
> unlike most uids it can set its gid to whatever it wants).
>
> I think something like the attached is needed (applies to -current but
> the changes are simple to backport to 3.9p1).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-ssh-ruid2.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041018/9d0d49f8/attachment.ksh
-------------- next part --------------
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 19 Oct 2004 09:43:58 +1000
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To:
References: <20040827184248.GA815@modulo.internal> <41318F46.6000802@zip.com.au>
Message-ID: <4174553E.90609@zip.com.au>

William R. Knox wrote:
> I have noticed this behavior under Solaris 8 as well. There doesn't appear
> to be a Bugzilla entry for it, and I see that it is not in the latest SNAP
> available. Has this patch to ssh.c been helpful to anyone? It seems to fix
> it under Solaris, for what that's worth. Is it likely to be included in
> the future? Should I open up the bug?

You can if you want, but dealing with this is on my to-do list. I'm not sure if that patch is the best way to deal with it, or if permanently_set_uid() should skip the restore test if pw_uid == 0.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Tue Oct 19 09:50:22 2004
From: djm at mindrot.org (Damien Miller)
Date: Tue, 19 Oct 2004 09:50:22 +1000
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To: <4174553E.90609@zip.com.au>
References: <20040827184248.GA815@modulo.internal> <41318F46.6000802@zip.com.au> <4174553E.90609@zip.com.au>
Message-ID: <417456BE.7060300@mindrot.org>

Darren Tucker wrote:
> You can if you want, but dealing with this is on my to-do list. I'm not
> sure if that patch is the best way to deal with it, or if
> permanently_set_uid() should skip the restore test if pw_uid == 0.

I think it should just skip the test when root pw->pw_uid == 0.

-d

From dtucker at zip.com.au Tue Oct 19 09:58:02 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 19 Oct 2004 09:58:02 +1000
Subject: disable password authentication per user
In-Reply-To:
References:
Message-ID: <4174588A.4070305@zip.com.au>

Brett Hamilton wrote:
> I would like disable password authentication in sshd for particular users,
> without locking their UNIX password, and without requiring all users to
> use PubkeyAuthentication. I cannot find a documented way to accomplish
> this in OpenSSH. Is it currently possible?

Not within OpenSSH itself. If you're using PAM, however, you could arrange for PAM to do it by having the sshd auth stack reject those users (sshd's public-key authentication will still work).

For example, if you're using Linux-PAM, putting this into the first line of /etc/pam.d/sshd ought to do it (all one line, untested):

    auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/nopasswdusers

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Tue Oct 19 10:11:00 2004
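Darren marks his pam_listfile line as untested; here is the same idea written out as a complete stack, as an added example configuration that is not from the thread and not from OpenSSH or Linux-PAM documentation. The list file name /etc/nopasswdusers is the one Darren used; the pam_unix lines, the user names and the sshd_config setting are assumptions about a typical Linux-PAM system. One deliberate difference: onerr=fail instead of onerr=succeed, so that a missing or unreadable list file closes password authentication rather than silently re-enabling it for everyone.

```text
# /etc/pam.d/sshd  (assumed Linux-PAM layout). The listfile line must come
# before the module that verifies the password, or it has no effect.
auth     required  pam_listfile.so onerr=fail item=user sense=deny file=/etc/nopasswdusers
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so

# /etc/nopasswdusers  (root-owned, mode 0600; one login name per line,
# sample names constructed for this example)
brett
ops-admin

# sshd_config: sshd only consults the PAM auth stack when this is on
UsePAM yes
```

Keep the control flag `required` rather than `requisite`: with `required` the stack still runs pam_unix and prompts before failing, so a listed user sees the same "Permission denied" as a wrong password and the list is not revealed by a missing prompt. The line affects only the auth stack, which is why public-key logins keep working as Darren says.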
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 19 Oct 2004 10:11:00 +1000
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To: <417456BE.7060300@mindrot.org>
References: <20040827184248.GA815@modulo.internal> <41318F46.6000802@zip.com.au> <4174553E.90609@zip.com.au> <417456BE.7060300@mindrot.org>
Message-ID: <41745B94.10903@zip.com.au>

Damien Miller wrote:
> I think it should just skip the test when root pw->pw_uid== 0.

How's this? Tests OK for me on Linux.

(The Cygwin stuff is from a patch Corinna sent a while back to deal with a similar problem there, I thought I'd kill two birds with one stone :-)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-uidswap.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041019/07a4fffa/attachment.ksh

From Patrice.Gonthier at alcatel.fr Tue Oct 19 22:22:30 2004
From: Patrice.Gonthier at alcatel.fr (Patrice.Gonthier at alcatel.fr)
Date: Tue, 19 Oct 2004 14:22:30 +0200
Subject: launch ssh-add with a passphrase as parameter
Message-ID:

Hello,

I have the following problem. I have an application which is running and which has already requested a passphrase from the user. This application needs to launch ssh-agent and ssh-add, but I do not want to be prompted again for the passphrase. My private key is of course encrypted with the passphrase.

How can I do it?

My only idea for the moment is to change the value of the ask_passphrase variable and redirect it to a program that I will write. This program will request the passphrase from my running application.

Does anybody see a simpler way?

Thank you in advance,
Patrice

From wknox at mitre.org Tue Oct 19 23:05:48 2004
From: wknox at mitre.org (William R. Knox)
Date: Tue, 19 Oct 2004 09:05:48 -0400 (EDT)
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To: <41745B94.10903@zip.com.au>
References: <20040827184248.GA815@modulo.internal> <41318F46.6000802@zip.com.au> <4174553E.90609@zip.com.au> <417456BE.7060300@mindrot.org> <41745B94.10903@zip.com.au>
Message-ID:

That patch also works fine on Solaris 8 (though I suspect that doesn't surprise anyone). The "test case" posted back in August (http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=109363273418104&w=2) passes with this patch. Thanks very much, Darren and Damien.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Tue, 19 Oct 2004, Darren Tucker wrote:

> Date: Tue, 19 Oct 2004 10:11:00 +1000
> From: Darren Tucker
> To: Damien Miller
> Cc: William R. Knox , openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
>
> Damien Miller wrote:
> > I think it should just skip the test when root pw->pw_uid== 0.
>
> How's this? Tests OK for me on Linux.
>
> (The Cygwin stuff is from a patch Corinna sent a while back to deal with
> a similar problem there, I thought I'd kill two birds with one stone :-)
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> -------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-uidswap.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041019/e2729f96/attachment.ksh
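The root special case this thread settles on, written out as an added example. This is my code, not Darren's attached patch and not OpenSSH's uidswap.c: the "try to restore the old id" test only carries information when the process does not end up as uid 0, because uid 0 can set any gid (or uid) back, so a successful restore proves nothing. The function names are mine, and setresuid/setresgid are assumed available (Linux/glibc).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Does the "try to restore the old gid" check carry any information?
 * Not when the target uid is 0 (root may set any gid, so a successful
 * restore proves nothing) and not when the gid never changed. */
int gid_restore_check_applies(uid_t target_uid, gid_t old_gid, gid_t new_gid)
{
    if (target_uid == 0)
        return 0;
    if (old_gid == new_gid)
        return 0;
    return 1;
}

/* Same question for the uid: root can always become any uid again. */
int uid_restore_check_applies(uid_t target_uid, uid_t old_uid)
{
    if (target_uid == 0)
        return 0;
    if (old_uid == target_uid)
        return 0;
    return 1;
}

/* Permanently switch to target_uid/target_gid (real, effective and saved
 * ids alike), then verify that the switch cannot be undone.
 * Returns 0 on success, -1 with a message in err otherwise. */
int drop_privileges_permanently(uid_t target_uid, gid_t target_gid,
                                char *err, size_t errlen)
{
    uid_t old_uid = getuid();
    gid_t old_gid = getgid();

    /* gid first: once the uid is gone we may no longer be allowed to change it */
    if (setresgid(target_gid, target_gid, target_gid) == -1) {
        snprintf(err, errlen, "setresgid %lu: %s",
                 (unsigned long)target_gid, strerror(errno));
        return -1;
    }
    if (setresuid(target_uid, target_uid, target_uid) == -1) {
        snprintf(err, errlen, "setresuid %lu: %s",
                 (unsigned long)target_uid, strerror(errno));
        return -1;
    }

    /* Sanity checks, skipped for root as the thread recommends. */
    if (gid_restore_check_applies(target_uid, old_gid, target_gid) &&
        (setgid(old_gid) != -1 || setegid(old_gid) != -1)) {
        snprintf(err, errlen, "was able to restore old [e]gid %lu",
                 (unsigned long)old_gid);
        return -1;
    }
    if (uid_restore_check_applies(target_uid, old_uid) &&
        (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) {
        snprintf(err, errlen, "was able to restore old [e]uid %lu",
                 (unsigned long)old_uid);
        return -1;
    }
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid) {
        snprintf(err, errlen, "ids did not stick");
        return -1;
    }
    err[0] = '\0';
    return 0;
}

/* Demo: drop to our own ids, which must always succeed, privileged or not.
 * A real privileged program would pass the unprivileged uid/gid it wants
 * to end up as. */
int demo_drop_to_self(void)
{
    static char err[128];
    return drop_privileges_permanently(getuid(), getgid(), err, sizeof err);
}

int main(void)
{
    if (demo_drop_to_self() == -1) {
        fprintf(stderr, "drop failed\n");
        return 1;
    }
    printf("now uid=%lu gid=%lu, and cannot go back\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

Run unprivileged, the only permitted target is the caller's own ids and the gid check is skipped because nothing changed; run as root with an unprivileged target, both restore checks apply, and the final getuid/getgid comparison catches a platform where setres* silently left a saved id behind.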
From stuge-openssh-unix-dev at cdy.org Wed Oct 20 04:27:15 2004
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Tue, 19 Oct 2004 20:27:15 +0200
Subject: launch ssh-add with a passphrase as parameter
In-Reply-To:
References:
Message-ID: <20041019182715.GA24623@foo.birdnet.se>

On Tue, Oct 19, 2004 at 02:22:30PM +0200, Patrice.Gonthier at alcatel.fr wrote:
> Does anybody see a more simple way ?

Perhaps making your other application use ssh-agent is easier than the other way around? I don't know..

//Peter

From azahn at hep.uchicago.edu Wed Oct 20 05:51:23 2004
From: azahn at hep.uchicago.edu (Andrew Zahn)
Date: Tue, 19 Oct 2004 14:51:23 -0500
Subject: how to get 3.9 to use RSA1 as default?
Message-ID: <4175703B.6000208@hep.uchicago.edu>

Hi,

I am having a problem: on some systems that use RSA1, I am asked for a password even though I am in the authorized_keys file. If I use the "-1" option then I can log in password-free. How can this be enabled as the default?

Thanks
Andrew

From mouring at etoh.eviladmin.org Wed Oct 20 07:06:10 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 19 Oct 2004 16:06:10 -0500 (CDT)
Subject: how to get 3.9 to use RSA1 as default?
In-Reply-To: <4175703B.6000208@hep.uchicago.edu>
Message-ID:

RSA1 is only for ssh v1 protocol. RSA/DSA are for v2 protocol.

On Tue, 19 Oct 2004, Andrew Zahn wrote:

> Hi,
> I am having a problem on some systems that use RSA1 I am asked for a
> password even though I am in the authorized_keys file. If I use the "-1"
> option then I can log in password-free. How can this be enabled as the
> default?
>
> Thanks
> Andrew

From djm at mindrot.org Wed Oct 20 07:44:05 2004
From: djm at mindrot.org (Damien Miller)
Date: Wed, 20 Oct 2004 07:44:05 +1000
Subject: how to get 3.9 to use RSA1 as default?
In-Reply-To: <4175703B.6000208@hep.uchicago.edu>
References: <4175703B.6000208@hep.uchicago.edu>
Message-ID: <41758AA5.9020308@mindrot.org>

Andrew Zahn wrote:
> Hi,
> I am having a problem on some systems that use RSA1 I am asked for a
> password even though I am in the authorized_keys file. If I use the "-1"
> option then I can log in password-free. How can this be enabled as the
> default?

If you really want to use SSH protocol 1, then you can put "Protocol 1" in your ~/.ssh/config file.

From djm at mindrot.org Wed Oct 20 07:47:29 2004
From: djm at mindrot.org (Damien Miller)
Date: Wed, 20 Oct 2004 07:47:29 +1000
Subject: launch ssh-add with a passphrase as parameter
In-Reply-To:
References:
Message-ID: <41758B71.4090403@mindrot.org>

Patrice.Gonthier at alcatel.fr wrote:
> Hello,
>
> I have the following problem.
> I have an application which is running and which has already request a
> passphrase to the user.
>
> This application needs to launch ssh agent and ssh add, but I do not want
> to be prompt again for the passphrase.
> My private key is of course encrypted with the passphrase.
>
> How can I do ?

Abuse SSH_ASKPASS:

    cat > ~/.ssh/key-passphrase << EOF
    your passphrase goes here
    EOF
    chmod 0600 ~/.ssh/key-passphrase

    cat > ~/.ssh/add-passphrase.sh << EOF
    #!/bin/sh
    cat ~/.ssh/key-passphrase
    EOF
    chmod 0700 ~/.ssh/add-passphrase.sh

    # ssh-add only runs SSH_ASKPASS when DISPLAY is set and its stdin is not a terminal
    DISPLAY=junk SSH_ASKPASS=~/.ssh/add-passphrase.sh ssh-add < /dev/null

Looking for anyone who's had success using the Dynamic Window patch on Solaris. I've had problems with inconsistent data xfer speeds which stem from wscale being reset during the TCP handshake. I've gotten a workaround from Sun but the fix sets up static buffer sizes between two hosts and prevents them from being changed by any application. Not very Dynamic... I was wondering if anyone else has any feedback.

From xeper at quantentunnel.de Thu Oct 21 05:03:17 2004
From: xeper at quantentunnel.de (Georg Bege)
Date: Wed, 20 Oct 2004 21:03:17 +0200
Subject: ssh_config, AddressFamily
Message-ID: <200410202103.22600.xeper@quantentunnel.de>

Hello,

I was wondering why I can't set inet6,inet - like Protocol version 2,1 - it would be nice if I were able to set a kind of prefer mode for IPv6, as for protocol 2. But only one argument is accepted: inet6, inet or any. At least that is what the manpage tells me; I also tested it, no way.

Why is this feature not included? Will it be included? If you think it's my mistake then please tell me how I can force OpenSSH to prefer inet6 but not to use inet6 only.

Thank you, any answer will be appreciated.

My Operating System: Gentoo GNU/Linux
Installed package:

    * net-misc/openssh
        Latest version available: 3.9_p1
        Latest version installed: 3.9_p1
        Size of downloaded files: 929 kB
        Homepage:    http://www.openssh.com/
        Description: Port of OpenBSD's free SSH release
        License:     as-is

    shodan ~ # ssh -v
    OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004

Cheers
Georg Bege

From jander at hundredacrewood.org Thu Oct 21 02:31:16 2004
From: jander at hundredacrewood.org (Jeff Anderson)
Date: Wed, 20 Oct 2004 12:31:16 -0400
Subject: Controlling ssh from an external program
Message-ID: <200410201231.16758.jander@hundredacrewood.org>

Hi -

I am working on a remote administration tool, and I would like to be able to control ssh/scp via an external program. I know the standard answer to this is to use expect, however this is NOT an option.

The next standard answer is to use an empty passphrase or ssh-agent, but I cannot guarantee that the remote system will have a keypair, so I need to be able to fall back on password authentication if that fails. The controlling program needs to be able to feed the password to ssh/scp.

Additionally, I can only use an unmodified version of openssh (i.e. whatever version is available on the system that the admin tool is run from).

Any ideas?????

==========================================================
Jeff Anderson

From dtucker at zip.com.au Thu Oct 21 07:20:41 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 21 Oct 2004 07:20:41 +1000
Subject: Controlling ssh from an external program
In-Reply-To: <200410201231.16758.jander@hundredacrewood.org>
References: <200410201231.16758.jander@hundredacrewood.org>
Message-ID: <4176D6A9.4070106@zip.com.au>

Jeff Anderson (by way of Jeff Anderson ) wrote:
> I am working on a remote administration tool, and I would like to be able to
> control ssh/scp via an external program. I know the standard answer to this
> is to use expect, however this is NOT an option.
>
> The next standard answer is to use an empty passphrase or ssh-agent, but I
> cannot guarantee that the remote system will have a keypair, so I need to be
> able to fallback on password authentication if that fails. The controlling
> program needs to be able to feed the password to ssh/scp.
>
> Additionally, I can only use an unmodified version of openssh (i.e. whatever
> version is available on the system that the admin tool is run from).
>
> Any ideas?????

Abuse the SSH_ASKPASS mechanism, eg:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=109822418603321

Alternatively, have your tool allocate a pty, run ssh with the pty as its controlling terminal and then feed the password to the pty (yes, this is reinventing the wheel called "expect").

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Patrice.Gonthier at alcatel.fr Thu Oct 21 17:20:30 2004
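Darren's second suggestion, the pty route, as an added example of how such a controlling program is put together (my code, not Darren's, Jeff's or OpenSSH's). The point it shows is the one that makes SSH_ASKPASS tricky: ssh reads the password from its controlling terminal, so the tool must make the fresh pty the child's controlling tty (setsid, then open the slave) rather than just connecting pipes. To keep the demo offline it drives a shell that imitates the "Password:" prompt instead of a real ssh; the function names, the prompt text and the value "s3cret" are all constructed for this example, and the pty calls used (posix_openpt, grantpt, unlockpt, ptsname, TIOCSCTTY) are assumed available as on Linux/glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Run argv[] with a freshly allocated pty as its controlling terminal.
 * When `prompt` shows up in the child's output, send `answer` plus a
 * newline once, then keep reading until the child closes the terminal.
 * The child's output is collected into out (NUL-terminated, truncated).
 * Returns the child's exit status, or -1 if the pty or fork failed. */
int run_with_pty_answer(char *const argv[], const char *prompt,
                        const char *answer, char *out, size_t outlen)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master == -1)
        return -1;
    if (grantpt(master) == -1 || unlockpt(master) == -1) {
        close(master);
        return -1;
    }
    const char *slave_name = ptsname(master);
    if (slave_name == NULL) {
        close(master);
        return -1;
    }

    pid_t pid = fork();
    if (pid == -1) {
        close(master);
        return -1;
    }
    if (pid == 0) {
        /* Child: start a new session, then open the slave. The first tty a
         * session leader opens becomes its controlling terminal (TIOCSCTTY
         * makes that explicit on Linux). This is what makes a program that
         * insists on /dev/tty, like ssh's password prompt, talk to us. */
        setsid();
        int slave = open(slave_name, O_RDWR);
        if (slave == -1)
            _exit(127);
#ifdef TIOCSCTTY
        ioctl(slave, TIOCSCTTY, 0);
#endif
        struct termios tio;
        if (tcgetattr(slave, &tio) == 0) {
            tio.c_lflag &= ~ECHO;          /* do not echo the secret back */
            tcsetattr(slave, TCSANOW, &tio);
        }
        dup2(slave, STDIN_FILENO);
        dup2(slave, STDOUT_FILENO);
        dup2(slave, STDERR_FILENO);
        if (slave > STDERR_FILENO)
            close(slave);
        close(master);
        execvp(argv[0], argv);
        _exit(127);
    }

    /* Parent: drive the master side, answering the prompt exactly once. */
    size_t used = 0;
    int answered = 0;
    out[0] = '\0';
    for (;;) {
        char buf[256];
        ssize_t n = read(master, buf, sizeof buf);
        if (n <= 0)                        /* EOF, or EIO on Linux once the child exits */
            break;
        size_t room = outlen - 1 - used;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(out + used, buf, take);
        used += take;
        out[used] = '\0';
        if (!answered && strstr(out, prompt) != NULL) {
            ssize_t w = write(master, answer, strlen(answer));
            if (w >= 0)
                w = write(master, "\n", 1);
            answered = 1;
        }
    }
    close(master);

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Offline stand-in for an ssh password prompt: a shell that prompts on its
 * terminal, reads one line from it and reports what it got. */
const char *demo_answer_prompt(void)
{
    static char out[512];
    char *argv[] = { "sh", "-c", "printf 'Password: '; read p; echo \"got:$p\"", NULL };
    int status = run_with_pty_answer(argv, "Password: ", "s3cret", out, sizeof out);
    return status == 0 ? out : "";
}

int main(void)
{
    printf("%s", demo_answer_prompt());   /* prints "Password: got:s3cret" */
    return 0;
}
```

With a real ssh in argv the prompt string would be whatever ssh prints ("password:"), and a tool that falls back from key to password authentication, as Jeff wants, would treat a prompt that never appears as the key having worked. Turning ECHO off on the slave keeps the secret out of the captured output, which is the part of this that is easy to get wrong.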
From: Patrice.Gonthier at alcatel.fr (Patrice.Gonthier at alcatel.fr)
Date: Thu, 21 Oct 2004 09:20:30 +0200
Subject: On Windows, launch ssh-add with a passphrase as parameter
Message-ID:

Hello,

Our need: On Windows, I have an application which is running and which has already requested a passphrase from the user. This application needs to launch ssh-agent and ssh-add, but I do not want to be prompted again for the passphrase. My private key is of course encrypted with the passphrase.

Our idea: My only idea is to force, by a redirection, the passphrase as input of ask_passphrase.

The tests done: We have made some tests on Windows. It seems the askpass program is only executed when ssh has no terminal. But, on Windows, it seems that ssh is always started in a console window and ssh-add never calls the askpass program.

Conclusion: Can somebody help us?

Thank you in advance,
Patrice

From ssing at amkor.com Fri Oct 22 12:29:30 2004
From: ssing at amkor.com (ssing at amkor.com)
Date: Thu, 21 Oct 2004 19:29:30 -0700
Subject: OpenSSH password expiration
Message-ID:

Hi, we are running into an issue with changing expired passwords through an SSH connection. We always have to tell our users to use telnet to change the password. We want to completely shut down telnet on all of our systems; because of this issue we are not able to shut it down. Is there a known issue with OpenSSH, or am I just missing some configuration?

Thanks in advance for your help.
-Sandeep

From dtucker at zip.com.au Fri Oct 22 12:36:56 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 22 Oct 2004 12:36:56 +1000
Subject: OpenSSH password expiration
In-Reply-To:
References:
Message-ID: <41787248.7010109@zip.com.au>

ssing at amkor.com wrote:
> Hi, we are running into an issue with changing expired passwords through
> SSH connection. We always have to tell our users to use telnet to change
> the password. We want to completely shutdown telnet on all of our systems,
> because of this issue we are not able to shut it down. Is there a known
> issue with OpenSSH, or am I just missing some configuration.

This has been fixed since OpenSSH 3.8x. What version are you using and on which platform(s)?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From ssing at amkor.com Sat Oct 23 02:02:29 2004
From: ssing at amkor.com (ssing at amkor.com)
Date: Fri, 22 Oct 2004 09:02:29 -0700
Subject: OpenSSH password expiration
Message-ID:

Hi Darren, we are running 3.9p1 and 3.8.1p1 on Solaris 7 and Solaris 8 systems, respectively. I recently tested it again and could not get it to work. I cleared my password in NIS+ and when I tried to ssh into our NIS+ master server (hexadecimal), it will not give me an option to choose a new password (see below). However, when I use telnet, I was able to change my password. Is there some special PAM or OpenSSH configuration that I need to use? I have been googling on this subject and could not find any solution.

Thanks for your help.
-Sandeep

SSH
====

    # ssh -l ssing hexadecimal
    ssing at hexadecimal's password:
    Permission denied, please try again.
    ssing at hexadecimal's password:

telnet
=====

    # telnet hexadecimal
    Trying 10.57.2.43...
    Connected to hexadecimal.amkor.com.
    Escape character is '^]'.

    Authorized Use Only
    *** YOU HAVE ACCESSED A RESTRICTED SITE ***
    ********************************************************
    This system is for the use of authorized users only.
    Utilization of this computer system without authority, or in
    excess of granted authority is in violation of State and Federal
    laws. Violators will be prosecuted to the fullest extent. Please
    be advised that use constitutes consent to monitoring.
    (Elec Comm Priv Act, 18 USC 2701-2711)
    ********************************************************
    login: ssing
    Choose a new password.
    New password:
    Re-enter new password:
    Enter login(NIS+) password:

Darren Tucker on 10/21/2004 07:36:56 PM
To: Sandeep Singh/CHAZ/AAWW at Amkor
cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH password expiration

> ssing at amkor.com wrote:
> > Hi, we are running into an issue with changing expired passwords through
> > SSH connection. We always have to tell our users to use telnet to change
> > the password. We want to completely shutdown telnet on all of our systems,
> > because of this issue we are not able to shut it down. Is there a known
> > issue with OpenSSH, or am I just missing some configuration.
>
> This has been fixed since OpenSSH 3.8x. What version are you using and on
> which platform(s)?
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From dtucker at zip.com.au Sat Oct 23 12:18:36 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 23 Oct 2004 12:18:36 +1000
Subject: OpenSSH password expiration
In-Reply-To:
References:
Message-ID: <4179BF7C.2050306@zip.com.au>

ssing at amkor.com wrote:
> Hi Darren, we are running 3.9p1 and 3.8.1p1 on Solaris 7 and Solaris 8
> systems, respectively. I recently tested it again and could not get it to
> work. I cleared my password in NIS+ and when I tried to ssh into our NIS+
> master server (hexadecimal), it will not give me an option to choose new
> password (see below). However, when I use telnet, I was able to change my
> password. Is there some special PAM or OpenSSH configuration that I need
> to use?

That should work, so there's a problem somewhere.

Do you have PAM enabled? (./configure --with-pam and "UsePAM yes" in your sshd_config). If not then you'll probably need to enable it. (It ought to work without UsePAM too, but I don't know how NIS+ will interact with the shadow password expiry routines).

Please send a server side debug (eg "/path/to/sshd -ddde -p 2022" and connect with "ssh -p 2022 yourserver") for 3.9p1.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From code at pizzashack.org Sat Oct 23 18:48:29 2004
From: code at pizzashack.org (Derek Martin)
Date: Sat, 23 Oct 2004 17:48:29 +0900
Subject: rssh: pizzacode security alert
Message-ID: <20041023084829.GA16819@sophic.org>

PIZZACODE SECURITY ALERT

program: rssh
risk:    low[*]
problem: string format vulnerability in log.c

details:

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. Additionally, running rsync, rdist, and cvs are supported, and access can be configured on a per-user basis using a simple text-based configuration file. The rssh homepage is here:

    http://www.pizzashack.org/rssh/

Florian Schilhabel has identified a format string bug which can allow an attacker to run arbitrary code from an account configured to use rssh.

[*] In general the risk is low, as in most cases the user can only compromise their own account. The risk is mitigated by the fact that before this bug can be exploited, the user must log in successfully through ssh. This means that either the user is known to the system (and therefore the administrators), or that the system is probably already compromised.

However, on some older systems with broken implementations of the setuid() family of functions, a root compromise may be possible with certain configurations of rssh. Specifically, if rssh is configured to use a chroot jail, it will exec() rssh_chroot_helper, which must be setuid root in order to call chroot(). Normally, rssh_chroot_helper calls setuid(getuid()) and drops privileges before any of the logging functions are called, making a root compromise impossible on most systems. However, some older systems which handle saved UIDs improperly may be vulnerable to a root compromise. Linux in particular is not vulnerable to this, nor should modern POSIX-compliant Unix variants be. POSIX defines that the setuid() system call will set all UIDs (UID, saved UID, and effective UID) to the specified UID if it is called with root privileges. Therefore in general, a root compromise is not possible, and I am not specifically aware of any systems on which one is possible.

The 2.2.2 release of rssh fixes this string format vulnerability. I have also gone over the code to make sure that no other such vulnerabilities exist.

In addition to fixing this problem, rssh contains some new code to help identify certain problems for debugging when rssh fails. Additional logging of error conditions is performed.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
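The bug class in this advisory, shown as the vulnerable logging pattern beside its hardened form, as an added example. This is my code, not rssh's log.c and not the fix that went into 2.2.2; the function names, the sample command string and the user name "alice" are constructed for the demonstration. The hardened wrapper also strips control characters from client-supplied text, a separate log-integrity point the advisory does not raise but which the same code path invites.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown for contrast; deliberately never called here):
 * the text received from the client *is* the format string, so any '%'
 * directives it contains are interpreted by the printf family. */
int log_line_unsafe(char *out, size_t outlen, const char *client_text)
{
    return snprintf(out, outlen, client_text);
}

/* Hardened: the format string is always a literal chosen by the program,
 * and client text is only ever passed as an argument, so '%' sequences in
 * it are copied out verbatim. The attribute makes gcc/clang type-check
 * every call site of this wrapper; -Wformat-security flags the unsafe
 * pattern above at compile time. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The logged text also reaches syslog: replace control characters so a
 * crafted command cannot inject a line break and forge a second record. */
void sanitize_for_log(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    for (; *src != '\0' && i + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        dst[i++] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[i] = '\0';
}

/* Demo on a constructed command string, the kind rssh receives from sshd
 * as the client's requested command, carrying printf directives and an
 * embedded newline. */
const char *demo_log_entry(void)
{
    static char clean[128], line[256];
    const char *client_cmd = "scp -f /etc/%s%x\nforged: root login ok";
    sanitize_for_log(clean, sizeof clean, client_cmd);
    log_line(line, sizeof line, "rssh: user %s tried command \"%s\"", "alice", clean);
    return line;
}

int main(void)
{
    puts(demo_log_entry());
    return 0;
}
```

Compiling with -Wformat-security (or -Werror=format-security) is the cheap check: it reports log_line_unsafe's snprintf call because the format is not a literal, which is exactly the audit Derek describes having done by hand over the rest of the code.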
From: code at pizzashack.org (Derek Martin) Date: Sat, 23 Oct 2004 17:48:29 +0900 Subject: rssh: pizzacode security alert Message-ID: <20041023084829.GA16819@sophic.org> PIZZACODE SECURITY ALERT program: rssh risk: low[*] problem: string format vulnerability in log.c details: rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. Additioanlly, running rsync, rdist, and cvs are supported, and access can be configured on a per-user basis using a simple text-based configuration file. The rssh homepage is here: http://www.pizzashack.org/rssh/ Florian Schilhabel has identified a format string bug which can allow an attacker to run arbitrary code from an account configured to use rssh. [*]In general the risk is low, as in most cases the user can only compromise their own account. The risk is mittigated by the fact that before this bug can be exploited, the user must log in successfully through ssh. This means that either the user is known to the system (and therefore the administrators), or that the system is probably already compromised. However, on some older systems with broken implementations of the setuid() family of functions, a root compromise may be possible with certain configurations of rssh. Specifically, if rssh is configured to use a chroot jail, it will exec() rssh_chroot_helper, which must be setuid root in order to call chroot(). Normally, rssh_chroot_helper calls setuid(getuid()) and drops privileges before any of the logging functions are called, making a root compromise impossible on most systems. However, some older systems which handle saved UIDs improperly may be vulnerable to a root compromise. Linux in particular is not vulnerable to this, nor should modern POSIX-compliant Unix variants be. 
POSIX defines that the setuid() system call will set all UIDs (UID, saved UID, and effective UID) the specified UID if it is called with root privileges. Therefore in general, a root compromise is not possible, and I am not specifically aware of any systems on which one is possible. The 2.2.2 release of rssh fixes this string format vulnerability. I have also gone over the code to make sure that no other such vulnerabilities exist. In addition to fixing this problem, rssh contains some new code to help identify certain problems for debugging problems when rssh fails. Additional logging of error conditions is performed. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041023/39372ec9/attachment-0001.bin From code at pizzashack.org Sun Oct 24 05:45:46 2004 
From: code at pizzashack.org (Derek Martin) Date: Sat, 23 Oct 2004 21:45:46 +0200 Subject: rssh: pizzacode security alert Message-ID: <000201c4b938$e3adc5a0$86c8a8c0@MervaSBS2003.local> PIZZACODE SECURITY ALERT program: rssh risk: low[*] problem: string format vulnerability in log.c details: rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. Additioanlly, running rsync, rdist, and cvs are supported, and access can be configured on a per-user basis using a simple text-based configuration file. The rssh homepage is here: http://www.pizzashack.org/rssh/ Florian Schilhabel has identified a format string bug which can allow an attacker to run arbitrary code from an account configured to use rssh. [*]In general the risk is low, as in most cases the user can only compromise their own account. The risk is mittigated by the fact that before this bug can be exploited, the user must log in successfully through ssh. This means that either the user is known to the system (and therefore the administrators), or that the system is probably already compromised. However, on some older systems with broken implementations of the setuid() family of functions, a root compromise may be possible with certain configurations of rssh. Specifically, if rssh is configured to use a chroot jail, it will exec() rssh_chroot_helper, which must be setuid root in order to call chroot(). Normally, rssh_chroot_helper calls setuid(getuid()) and drops privileges before any of the logging functions are called, making a root compromise impossible on most systems. However, some older systems which handle saved UIDs improperly may be vulnerable to a root compromise. Linux in particular is not vulnerable to this, nor should modern POSIX-compliant Unix variants be. 
POSIX defines that the setuid() system call will set all UIDs (UID, saved UID, and effective UID) the specified UID if it is called with root privileges. Therefore in general, a root compromise is not possible, and I am not specifically aware of any systems on which one is possible. The 2.2.2 release of rssh fixes this string format vulnerability. I have also gone over the code to make sure that no other such vulnerabilities exist. In addition to fixing this problem, rssh contains some new code to help identify certain problems for debugging problems when rssh fails. Additional logging of error conditions is performed. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20041023/0b05f404/attachment.bin From shermane_carroll_dl at tfp-clan.de Sun Oct 24 19:32:05 2004 From: shermane_carroll_dl at tfp-clan.de (Sherman E. Carroll) Date: Sun, 24 Oct 2004 12:32:05 +0300 Subject: We sell regalis for an affordable price Message-ID: <288e01c4b9ac$ff49b1ae$96cd76d9@wellcom.at> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://rxand-more.com/sup/ Best regards, Jeremy Stones No thanks: http://rxand-more.com/rm.html From Dowdy19avaricious at ceramics.com Mon Oct 25 10:39:47 2004 
From: Dowdy19avaricious at ceramics.com (Lloyd Michaud, MBA, PhD) Date: Mon, 25 Oct 2004 03:39:47 +0300 Subject: your ticket Message-ID: <20041021KLQGF1254KBYP@continentaltesting.net> **A Notice from the Office of the Registrar You are now qualified to obtain a Degree from an accredited University. There are NO required tests, classes, books, or interviews. Associate, Bachelors(BA,LLB) Masters(MBA,MSc) and Doctorate (PhD) are obtainable in the field of your choice. Discrete and Inexpensive. We send the degree to all countries (WORLDWIDE) Finish up your Assesment Form and you're on your way to a better future. http://wuniv.net/?partid=wh6 Lloyd Michaud, MBA, PhD Director Of Admissions No future offers: http://wuniv.net/st.html 146 CHARcandlelitrpinnateLcushman 2firecracker From code at pizzashack.org Sat Oct 23 18:48:29 2004 
From: code at pizzashack.org (Derek Martin)
Date: Sat, 23 Oct 2004 17:48:29 +0900
Subject: rssh: pizzacode security alert
Message-ID: <20041023084829.GA16819@sophic.org>

PIZZACODE SECURITY ALERT

program: rssh
risk: low[*]
problem: string format vulnerability in log.c

details:

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. Additionally, running rsync, rdist, and cvs are supported, and access can be configured on a per-user basis using a simple text-based configuration file. The rssh homepage is here:

http://www.pizzashack.org/rssh/

Florian Schilhabel has identified a format string bug which can allow an attacker to run arbitrary code from an account configured to use rssh.

[*] In general the risk is low, as in most cases the user can only compromise their own account. The risk is mitigated by the fact that before this bug can be exploited, the user must log in successfully through ssh. This means that either the user is known to the system (and therefore the administrators), or that the system is probably already compromised.

However, on some older systems with broken implementations of the setuid() family of functions, a root compromise may be possible with certain configurations of rssh. Specifically, if rssh is configured to use a chroot jail, it will exec() rssh_chroot_helper, which must be setuid root in order to call chroot(). Normally, rssh_chroot_helper calls setuid(getuid()) and drops privileges before any of the logging functions are called, making a root compromise impossible on most systems. However, some older systems which handle saved UIDs improperly may be vulnerable to a root compromise. Linux in particular is not vulnerable to this, nor should modern POSIX-compliant Unix variants be. POSIX defines that the setuid() system call will set all UIDs (UID, saved UID, and effective UID) to the specified UID if it is called with root privileges. Therefore in general, a root compromise is not possible, and I am not specifically aware of any systems on which one is possible.

The 2.2.2 release of rssh fixes this string format vulnerability. I have also gone over the code to make sure that no other such vulnerabilities exist.

In addition to fixing this problem, rssh contains some new code to help identify certain problems for debugging problems when rssh fails. Additional logging of error conditions is performed.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

From: mailfrom at mail.ru (Michail Pishchagin)
Date: Mon, 25 Oct 2004 19:42:26 +0400
Subject: Bug in sftp's chmod
Message-ID: <78B5B03F-269C-11D9-8D55-000D93AEC602@mail.ru>

Hi,

I've discovered that on OpenSSH_3.6.1p1 (the latest SSH available on OSX, but I've also tried a couple of different linux distributions), when you 'sftp' to it, and try to 'chmod' some file or directory, only the last three octal digits actually matter.

Example:

sftp sshtest at localhost
Connecting to localhost...
sshtest at localhost's password:
sftp> ls -l *
-rwxr-xr-x 0 504 504 0 Oct 25 17:19 file
sftp> chmod 754 file
Changing mode on /Users/sshtest/file
sftp> ls -l *
-rwxr-xr-- 0 504 504 0 Oct 25 17:19 file

As you can see, the permissions have changed, but UID, GID and Sticky flags were not set. But it works fine in an ssh session.

PS: I'm not subscribed, please CC me on reply.

-mblsha
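Before moving on from Derek Martin's rssh advisory above: the two things it rests on are that a log routine must never pass user-controlled text as a printf-family format, and that rssh_chroot_helper drops privileges with setuid(getuid()) before any logging runs. The following is an added example, not rssh's log.c or rssh_chroot_helper; the function names log_command, drop_privileges and handle_request are hypothetical, and the sample command line is constructed. It shows the fixed logging form (literal format, user text as an argument), then a privilege drop that verifies the POSIX guarantee the advisory cites, that after setuid() the real, effective and saved UIDs all agree, before the first log line is written.

```c
/* Added example (not rssh's log.c): the fix pattern for a format-string bug
 * in a logging routine, and the privilege-drop ordering the advisory relies on. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE        /* for getresuid() on Linux */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
/* prototype in case unistd.h was read before _GNU_SOURCE took effect */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
#endif

/* Safe form: the format is a literal and the user's text is an argument.
 * The buggy pattern this replaces is snprintf(out, outlen, cmd), where a
 * cmd containing "%x" or "%n" is parsed as a format instead of being logged.
 * Returns what snprintf returns, so callers can detect truncation. */
int log_command(char *out, size_t outlen, const char *user, const char *cmd)
{
    return snprintf(out, outlen, "user %s attempted to run: %s", user, cmd);
}

/* Drop privileges as the advisory describes rssh_chroot_helper doing:
 * setuid(getuid()). POSIX says that, called with root privileges, this sets
 * real, effective and saved UID; return 0 only when all of them now agree,
 * -1 otherwise (the "broken saved UID" case the advisory warns about). */
int drop_privileges(void)
{
    uid_t uid = getuid();

    if (setuid(uid) == -1 || geteuid() != uid)
        return -1;
#ifdef __linux__
    {
        uid_t r, e, s;
        if (getresuid(&r, &e, &s) == -1 || r != uid || e != uid || s != uid)
            return -1;
    }
#endif
    return 0;
}

/* Privileges are dropped before anything is logged, so a logging bug can
 * only ever run with the user's own UID. Returns 0 on success, 1 if the
 * log line was truncated, -1 if privileges could not be dropped. */
int handle_request(char *logline, size_t loglen, const char *user, const char *cmd)
{
    if (drop_privileges() == -1)
        return -1;
    if (log_command(logline, loglen, user, cmd) >= (int)loglen)
        return 1;
    return 0;
}

int main(void)
{
    char line[256];
    /* constructed sample: a command line carrying format directives */
    const char *cmd = "scp -f secret %x%x%x%n";

    if (handle_request(line, sizeof line, "bozo", cmd) == 0)
        puts(line);     /* the directives appear literally in the log line */
    return 0;
}
```

Run as an unprivileged user the setuid() call is a no-op that still succeeds, so the check passes; the ordering is the point: on a system whose setuid() left a saved root UID behind, drop_privileges() would report failure and nothing would be logged with elevated rights.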
From: mailfrom at mail.ru (Michail Pishchagin)
Date: Mon, 25 Oct 2004 20:02:03 +0400
Subject: Bug in sftp's chmod
In-Reply-To: <78B5B03F-269C-11D9-8D55-000D93AEC602@mail.ru>
References: <78B5B03F-269C-11D9-8D55-000D93AEC602@mail.ru>
Message-ID: <3622ADEE-269F-11D9-8D55-000D93AEC602@mail.ru>

On 25.10.2004, at 19:42, Michail Pishchagin wrote:
> I've discovered that on OpenSSH_3.6.1p1 (the latest SSH available on
> OSX, but I've also tried a couple of different linux distributions),
> when you 'sftp' to it, and try to 'chmod' some file or directory, only
> the last three octal digits actually matter.

I think I've found it (read the inline comments):

process_setstat(void)
{
    Attrib *a;
    u_int32_t id;
    char *name;
    int status = SSH2_FX_OK, ret;

    id = get_int();
    name = get_string(NULL);
    a = get_attrib();
    TRACE("setstat id %u name %s", id, name);
    if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
        ret = truncate(name, a->size);
        if (ret == -1)
            status = errno_to_portable(errno);
    }
    if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
        ret = chmod(name, a->perm & 0777);
        //                          ^^^^
        // This is plain wrong. You should be doing "perm & 07777" instead :)
        // Same bug in process_fsetstat.
        if (ret == -1)
            status = errno_to_portable(errno);
    }
    if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
        ret = utimes(name, attrib_to_tv(a));
        if (ret == -1)
            status = errno_to_portable(errno);
    }
    if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
        ret = chown(name, a->uid, a->gid);
        if (ret == -1)
            status = errno_to_portable(errno);
    }
    send_status(id, status);
    xfree(name);
}

Also, yet another bug :) You seem to ignore the SSH2_FXF_APPEND flag in the process_open() function. If this flag is set, you should seek to the end of the file. At the present time, appending to files effectively doesn't work, which is bad.

Thank you for your hard work bringing us OpenSSH, and keep it up ;-)

> PS: I'm not subscribed, please CC me on reply.

-mblsha

From: banz at umbc.edu (Robert Banz)
Date: Mon, 25 Oct 2004 12:42:30 -0400
Subject: OpenSSH/Heimdal/MIT KDC problem/question
Message-ID: <417D2CF6.2000207@umbc.edu>

Hi,

I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its GSSAPI & AFS integration.

A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6 to the latest and greatest 1.3.5. However, it seems that as part of the upgrade, our GSSAPI credentials passing in OpenSSH stopped working. Actually, it didn't completely stop... You can still do a GSSAPI-based logon to the same machine, e.g.

machine1> ssh machine1

works.

machine1> ssh machine2

doesn't.

Weirdo, eh?

I'm pretty familiar with the Kerb APIs, however, not so much with the GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's going on at the Kerb level, so it's hard to tell what's going on.

Any takers?

--
Robert Banz (banz at umbc.edu)
UMBC Office of Information Technology
(410) 455-3933 fax: (410) 455-1065
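Returning to the sftp chmod thread above (Michail Pishchagin's two messages): the following added example, which is not OpenSSH's sftp-server.c, sends the same chmod request through the 0777 mask from the quoted process_setstat() and through the 07777 mask the message proposes, against a real scratch file, and reads back what the file system recorded. The function names setstat_perm and demonstrate, the scratch-file name template and the request value 04754 are constructed for the demonstration; the setuid bit is used because an ordinary owner may set it on a file they own, so no privileges are needed.

```c
/* Added example (not OpenSSH's code): what the 0777 mask in the quoted
 * process_setstat() does to a client's chmod request, checked on a real file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PERM_MASK_BUGGY 0777   /* mask in the quoted server code */
#define PERM_MASK_FIXED 07777  /* keeps setuid, setgid and sticky bits */

/* Apply a client-supplied permission word through a mask, the way the
 * SSH2_FILEXFER_ATTR_PERMISSIONS branch does, then read back what the
 * file actually got. Returns 0 on success, -1 on error. */
int setstat_perm(const char *path, unsigned int perm, unsigned int mask,
                 mode_t *result)
{
    struct stat st;

    if (chmod(path, (mode_t)(perm & mask)) == -1)
        return -1;
    if (stat(path, &st) == -1)
        return -1;
    *result = st.st_mode & 07777;
    return 0;
}

/* Create a scratch file and send the same request through both masks.
 * Returns 1 when the buggy mask dropped the high bits and the fixed mask
 * kept them, 0 if the file system disagrees, -1 on error. */
int demonstrate(unsigned int requested)
{
    /* constructed scratch file; /tmp first, current directory as fallback */
    const char *templates[] = { "/tmp/sftp-perm-XXXXXX", "./sftp-perm-XXXXXX" };
    char name[64];
    int fd = -1, rc = -1;
    mode_t buggy, fixed;

    for (size_t i = 0; i < 2 && fd == -1; i++) {
        strcpy(name, templates[i]);
        fd = mkstemp(name);
    }
    if (fd == -1)
        return -1;
    close(fd);
    if (setstat_perm(name, requested, PERM_MASK_BUGGY, &buggy) == 0 &&
        setstat_perm(name, requested, PERM_MASK_FIXED, &fixed) == 0)
        rc = (buggy == (requested & 0777) && fixed == requested) ? 1 : 0;
    unlink(name);
    return rc;
}

int main(void)
{
    /* "chmod 4754": the 7, 5 and 4 survive the buggy mask; the leading 4 (setuid) does not */
    int r = demonstrate(04754);

    printf("buggy mask loses the setuid bit: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

The same masking applies to process_fsetstat(), as the message notes; the 07777 mask is the whole fix, since the three high bits sit just above the nine rwx bits in the mode word.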
From: tcleamy at ucdavis.edu (Tim Leamy)
Date: Mon, 25 Oct 2004 16:04:07 -0700 (PDT)
Subject: OpenSSH 3.9p1 includes.h patch
Message-ID:

Hello there,

In the openssh 3.9p1 includes.h there is a workaround for HP-UX 11.11 which broke compiling on HP-UX 10.20 since it needs _INCLUDE__STDC__ defined. Here's a patch for how I fixed it.

It would be more elegant to do a "#ifdef __hpux11", but I don't have an HP-UX 11 box to try it out. So I'm not sure it would work. But you might want to try since I guess it would.

Let me know if you need more details.

Tim Leamy
Computer Lab Management
University of California at Davis
tcleamy at ucdavis.edu
http://clm.ucdavis.edu/

*** includes.h.orig Mon Oct 25 15:27:12 2004 --- includes.h Mon Oct 25 15:44:53 2004 *************** *** 184,191 **** /* * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. ! */ ! #ifdef __hpux # ifdef _INCLUDE__STDC__ # undef _INCLUDE__STDC__ # endif --- 184,190 ---- /* * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. ! #if defined(__hpux) && ! defined(__hpux10) # ifdef _INCLUDE__STDC__ # undef _INCLUDE__STDC__ # endif
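Review bot: the new side of the hunk drops the "*/" that closed the comment (the two old lines "! */" and "! #ifdef __hpux" become the single line "! #if defined(__hpux) && ! defined(__hpux10)", and the range shrinks from 184,191 to 184,190), so the comment now runs on through the #if and the #ifdef/#undef that follow it until the next "*/" in the file. On HP-UX 10.20 that happens to leave _INCLUDE__STDC__ defined, which is the result wanted, but only because the whole workaround has been commented out, and it is commented out on 11.11 as well, where it is needed. Keep the "*/" line and put the new #if after it. Separately, the conditional relies on __hpux10 being predefined on HP-UX 10.20, which the message does not establish; the cover text already notes that the __hpux11 alternative was not tested either, so the patch should state what the 10.20 compiler actually defines before it is merged.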
From: Sergio.Gelato at astro.su.se (Sergio Gelato)
Date: Tue, 26 Oct 2004 15:23:04 +0200
Subject: OpenSSH/Heimdal/MIT KDC problem/question
In-Reply-To: <417D2CF6.2000207@umbc.edu>
References: <417D2CF6.2000207@umbc.edu>
Message-ID: <20041026132303.GA18502@hanuman.astro.su.se>

* Robert Banz [2004-10-25 12:42:30 -0400]:
> I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its
> GSSAPI & AFS integration.
>
> A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6
> to the latest and greatest 1.3.5. However, it seems that as part of
> the upgrade, our GSSAPI credentials passing in OpenSSH stopped working.
[...]
> I'm pretty familiar with the Kerb APIs, however, not so much with the
> GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's
> going on at the Kerb level, so it's hard to tell what's going on.

There are still a few things you can do to facilitate debugging:

1. Look at your credentials cache before and after the authentication attempt. Did you get a valid ticket for host/re.mo.te ?
2. Run sshd -ddd and ssh -vvv against each other, capturing the output at both ends. This may help you figure out whether the problem is client- or server-side.
3. Read the KDC's logs.
4. Capture the actual packets between the ssh client and the KDC. With a little practice, one can read the hex dumps directly (at least the cleartext portions; that should be enough for this purpose). Some versions of tcpdump may have good enough Kerberos parsing support to save you even this trouble.

Have you tried using the fully-qualified domain name of the remote host? Your symptoms may well denote a DNS problem.
From: banz at umbc.edu (Robert Banz)
Date: Tue, 26 Oct 2004 09:53:26 -0400
Subject: OpenSSH/Heimdal/MIT KDC problem/question
In-Reply-To: <20041026132303.GA18502@hanuman.astro.su.se>
References: <417D2CF6.2000207@umbc.edu> <20041026132303.GA18502@hanuman.astro.su.se>
Message-ID: <417E56D6.6020004@umbc.edu>

Sergio,

Thanks for the reply. Upon further investigation, we have narrowed down the problem to one OS... IRIX. Our OpenSSH build GSSAPI delegates and authenticates between Linux, Solaris & OSX just fine; however the IRIX build will only work against IRIX. As IRIX is slowly becoming a dying architecture at our site, I don't know if I'll be investigating it further ;)

However, I will try compiling under IRIX's cc instead of gcc to see if it's related to its compile environment.

-rob

Sergio Gelato wrote:
> * Robert Banz [2004-10-25 12:42:30 -0400]:
>
>>I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for its
>>GSSAPI & AFS integration.
>>
>>A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6
>>to the latest and greatest 1.3.5. However, it seems that as part of
>>the upgrade, our GSSAPI credentials passing in OpenSSH stopped working.
>
> [...]
>
>>I'm pretty familiar with the Kerb APIs, however, not so much with the
>>GSSAPI stuff; however, the GSSAPI routines seem to obfuscate what's
>>going on at the Kerb level, so it's hard to tell what's going on.
>
>
> There are still a few things you can do to facilitate debugging:
> 1. Look at your credentials cache before and after the authentication
> attempt. Did you get a valid ticket for host/re.mo.te ?
> 2. Run sshd -ddd and ssh -vvv against each other, capturing the output
> at both ends. This may help you figure out whether the problem is
> client- or server-side.
> 3. Read the KDC's logs.
> 4. Capture the actual packets between the ssh client and the KDC. With
> a little practice, one can read the hex dumps directly (at least the
> cleartext portions; that should be enough for this purpose). Some
> versions of tcpdump may have good enough Kerberos parsing support to
> save you even this trouble.
>
> Have you tried using the fully-qualified domain name of the remote host?
> Your symptoms may well denote a DNS problem.

--
Robert Banz (banz at umbc.edu)
UMBC Office of Information Technology
(410) 455-3933 fax: (410) 455-1065
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Date: Wed, 27 Oct 2004 12:44:14 +0200 (CEST)
Subject: Slow uploading with sftp
Message-ID: <44392.194.224.100.28.1098873854.squirrel@194.224.100.28>

Hi,

I'm observing a nasty and strange behaviour with OpenSSH (SSH-2.0-OpenSSH_3.7.1p2) on Solaris 8 (Sparc). I searched the FAQ and list archive and I didn't find anything about it.

The problem is that uploading through sftp is tremendously slow (~ 0.2KB/s) while downloading is ok (~ 200-300 KB/s), so I'm quite surprised. The machines I tested (client & server) are all in the same LAN segment, so we can safely assume that no router / traffic shaper is intercepting the SSH communication.

Is this problem known or at least could you point to some checks I could do to diagnose and solve the problem?

Thanks in advance.

-Roman

PS: Please, cc to me, since I'm not subscribed to the list.
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 27 Oct 2004 21:09:27 +1000
Subject: Slow uploading with sftp
In-Reply-To: <44392.194.224.100.28.1098873854.squirrel@194.224.100.28>
References: <44392.194.224.100.28.1098873854.squirrel@194.224.100.28>
Message-ID: <417F81E7.30108@zip.com.au>

Roman Medina-Heigl Hernandez wrote:
> I'm observing a nasty and strange behaviour with OpenSSH
> (SSH-2.0-OpenSSH_3.7.1p2) on Solaris 8 (Sparc). I searched the FAQ and
> list archive and I didn't find anything about it.
>
> The problem is that uploading through sftp is tremendously slow (~
> 0.2KB/s) while downloading is ok (~ 200-300 KB/s), so I'm quite surprised.
> The machines I tested (client & server) are all in the same LAN segment,
> so we can safely assume that no router / traffic shaper is intercepting
> the SSH communication.

I've seen one other report of slow SSH on a LAN with Solaris hosts. We never got to the bottom of it, but we found a workaround by disabling the Nagle algorithm (TCP_NODELAY) on the connection.

You can try this by editing the set_nodelay function in misc.c and add the line at the bottom:

/* disable nagle on socket */
void
set_nodelay(int fd)
{
    int opt;
    socklen_t optlen;

    return; /* add this line */

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
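What the TCP_NODELAY option does, and what the "return;" in the snippet above leaves behind, as an added example that is not OpenSSH's misc.c: a query function, a set_nodelay written in the check-then-set shape the quoted declarations suggest (not the project's code), and set_nodelay_workaround standing in for the early-return version. Because the option can be set on a socket before it is connected, an unconnected TCP socket is enough to observe the result; the function names get_nodelay, set_nodelay_workaround and nodelay_after are hypothetical.

```c
/* Added example (not OpenSSH's misc.c): setting and checking TCP_NODELAY,
 * and what the early "return;" in the quoted set_nodelay leaves behind. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if Nagle is disabled (TCP_NODELAY set), 0 if Nagle is active, which is
 * the kernel default for a new TCP socket, -1 on error. */
int get_nodelay(int fd)
{
    int opt = 0;
    socklen_t optlen = sizeof opt;

    if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1)
        return -1;
    return opt != 0;
}

/* Disable Nagle on fd unless it already is: the check-then-set shape of
 * the function quoted above. Returns 0 on success, -1 on error. */
int set_nodelay(int fd)
{
    int opt = 1;
    int state = get_nodelay(fd);

    if (state == -1)
        return -1;
    if (state == 1)
        return 0;               /* already set, nothing to do */
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt);
}

/* The workaround on the page: an unconditional return before setsockopt,
 * so the socket keeps the kernel default and Nagle stays on. */
int set_nodelay_workaround(int fd)
{
    (void)fd;
    return 0;
}

/* Create an unconnected TCP socket, run fn on it and report the resulting
 * TCP_NODELAY state; the option can be set before any connection exists. */
int nodelay_after(int (*fn)(int))
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int state;

    if (fd == -1)
        return -1;
    if (fn(fd) == -1) {
        close(fd);
        return -1;
    }
    state = get_nodelay(fd);
    close(fd);
    return state;
}

int main(void)
{
    printf("set_nodelay:            TCP_NODELAY=%d\n", nodelay_after(set_nodelay));
    printf("set_nodelay_workaround: TCP_NODELAY=%d\n", nodelay_after(set_nodelay_workaround));
    return 0;
}
```

Note the direction of the change: OpenSSH's function sets TCP_NODELAY, i.e. turns Nagle off, and the early return prevents that, so the connection runs with Nagle on, the kernel default. That is the state the workaround actually produces, whichever way one describes it, and it is the one to compare against when reproducing the slow-upload case.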
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Date: Wed, 27 Oct 2004 13:40:43 +0200 (CEST)
Subject: Slow uploading with sftp
In-Reply-To: <417F81E7.30108@zip.com.au>
References: <44392.194.224.100.28.1098873854.squirrel@194.224.100.28> <417F81E7.30108@zip.com.au>
Message-ID: <15478.194.224.100.28.1098877243.squirrel@194.224.100.28>

> Roman Medina-Heigl Hernandez wrote:
>> The problem is that uploading through sftp is tremendously slow (~
>> 0.2KB/s) while downloading is ok (~ 200-300 KB/s), so I'm quite
>
> I've seen one other report of slow SSH on a LAN with Solaris hosts. We

Was it a "generic" (upload/download) problem or did it affect only upload, as in my case? I'd like to (try to) identify the problem by comparing it to possible known cases.

Regards,

-Roman

From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 27 Oct 2004 21:49:49 +1000
Subject: Slow uploading with sftp
In-Reply-To: <15478.194.224.100.28.1098877243.squirrel@194.224.100.28>
References: <44392.194.224.100.28.1098873854.squirrel@194.224.100.28> <417F81E7.30108@zip.com.au> <15478.194.224.100.28.1098877243.squirrel@194.224.100.28>
Message-ID: <417F8B5D.3070706@zip.com.au>

Roman Medina-Heigl Hernandez wrote:
> Was it a "generic" (upload/download) problem or did it affect only
> upload, as in my case? I'd like to (try to) identify the problem
> by comparing it to possible known cases.

In the other case it was interactive terminal traffic, so I don't know.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From: bg at genetics.agrsci.dk (Bernt Guldbrandtsen)
Date: Thu, 28 Oct 2004 10:31:56 +0200
Subject: Problem copying directories using sftp
Message-ID: <4.3.2.7.2.20041028101820.045b4e88@genetics.agrsci.dk>

Hello!

A couple of days ago I submitted the problem report shown below to the support forum for WinSCP.

I got a reply (shown at the end of this e-mail) saying that this in part was a WinSCP problem, but also that there appeared to be something wrong with the replies from OpenSSH-3.9p1 under AIX 4.3.3.

The full dialog including the reply can be seen at http://winscp.sourceforge.net/forum/viewtopic.php?t=1624

Best regards,
Bernt Guldbrandtsen

-------------------------------------8<----------------------------------

Copying directories recursively to our AIX-4.3.3 host with sftp consistently fails with an error relating to SSH_FXP_NAME (see below in the log). This happens with both WinSCP 3.6.8 and 3.7.0 beta dated 2004-10-12 with both the Norton and the Explorer interface. The problem does not occur using SCP as the protocol. The problem occurs from several client machines.

The server uses the SSH protocol version 2 with aes encryption and compression. The file transfer protocol is SFTP(v3). The AIX-box runs OpenSSH-3.9p1.

The problem does not occur using a RedHat Linux 9.0 box, i.e. this does not HAVE to be a WinSCP problem. However, creating directories on the AIX machine using Cygwin sftp works fine.

I hope somebody can help with this.

Best regards,
Bernt Guldbrandtsen

The log file says:

. Startup conversation with host finished.
. Copying 1 files/directories to remote directory "/h580/avl/bg/"
. PrTime: Yes; PrRO: Yes; Rght: rw-r--r--; PrR: No; FnCs: N; RIC: Yes; Resume: S (102400); CalcS: Yes; Mask: *.*
. TM: M; ExclM:
. AscM: *.*html; *.htm; *.txt; *.php*; *.cgi; *.c; *.cpp; *.h; *.pas; *.bas; *.tex; *.pl; .htaccess; *.xtml; *.css; *.cfg; *.ini; *.sh; *.xml
. File: "C:\Documents and Settings\bgu\Dokumenter\pdf"
. Trying to open directory "/h580/avl/bg/pdf/".
> Type: SSH_FXP_OPENDIR, Size: 27, Number: 2571
< Type: SSH_FXP_STATUS, Size: 29, Number: 2571
< Status/error code: 2, Message: 2571, Server: No such file, Language:
. Creating directory "/h580/avl/bg/pdf/".
. Canonifying: "/h580/avl/bg/pdf/"
. Getting real path for '/h580/avl/bg/pdf/'
> Type: SSH_FXP_REALPATH, Size: 28, Number: 3088
< Type: SSH_FXP_STATUS, Size: 24, Number: 3088
< Status/error code: 0
. Attempt to close connection due to fatal exception:
* Received SSH_FXP_NAME packet with zero or multiple records.
. Closing connection.

-------------------------------------8<----------------------------

There is definitely a bug in WinSCP handling the response to the SSH_FXP_REALPATH request. The error it displays is nonsense. However there seems to be a greater bug on your server side. To a SSH_FXP_REALPATH request the server must reply either with SSH_FXP_NAME or, when an error occurs, with SSH_FXP_STATUS with the reason for the failure. Your server replies SSH_FXP_STATUS with status "OK". It does not make sense and probably it violates the SFTP protocol specification. I do not know how to solve this.

---------------------------------------------------------------------
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 28 Oct 2004 19:54:27 +1000
Subject: Problem copying directories using sftp
In-Reply-To: <4.3.2.7.2.20041028101820.045b4e88@genetics.agrsci.dk>
References: <4.3.2.7.2.20041028101820.045b4e88@genetics.agrsci.dk>
Message-ID: <4180C1D3.9010203@zip.com.au>

Bernt Guldbrandtsen wrote:
> A couple of days ago I submitted the problem report shown below to the
> support forum for WinSCP.
>
> I got a reply (shown at the end of this e-mail) saying that this in part
> was a WinSCP problem, but also that there appeared to be something wrong
> with the replies from OpenSSH-3.9p1 under AIX 4.3.3.
[...]
> . Getting real path for '/h580/avl/bg/pdf/'

Wild guess: does the problem persist if you add "#define BROKEN_REALPATH 1" to config.h (after running configure) and then rebuild OpenSSH?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 28 Oct 2004 19:56:21 +1000
Subject: Problem copying directories using sftp
In-Reply-To: <4180C1D3.9010203@zip.com.au>
References: <4.3.2.7.2.20041028101820.045b4e88@genetics.agrsci.dk> <4180C1D3.9010203@zip.com.au>
Message-ID: <4180C245.1050503@zip.com.au>

Darren Tucker wrote:
> Wild guess: does the problem persist if you add "#define BROKEN_REALPATH
> 1" to config.h (after running configure) and then rebuild OpenSSH?

On second thought, ignore that (configure defines BROKEN_REALPATH on AIX anyway).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
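On the WinSCP log in Bernt Guldbrandtsen's message above: a client that checks the reply to SSH_FXP_REALPATH against what the protocol allows would report the server's STATUS-with-OK as a protocol violation instead of the misleading "zero or multiple records" error. The following is an added example, not WinSCP's or OpenSSH's code. Packet layouts follow SFTP v3 (draft-ietf-secsh-filexfer): a uint32 length, a type byte, the request id, then for STATUS a code and two strings, for NAME a record count followed by filename, longname and attributes. The sample packets are constructed by the two build_ functions; the message text "Success" for the OK status is an assumption, chosen because with an empty language tag it gives exactly the 24-byte STATUS WinSCP logged, while the "No such file" reply with an empty language tag comes to the 29 bytes logged for request 2571. Function and constant names other than the SSH2_FXP_/SSH2_FX_ ones are hypothetical.

```c
/* Added example (not WinSCP's or OpenSSH's code): validating a reply to
 * SSH2_FXP_REALPATH, with constructed sample packets in SFTP v3 layout. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSH2_FXP_STATUS      101     /* draft-ietf-secsh-filexfer packet types */
#define SSH2_FXP_NAME        104
#define SSH2_FX_OK           0       /* status codes */
#define SSH2_FX_NO_SUCH_FILE 2

enum { REPLY_OK = 0, REPLY_ERROR = 1, REPLY_VIOLATION = -1 };

/* Bounds-checked cursor over a received packet */
struct cur { const uint8_t *p; size_t n; };

static int get_u32(struct cur *c, uint32_t *v)
{
    if (c->n < 4) return -1;
    *v = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
         ((uint32_t)c->p[2] << 8) | c->p[3];
    c->p += 4; c->n -= 4;
    return 0;
}

/* SSH "string": uint32 length followed by that many bytes */
static int get_string(struct cur *c, const uint8_t **s, uint32_t *len)
{
    if (get_u32(c, len) == -1 || c->n < *len) return -1;
    *s = c->p; c->p += *len; c->n -= *len;
    return 0;
}

/* Classify the reply to REALPATH request want_id. On REPLY_OK the canonical
 * path is copied into out; on REPLY_ERROR *status holds the server's code. */
int check_realpath_reply(const uint8_t *pkt, size_t pktlen, uint32_t want_id,
                         char *out, size_t outlen, uint32_t *status)
{
    struct cur c = { pkt, pktlen };
    uint32_t len, id, count, slen;
    const uint8_t *s;
    uint8_t type;

    if (get_u32(&c, &len) == -1 || len != c.n || c.n < 1)
        return REPLY_VIOLATION;                    /* framing does not match */
    type = *c.p++; c.n--;
    if (get_u32(&c, &id) == -1 || id != want_id)
        return REPLY_VIOLATION;
    if (type == SSH2_FXP_STATUS) {
        if (get_u32(&c, status) == -1)
            return REPLY_VIOLATION;
        /* STATUS with SSH2_FX_OK answers nothing: REALPATH asked for a name
         * and the client still has none. This is the reply in the log above. */
        return *status == SSH2_FX_OK ? REPLY_VIOLATION : REPLY_ERROR;
    }
    if (type != SSH2_FXP_NAME)
        return REPLY_VIOLATION;
    if (get_u32(&c, &count) == -1 || count != 1)   /* exactly one record */
        return REPLY_VIOLATION;
    if (get_string(&c, &s, &slen) == -1 || slen >= outlen)
        return REPLY_VIOLATION;
    memcpy(out, s, slen);
    out[slen] = '\0';
    return REPLY_OK;
}

/* Encoders for the constructed samples (big-endian, as on the wire) */
static uint8_t *put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    return p + 4;
}

static uint8_t *put_string(uint8_t *p, const char *s)
{
    size_t n = strlen(s);
    memcpy(put_u32(p, (uint32_t)n), s, n);
    return p + 4 + n;
}

/* STATUS reply: id, code, message, empty language tag; returns packet size */
size_t build_status(uint8_t *buf, uint32_t id, uint32_t code, const char *msg)
{
    uint8_t *p = buf + 4;
    *p++ = SSH2_FXP_STATUS;
    p = put_string(put_u32(put_u32(p, id), code), msg);
    p = put_string(p, "");
    put_u32(buf, (uint32_t)(p - buf - 4));
    return (size_t)(p - buf);
}

/* NAME reply with one record: filename, longname, ATTRS with flags = 0 */
size_t build_name1(uint8_t *buf, uint32_t id, const char *path)
{
    uint8_t *p = buf + 4;
    *p++ = SSH2_FXP_NAME;
    p = put_string(put_string(put_u32(put_u32(p, id), 1), path), path);
    p = put_u32(p, 0);
    put_u32(buf, (uint32_t)(p - buf - 4));
    return (size_t)(p - buf);
}
```

Every read goes through the bounds-checked cursor, so a reply whose length field disagrees with the bytes actually received, or whose string lengths point past the end, is rejected before anything is copied; the id check catches a reply to a different request, which a "zero or multiple records" message would otherwise hide.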