From dtucker at zip.com.au Sun May 1 00:49:33 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 01 May 2005 00:49:33 +1000 Subject: PAM_AUTH_ERR messages In-Reply-To: <1723.10.10.10.24.1114866216.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> Message-ID: <42739AFD.2000601@zip.com.au> Sean wrote: > There seems to be no way for PAM to inform a user why her ssh login > attempt is being denied. Niether PAM_TEXT_INFO or PAM_ERROR_MSG > conversation messages are passed on to the user by sshd unless the login > is successful. This is causing great frustration for us at several sites > where users can't figure out why their logins aren't working. What version of OpenSSH is this, which authentication method, and which module type is denying the login? In 4.0p1, results of failing account and session modules are sent to the user (account messages via SSH2 banner messages, the session modules via the session itself). > Would a patch be accepted to display such text even on login failure with > a couple second of delay afterward? Or is there a way to already do this > that i'm just missing? Possibly, but it's not trivial: you can't just printf() the message because if authentication fails then there's no session to send the messages down. There's a few things to consider: * For keyboard-interactive, the kbdint machinery currently doesn't send any messages after the authentication fails (ie it won't send a zero-prompt message with the failure text). * The messages will accumulate in the monitor when privsep=yes and will need to be copied to the slave before they can be sent to the user (see mm_do_pam_account for an example). * The output could be sent in banner messages (however they're a Protocol 2 only feature). * For protocol 1 the only option appears to be a disconnect message. * There's also a potential issue with leaking information: it'll behave significantly differently if the authentication is denied for other reasons (eg DenyUsers). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From davidl at vintela.com Sun May 1 01:58:03 2005 From: davidl at vintela.com (David Leonard) Date: Sun, 1 May 2005 01:58:03 +1000 (EST) Subject: PAM_AUTH_ERR messages In-Reply-To: <42739AFD.2000601@zip.com.au> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> Message-ID: Hi > Sean wrote: > > There seems to be no way for PAM to inform a user why her ssh login > > attempt is being denied. Niether PAM_TEXT_INFO or PAM_ERROR_MSG > > conversation messages are passed on to the user by sshd unless the login > > is successful. This is causing great frustration for us at several sites > > where users can't figure out why their logins aren't working. I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive) Our pam module believes that calling through the pam_conv (during auth, and just before returning PAM_AUTH_ERR) will display an important message to the user. But it doesn't, and it causes confusion. > > Would a patch be accepted to display such text even on login failure > > with a couple second of delay afterward? I'd love to see a fix for it too, though I think adding a delay is unnecessary. d -- David Leonard Resource Central software engineer Vintela Inc.; Brisbane, Australia From seanlkml at sympatico.ca Sun May 1 02:19:15 2005 From: seanlkml at sympatico.ca (Sean) Date: Sat, 30 Apr 2005 12:19:15 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: <42739AFD.2000601@zip.com.au> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> Message-ID: <2541.10.10.10.24.1114877955.squirrel@linux1> On Sat, April 30, 2005 10:49 am, Darren Tucker said: Hi Darren, > What version of OpenSSH is this, which authentication method, and which > module type is denying the login? In 4.0p1, results of failing account > and session modules are sent to the user (account messages via SSH2 > banner messages, the session modules via the session itself). It's Fedora FC3 openssh-3.9p1-8.0.1. kbd-int password authentication. And it's a session module. Originally it was pam_limits doing the login denial, but unfortunately it doesn't send any message giving a reason for the failure. So now we have a custom PAM module :o/ I'm rather shocked more people aren't running into this. > Possibly, but it's not trivial: you can't just printf() the message > because if authentication fails then there's no session to send the > messages down. For our purposes we're only trying to report reasons for a session being denied, so if I understand correctly, this shouldn't be an issue. > There's a few things to consider: > > * For keyboard-interactive, the kbdint machinery currently doesn't send > any messages after the authentication fails (ie it won't send a > zero-prompt message with the failure text). This may be the crux of the problem and is definitely the behavior we're seeing. > * The messages will accumulate in the monitor when privsep=yes and will > need to be copied to the slave before they can be sent to the user (see > mm_do_pam_account for an example). > > * The output could be sent in banner messages (however they're a > Protocol 2 only feature). Hmmm, protocol 2 isn't a problem, however I don't see anything in auth-pam.c about "banner messages". Are they somehow separate from pam_conv messages? > * For protocol 1 the only option appears to be a disconnect message. > > * There's also a potential issue with leaking information: it'll behave > significantly differently if the authentication is denied for other > reasons (eg DenyUsers). Well, the message only comes up after someone enters a correct password, so I don't think this is actually a leak. Thanks very much for your help, Sean From seanlkml at sympatico.ca Sun May 1 02:22:22 2005 From: seanlkml at sympatico.ca (Sean) Date: Sat, 30 Apr 2005 12:22:22 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> Message-ID: <2560.10.10.10.24.1114878142.squirrel@linux1> On Sat, April 30, 2005 11:58 am, David Leonard said: Hi David, > I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive) > > Our pam module believes that calling through the pam_conv (during auth, > and just before returning PAM_AUTH_ERR) will display an important message > to the user. But it doesn't, and it causes confusion. Yes exactly. It's interesting that the PAM module works just as expected with telnetd. openssh just handles it differently. > I'd love to see a fix for it too, though I think adding a delay is > unnecessary. Perhaps it could be configurable. The only reason for the suggestion is that some clients (Putty in this case) are configured to auto close the window on disconnection. The idea was to make sure the user had time to read the message, but a "press enter to continue..." type thing would work too. Cheers, Sean From davidl at vintela.com Sun May 1 02:49:34 2005 From: davidl at vintela.com (David Leonard) Date: Sun, 1 May 2005 02:49:34 +1000 (EST) Subject: PAM_AUTH_ERR messages In-Reply-To: <2560.10.10.10.24.1114878142.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2560.10.10.10.24.1114878142.squirrel@linux1> Message-ID: On Sat, 30 Apr 2005, Sean wrote: > > I think adding a delay is unnecessary. > > Perhaps it could be configurable. The only reason for the suggestion is > that some clients (Putty in this case) are configured to auto close the > window on disconnection. The idea was to make sure the user had time to > read the message, but a "press enter to continue..." type thing would work > too. I see. Still, it sounds to me like its solving something that is not openssh's problem. Let's not discuss putty changes on this list, but this may be kind of related to what you describe: -- David Leonard Resource Central software engineer Vintela Inc.; Brisbane, Australia VoIP: US: 801-655-2755 AU: 07-3023-5133 From dtucker at zip.com.au Sun May 1 11:50:52 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 01 May 2005 11:50:52 +1000 Subject: PAM_AUTH_ERR messages In-Reply-To: <2541.10.10.10.24.1114877955.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2541.10.10.10.24.1114877955.squirrel@linux1> Message-ID: <427435FC.6090800@zip.com.au> Sean wrote: > On Sat, April 30, 2005 10:49 am, Darren Tucker said: >>What version of OpenSSH is this, which authentication method, and which >>module type is denying the login? In 4.0p1, results of failing account >>and session modules are sent to the user (account messages via SSH2 >>banner messages, the session modules via the session itself). > > It's Fedora FC3 openssh-3.9p1-8.0.1. kbd-int password authentication. > And it's a session module. In that case, 4.0p1 already does what you want. If the session module fails, the messages are accumulated, sent down the session and the session closed (this is how /etc/nologin works too). > Originally it was pam_limits doing the login > denial, but unfortunately it doesn't send any message giving a reason for > the failure. So now we have a custom PAM module :o/ I'm rather shocked > more people aren't running into this. [...] >>* For keyboard-interactive, the kbdint machinery currently doesn't send >>any messages after the authentication fails (ie it won't send a >>zero-prompt message with the failure text). > > This may be the crux of the problem and is definitely the behavior we're > seeing. If it's a session module that's failing then that's not your problem. >>* The output could be sent in banner messages (however they're a >>Protocol 2 only feature). > > Hmmm, protocol 2 isn't a problem, however I don't see anything in > auth-pam.c about "banner messages". Are they somehow separate from > pam_conv messages? Banner messages are a ssh2 protocol feature (SSH2_MSG_USERAUTH_BANNER), the server can send them to the client at any time after the authentication has started and before it's finished. The client is supposed to show them to the user. See [1] section 5.4. The basic idea is you accumulate the PAM_ERROR_MSG and PAM_TEXT_INFO messages from PAM, cram them into a SSH2 banner message and fire them at the user. >>* There's also a potential issue with leaking information: it'll behave >>significantly differently if the authentication is denied for other >>reasons (eg DenyUsers). > > Well, the message only comes up after someone enters a correct password, > so I don't think this is actually a leak. In the case of a failing auth or session module, that's correct. For a failing auth module, it's a leak. The question is: is it a worthwhile tradeoff? [1] http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-27.txt -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sun May 1 11:56:36 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 01 May 2005 11:56:36 +1000 Subject: PAM_AUTH_ERR messages In-Reply-To: References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> Message-ID: <42743754.1000305@zip.com.au> David Leonard wrote: >>Sean wrote: >>>There seems to be no way for PAM to inform a user why her ssh login >>>attempt is being denied. Niether PAM_TEXT_INFO or PAM_ERROR_MSG >>>conversation messages are passed on to the user by sshd unless the login >>>is successful. This is causing great frustration for us at several sites >>>where users can't figure out why their logins aren't working. > > I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive) > > Our pam module believes that calling through the pam_conv (during auth, > and just before returning PAM_AUTH_ERR) will display an important message > to the user. But it doesn't, and it causes confusion. OK, this is a separate problem to the one Sean is having. I had a patch a while back that worked around this by sedning kbdint packets with text but no prompt, however the patch was truly evil. Using a ssh2 banner message might be a viable option for this too. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sun May 1 12:04:53 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 01 May 2005 12:04:53 +1000 Subject: PAM_AUTH_ERR messages In-Reply-To: <2560.10.10.10.24.1114878142.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2560.10.10.10.24.1114878142.squirrel@linux1> Message-ID: <42743945.9050709@zip.com.au> Sean wrote: > On Sat, April 30, 2005 11:58 am, David Leonard said: >>I'm seeing the same problem being hit here. (4.0p1 keyboard-interactive) >> >>Our pam module believes that calling through the pam_conv (during auth, >>and just before returning PAM_AUTH_ERR) will display an important message >>to the user. But it doesn't, and it causes confusion. > > Yes exactly. It's interesting that the PAM module works just as expected > with telnetd. openssh just handles it differently. That's because the SSH{1,2} protocols are fundamentally different to a telnet session. (PAM's API makes it tricky to use for SSH too, however that's a separate rant.) >>I'd love to see a fix for it too, though I think adding a delay is >>unnecessary. > > Perhaps it could be configurable. The only reason for the suggestion is > that some clients (Putty in this case) are configured to auto close the > window on disconnection. The idea was to make sure the user had time to > read the message, but a "press enter to continue..." type thing would work > too. You can hack a fflush and sleep into session.c but I don't think it should be yet another sshd option. If the user has configured the client to close immediately, taking any useful information with it then that's their problem. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From seanlkml at sympatico.ca Sun May 1 17:35:59 2005 From: seanlkml at sympatico.ca (Sean) Date: Sun, 1 May 2005 03:35:59 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: <427435FC.6090800@zip.com.au> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2541.10.10.10.24.1114877955.squirrel@linux1> <427435FC.6090800@zip.com.au> Message-ID: <1830.10.10.10.24.1114932959.squirrel@linux1> On Sat, April 30, 2005 9:50 pm, Darren Tucker said: > In that case, 4.0p1 already does what you want. If the session module > fails, the messages are accumulated, sent down the session and the > session closed (this is how /etc/nologin works too). Yes you're right about the upgrade solving the problem. And in fact the custom PAM module that we made was based on the original pam nologin module. We also had to set "UsePrivilegeSeparation no", which we tweaked on because of what you said in your first reply. So for our RHEL 4 server, we had to write a custom PAM module and do a non-standard openssh upgrade, just so users can know why they've been denied login. Pretty bad really, but your help made it easier to get through, thanks. Sean From seanlkml at sympatico.ca Sun May 1 17:38:13 2005 From: seanlkml at sympatico.ca (Sean) Date: Sun, 1 May 2005 03:38:13 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: <42743945.9050709@zip.com.au> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2560.10.10.10.24.1114878142.squirrel@linux1> <42743945.9050709@zip.com.au> Message-ID: <1839.10.10.10.24.1114933093.squirrel@linux1> On Sat, April 30, 2005 10:04 pm, Darren Tucker said: > You can hack a fflush and sleep into session.c but I don't think it > should be yet another sshd option. If the user has configured the > client to close immediately, taking any useful information with it then > that's their problem. There is a setting in Putty that says to auto-close window only on "clean exit". Any idea how we would send a "this is not a clean exit" message in protocol 2 along with our failure text so that the window isn't closed on the user? Sean From dtucker at zip.com.au Sun May 1 17:52:42 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 01 May 2005 17:52:42 +1000 Subject: PAM_AUTH_ERR messages In-Reply-To: <1839.10.10.10.24.1114933093.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2560.10.10.10.24.1114878142.squirrel@linux1> <42743945.9050709@zip.com.au> <1839.10.10.10.24.1114933093.squirrel@linux1> Message-ID: <42748ACA.2080409@zip.com.au> Sean wrote: > On Sat, April 30, 2005 10:04 pm, Darren Tucker said: >>You can hack a fflush and sleep into session.c but I don't think it >>should be yet another sshd option. If the user has configured the >>client to close immediately, taking any useful information with it then >>that's their problem. > > There is a setting in Putty that says to auto-close window only on "clean > exit". Any idea how we would send a "this is not a clean exit" message > in protocol 2 along with our failure text so that the window isn't closed > on the user? The code in session.c that returns the error message also sets an exit code of 254. If PuTTY checks the exit code then it'll detect this, however if it's just looking for connection breaks and the like then it probably won't. I don't know which it does. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sun May 1 17:53:37 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 01 May 2005 17:53:37 +1000 Subject: PAM_AUTH_ERR messages In-Reply-To: <1830.10.10.10.24.1114932959.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2541.10.10.10.24.1114877955.squirrel@linux1> <427435FC.6090800@zip.com.au> <1830.10.10.10.24.1114932959.squirrel@linux1> Message-ID: <42748B01.3010900@zip.com.au> Sean wrote: > On Sat, April 30, 2005 9:50 pm, Darren Tucker said: >>In that case, 4.0p1 already does what you want. If the session module >>fails, the messages are accumulated, sent down the session and the >>session closed (this is how /etc/nologin works too). > > Yes you're right about the upgrade solving the problem. And in fact the > custom PAM module that we made was based on the original pam nologin > module. > > We also had to set "UsePrivilegeSeparation no", which we tweaked on > because of what you said in your first reply. You shouldn't need to disable privsep to see the output of the session modules (there's a mechanism to copy them from the monitor to where it can be displayed to the user). If this doesn't work with privsep=yes then I would appreciate if you could open a bug at bugzilla.mindrot.org and supply some information about the problem module (w/source if possible so I can try to reproduce it). > So for our RHEL 4 server, we had to write a custom PAM module and do a > non-standard openssh upgrade, just so users can know why they've been > denied login. Pretty bad really, but your help made it easier to get > through, thanks. It usually takes a while for new versions of upstream software including OpenSSH to filter down to vendor distributions but that's entirely out of our control. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From seanlkml at sympatico.ca Sun May 1 19:15:43 2005 From: seanlkml at sympatico.ca (Sean) Date: Sun, 1 May 2005 05:15:43 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: <42748B01.3010900@zip.com.au> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2541.10.10.10.24.1114877955.squirrel@linux1> <427435FC.6090800@zip.com.au> <1830.10.10.10.24.1114932959.squirrel@linux1> <42748B01.3010900@zip.com.au> Message-ID: <2167.10.10.10.24.1114938943.squirrel@linux1> On Sun, May 1, 2005 3:53 am, Darren Tucker said: > Sean wrote: >> On Sat, April 30, 2005 9:50 pm, Darren Tucker said: >>>In that case, 4.0p1 already does what you want. If the session module >>>fails, the messages are accumulated, sent down the session and the >>>session closed (this is how /etc/nologin works too). >> >> Yes you're right about the upgrade solving the problem. And in fact >> the >> custom PAM module that we made was based on the original pam nologin >> module. >> >> We also had to set "UsePrivilegeSeparation no", which we tweaked on >> because of what you said in your first reply. > > You shouldn't need to disable privsep to see the output of the session > modules (there's a mechanism to copy them from the monitor to where it > can be displayed to the user). > > If this doesn't work with privsep=yes then I would appreciate if you > could open a bug at bugzilla.mindrot.org and supply some information > about the problem module (w/source if possible so I can try to reproduce > it). > Will Do. Think we've found another "bug" too. With previous versions of openssh we had maxlogin limit set to 1. However, with the new version that doesn't work, it has to be set to 2 in order to limit people to a single login. It appears that with the new version of openssh, PAM is being called after doing whatever it takes to setup a full session. PAM sees that sessions and says, can't add another! Whereas with previous versions PAM saw session count = 0 on first invocation. (Well this is all just speculation, however it's a fact we can't get things to work with maxlogin = 1). Sean From seanlkml at sympatico.ca Sun May 1 19:45:26 2005 From: seanlkml at sympatico.ca (Sean) Date: Sun, 1 May 2005 05:45:26 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: <42748ACA.2080409@zip.com.au> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2560.10.10.10.24.1114878142.squirrel@linux1> <42743945.9050709@zip.com.au> <1839.10.10.10.24.1114933093.squirrel@linux1> <42748ACA.2080409@zip.com.au> Message-ID: <2210.10.10.10.24.1114940726.squirrel@linux1> On Sun, May 1, 2005 3:52 am, Darren Tucker said: > The code in session.c that returns the error message also sets an exit > code of 254. If PuTTY checks the exit code then it'll detect this, > however if it's just looking for connection breaks and the like then it > probably won't. I don't know which it does. Yes, the putty log confirms what you say: Incoming packet type 96 / 0x60 (SSH2_MSG_CHANNEL_EOF) 00000000 00 00 01 00 Incoming packet type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST) 00000000 00 00 01 00 00 00 00 0b 65 78 69 74 2d 73 74 61 00000010 74 75 73 00 00 00 00 fe Event Log: Server sent command exit status 254 However then openssh sends: Incoming packet type 97 / 0x61 (SSH2_MSG_CHANNEL_CLOSE) 00000000 00 00 01 00 And Putty concludes, all is well shutting down normally. It looks like it would be a one line change in Putty to get it to respond correctly. Sean From seanlkml at sympatico.ca Sun May 1 23:40:38 2005 From: seanlkml at sympatico.ca (Sean) Date: Sun, 1 May 2005 09:40:38 -0400 (EDT) Subject: PAM_AUTH_ERR messages In-Reply-To: <2210.10.10.10.24.1114940726.squirrel@linux1> References: <1723.10.10.10.24.1114866216.squirrel@linux1> <42739AFD.2000601@zip.com.au> <2560.10.10.10.24.1114878142.squirrel@linux1> <42743945.9050709@zip.com.au> <1839.10.10.10.24.1114933093.squirrel@linux1> <42748ACA.2080409@zip.com.au> <2210.10.10.10.24.1114940726.squirrel@linux1> Message-ID: <2712.10.10.10.24.1114954838.squirrel@linux1> On Sun, May 1, 2005 5:45 am, Sean said: > And Putty concludes, all is well shutting down normally. It looks like > it would be a one line change in Putty to get it to respond correctly. > Darren, Thanks again for your help. Patch to Putty stops the client window from closing when Openssh sends a session failure message. --- old/ssh.c Sun May 1 09:27:47 2005 +++ new/ssh.c Sun May 1 09:27:40 2005 @@ -5918,7 +5918,7 @@ ssh2_pkt_addstring(s->pktout, "en"); /* language tag */ ssh2_pkt_send_noqueue(ssh, s->pktout); #endif - ssh->close_expected = TRUE; + ssh->close_expected = ssh->exitcode == 254 ? FALSE : TRUE; ssh_closing((Plug)ssh, NULL, 0, 0); } } Cheers, Sean From igor.bukanov at gmail.com Mon May 2 22:14:25 2005 From: igor.bukanov at gmail.com (Igor Bukanov) Date: Mon, 2 May 2005 14:14:25 +0200 Subject: forwarding stdin/out to remote socket Message-ID: Hi! Some vnc clients has '-via ssh_gateway' option to simplify the setup of ssh port forwarding. Basically the option implements the following 3 steps: 1. Find local port available for listening. 2. Fork/exec ssh -L found_port:vnc_host:vnc_port ssh_gateway sleep some_delay 3. Connect to the found_port Although convenient the setup has its problems. First, it exposes the remote vnc port for everybody on the localhost for the duration of some_delay. Second it can cause connection at step 3 to fail if it would take a long time for ssh to setup the forwarding. Now all this can be avoided if vnc would simply use stdin/out from ssh as a communication channel and make sure that ssh would forward the remote port to it. Currently I did it using netpipes, http://web.purplefrog.com/~thoth/netpipes/netpipes.html , but it does not seem right to execute an additional process copying megabytes of tcp trafic from vncserver to stdin/out just so ssh can forward it one more time. So it would be nice if ssh can forward a port to stdin/out on its own. AFAICS for ssh2 it would require to modify only ssh client, right? Regards, Igor From lucio at sulweb.org Mon May 2 23:18:16 2005 From: lucio at sulweb.org (Lucio Crusca) Date: Mon, 2 May 2005 15:18:16 +0200 Subject: forwarding stdin/out to remote socket In-Reply-To: References: Message-ID: <200505021518.16939.lucio@sulweb.org> Igor Bukanov wrote: > Although convenient the setup has its problems. First, it exposes the > remote vnc port for everybody on the localhost for the duration of > some_delay. Second it can cause connection at step 3 to fail if it > would take a long time for ssh to setup the forwarding. > > Now all this can be avoided if vnc would simply use stdin/out from ssh I believe you are working around a lack of feature in sshd: sshd should be able to choose a free port and forward that port, but, as for now, it isn't. I've been working on a patch against 4.0p1 for a while (see thread http://www.mindrot.org/pipermail/openssh-unix-dev/2005-March/022829.html and relative follow-ups) that would implement said feature, but it has been rightly rejected. Now I have to find the time to fix the bugs and recode the patch against latest CVS or against 4.1. I plan to work on it and have it approved within the end of june, but don't rely too much on that. Lucio. From igor.bukanov at gmail.com Tue May 3 00:09:00 2005 From: igor.bukanov at gmail.com (Igor Bukanov) Date: Mon, 2 May 2005 16:09:00 +0200 Subject: forwarding stdin/out to remote socket In-Reply-To: References: Message-ID: On 5/2/05, Lucio Crusca wrote: >I believe you are working around a lack of feature in sshd: sshd should > be able to choose a free port and forward that port, but, as for now, it > isn't. I do not think so. What I would like to do is to replace the current invocation (where hose is from http://web.purplefrog.com/~thoth/netpipes/hose.html): ssh remote_host hose localhost 5901 --netslave by ssh -oForwardStdInAndOut=localhost/5901 remote_host In this way a process (hose) that simply copy megabytes of vnc traffic would be eliminated decreasing latency. BTW, what would be a better name then ForwardStdInAndOut ? Regards, Igor From mjaiganesh_78 at yahoo.com Tue May 3 00:08:40 2005 From: mjaiganesh_78 at yahoo.com (Jaiganesh Mathaiyan) Date: Mon, 2 May 2005 07:08:40 -0700 (PDT) Subject: Regarding Open SSH In-Reply-To: 6667 Message-ID: <20050502140841.39989.qmail@web52206.mail.yahoo.com> Hi, I am facing an implementation challenge while using open ssh libraries in my application. I have a server which uses open ssh to communicate with a network element. My requirement is to open multiple ssh sessions from my application and maintain it concurrently. I would like to know, if this is possible to use multiple and conncurrent sessions to different network elements and managing it from a single application. If possible, please provide some links to any c libraries which already implement this (both commercial and open sources). Thanks Jaiganesh __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From mstevens at cmu.edu Tue May 3 02:30:58 2005 From: mstevens at cmu.edu (Michael A Stevens) Date: Mon, 2 May 2005 12:30:58 -0400 (EDT) Subject: Regarding Open SSH In-Reply-To: <20050502140841.39989.qmail@web52206.mail.yahoo.com> References: <20050502140841.39989.qmail@web52206.mail.yahoo.com> Message-ID: OpenSSH uses a giant select loop to process events coming in, so anything you do with multiple channels has to take this into account. One way you could do it is fork() a library session off and use port forwarding to interface with it while having threads on your end. The other way is you could change some of the events that openssh registers to have hooks to your functions. Mike On Mon, 2 May 2005, Jaiganesh Mathaiyan wrote: > Hi, > > I am facing an implementation challenge while > using > open ssh libraries in my application. I have a > server > which uses open ssh to communicate with a network > element. My requirement is to open multiple ssh > sessions from my application and maintain it > concurrently. > > I would like to know, if this is possible to use > multiple and conncurrent sessions to different > network > elements and managing it from a single application. > > If possible, please provide some links to any c > libraries which already implement this (both > commercial and open sources). > > Thanks > Jaiganesh > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From logsnaath at gmx.net Tue May 3 20:07:00 2005 From: logsnaath at gmx.net (Logu) Date: Tue, 3 May 2005 15:37:00 +0530 Subject: which PID should be written to utmp/wtmp file Message-ID: <02c201c54fc7$df7b1980$140110ac@loguco> Hi, For each user connection when privilege separation is enabled, 3 processes are of interest for this topic. 1. sshd:[priv] - privileged user process. 2. sshd:user at pts/0 - user process. 3. shell - shell process. Openssh code writes the #2. sshd:user at pts/0 - user process to the utmp/wtmp file. Is this the correct behaviour.? Or should it write the #3. shell pid to the utmp/wtmp file. Thanks -logu From dtucker at zip.com.au Wed May 4 23:24:55 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 04 May 2005 23:24:55 +1000 Subject: which PID should be written to utmp/wtmp file In-Reply-To: <02c201c54fc7$df7b1980$140110ac@loguco> References: <02c201c54fc7$df7b1980$140110ac@loguco> Message-ID: <4278CD27.9050208@zip.com.au> Logu wrote: > For each user connection when privilege separation is enabled, 3 > processes are of interest for this topic. > > 1. sshd:[priv] - privileged user process. > 2. sshd:user at pts/0 - user process. > 3. shell - shell process. > > Openssh code writes the #2. sshd:user at pts/0 - user process to the > utmp/wtmp file. Is this the correct behaviour.? Or should it write the > #3. shell pid to the utmp/wtmp file. I think it should probably write #3 (it's the session leader) however none of the doco I could find specifies (usually it just says "pid of process" and doesn't specify exactly which process). On most systems it doesn't seem to make any difference (HP-UX being the apparent exception). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Mon May 9 20:21:37 2005 From: vinschen at redhat.com (Corinna Vinschen) Date: Mon, 9 May 2005 12:21:37 +0200 Subject: [PATCH] contrib/cygwin/ssh-host-config Message-ID: <20050509102137.GB3375@calimero.vinschen.de> Hi, the below patch adds a test to the ssh-host-config script, which helps the user by testing for one of the most annoying problems in a Cygwin installation of OpenSSH and printing a message to help. Please apply the patch. Thanks, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.16 diff -p -u -r1.16 ssh-host-config --- contrib/cygwin/ssh-host-config 13 Mar 2005 10:20:18 -0000 1.16 +++ contrib/cygwin/ssh-host-config 9 May 2005 10:03:21 -0000 @@ -583,6 +583,16 @@ then chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log fi fi + if ! ( mount | egrep -q 'on /(|usr/(bin|lib)) type system' ) + then + echo + echo "Warning: It appears that you have user mode mounts (\"Just me\"" + echo "chosen during install.) Any daemons installed as services will" + echo "fail to function unless system mounts are used. To change this," + echo "re-run setup.exe and choose \"All users\"." + echo + echo "For more information, see http://cygwin.com/faq/faq0.html#TOC33" + fi fi fi -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From chidanand.gangur at gmail.com Wed May 11 00:25:53 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Tue, 10 May 2005 19:55:53 +0530 Subject: SSHD creates defunct process Message-ID: Hi, I am using on sshd version OpenSSH_3.6.1p2. I am facing some very vauge problem when i run sshd server and try to connect to it. When I run sshd in debug mode [ ./sshd -ddd] I am able to connect to it and every thing functions very well, but when i run it as [./sshd] and try to connect it the connection hangs creating defunct process. The entries in process table are 25571 ? S 0:00 sshd: admin [priv] 25573 ? Z 0:00 [sshd ] I have propretory PAM module which hooks in my authentication mechanism to sshd. Based upon my pam module logs and sshd debug messages i can say that authentication went on smoothly and it returned PAM_SUCCESS to do_pam_authenticate. After this the shell just hangs. I can see this error in var log messages when run either by [ ./sshd -ddd] or [./sshd] PAM [dlerror: /lib/security/$ISA/pam_deny.so: cannot open shared object file: No such file or directory] My /etc/pam.d/sshd looks like this #%PAM-1.0 auth sufficient /scratch/Chidanand/bagini-p2/lib/pam_test.so account required /scratch/Chidanand/bagini-p2/lib/pam_test.so password required pam_stack.so service=system-auth session required /scratch/Chidanand/bagini-p2/lib/pam_test.so _________________________________________________________ I am confused with this problem, can any one help me to nail down this issue. -- Thanks, Chidanand Gangur Pune. From stuge-openssh-unix-dev at cdy.org Wed May 11 02:44:45 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Tue, 10 May 2005 18:44:45 +0200 Subject: SSHD creates defunct process In-Reply-To: References: Message-ID: <20050510164445.GA1384@foo.birdnet.se> On Tue, May 10, 2005 at 07:55:53PM +0530, Chidanand Gangur wrote: > I am confused with this problem, can any one help me to nail down > this issue. Is the problem repeatable when you run ./sshd -D ? If it is, you can run sshd under strace/ktrace/truss/similar to get a thorough view of what is going on. //Peter From ed.white at libero.it Wed May 11 03:08:29 2005 From: ed.white at libero.it (Ed White) Date: Tue, 10 May 2005 19:08:29 +0200 Subject: public-key ? Message-ID: <200505101908.29560.ed.white@libero.it> Hi, I'm not a crypto expert, so after reading this interview with Bruce Schneier ( http://www.securityfocus.com/columnists/324 ) I'm wondering if OpenSSH has the same problem he talks about, that is one public-key algorithm. Doesn't OpenSSH use RSA, DSA, and DH ? Also, is there any plan to include those new NSA standards based on ECC ? From chidanand.gangur at gmail.com Wed May 11 04:47:34 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Wed, 11 May 2005 00:17:34 +0530 Subject: SSHD creates defunct process In-Reply-To: <20050510164445.GA1384@foo.birdnet.se> References: <20050510164445.GA1384@foo.birdnet.se> Message-ID: When started with strace SSHD waits in select loop. I have placed various log messages in sshd source code .what I can see is after calling do_pam_converse function from do_pam_account function sshd does nothing. that is creates zombie. On 5/10/05, Peter Stuge wrote: > On Tue, May 10, 2005 at 07:55:53PM +0530, Chidanand Gangur wrote: > > I am confused with this problem, can any one help me to nail down > > this issue. > > Is the problem repeatable when you run ./sshd -D ? > > If it is, you can run sshd under strace/ktrace/truss/similar to get a > thorough view of what is going on. > > //Peter > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Chidanand Gangur Pune. From sgales at firewall.simonandchristy.com Wed May 11 11:38:05 2005 From: sgales at firewall.simonandchristy.com (Simon Gales) Date: Tue, 10 May 2005 20:38:05 -0500 (CDT) Subject: Need help with GSSAPI authentication Message-ID: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash shows that my tickets ARE forwardable. Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and OpenSSH 4.0p1. I've created two AD accounts, and extracted keys mapped to "host/hostname.domainname.com at REALM.COM" and "ssh/hostname.domainname.com at REALM.COM" and installed them into /etc/krb5.keytab. I can login to the server just fine - GSSAPI-with-mic authentication works fine. But when I "klist" after logging in, I have no tickets. So... is this supposed to work? Should my tickets get forwarded? If not, is there a patch that would make this work? Any help would be appreciated... I can provide server-side debug traces if it'll help, but I really just need to know if tgt-forwarding is supposed to work in OpenSSH 4.0... -Simon From stuge-openssh-unix-dev at cdy.org Wed May 11 13:19:55 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 11 May 2005 05:19:55 +0200 Subject: SSHD creates defunct process In-Reply-To: References: <20050510164445.GA1384@foo.birdnet.se> Message-ID: <20050511031955.GD25402@foo.birdnet.se> On Wed, May 11, 2005 at 12:17:34AM +0530, Chidanand Gangur wrote: > When started with strace SSHD waits in select loop. Ok, so you're on Linux. Try strace -fF sshd -D > I have placed various log messages in sshd source code .what I can > see is after calling do_pam_converse function from do_pam_account > function sshd does nothing. that is creates zombie. Hm, I'm not too familiar with the workings of the PAM but perhaps the trace output could help nail the problem down. //Peter From davidl at vintela.com Wed May 11 13:27:58 2005 From: davidl at vintela.com (David Leonard) Date: Wed, 11 May 2005 13:27:58 +1000 (EST) Subject: Need help with GSSAPI authentication In-Reply-To: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> References: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> Message-ID: Hi, Simon. On Tue, 10 May 2005, Simon Gales wrote: > So... is this supposed to work? Should my tickets get forwarded? If not, > is there a patch that would make this work? I can verify that TGT forwarding certainly works between openssh client and server. I've been using it extensievly with openssh 4.0p1 linked to a heimdal-based GSSAPI impl. I see a similar problems here but with PuTTY modified to use SSPI for gssapi-with-mic. It too is in an AD 2003 realm. One thing I thought of that could stop delegation is if the target host has not been flagged as 'Trusted for delgation' in AD, as SSPI will silently ignore the request to delegate when the service ticket doesn't have the 'ok to delegate' flag. But, kerbtray.exe (from the windows reskit) and some ethereal traces show this isn't the problem. > I can login to the server just fine - GSSAPI-with-mic authentication works > fine. But when I "klist" after logging in, I have no tickets. Same here. What's interesting is that here the GSSAPI seems to receive from SSPI an *empty* set of delegated credentials. So, I see a credential cache constructed with the right default UPN, but with zero tickets. > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. I don't think the ssh/ service key would ever get used. Because you're getting a shell, it's using host/. d -- David Leonard Resource Central software engineer Vintela Inc.; Brisbane, Australia VoIP: US: 801-655-2755 AU: 07-3023-5133 From djm at mindrot.org Wed May 11 13:51:40 2005 From: djm at mindrot.org (Damien Miller) Date: Wed, 11 May 2005 13:51:40 +1000 Subject: public-key ? In-Reply-To: <200505101908.29560.ed.white@libero.it> References: <200505101908.29560.ed.white@libero.it> Message-ID: <4281814C.1080900@mindrot.org> Ed White wrote: > Hi, > > I'm not a crypto expert, so after reading this interview with Bruce Schneier > ( http://www.securityfocus.com/columnists/324 ) I'm wondering if OpenSSH has > the same problem he talks about, that is one public-key algorithm. I don't see anything in there where he talks about a problem. > Doesn't OpenSSH use RSA, DSA, and DH ? Yes, but those are three different algorithms, based on two different number-theoretic approaches. > Also, is there any plan to include those new NSA standards based on ECC ? No, they are a patent minefield that we don't have time to negotiate. -d From dtucker at zip.com.au Wed May 11 13:59:56 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 11 May 2005 13:59:56 +1000 Subject: SSHD creates defunct process In-Reply-To: <20050511031955.GD25402@foo.birdnet.se> References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> Message-ID: <4281833C.2040805@zip.com.au> Peter Stuge wrote: > On Wed, May 11, 2005 at 12:17:34AM +0530, Chidanand Gangur wrote: >>When started with strace SSHD waits in select loop. > > Ok, so you're on Linux. > Try strace -fF sshd -D Be aware that strace on Linux will change some of the behaviour of the parent/child relationships, so while it may help it's not an ideal diagnostic. [and from the original posting] >> PAM [dlerror: /lib/security/$ISA/pam_deny.so: cannot open shared >>object file: No such file or directory] It looks like you are missing the pam_deny.so file, or the path is wrong in /etc/pam.d/system-auth. >>I have placed various log messages in sshd source code .what I can >>see is after calling do_pam_converse function from do_pam_account >>function sshd does nothing. that is creates zombie. > > Hm, I'm not too familiar with the workings of the PAM but perhaps the > trace output could help nail the problem down. There's a bug in some versions of LinuxPAM that prevents an app from changing of the conversation function. It's possible that PAM is calling the wrong conversation function: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126985 I wrote a tool for figuring out what PAM is doing underneath the covers, based in part on sshd's PAM interface code. It's available here: http://www.zip.com.au/~dtucker/patches/pam-test-harness.c The documentation, such as it is, is here: http://www.zip.com.au/~dtucker/patches/#pamtest -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From chidanand.gangur at gmail.com Wed May 11 16:11:44 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Wed, 11 May 2005 11:41:44 +0530 Subject: SSHD creates defunct process In-Reply-To: <4281833C.2040805@zip.com.au> References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> Message-ID: I tried to trace SSHD using strace -fF as said before SSHd waits in select loop. When i connect I do not get login prompt to proceed further. regarding PAM unable to dlopen(/lib/security/$ISA/pam_deny.so) the file exists in that location. $ISA is not initialised that contains nothing. I have also tried hard codding the file path in system-auth file, still i see the above error in /var/log/messages. I also tried Darrens pam-test-harness program, all of my test went through. [thanks Darren] With this test i could see my authentication request comming to my authentication module getting authenticated and returning success to my pam module. All these functions returned SUCCESS pam_start pam_set_item(pamh, PAM_TTY pam_set_item(pamh, PAM_RHOST, pam_set_item(pamh, PAM_RUSER, pam_authenticate(pamh, 0) pam_acct_mgmt(pamh, 0) pam_open_session(pamh, 0) pam_setcred(pamh, 0) pam_get_item(pamh, PAM_USER, ...) PAM_USER = testcng (unchanged) Standard environment variables ADMIN_NAME=testcng ADMIN_PORT=3445 ADMIN_IP=192.168.2.129 PAM environment variables uid 0 euid 0 gid 0 egid 0 pam_end(pamh, 0) = 0 (Success) But the [sshd ] problem still persists. when SSHD started as [./sshd]. To add more information i am using gcc-v3.2.2 On 5/11/05, Darren Tucker wrote: > Peter Stuge wrote: > > On Wed, May 11, 2005 at 12:17:34AM +0530, Chidanand Gangur wrote: > >>When started with strace SSHD waits in select loop. > > > > Ok, so you're on Linux. > > Try strace -fF sshd -D > > Be aware that strace on Linux will change some of the behaviour of the > parent/child relationships, so while it may help it's not an ideal > diagnostic. > > [and from the original posting] > >> PAM [dlerror: /lib/security/$ISA/pam_deny.so: cannot open shared > >>object file: No such file or directory] > > It looks like you are missing the pam_deny.so file, or the path is wrong > in /etc/pam.d/system-auth. > > >>I have placed various log messages in sshd source code .what I can > >>see is after calling do_pam_converse function from do_pam_account > >>function sshd does nothing. that is creates zombie. > > > > Hm, I'm not too familiar with the workings of the PAM but perhaps the > > trace output could help nail the problem down. > > There's a bug in some versions of LinuxPAM that prevents an app from > changing of the conversation function. It's possible that PAM is > calling the wrong conversation function: > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126985 > > I wrote a tool for figuring out what PAM is doing underneath the covers, > based in part on sshd's PAM interface code. > > It's available here: > http://www.zip.com.au/~dtucker/patches/pam-test-harness.c > > The documentation, such as it is, is here: > http://www.zip.com.au/~dtucker/patches/#pamtest > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Chidanand Gangur Pune. From Sergio.Gelato at astro.su.se Wed May 11 19:14:04 2005 From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Wed, 11 May 2005 11:14:04 +0200 Subject: Need help with GSSAPI authentication In-Reply-To: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> References: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> Message-ID: <20050511091404.GB1142@hanuman.astro.su.se> * Simon Gales [2005-05-10 20:38:05 -0500]: > Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. > I've also got MIT Kerberos for Windows installed on the client, and Leash > shows that my tickets ARE forwardable. > > Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and > OpenSSH 4.0p1. > > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. > > I can login to the server just fine - GSSAPI-with-mic authentication works > fine. But when I "klist" after logging in, I have no tickets. > > So... is this supposed to work? Should my tickets get forwarded? If not, > is there a patch that would make this work? That's a SecureCRT question. If you were using the OpenSSH client, you would have to set the GSSAPIDelegateCredentials option (it's off by default) in order for your TGT to be forwarded. I have no idea what the corresponding option for SecureCRT is called. > Any help would be appreciated... I can provide server-side debug traces > if it'll help, but I really just need to know if tgt-forwarding is > supposed to work in OpenSSH 4.0... It works for me. From simongales at simonandchristy.com Wed May 11 22:01:35 2005 From: simongales at simonandchristy.com (Simon Gales) Date: Wed, 11 May 2005 07:01:35 -0500 Subject: Need help with GSSAPI authentication In-Reply-To: <20050511091404.GB1142@hanuman.astro.su.se> Message-ID: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> David - I think you're correct - the ssh/fqdn at realm principal probably isn't needed. I added it in a fit of desperation a couple of nights ago, but that wasn't what fixed the authentication. After more experimentation last night, I found that: + Putty (with patches) can authenticate but doesn't forward the tickets. + SecureCRT can authenticate but doesn't forward the tickets. + OpenSSH works fine, using kinit to get my tickets initially. So now I'm trying to find OpenSSH built for CygWin that has Kerberos V (1.4.1) support compiled in. I've also begun trying to build it myself, but I've never built anything under CygWin before, and it's slow going. Still trying to resolve errors from missing include files (arpa/nameser.h, resolv.h). -S -----Original Message----- From: openssh-unix-dev-bounces+sgales=simonandchristy.com at mindrot.org [mailto:openssh-unix-dev-bounces+sgales=simonandchristy.com at mindrot.org] On Behalf Of Sergio Gelato Sent: Wednesday, May 11, 2005 4:14 AM To: openssh-unix-dev at mindrot.org Subject: Re: Need help with GSSAPI authentication * Simon Gales [2005-05-10 20:38:05 -0500]: > Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. > I've also got MIT Kerberos for Windows installed on the client, and > Leash shows that my tickets ARE forwardable. > > Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and > OpenSSH 4.0p1. > > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. > > I can login to the server just fine - GSSAPI-with-mic authentication > works fine. But when I "klist" after logging in, I have no tickets. > > So... is this supposed to work? Should my tickets get forwarded? If > not, is there a patch that would make this work? That's a SecureCRT question. If you were using the OpenSSH client, you would have to set the GSSAPIDelegateCredentials option (it's off by default) in order for your TGT to be forwarded. I have no idea what the corresponding option for SecureCRT is called. > Any help would be appreciated... I can provide server-side debug > traces if it'll help, but I really just need to know if tgt-forwarding > is supposed to work in OpenSSH 4.0... It works for me. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From Sergio.Gelato at astro.su.se Wed May 11 22:22:17 2005 From: Sergio.Gelato at astro.su.se ('Sergio Gelato') Date: Wed, 11 May 2005 14:22:17 +0200 Subject: Need help with GSSAPI authentication In-Reply-To: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> References: <20050511091404.GB1142@hanuman.astro.su.se> <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> Message-ID: <20050511122216.GA8993@hanuman.astro.su.se> * Simon Gales [2005-05-11 07:01:35 -0500]: > After more experimentation last night, I found that: > + Putty (with patches) can authenticate but doesn't forward the tickets. If you're in a position to apply patches, then maybe you should simply patch the call to gss_init_sec_context() to enable credentials delegation. See RFC 2744 sections 4.1 and 5.19. Since all you need to do is set the GSS_C_DELEG_FLAG bit in the req_flags argument, I guess it should be possible even without recompilation, by patching the executable file with a binary editor. > + SecureCRT can authenticate but doesn't forward the tickets. > + OpenSSH works fine, using kinit to get my tickets initially. From dtucker at zip.com.au Wed May 11 22:23:56 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 11 May 2005 22:23:56 +1000 Subject: Need help with GSSAPI authentication In-Reply-To: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> References: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> Message-ID: <4281F95C.3020709@zip.com.au> Simon Gales wrote: > I've also begun trying to build it myself, but I've never built anything > under CygWin before, and it's slow going. Still trying to resolve errors > from missing include files (arpa/nameser.h, resolv.h). The required packages for Cygwin are documented in README.platform and contrib/cygwin/README. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From stuge-openssh-unix-dev at cdy.org Wed May 11 22:31:31 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 11 May 2005 14:31:31 +0200 Subject: SSHD creates defunct process In-Reply-To: References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> Message-ID: <20050511123131.GA4664@foo.birdnet.se> On Wed, May 11, 2005 at 11:41:44AM +0530, Chidanand Gangur wrote: > I tried to trace SSHD using strace -fF as said before SSHd waits in > select loop. When i connect I do not get login prompt to proceed > further. Ah, ok, I understand. And what are the last 100 or so lines of output at that point? //Peter From f_mohr at yahoo.de Wed May 11 22:49:01 2005 From: f_mohr at yahoo.de (frank) Date: Wed, 11 May 2005 14:49:01 +0200 Subject: SSH_ORIGINAL_COMMAND and no forced command Message-ID: <4281FF3D.5000200@yahoo.de> i just noticed that the env. variable SSH_ORIGINAL_COMMAND is no more set if there is no forced command. was there a reason to do so? Background: I'm using a wrapper that can be used as forced command and as shell. (most of the time as forced command, but now I had a task where it had to be used as shell) The wrapper currently only gets its parameters by parsing the SSH_ORIGINAL_COMMAND variable and ignores anything after the -c option. This worked when I implemented it (OpenSSH 2.9). Frank From deengert at anl.gov Wed May 11 23:09:39 2005 From: deengert at anl.gov (Douglas E. Engert) Date: Wed, 11 May 2005 08:09:39 -0500 Subject: Need help with GSSAPI authentication In-Reply-To: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> References: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> Message-ID: <42820413.3020700@anl.gov> Simon Gales wrote: > Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. > I've also got MIT Kerberos for Windows installed on the client, and Leash > shows that my tickets ARE forwardable. We have a similiar setup. > > Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and > OpenSSH 4.0p1. > > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. (The ssh/... principal is not needed, as sshd uses the host.) > > I can login to the server just fine - GSSAPI-with-mic authentication works > fine. But when I "klist" after logging in, I have no tickets. > > So... is this supposed to work? Should my tickets get forwarded? If not, > is there a patch that would make this work? Yes it should work, but it could be a number of things: SSHD is not setting the KRB5CCANME. See if there are ticket caches created from the session. /tmp/krb5cc_* Windows AD has an attribute for servers called ok_to_delegate (something like this) It sets this on the server ticket, so the client knows if it is safe to delegate credentials. Your AD admin might have to change this on the host/... principal Also see the Windows "ksetup /listRealmFlags". As a test you could set the Delegate flag for the realm. This would tell the client its OK to delegate credentials to any host in the realm even if te AD was not sure. > > Any help would be appreciated... I can provide server-side debug traces > if it'll help, but I really just need to know if tgt-forwarding is > supposed to work in OpenSSH 4.0... > Yes itshoulod work. It works in 3.9 from SecureCRT. > -Simon > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From deengert at anl.gov Wed May 11 23:19:30 2005 From: deengert at anl.gov (Douglas E. Engert) Date: Wed, 11 May 2005 08:19:30 -0500 Subject: Need help with GSSAPI authentication In-Reply-To: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> References: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> Message-ID: <42820662.1000006@anl.gov> P.S. Since you have Leash, tell the SecureCRT to use the MIT Kerberos rather then SSPI. I dont believe the MIT code looks at the ok_to_delegate flag. Simon Gales wrote: > Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. > I've also got MIT Kerberos for Windows installed on the client, and Leash > shows that my tickets ARE forwardable. > > Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and > OpenSSH 4.0p1. > > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. > > I can login to the server just fine - GSSAPI-with-mic authentication works > fine. But when I "klist" after logging in, I have no tickets. > > So... is this supposed to work? Should my tickets get forwarded? If not, > is there a patch that would make this work? > > Any help would be appreciated... I can provide server-side debug traces > if it'll help, but I really just need to know if tgt-forwarding is > supposed to work in OpenSSH 4.0... > > -Simon > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From Sergio.Gelato at astro.su.se Wed May 11 23:49:21 2005 From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Wed, 11 May 2005 15:49:21 +0200 Subject: Need help with GSSAPI authentication In-Reply-To: <20050511122216.GA8993@hanuman.astro.su.se> References: <20050511091404.GB1142@hanuman.astro.su.se> <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> <20050511122216.GA8993@hanuman.astro.su.se> Message-ID: <20050511134921.GB8993@hanuman.astro.su.se> * 'Sergio Gelato' [2005-05-11 14:22:17 +0200]: > * Simon Gales [2005-05-11 07:01:35 -0500]: > > After more experimentation last night, I found that: > > + Putty (with patches) can authenticate but doesn't forward the tickets. > > If you're in a position to apply patches, then maybe you should simply > patch the call to gss_init_sec_context() to enable credentials delegation. I'll take that back. Having now looked at the PuTTY patch, I see that the -f flag already does precisely that. The question, then, is whether the SSPI implementation is doing the right thing. David said that an empty credential set was being forwarded. Would be nice to know what's happening on the wire: the client is supposed to ask the KDC for a new TGT for the target host, prior to the GSSAPI exchange. (Unless perhaps addressless TGTs are being used.) From deengert at anl.gov Wed May 11 23:52:27 2005 From: deengert at anl.gov (Douglas E. Engert) Date: Wed, 11 May 2005 08:52:27 -0500 Subject: Need help with GSSAPI authentication In-Reply-To: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> References: <1324.192.168.0.5.1115775485.squirrel@Www.SimonAndChristy.Com> Message-ID: <42820E1B.9060407@anl.gov> [ sorry if you got this twice...] Simon Gales wrote: > Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. > I've also got MIT Kerberos for Windows installed on the client, and Leash > shows that my tickets ARE forwardable. We have a similiar setup. > > Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and > OpenSSH 4.0p1. > > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. (The ssh/... principal is not needed, as sshd uses the host.) > > I can login to the server just fine - GSSAPI-with-mic authentication works > fine. But when I "klist" after logging in, I have no tickets. > > So... is this supposed to work? Should my tickets get forwarded? If not, > is there a patch that would make this work? Yes it should work, but it could be a number of things: SSHD is not setting the KRB5CCANME. See if there are ticket caches created from the session. /tmp/krb5cc_* Windows AD has an attribute for servers called ok_to_delegate (something like this) It sets this on the server ticket, so the client knows if it is safe to delegate credentials. Your AD admin might have to change this on the host/... principal Also see the Windows "ksetup /listRealmFlags". As a test you could set the Delegate flag for the realm. This would tell the client its OK to delegate credentials to any host in the realm even if the AD was not sure. > > Any help would be appreciated... I can provide server-side debug traces > if it'll help, but I really just need to know if tgt-forwarding is > supposed to work in OpenSSH 4.0... > Yes it should work. It works in 3.9 from SecureCRT. > -Simon > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From davidl at vintela.com Thu May 12 00:09:30 2005 From: davidl at vintela.com (David Leonard) Date: Thu, 12 May 2005 00:09:30 +1000 (EST) Subject: Need help with GSSAPI authentication In-Reply-To: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> References: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> Message-ID: Simon I did some more testing of this this evening, and .. well it started to work just fine!?! I feel a bit stupid. Unfortunately too many variables changed between it not-working and working to say why exactly, one of them being a reboot of the AD server (for an unrelated purpose.) My checklist for SSPI->openssh delegated creds is therefore: * ensure "enable krb5 ticket forwarding" is checked in the putty config settings (or whatever the equivalent is in securecrt) * enable 'ok for delegation' for the computer object representing the server On Wed, 11 May 2005, Simon Gales wrote: > After more experimentation last night, I found that: > + Putty (with patches) can authenticate but doesn't forward the tickets. which putty/patches was this? was it our one from http://rc.vintela.com? d -- David Leonard Resource Central software engineer Vintela Inc.; Brisbane, Australia VoIP: US: 801-655-2755 AU: 07-3023-5133 From galb at vandyke.com Thu May 12 01:43:13 2005 From: galb at vandyke.com (Joseph Galbraith) Date: Wed, 11 May 2005 09:43:13 -0600 Subject: Need help with GSSAPI authentication Message-ID: <42822811.1070505@vandyke.com> "Simon Gales" said: > Client: Windows XP pro, in an AD 2003 domain, running SecureCRT 4.1.11. I've also got MIT Kerberos for Windows installed on the client, and Leash > shows that my tickets ARE forwardable. > > Server: Solaris 8 Sparc server, with MIT Kerberos (krb5-1.4.1), and > OpenSSH 4.0p1. > > I've created two AD accounts, and extracted keys mapped to > "host/hostname.domainname.com at REALM.COM" and > "ssh/hostname.domainname.com at REALM.COM" and installed them into > /etc/krb5.keytab. > > I can login to the server just fine - GSSAPI-with-mic authentication works > fine. But when I "klist" after logging in, I have no tickets. > > So... is this supposed to work? Should my tickets get forwarded? If not, > is there a patch that would make this work? > > Any help would be appreciated... I can provide server-side debug traces > if it'll help, but I really just need to know if tgt-forwarding is > supposed to work in OpenSSH 4.0... "Simon Gales" also said: > After more experimentation last night, I found that: > + Putty (with patches) can authenticate but doesn't forward the tickets. > + SecureCRT can authenticate but doesn't forward the tickets. > + OpenSSH works fine, using kinit to get my tickets initially. SecureCRT does indeed support this. You need to make sure that: + Your user, the server, and the client are all trusted for delegation in the AD domain. To do this go to "Manage Users and Computers in Active Domain." In the "Computers" part of the tree, find your Windows XP box, and do Properties. On the general page, turn on the "Trust computer for delegation" check box. Do the same thing for the unix server (it may not be in the "Computers" part-- it will depend on where you added it. Also, find your username and make sure it is also enabled for delegation (in the users section; do properties; on the "Account" tab, "Account is trusted for delegation") + Make sure SCRT is configured for delegation (you've probably already done this.) Delegation should be set to "Full" on the properties dialog for GSSAPI authentication. If you do this, you should not need to use the mit kerberos stuff at all. As Douglas noted, you may get away w/o doing this if you use the mit stuff (change Method: from Auto to MS Kerberos.) If this doesn't work, turning on File / Trace Options before you connect might help use figure out what is going on. Thanks, Joseph (PS. I don't usually follow the mailing list, so please keep me cc'd on any responses-- presuming my post actually gets to the mailing list; I don't know if it is open or not.) From kareemy at gmail.com Thu May 12 05:03:32 2005 From: kareemy at gmail.com (kareemy) Date: Wed, 11 May 2005 14:03:32 -0500 Subject: OpenSSH 4.0p1 ignoring password authentication Message-ID: Hello, I recently compiled OpenSSH 4.0p1 with OpenSSL 0.9.7g on my Linux 2.6.11.3 machine. When I try to connect, the connection is immediately closed. When I setup public key authentication, I am able to login using my public key. However password authentication seems to be ignored. I attached debugging output from both the server and client. $ ssh -vvv localhost OpenSSH_4.0p1, OpenSSL 0.9.7g 11 Apr 2005 debug1: Reading configuration data /etc/ssh/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to localhost [127.0.0.1] port 22. debug1: Connection established. debug1: identity file /home/kcd/.ssh/identity type -1 debug1: identity file /home/kcd/.ssh/id_rsa type -1 debug1: identity file /home/kcd/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_4.0 debug1: match: OpenSSH_4.0 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.0 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 135/256 debug2: bits set: 529/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/kcd/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'localhost' is known and matches the RSA host key. debug1: Found key in /home/kcd/.ssh/known_hosts:1 debug2: bits set: 544/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/kcd/.ssh/identity ((nil)) debug2: key: /home/kcd/.ssh/id_rsa ((nil)) debug2: key: /home/kcd/.ssh/id_dsa ((nil)) debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/kcd/.ssh/identity debug3: no such identity: /home/kcd/.ssh/identity debug1: Trying private key: /home/kcd/.ssh/id_rsa debug3: no such identity: /home/kcd/.ssh/id_rsa debug1: Trying private key: /home/kcd/.ssh/id_dsa debug3: no such identity: /home/kcd/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply Connection closed by 127.0.0.1 # /usr/sbin/sshd -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 160 debug2: parse_server_config: config /etc/ssh/sshd_config len 160 debug1: sshd version OpenSSH_4.0p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. socket: Address family not supported by protocol Generating 768 bit RSA key. RSA key generation complete. debug3: fd 4 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 7 config len 160 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 debug1: inetd sockets after dupping: 3, 3 Connection from 127.0.0.1 port 56693 debug1: Client protocol version 2.0; client software version OpenSSH_4.0 debug1: match: OpenSSH_4.0 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_4.0 debug2: fd 3 setting O_NONBLOCK debug3: privsep user:group 1004:102 debug2: Network child is on pid 817 debug3: preauth child monitor started debug3: mm_request_receive entering debug1: permanently_set_uid: 1004/102 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 115/256 debug2: bits set: 544/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 529/1024 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x8117390(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user kcd service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: auth_shadow_acctexpired: today 12914 sp_expire -1 days left -12915 debug3: account expiration disabled debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for kcd debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for kcd from 127.0.0.1 port 56693 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for kcd from 127.0.0.1 port 56693 ssh2 debug1: userauth-request for user kcd service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=kcd devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for kcd from 127.0.0.1 port 56693 ssh2 debug3: Trying to reverse map address 127.0.0.1. debug1: do_cleanup Remember, public key authentication works fine but password authentication doesn't even give me a chance to enter in my password. I compiled sshd with --with-md5-passwords which is what I am using. I am not sure what could be wrong. Thanks for the help, Kareem From dtucker at zip.com.au Thu May 12 07:58:44 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 May 2005 07:58:44 +1000 Subject: OpenSSH 4.0p1 ignoring password authentication In-Reply-To: References: Message-ID: <42828014.3070406@zip.com.au> kareemy wrote: > I recently compiled OpenSSH 4.0p1 with OpenSSL 0.9.7g on my Linux > 2.6.11.3 machine. Which distribution is this? Does "ssh -o PreferredAthentications=password yourserver" work? > When I try to connect, the connection is > immediately closed. When I setup public key authentication, I am able > to login using my public key. However password authentication seems to > be ignored. I attached debugging output from both the server and > client. As a long shot, try creating a /var/empty/lib directory (ie a "lib" dir in wherever you have sshd's privsep chroot configured) and see if that makes a difference. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From sgales at firewall.simonandchristy.com Thu May 12 08:10:36 2005 From: sgales at firewall.simonandchristy.com (Simon Gales) Date: Wed, 11 May 2005 17:10:36 -0500 (CDT) Subject: Need help with GSSAPI authentication In-Reply-To: <4281F95C.3020709@zip.com.au> References: <200505111106.j4BB6Jvs022053@firewall.simonandchristy.com> <4281F95C.3020709@zip.com.au> Message-ID: <4383.192.168.0.245.1115849436.squirrel@SimonAndChristy.Com> Thanks for the pointer. I'm past the missing include files problem, and ssh.exe now build without a problem (well, none I couldn't resolve, and I'm still working on sshd). But when I run this ssh.exe, it complains about the GSSAPI lines in the ssh_config file: $ ./ssh sgales at testsunblade.gales.org /usr/local/etc/ssh_config line 21: Unsupported option "GSSAPIAuthentication" /usr/local/etc/ssh_config line 22: Unsupported option "GSSAPIDelegateCredentials" sgales at testsunblade.gales.org's password: Any ideas? I've tried the OpenSSH from CygWin and from Openssh.org, results are the same. Configure is definitely building with Kerberos support... -S > Simon Gales wrote: >> I've also begun trying to build it myself, but I've never built anything >> under CygWin before, and it's slow going. Still trying to resolve >> errors >> from missing include files (arpa/nameser.h, resolv.h). > > The required packages for Cygwin are documented in README.platform and > contrib/cygwin/README. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From josterm at raytheon.com Thu May 12 13:13:42 2005 From: josterm at raytheon.com (Jason Ostermann) Date: Wed, 11 May 2005 22:13:42 -0500 Subject: Trusted IRIX Support Message-ID: <4282C9E6.1090604@raytheon.com> I'm working on integrating OpenSSH into Trusted IRIX. SGI has performed some manner of change and created their own binary distributions. Unfortunately, we have to wait until their quarterly release to get updated versions. To that end, I'd like to make the appropriate changes and feed them back into the main OpenSSH tree. I've started work and created a very quick-n-dirty hack to show it can work. I set this up using SGI's distribution of PAM. I'm also quite certain that this is not a complete fix. To my (limited) understanding, the following changes have to take place: 1) Change the MAC (Mandatory Access Control) label of the process to the label requested by the user. This is loaded by the SGI pam_mac module into the PAM envinronment variable "MAC". I'm assuming this should happen sometime around permanently_set_uid in uidswap.c. 2) Change the capabilities of the process to the capabilities requested by the user. This is loaded by the SGI pam_cap module into the PAM encironment variable "CAP". I'm also assuming this should happen sometime around permanently_set_uid in uidswap.c. 3) Ignore the sanity checks at the end of permanently_set_uid that ensures the user cannot change back to the prior uid. If they request, and are granted, the capabilities to do that, then it's ok. This works with UsePrivilegeSeparation set to OFF, and UseLogin set to OFF. In the Trusted OS realm, UsePrivilegeSeparation has little meaning. We have run with UseLogin set to ON previously, but this requires authenticating to ssh and to login, as SGI login does not support -f. In addition, failure lockout password controls are not enforced on the first password authentication. Using keys to avoid the initial password prompt is not feasable in our environment. Please let me know if this appears to hunt down the right track, and what manner I should provide a diff when the time comes. This is just an initial investigation at this point, and all that is tested is PasswordAuthentication and a basic user shell. Thanks, Jason From chidanand.gangur at gmail.com Thu May 12 15:46:35 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Thu, 12 May 2005 11:16:35 +0530 Subject: SSHD creates defunct process In-Reply-To: <20050511123131.GA4664@foo.birdnet.se> References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> Message-ID: I have tried various options upgrading PAM tweaking configuration files here and there went through the SSHD code but yet failed to resolve the problem. What is wrong in my configuration ?? is this problem related to libraries ? to which SSHD links? Please give me some clue. Thanks, Chidanand On 5/11/05, Peter Stuge wrote: > On Wed, May 11, 2005 at 11:41:44AM +0530, Chidanand Gangur wrote: > > I tried to trace SSHD using strace -fF as said before SSHd waits in > > select loop. When i connect I do not get login prompt to proceed > > further. > > Ah, ok, I understand. And what are the last 100 or so lines of output > at that point? > > > //Peter > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Chidanand Gangur Pune. From edivad73 at gmail.com Thu May 12 19:37:45 2005 From: edivad73 at gmail.com (davide) Date: Thu, 12 May 2005 11:37:45 +0200 Subject: problem ssh2 Message-ID: Hi, I have a problem for the ssh2, when i try to connect the verbose mode on the client stops the messages to the follow: Wait SSH2_MSG_KEXDH_REPLY after some minutes appear that the connection is timed out. How i'll do to reach the hosts in ssh2? Tahks D. From dtucker at zip.com.au Thu May 12 19:56:58 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 May 2005 19:56:58 +1000 Subject: problem ssh2 In-Reply-To: References: Message-ID: <4283286A.5090307@zip.com.au> davide wrote: > I have a problem for the ssh2, when i try to connect the verbose mode > on the client stops the messages to the follow: > > Wait SSH2_MSG_KEXDH_REPLY > > after some minutes appear that the connection is timed out. > How i'll do to reach the hosts in ssh2? There's a few things worth checking here: http://www.openssh.com/faq.html#3.3 but I would bet on this: http://www.snailbook.com/faq/mtu-mismatch.auto.html -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From thesource at ldb-jab.org Thu May 12 21:50:07 2005 From: thesource at ldb-jab.org (Lawrence Bowie) Date: Thu, 12 May 2005 07:50:07 -0400 Subject: problem ssh2 In-Reply-To: References: Message-ID: <428342EF.4070707@ldb-jab.org> It is timing out on a Key Exchange .. Has the server generated all the keys necessary to talk to any client using either DSA or RSA? Is this the only server this part hangs on or does it do it with all servers? Thanks, LDB davide wrote: >Hi, >I have a problem for the ssh2, when i try to connect the verbose mode >on the client stops the messages to the follow: > >Wait SSH2_MSG_KEXDH_REPLY > >after some minutes appear that the connection is timed out. >How i'll do to reach the hosts in ssh2? >Tahks >D. > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > > From dtucker at zip.com.au Thu May 12 22:23:17 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 May 2005 22:23:17 +1000 Subject: SSHD creates defunct process In-Reply-To: References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> Message-ID: <42834AB5.3030807@zip.com.au> Chidanand Gangur wrote: > I have tried various options upgrading PAM > tweaking configuration files here and there > went through the SSHD code 3.6.1p2 is a couple of years old and the PAM code in sshd has been significantly changed (improved, I hope :-). Did you build it from source yourself? What does the debug output from sshd give (ie "/path/to/sshd -ddde") for one of the problem connections? Does the problem occur with sshd from OpenSSH-4.0p1? > but yet failed to resolve the problem. What is wrong in my > configuration ?? is this problem related to libraries ? to which SSHD > links? Please give me some clue. Could be anything. When you mentioned "proprietary PAM module" you entered the realm of "there be dragons". -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From chidanand.gangur at gmail.com Thu May 12 23:59:45 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Thu, 12 May 2005 19:29:45 +0530 Subject: SSHD creates defunct process In-Reply-To: <42834AB5.3030807@zip.com.au> References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> Message-ID: you are right Darren I have built the SSHD from source code. My only concern is as mentioned before every thing goes well when i run SSHD in debug mode [./sshd -ddd] . I face problem when i run it as service. [./sshd]. Regarding my pam module I not doing great in it i have my implementation for pam_sm_authenticate rest of the pam_sm_* functions are empty, that is they just return PAM_SUCCESS. And from the logs in SSHD , pam module and rest of the programs i can make out user was authenticated and a success was sent to SSHD. Now I am plannig to put function entry log and function exit log in all sshd code so that i can see what actually went wrong. Is there any other method to achive it. Thanks, Chidanand On 5/12/05, Darren Tucker wrote: > Chidanand Gangur wrote: > > I have tried various options upgrading PAM > > tweaking configuration files here and there > > went through the SSHD code > > 3.6.1p2 is a couple of years old and the PAM code in sshd has been > significantly changed (improved, I hope :-). Did you build it from > source yourself? > > What does the debug output from sshd give (ie "/path/to/sshd -ddde") for > one of the problem connections? > > Does the problem occur with sshd from OpenSSH-4.0p1? > > > but yet failed to resolve the problem. What is wrong in my > > configuration ?? is this problem related to libraries ? to which SSHD > > links? Please give me some clue. > > Could be anything. When you mentioned "proprietary PAM module" you > entered the realm of "there be dragons". > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Chidanand Gangur Pune. From dtucker at zip.com.au Fri May 13 00:10:40 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 13 May 2005 00:10:40 +1000 Subject: SSHD creates defunct process In-Reply-To: References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> Message-ID: <428363E0.5060805@zip.com.au> Chidanand Gangur wrote: [some stuff, but not...] > On 5/12/05, Darren Tucker wrote: >>Does the problem occur with sshd from OpenSSH-4.0p1? You didn't answer this. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From chidanand.gangur at gmail.com Fri May 13 00:26:45 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Thu, 12 May 2005 19:56:45 +0530 Subject: SSHD creates defunct process In-Reply-To: <428363E0.5060805@zip.com.au> References: <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> <428363E0.5060805@zip.com.au> Message-ID: Darren I havent checked with the latest version ... I have made few changes in sshd code too and few of my colleuges also share the same SSHD version, I will suerly try out OpenSSH-4.0p1? On 5/12/05, Darren Tucker wrote: > Chidanand Gangur wrote: > [some stuff, but not...] > > On 5/12/05, Darren Tucker wrote: > >>Does the problem occur with sshd from OpenSSH-4.0p1? > > You didn't answer this. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Chidanand Gangur Pune. From stuge-openssh-unix-dev at cdy.org Fri May 13 01:53:12 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Thu, 12 May 2005 17:53:12 +0200 Subject: SSHD creates defunct process In-Reply-To: References: <20050510164445.GA1384@foo.birdnet.se> <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> Message-ID: <20050512155312.GA31963@foo.birdnet.se> On Thu, May 12, 2005 at 07:29:45PM +0530, Chidanand Gangur wrote: > you are right Darren I have built the SSHD from source code. My > only concern is as mentioned before every thing goes well when i > run SSHD in debug mode [./sshd -ddd] . I face problem when i run it > as service. [./sshd]. How about ./sshd -D ? //Peter From josterm at raytheon.com Fri May 13 06:49:04 2005 From: josterm at raytheon.com (Jason Ostermann) Date: Thu, 12 May 2005 15:49:04 -0500 Subject: [PATCH] Trusted IRIX Support Message-ID: <4283C140.6020303@raytheon.com> I developed a better prototype quicker than I expected. Please provide feedback. It's been a few years since I've used autoconf, so I'm not certain the new defines were integrated correctly. Jason diff -r -C3 openssh-4.0p1/acconfig.h openssh-4.0p1.trix/acconfig.h *** openssh-4.0p1/acconfig.h Fri Feb 25 17:07:38 2005 --- openssh-4.0p1.trix/acconfig.h Thu May 12 10:32:25 2005 *************** *** 146,151 **** --- 146,157 ---- /* Define if you want IRIX kernel jobs */ #undef WITH_IRIX_JOBS + /* Define if you want IRIX Capability support */ + #undef WITH_IRIX_CAP + + /* Define if you want IRIX MAC Label support (Trusted IRIX only!) */ + #undef WITH_IRIX_MAC + /* Location of PRNGD/EGD random number socket */ #undef PRNGD_SOCKET diff -r -C3 openssh-4.0p1/config.h.in openssh-4.0p1.trix/config.h.in *** openssh-4.0p1/config.h.in Tue Mar 8 22:54:14 2005 --- openssh-4.0p1.trix/config.h.in Thu May 12 12:56:15 2005 *************** *** 146,151 **** --- 146,157 ---- /* Define if you want IRIX kernel jobs */ #undef WITH_IRIX_JOBS + /* Define if you want IRIX Capability support */ + #undef WITH_IRIX_CAP + + /* Define if you want IRIX MAC Label support (Trusted IRIX only!) */ + #undef WITH_IRIX_MAC + /* Location of PRNGD/EGD random number socket */ #undef PRNGD_SOCKET diff -r -C3 openssh-4.0p1/configure.ac openssh-4.0p1.trix/configure.ac *** openssh-4.0p1/configure.ac Mon Mar 7 03:21:37 2005 --- openssh-4.0p1.trix/configure.ac Thu May 12 10:33:58 2005 *************** *** 241,246 **** --- 241,248 ---- AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) AC_DEFINE(WITH_IRIX_AUDIT) + AC_DEFINE(WITH_IRIX_CAP) + AC_DEFINE(WITH_IRIX_MAC) AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) AC_DEFINE(BROKEN_INET_NTOA) AC_DEFINE(SETEUID_BREAKS_SETUID) diff -r -C3 openssh-4.0p1/openbsd-compat/port-irix.c openssh-4.0p1.trix/openbsd-compat/port-irix.c *** openssh-4.0p1/openbsd-compat/port-irix.c Sat May 31 22:23:57 2003 --- openssh-4.0p1.trix/openbsd-compat/port-irix.c Thu May 12 13:01:58 2005 *************** *** 38,43 **** --- 39,51 ---- #ifdef WITH_IRIX_AUDIT # include #endif /* WITH_IRIX_AUDIT */ + #ifdef WITH_IRIX_CAP + # include + #endif /* WITH_IRIX_CAP */ + #ifdef WITH_IRIX_MAC + # include + # include + #endif /* WITH_IRIX_MAC */ void irix_setusercontext(struct passwd *pw) *************** *** 84,86 **** --- 92,144 ---- #endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ + + #ifdef WITH_IRIX_CAP + void + irix_set_cap(const char * cap_string) + { + cap_t running_cap; + if(cap_string == NULL) + fatal("irix_set_cap received NULL for input!"); + if(sysconf(_SC_CAP) != 0) { + debug("irix_set_cap: setting capability to %s",cap_string); + running_cap=cap_from_text(cap_string); + if(running_cap != NULL) { + if(cap_set_proc(running_cap) != 0) + fatal("Unable to set the process capability " + "set to %s!",cap_string); + cap_free(running_cap); + } + else + fatal("Unable to convert %s into a capability set!", + cap_string); + } + } + + #endif /* WITH_IRIX_CAP */ + + + #ifdef WITH_IRIX_MAC + void + irix_set_mac(const char * mac_string) + { + mac_t running_mac; + if(mac_string == NULL) + fatal("irix_set_mac received NULL for input!"); + if(sysconf(_SC_MAC) != 0) { + debug("irix_set_mac: setting mac label to %s",mac_string); + running_mac=mac_from_text(mac_string); + if(running_mac != NULL) { + if(mac_set_proc(running_mac) != 0) + fatal("Unable to set the process mac label " + "to %s!",mac_string); + mac_free(running_mac); + } + else + fatal("Unable to convert %s into a mac label!", + mac_string); + } + } + + #endif /* WITH_IRIX_MAC */ + diff -r -C3 openssh-4.0p1/session.c openssh-4.0p1.trix/session.c *** openssh-4.0p1/session.c Sun Mar 6 05:38:52 2005 --- openssh-4.0p1.trix/session.c Thu May 12 13:03:23 2005 *************** *** 1554,1559 **** --- 1554,1583 ---- #endif } + #ifdef WITH_IRIX_CAP + /* Set the user's capabilities before running their RC files!! + Only if we won't use login(1), as login handles setting + capabilities itself */ + if (!options.use_login) { + if(child_get_env(env,"CAP") == NULL) + irix_set_cap("all="); + else + irix_set_cap(child_get_env(env,"CAP")); + } + #endif /* WITH_IRIX_CAP */ + + #ifdef WITH_IRIX_MAC + /* Set the user's mac label before running their RC files!! + Only if we won't use login(1), as login handles setting + mac labels itself */ + if (!options.use_login) { + if(child_get_env(env,"MAC") == NULL) + irix_set_mac("all="); + else + irix_set_mac(child_get_env(env,"MAC")); + } + #endif /* WITH_IRIX_MAC */ + if (!options.use_login) do_rc_files(s, shell); diff -r -C3 openssh-4.0p1/uidswap.c openssh-4.0p1.trix/uidswap.c *** openssh-4.0p1/uidswap.c Tue Feb 22 00:57:13 2005 --- openssh-4.0p1.trix/uidswap.c Thu May 12 12:05:00 2005 *************** *** 202,207 **** --- 203,216 ---- fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); #endif + #ifdef WITH_IRIX_CAP + /* Don't want to perform the following checks on a system + that supports capabilities, because they may be valid + actions */ + if(sysconf(_SC_CAP != 0)) + return; + #endif /* WITH_IRIX_CAP */ + #ifndef HAVE_CYGWIN /* Try restoration of GID if changed (test clearing of saved gid) */ if (old_gid != pw->pw_gid && pw->pw_uid != 0 && From djm at mindrot.org Fri May 13 08:00:31 2005 From: djm at mindrot.org (Damien Miller) Date: Fri, 13 May 2005 08:00:31 +1000 Subject: SSHD creates defunct process In-Reply-To: References: <20050511031955.GD25402@foo.birdnet.se> <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> <428363E0.5060805@zip.com.au> Message-ID: <4283D1FF.90209@mindrot.org> Chidanand Gangur wrote: > Darren I havent checked with the latest version ... I have made few > changes in sshd code too and few of my colleuges also share the same > SSHD version, I will suerly try out OpenSSH-4.0p1? So, you use a old ssh version, to which you have made unspecified changes, on top of that you use a custom, unreleased PAM module, and you expect us to be willing and able to help you? Come on - if you are going to make changes to the code, then you have to be ready to fix on your own it when it breaks. -d From cgallek at gmail.com Fri May 13 08:12:09 2005 From: cgallek at gmail.com (Craig Gallek) Date: Thu, 12 May 2005 18:12:09 -0400 (EDT) Subject: Problems with PAM environments in ssh Message-ID: <19591.164.55.254.103.1115935929.squirrel@trapperhoney.dyndns.org> I?ve stumbled across a rather obscure problem with ssh. My machine is setup to use Kerberos authentication, i.e., I use the pam_krb5 module in the ssh auth section of the PAM configuration file and I have sshd compiled to accept valid Kerberos 5 tickets as well. I also use OpenAFS, so I?ve got the pam_openafs_session module in the ssh session section of the PAM configuration file. Everything works as expected when I log in as a user that has not yet obtained any Kerberos credentials. The pam_krb5 module successfully authenticates a user by prompting for a user name and password and obtains tickets. Then the pam_openafs_session module runs aklog and obtains AFS tokens. When connecting to the machine as a user who has already obtained valid Kerberos credentials, authentication occurs as expected (I?m not prompted for a password) but pam_openafs_session fails to obtain AFS tokens. I?m using ssh protocol 2, so token passing is not possible (as far as I can tell). pam_openafs_session fails because the KRB5CCNAME variable is not set in the PAM environment at the time the module is used. In the successful case of authenticating with pam_krb5 via a password, the pam_krb5 module successfully exports the KRB5CCNAME variable into the PAM environment during the auth phase. When authenticating with existing Kerberos credentials, the pam_sm_authenticate function in the auth module of pam_krb5 is never called by ssh, so it never has a chance to set KRB5CCNAME. sshd eventually exports the KRB5CCNAME variable into the PAM environment, but it doesn?t happen until the ssh_gssapi_krb5_storecred function, which occurs after the call to do_pam_session is made during the privsep_postauth process. Here an outline of the code in the main function of sshd.c that outlines the problem: authenticated: /* * In privilege separation, we fork another child and prepare * file descriptor passing. */ if (use_privsep) { /***** eventually calls do_pam_session *******/ privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) destroy_sensitive_data(); } /* Start session. */ /******** eventually sets KRB5CCNAME in the PAM env ********/ do_authenticated(authctxt); /* The connection has been terminated. */ verbose("Closing connection to %.100s", remote_ip); I?m not really sure what the proper solution to this problem is. Should the account module of pam_krb5 set this environment variable? Should sshd do it before calling the session code in pam_openafs_session?? Any suggestions are greatly appreciated. Thanks, Craig From dtucker at zip.com.au Fri May 13 08:26:11 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 13 May 2005 08:26:11 +1000 Subject: Problems with PAM environments in ssh In-Reply-To: <19591.164.55.254.103.1115935929.squirrel@trapperhoney.dyndns.org> References: <19591.164.55.254.103.1115935929.squirrel@trapperhoney.dyndns.org> Message-ID: <4283D803.2020306@zip.com.au> Craig Gallek wrote: > When connecting to the machine as a user who has already obtained valid > Kerberos credentials, authentication occurs as expected (I?m not prompted > for a password) but pam_openafs_session fails to obtain AFS tokens. I?m > using ssh protocol 2, so token passing is not possible (as far as I can > tell). pam_openafs_session fails because the KRB5CCNAME variable is not > set in the PAM environment at the time the module is used. What version is this? One of the changes for 4.0p1 was: - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From cgallek at gmail.com Fri May 13 08:36:19 2005 From: cgallek at gmail.com (Craig Gallek) Date: Thu, 12 May 2005 18:36:19 -0400 (EDT) Subject: Problems with PAM environments in ssh In-Reply-To: <4283D803.2020306@zip.com.au> References: <19591.164.55.254.103.1115935929.squirrel@trapperhoney.dyndns.org> <4283D803.2020306@zip.com.au> Message-ID: <23221.164.55.254.103.1115937379.squirrel@trapperhoney.dyndns.org> > Craig Gallek wrote: >> When connecting to the machine as a user who has already obtained valid >> Kerberos credentials, authentication occurs as expected (I?m not >> prompted >> for a password) but pam_openafs_session fails to obtain AFS tokens. I?m >> using ssh protocol 2, so token passing is not possible (as far as I can >> tell). pam_openafs_session fails because the KRB5CCNAME variable is not >> set in the PAM environment at the time the module is used. > > What version is this? One of the changes for 4.0p1 was: > > - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic > authentication early enough to be available to PAM session modules when > privsep=yes. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > I'm using Debian unstable, which is version 3.8.1p1-7. I'll try upgrading to the version you mentioned. Thanks, Craig From chidanand.gangur at gmail.com Fri May 13 15:30:21 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Fri, 13 May 2005 11:00:21 +0530 Subject: SSHD creates defunct process In-Reply-To: <4283D1FF.90209@mindrot.org> References: <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> <428363E0.5060805@zip.com.au> <4283D1FF.90209@mindrot.org> Message-ID: Hi Daimen Miller, I accept your disguize, but I really thought this mailing list which could help me to solve the problem. The changes in SSHD code is only in one file i.e session.c and that too it is a very simple change. The changes is just setting an envoirnment variable which is just an integer. I am using child_set_env function to achieve it. The main problem is the behaviour changes on machine to machine. On some machine i get error PAM faulty module pam_test.so PAM unable to dlopen pam_test.so PAM unable to dlopen pam_deny.so On some machine every thing goes fine end to end and surprisingly all the machines are standard RH 9 machines. Am I missing out some configuration. I havent changed standard sshd_config file. I have tweaked nsswitch.conf and /etc/pam.d/sshd file. Thanks, Chidanand On 5/13/05, Damien Miller wrote: > Chidanand Gangur wrote: > > Darren I havent checked with the latest version ... I have made few > > changes in sshd code too and few of my colleuges also share the same > > SSHD version, I will suerly try out OpenSSH-4.0p1? > > So, > > you use a old ssh version, > > to which you have made unspecified changes, > > on top of that you use a custom, unreleased PAM module, > > and you expect us to be willing and able to help you? > > Come on - if you are going to make changes to the code, then you have to > be ready to fix on your own it when it breaks. > > -d > -- Chidanand Gangur Pune. From djm at mindrot.org Fri May 13 21:04:43 2005 From: djm at mindrot.org (Damien Miller) Date: Fri, 13 May 2005 21:04:43 +1000 Subject: SSHD creates defunct process In-Reply-To: References: <4281833C.2040805@zip.com.au> <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> <428363E0.5060805@zip.com.au> <4283D1FF.90209@mindrot.org> Message-ID: <428489CB.6050401@mindrot.org> Chidanand Gangur wrote: > Hi Daimen Miller, > > I accept your disguize, but I really thought this mailing list which > could help me to solve the problem. > > The changes in SSHD code is only in one file i.e session.c and that > too it is a very simple change. The changes is just setting an > envoirnment variable which is just an integer. > I am using child_set_env function to achieve it. > > The main problem is the behaviour changes on machine to machine. On > some machine i get error > > PAM faulty module pam_test.so > PAM unable to dlopen pam_test.so > PAM unable to dlopen pam_deny.so Well, erratic behaviour like that might be indicative of a memory corruption problem somewhere. However, we still can't help you, because we can't replicate your configuration and you haven't even posted any debug traces. If you want to post and ask for help, you have to give us enough information to do more than guess at your problems. Start by sending your pam config, sshd_config, any configure options that you built with, details of your platform and a server debug ("sshd -ddd") trace. -d From seann at herdejurgen.com Fri May 13 21:53:31 2005 From: seann at herdejurgen.com (Seann Herdejurgen) Date: Fri, 13 May 2005 06:53:31 -0500 Subject: SSHD Feature Request Message-ID: <200505131153.j4DBrVKh007861@proxy.alphapager.org> With the increased number of "brute force" login attempts against port 22, I am concerned that an intruder may actually stumble accross a valid user/pass combination. To combat this, I would like to request an sshd_config option that would cause the running sshd parent process to keep track of login failures by IP address. If there are more than X number of login failures for a particular IP address over a fixed period of time, simply deny login to all attempts after the first X tries. While there is a possibility of creating a denial of service for a particular incoming IP address, one can workaround a temporarily blocked IP by attempting to login from a different IP address. Most people have access to more than one. Thoughts? Regards, Seann Herdejurgen seann at herdejurgen.com From djm at mindrot.org Fri May 13 22:02:32 2005 From: djm at mindrot.org (Damien Miller) Date: Fri, 13 May 2005 22:02:32 +1000 Subject: SSHD Feature Request In-Reply-To: <200505131153.j4DBrVKh007861@proxy.alphapager.org> References: <200505131153.j4DBrVKh007861@proxy.alphapager.org> Message-ID: <42849758.2090409@mindrot.org> Seann Herdejurgen wrote: > With the increased number of "brute force" login attempts against > port 22, I am concerned that an intruder may actually stumble accross > a valid user/pass combination. To combat this, I would like to > request an sshd_config option that would cause the running sshd > parent process to keep track of login failures by IP address. If > there are more than X number of login failures for a particular IP > address over a fixed period of time, simply deny login to all > attempts after the first X tries. We are pretty sure that we don't want to do this for a variety of reasons. But, that doesn't stop you from doing it with a little perl script that watches syslog and pokes addresses into your packet filter of choice. This has been discussed on the list a couple of times, pleast check the archives for more detailled comments. I have some other ideas on how to mitigate these attacks in sshd, hopefully I'll have time to implement them soon. -d From davidl at vintela.com Fri May 13 23:30:47 2005 From: davidl at vintela.com (David Leonard) Date: Fri, 13 May 2005 23:30:47 +1000 (EST) Subject: SSHD Feature Request In-Reply-To: <200505131153.j4DBrVKh007861@proxy.alphapager.org> References: <200505131153.j4DBrVKh007861@proxy.alphapager.org> Message-ID: On Fri, 13 May 2005, Seann Herdejurgen wrote: > a valid user/pass combination. To combat this, I would like to request > an sshd_config option that would cause the running sshd parent process > to keep track of login failures by IP address. If there are more than X > number of login failures for a particular IP address over a fixed period > of time, simply deny login to all attempts after the first X tries. check out pam_tally. I've not used it but googling shows some reports of success with ssh. -- David Leonard Resource Central software engineer Vintela Inc.; Brisbane, Australia VoIP: US: 801-655-2755 AU: 07-3023-5133 From mprice at hst.nasa.gov Fri May 13 22:34:08 2005 From: mprice at hst.nasa.gov (Michael A. Price) Date: Fri, 13 May 2005 08:34:08 -0400 Subject: ssh_exchange_identification error In-Reply-To: <4284958A.9080203@hst.nasa.gov> References: <4284958A.9080203@hst.nasa.gov> Message-ID: <42849EC0.4070802@hst.nasa.gov> > > Hello, > > I hope you guys can help, I have searched all around the internet for > the answer to this problem, with no help. > > > OS: Win2k Sp4 Server > > I have installed and uninstalled OpenSSH manually and through the > uninstall script a number of times with no luck. > > I think this problem came about during an IP change of the server, but > I have changed it back to hopefully fix the problem with no luck. > > The OpenSSH service is configured to start on boot automatically in > the OS. But when I reboot the server I can not ssh into the system > from another system or locally. > The error I get back is ssh_exchange_identification on the client > side. To fix this problem, I log into the server and bring up the DOS > Prompt and restart the service with the following commands: > > net stop opensshd > net start opensshd > > > And then it works great, we run this service on many systems with no > problems.... > > Please help, michael a. price > > > > > -- From cgallek at gmail.com Sat May 14 10:50:03 2005 From: cgallek at gmail.com (Craig Gallek) Date: Fri, 13 May 2005 20:50:03 -0400 Subject: Problems with PAM environments in ssh In-Reply-To: <4283D803.2020306@zip.com.au> References: <19591.164.55.254.103.1115935929.squirrel@trapperhoney.dyndns.org> <4283D803.2020306@zip.com.au> Message-ID: <1116031803.4244.1.camel@hotrod.angrydoughnuts.com> On Fri, 2005-05-13 at 08:26 +1000, Darren Tucker wrote: > What version is this? One of the changes for 4.0p1 was: > > - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic > authentication early enough to be available to PAM session modules when > privsep=yes. This change fixed my problem. Thanks again, Craig From dtucker at zip.com.au Sat May 14 10:50:04 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 14 May 2005 10:50:04 +1000 Subject: SSHD Feature Request In-Reply-To: References: <200505131153.j4DBrVKh007861@proxy.alphapager.org> Message-ID: <42854B3C.9010704@zip.com.au> David Leonard wrote: > On Fri, 13 May 2005, Seann Herdejurgen wrote: > >>a valid user/pass combination. To combat this, I would like to request >>an sshd_config option that would cause the running sshd parent process >>to keep track of login failures by IP address. If there are more than X >>number of login failures for a particular IP address over a fixed period >>of time, simply deny login to all attempts after the first X tries. > > > check out pam_tally. I've not used it but googling shows some reports of > success with ssh. Also pam_abl. It allows blocking by source IP not just by account. http://www.hexten.net/sw/pam_abl/index.mhtml -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bob at proulx.com Sat May 14 13:48:02 2005 From: bob at proulx.com (Bob Proulx) Date: Fri, 13 May 2005 21:48:02 -0600 Subject: SSHD Feature Request In-Reply-To: <42854B3C.9010704@zip.com.au> References: <200505131153.j4DBrVKh007861@proxy.alphapager.org> <42854B3C.9010704@zip.com.au> Message-ID: <20050514034802.GB30647@dementia.proulx.com> Darren Tucker wrote: > David Leonard wrote: > >On Fri, 13 May 2005, Seann Herdejurgen wrote: > >>a valid user/pass combination. To combat this, I would like to request > >>an sshd_config option that would cause the running sshd parent process > >>to keep track of login failures by IP address. If there are more than X > >>number of login failures for a particular IP address over a fixed period > >>of time, simply deny login to all attempts after the first X tries. > > > >check out pam_tally. I've not used it but googling shows some reports of > >success with ssh. > > Also pam_abl. It allows blocking by source IP not just by account. > http://www.hexten.net/sw/pam_abl/index.mhtml Also port knocking is an interesting technique if you are concerned about this. http://shorewall.net/PortKnocking.html Bob From dtucker at zip.com.au Sun May 15 14:56:20 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 15 May 2005 14:56:20 +1000 Subject: OpenSSH 4.0p1 ignoring password authentication In-Reply-To: References: <42828014.3070406@zip.com.au> Message-ID: <4286D674.3030103@zip.com.au> kareemy wrote: [...] > Making a lib directory does not work. I also found that when I set > UseDNS to no in the sshd_config file that everything works as > expected. Is it safe to keep that config setting? It sounds an awful lot like this which is a bug in glibc: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=111061843820265 You can try the test program at the above URL to confirm. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From hadmut at danisch.de Sun May 15 21:59:53 2005 From: hadmut at danisch.de (Hadmut Danisch) Date: Sun, 15 May 2005 13:59:53 +0200 Subject: Host verification problem Message-ID: <20050515115953.GA3414@danisch.de> Hi, I have a problem with the host verification of ssh in several networks of the same structure: In all cases there is a router or a firewall with an official IP address, making the ssh-ports of several hosts with RFC1918-addresses available through NAT or TCP forwarding. Thus, different hosts appear on the same IP address, just with different ports. Since SSH uses the IP address but not the port to verify the peer host, ssh always blocks/warns when connecting to a different port since it detects a changed host key. This means to edit the host key file every time or to ommit host key validation. Please store the host keys based on hostname/IP and port number. regards Hadmut From dtucker at zip.com.au Sun May 15 22:30:27 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 15 May 2005 22:30:27 +1000 Subject: Host verification problem In-Reply-To: <20050515115953.GA3414@danisch.de> References: <20050515115953.GA3414@danisch.de> Message-ID: <428740E3.4010801@zip.com.au> Hadmut Danisch wrote: [...] > Since SSH uses the IP address but not the port to verify the peer > host, ssh always blocks/warns when connecting to a different port > since it detects a changed host key. This means to edit the host key > file every time or to ommit host key validation. Or use a HostKeyAlias in your ssh_config, eg, for hosts "server1" and "server2" behind ports 2222 and 2223 of "gateway": Host server1 Hostname gateway Port 2222 HostKeyAlias server1 Host server2 Hostname gateway Port 2223 HostKeyAlias server2 > Please store the host keys based on hostname/IP and port number. See: http://bugzilla.mindrot.org/show_bug.cgi?id=910 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From hadmut at danisch.de Mon May 16 01:10:04 2005 From: hadmut at danisch.de (Hadmut Danisch) Date: Sun, 15 May 2005 17:10:04 +0200 Subject: Host verification problem In-Reply-To: <428740E3.4010801@zip.com.au> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> Message-ID: <20050515151004.GA10520@danisch.de> On Sun, May 15, 2005 at 10:30:27PM +1000, Darren Tucker wrote: > > Or use a HostKeyAlias in your ssh_config, eg, for hosts "server1" and > "server2" behind ports 2222 and 2223 of "gateway": Which still requires to enter an entry in the ssh_config file. > See: http://bugzilla.mindrot.org/show_bug.cgi?id=910 I had a glance on this and also on bug 393. It's an awful and silly discussion. HostKeyAlias is not a solution, it is just a workaround for an unfixed bug. For some reasons, which none of them does convince me, some people seem to insist on not fixing this bug. Strange. Reality shows that there are more people out there having more than one ssh daemon available at a single IP address. This might be considered as odd, but that's how it is since the world started to use RFC1918 address ranges and IP connections with limited address space. On the other hand, ssh was designed at a time before RFC1918 was issued. Insisting on the old one host - one ip address - one ssh key model is a bit like my grandfather who never accepted the way cars were designed after the 1950s. It's time for ssh to reach the NAT and Port-forwarding age. And by the way: A reverse lookup (unknown IP but host key found in the list) wouldn't be that bad for dynamically assigned IP addresses (e.g. ppp, dhcp). regards Hadmut From gert at greenie.muc.de Mon May 16 07:43:12 2005 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 15 May 2005 23:43:12 +0200 Subject: Host verification problem In-Reply-To: <20050515151004.GA10520@danisch.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> Message-ID: <20050515214312.GG7864@greenie.muc.de> Hi, On Sun, May 15, 2005 at 05:10:04PM +0200, Hadmut Danisch wrote: > It's time for ssh to reach the NAT and Port-forwarding age. If you want to argue that way: it's time to go to IPv6, and leave NAT behind. NAT is not an answer, NAT is a question - and the answer is "no". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From hadmut at danisch.de Mon May 16 07:56:03 2005 From: hadmut at danisch.de (Hadmut Danisch) Date: Sun, 15 May 2005 23:56:03 +0200 Subject: Host verification problem In-Reply-To: <20050515214312.GG7864@greenie.muc.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> <20050515214312.GG7864@greenie.muc.de> Message-ID: <20050515215603.GA3715@danisch.de> On Sun, May 15, 2005 at 11:43:12PM +0200, Gert Doering wrote: > > If you want to argue that way: it's time to go to IPv6, and leave NAT > behind. > Oh great. Would you please make all the involved providers, machines, and firewalls use IPv6 next week? This is one of the most stupid answers I've ever got. Security by ignorance. Do you really believe a security tool like ssh is the place to fight your personal religious war? Is ssh your crusade against IPv4? Hadmut (BTW: Have a look at Bruce Schneier's latest cryptogram. He is pointing out a security problem with the host key file. Maybe it would be better to care about security than to dance around the holy grail IPv6. Most providers don't even have plans to invent it. Focus on security, not religion.) From gert at greenie.muc.de Mon May 16 08:01:12 2005 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 16 May 2005 00:01:12 +0200 Subject: Host verification problem In-Reply-To: <20050515215603.GA3715@danisch.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> <20050515214312.GG7864@greenie.muc.de> <20050515215603.GA3715@danisch.de> Message-ID: <20050515220112.GH7864@greenie.muc.de> Hi, On Sun, May 15, 2005 at 11:56:03PM +0200, Hadmut Danisch wrote: > On Sun, May 15, 2005 at 11:43:12PM +0200, Gert Doering wrote: > > > > If you want to argue that way: it's time to go to IPv6, and leave NAT > > behind. > > Oh great. Would you please make all the involved providers, machines, > and firewalls use IPv6 next week? My provider, machines, and firewalls do IPv6 just fine. > This is one of the most stupid answers I've ever got. > Security by ignorance. This has nothing to do with "security by ignorance". You're the one that tells us "NAT is a great thing" - it isn't. It's a major pain, and you're feeling some of it by trying to hack around it. You don't want to understand that *NAT* is the cause of your pain, not ssh. Even if you assume IPv6 won't happen - there still are better solutions than to go with NAT (and with a reasonable ISP you can even today get any amount of IPv4 addresses if you can document the need). > Do you really believe a security tool like ssh is the place to > fight your personal religious war? *I* didn't start argueing with "assumptions of the past". > (BTW: Have a look at Bruce Schneier's latest cryptogram. He is > pointing out a security problem with the host key file. Maybe it would > be better to care about security than to dance around the > holy grail IPv6. Most providers don't even have plans to invent it. > Focus on security, not religion.) The SSH developers do (focus on security). They have an answer for you. You don't like the answer. Who is religious here? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From djm at mindrot.org Mon May 16 13:27:05 2005 From: djm at mindrot.org (Damien Miller) Date: Mon, 16 May 2005 13:27:05 +1000 Subject: Host verification problem In-Reply-To: <20050515215603.GA3715@danisch.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> <20050515214312.GG7864@greenie.muc.de> <20050515215603.GA3715@danisch.de> Message-ID: <42881309.9000506@mindrot.org> Hadmut Danisch wrote: [blah blah deleted] > (BTW: Have a look at Bruce Schneier's latest cryptogram. He is > pointing out a security problem with the host key file. Arguably, the problem is not with ssh at all but with users who choose weak host passwords / passphrases on public keys and the admins that allow this behaviour. > Maybe it would > be better to care about security than to dance around the > holy grail IPv6. Most providers don't even have plans to invent it. > Focus on security, not religion.) I see that you didn't pay attention long enough to get to the part where he mentions that this problem is fixed. -d From djm at mindrot.org Mon May 16 13:32:18 2005 From: djm at mindrot.org (Damien Miller) Date: Mon, 16 May 2005 13:32:18 +1000 Subject: Host verification problem In-Reply-To: <20050515151004.GA10520@danisch.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> Message-ID: <42881442.6010005@mindrot.org> Hadmut Danisch wrote: >>See: http://bugzilla.mindrot.org/show_bug.cgi?id=910 > > > I had a glance on this and also on bug 393. > It's an awful and silly discussion. [blah blah blah] If you care enough to write rants at the developers, then you should care enough to test the patch attached to the bug. > And by the way: A reverse lookup (unknown IP but host key found in the > list) wouldn't be that bad for dynamically assigned IP addresses (e.g. > ppp, dhcp). reverse dns can lie. -d From hadmut at danisch.de Mon May 16 20:55:42 2005 From: hadmut at danisch.de (Hadmut Danisch) Date: Mon, 16 May 2005 12:55:42 +0200 Subject: Host verification problem In-Reply-To: <20050515220112.GH7864@greenie.muc.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> <20050515214312.GG7864@greenie.muc.de> <20050515215603.GA3715@danisch.de> <20050515220112.GH7864@greenie.muc.de> Message-ID: <20050516105542.GA25673@danisch.de> On Mon, May 16, 2005 at 12:01:12AM +0200, Gert Doering wrote: > > My provider, machines, and firewalls do IPv6 just fine. > What a crap... Is this what you base your security design on? Hadmut From hadmut at danisch.de Mon May 16 21:01:02 2005 From: hadmut at danisch.de (Hadmut Danisch) Date: Mon, 16 May 2005 13:01:02 +0200 Subject: Host verification problem In-Reply-To: <42881442.6010005@mindrot.org> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> <42881442.6010005@mindrot.org> Message-ID: <20050516110102.GB25673@danisch.de> On Mon, May 16, 2005 at 01:32:18PM +1000, Damien Miller wrote: > > If you care enough to write rants at the developers, then you should > care enough to test the patch attached to the bug. > > >And by the way: A reverse lookup (unknown IP but host key found in the > >list) wouldn't be that bad for dynamically assigned IP addresses (e.g. > >ppp, dhcp). > > reverse dns can lie. And you should read what I write before critizing it. I didn't write anything about *DNS*. I was talking about host keys. If you connect to an IP address not known in the host file yet, ssh could look in the list of known host keys whether the key is known and give the user the name of the machine instead of just a hex string. What does this have to do with DNS? Hadmut From dtucker at zip.com.au Mon May 16 22:25:54 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 16 May 2005 22:25:54 +1000 Subject: Host verification problem In-Reply-To: <20050515151004.GA10520@danisch.de> References: <20050515115953.GA3414@danisch.de> <428740E3.4010801@zip.com.au> <20050515151004.GA10520@danisch.de> Message-ID: <42889152.5000706@zip.com.au> Hadmut Danisch wrote: > On Sun, May 15, 2005 at 10:30:27PM +1000, Darren Tucker wrote: >>Or use a HostKeyAlias in your ssh_config, eg, for hosts "server1" and >>"server2" behind ports 2222 and 2223 of "gateway": > > Which still requires to enter an entry in the ssh_config > file. Well, no, you could use "ssh -o HostKeyAlias=foo server". If you meant that you have to provide an additional parameter somehow, then that's true. What I was replying to, however, was the statement: "This means to edit the host key file every time or to ommit host key validation" which is not correct. [and in a later message] > Security by ignorance. Out of curiosity, how would you describe a situation where someone disables authenticity checks rather than use an existing mechanism whereby they can be maintainted? [and later message still] > And you should read what I write before critizing it. When you read the bug I first referred you to (#910) and got to the part where I attached an updated patch[1] the day before you sent your first message, how did the testing of that patch go? [1] based on an earlier one by Devin Nate -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From KhatirSaiyed at templeinland.com Tue May 17 14:31:42 2005 From: KhatirSaiyed at templeinland.com (Saiyed, Khatir) Date: Mon, 16 May 2005 23:31:42 -0500 Subject: Building openssh4.0p1 on AIX 5.3 with openssl 0.9.7g and tcp_wrapper Message-ID: <5A9545205976F94684E67FF4BB5C35AF0A43C21D@tfpadcntex01.templeinland.com> Hi all, Would appreciate if you can help me resolve this issue. I'm getting following error on running configure: The library libcrypto.a is under "/opt/freeware/lib" and is the only instance of libcrypto.a. And I'm using IBM AIX C compiler 6.0. configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) *** CONFIGURE $ ./configure --prefix=/home/ksaiyed/ssh --sysconfdir=/etc/ssh --with- tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-ssl-dir=/opt/freeware/ssl -- with-zlib=/opt/freeware/include --with-libs=-L/opt/freeware/lib Excerpts from config.log +14369 configure:13739: cc -o conftest -g -I/opt/freeware/ssl -I/opt/freeware/i nclude -L/opt/freeware/ssl -L/opt/freeware/include conftest.c -lcrypto -lz -L /opt/freeware/lib >&5 +14370 ld: 0711-317 ERROR: Undefined symbol: .RAND_add +14371 ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more inform ation. +14372 configure:13745: $? = 8 +14373 configure: failed program was: +14532 | char RAND_add (); +14533 | int +14534 | main () +14535 | { +14536 | RAND_add (); +14537 | ; +14538 | return 0; +14539 | } +14540 configure:13798: cc -o conftest -g -I/usr/local/ssl/include -I/opt/freew are/include -L/usr/local/ssl/lib -L/opt/freeware/include conftest.c -lcrypto - lz -L/opt/freeware/lib >&5 +14541 ld: 0711-317 ERROR: Undefined symbol: .RAND_add ation. ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more inform +14543 configure:13804: $? = 8 +14544 configure: failed program was: +14545 | /* confdefs.h. */ +14703 | char RAND_add (); +14704 | int +14705 | main () +14706 | { +14707 | RAND_add (); +14708 | ; +14709 | return 0; +14710 | } +14711 configure:13828: error: *** Can't find recent OpenSSL libcrypto (see con fig.log for details) *** Thanks for your time and efforts. Khatir Saiyed Temple-Inland Corporate Services UNIX Administration khatirsaiyed at templeinland.com (512) 434-8055 ********** Confidentiality Notice ********** This electronic transmission and any attached documents or other writings are confidential and are for the sole use of the intended recipient(s) identified above. This message may contain information that is privileged, confidential or otherwise protected from disclosure under applicable law. If the receiver of this information is not the intended recipient, or the employee, or agent responsible for delivering the information to the intended recipient, you are hereby notified that any use, reading, dissemination, distribution, copying or storage of this information is strictly prohibited. If you have received this information in error, please notify the sender by return email and delete the electronic transmission, including all attachments from your system. From jmc at avon.xisl.com Tue May 17 20:56:50 2005 From: jmc at avon.xisl.com (John M Collins) Date: Tue, 17 May 2005 11:56:50 +0100 Subject: Blacklisting repeated login tries Message-ID: <200505171056.j4HAuoSh016498@avon.xisl.com> Please CC jmc AT xisl.com on any reply as I'm not subscribed. We are getting several thousand login tries daily all from the same IP each try. It would be a great help to automatically refuse connections from a given IP after a certain number of failed login attempts. I was thinking of doing that myself but if anyone else is about to do it or has done it please let me know. Thanks. John Collins Xi Software Ltd www.xisl.com From L.T.Lowe at hep.ph.bham.ac.uk Wed May 18 01:04:18 2005 From: L.T.Lowe at hep.ph.bham.ac.uk (L.T.Lowe at hep.ph.bham.ac.uk) Date: Tue, 17 May 2005 16:04:18 +0100 (BST) Subject: feature: RequiredAuthentications Message-ID: Hi, probably an ignorant question, maybe I'm missing something ... Is there a way for a sshd server to be able to enforce both client host key authentication as well as user authentication, say for roving user-administered laptops. So a sysadmin can restrict access to allow only client hosts which can pass the HostbasedAuthentication tests, whatever the current IP name/address, but still insist on the user authenticating themselves (by password say). Is this possible? I see there's a SSH2 configuration of RequiredAuthentications which might allow the sysadmin to specify two authentications required, but it's not in openssh is it, and maybe it doesn't do what I want anyway? Thanks in advance, Lawrence. -- Tel: 0121 414 4621 Fax: 0121 414 6709 Email: L.S.Lowe at bham.ac.uk From bob at proulx.com Wed May 18 01:46:45 2005 From: bob at proulx.com (Bob Proulx) Date: Tue, 17 May 2005 09:46:45 -0600 Subject: feature: RequiredAuthentications In-Reply-To: References: Message-ID: <20050517154645.GB8851@dementia.proulx.com> L.T.Lowe at hep.ph.bham.ac.uk wrote: > Is there a way for a sshd server to be able to enforce both > client host key authentication as well as user authentication, > say for roving user-administered laptops. > So a sysadmin can restrict access to allow only client hosts > which can pass the HostbasedAuthentication tests, > whatever the current IP name/address, but still insist on the user > authenticating themselves (by password say). Is this possible? I turn off password authentification and enforce use of rsa keys. The sshd config option is: PasswordAuthentication no This is slightly different than you propose but I think has a higher utility. I can switch laptops as long as I am using the same user key. Bob From senthilkumar_sen at hotpop.com Wed May 18 03:04:56 2005 From: senthilkumar_sen at hotpop.com (Senthil Kumar) Date: Tue, 17 May 2005 22:34:56 +0530 Subject: SSHD Feature Request References: <200505131153.j4DBrVKh007861@proxy.alphapager.org> <42849758.2090409@mindrot.org> Message-ID: <5bd701c55b02$9d02b630$220110ac@sekco> Damien Miller wrote: > We are pretty sure that we don't want to do this for a variety of > reasons. But, that doesn't stop you from doing it with a little > perl script that watches syslog and pokes addresses into your packet > filter of choice. > > This has been discussed on the list a couple of times, pleast check the > archives for more detailled comments. > > I have some other ideas on how to mitigate these attacks in sshd, > hopefully I'll have time to implement them soon. > Could you please share your idea so that I have better understanding on avoiding such attacks and also if possible I like to involve in the implementation. Thanks, Senthil Kumar. From djm at mindrot.org Wed May 18 13:20:20 2005 From: djm at mindrot.org (Damien Miller) Date: Wed, 18 May 2005 13:20:20 +1000 Subject: feature: RequiredAuthentications In-Reply-To: References: Message-ID: <428AB474.1000100@mindrot.org> L.T.Lowe at hep.ph.bham.ac.uk wrote: > Hi, probably an ignorant question, maybe I'm missing something ... > > Is there a way for a sshd server to be able to enforce both > client host key authentication as well as user authentication, > say for roving user-administered laptops. > So a sysadmin can restrict access to allow only client hosts > which can pass the HostbasedAuthentication tests, > whatever the current IP name/address, but still insist on the user > authenticating themselves (by password say). Is this possible? No, but see http://bugzilla.mindrot.org/show_bug.cgi?id=983 From djm at mindrot.org Wed May 18 13:21:13 2005 From: djm at mindrot.org (Damien Miller) Date: Wed, 18 May 2005 13:21:13 +1000 Subject: Blacklisting repeated login tries In-Reply-To: <200505171056.j4HAuoSh016498@avon.xisl.com> References: <200505171056.j4HAuoSh016498@avon.xisl.com> Message-ID: <428AB4A9.7060304@mindrot.org> John M Collins wrote: > Please CC jmc AT xisl.com on any reply as I'm not subscribed. > We are getting several thousand login tries daily all from the same IP each > try. > > It would be a great help to automatically refuse connections from a given IP > after a certain number of failed login attempts. Please check the list archives for past discussion on this request. -d From waspswarm at gmail.com Wed May 18 15:55:53 2005 From: waspswarm at gmail.com (scott rankin) Date: Tue, 17 May 2005 22:55:53 -0700 Subject: make tests failures (agent.sh) Message-ID: <489b43e2050517225515d13d62@mail.gmail.com> Hello, I recently setup a CentOS 4.0 box (a derivative of RH). I downloaded a 4.0p1 tarball of OpenSSH and grabbed OpenSSL 0.9.7e. I configured OpenSSL with, $ ./Configure no-idea no-rc5 shared linux-pentium and it built fine. I didn't do a make install. I then configured OpenSSH. Here is a snippet of config.log: [scott at choke openssh-4.0p1]$ less config.log ... This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by OpenSSH configure Portable, which was generated by GNU Autoconf 2.59. Invocation command line was $ ./configure --prefix=/home/scott --with-ssl-dir=/home/scott/src/openssl-0.9.7e I would be happy to send the full config.log if it would help. I had to set the LD_LIBRARY_PATH to include this directory as just using --with-ssl-dir=[path_to_my_libcrypto] didn't work. Configure would complain about the OpenSSL header not matching the library. I hacked out the conftest.c that was failing in configure, added -H and -v to CPPFLAGS and built it as a small app and ran ldd on it and it reported that libcrypto was from /usr/lib. Hmm. The ld and gcc manual pages sure seem to imply that if you pass -L and a path that that is the path that is searched for libraries to link against. Sorry, I have digressed. I will look at this further. Anyway, the main point/problem I am seeing is in make tests: [scott at choke openssh-4.0p1]$ make tests [trim] run test agent.sh ... ssh-add -l via agent fwd proto 1 failed (exit code 0) /home/scott/src/openssh-4.0p1/ssh: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory agent fwd proto 1 failed (exit code 0) ssh-add -l via agent fwd proto 2 failed (exit code 0) /home/scott/src/openssh-4.0p1/ssh: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory agent fwd proto 2 failed (exit code 0) failed simple agent test make[1]: *** [t-exec] Error 1 make[1]: Leaving directory `/home/scott/src/openssh-4.0p1/regress' make: *** [tests] Error 2 [scott at choke openssh-4.0p1]$ Here is some information from ldd: [scott at choke openssh-4.0p1]$ ldd ./ssh-agent libresolv.so.2 => /lib/libresolv.so.2 (0x009b5000) libcrypto.so.0.9.7 => /home/scott/src/openssl-0.9.7e/libcrypto.so.0.9.7(0x00c71000) libutil.so.1 => /lib/libutil.so.1 (0x00bcd000) libz.so.1 => /usr/lib/libz.so.1 (0x003f2000) libnsl.so.1 => /lib/libnsl.so.1 (0x06b46000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x06b77000) libc.so.6 => /lib/tls/libc.so.6 (0x001c3000) libdl.so.2 => /lib/libdl.so.2 (0x00313000) /lib/ld-linux.so.2 (0x001aa000) [scott at choke openssh-4.0p1]$ ldd ./ssh-add libresolv.so.2 => /lib/libresolv.so.2 (0x009b5000) libcrypto.so.0.9.7 => /home/scott/src/openssl-0.9.7e/libcrypto.so.0.9.7(0x00670000) libutil.so.1 => /lib/libutil.so.1 (0x00bcd000) libz.so.1 => /usr/lib/libz.so.1 (0x003f2000) libnsl.so.1 => /lib/libnsl.so.1 (0x06b46000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x06b77000) libc.so.6 => /lib/tls/libc.so.6 (0x001c3000) libdl.so.2 => /lib/libdl.so.2 (0x00313000) /lib/ld-linux.so.2 (0x001aa000) [scott at choke openssh-4.0p1]$ ldd ./ssh libresolv.so.2 => /lib/libresolv.so.2 (0x009b5000) libcrypto.so.0.9.7 => /home/scott/src/openssl-0.9.7e/libcrypto.so.0.9.7(0x00de5000) libutil.so.1 => /lib/libutil.so.1 (0x00bcd000) libz.so.1 => /usr/lib/libz.so.1 (0x003f2000) libnsl.so.1 => /lib/libnsl.so.1 (0x06b46000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x06b77000) libc.so.6 => /lib/tls/libc.so.6 (0x001c3000) libdl.so.2 => /lib/libdl.so.2 (0x00313000) /lib/ld-linux.so.2 (0x001aa000) [scott at choke openssh-4.0p1]$ ls -l /home/scott/src/openssl-0.9.7e/libcrypto.so.0.9.7 -rwxrwxr-x 1 scott scott 1183316 May 17 09:41 /home/scott/src/openssl-0.9.7e/libcrypto.so.0.9.7 [scott at choke openssh-4.0p1]$ gcc --version gcc (GCC) 3.4.3 20041212 (Red Hat 3.4.3-9.EL4) Copyright (C) 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. I did a quick scan in bugzilla and didn't see anything. I searched the mailing list archives and found this [1]. This test failure seems like the same beast. Do I need to specify something else to configure? cheers, scott [1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108246995620226&w=2 From dtucker at zip.com.au Wed May 18 17:17:31 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 18 May 2005 17:17:31 +1000 Subject: make tests failures (agent.sh) In-Reply-To: <489b43e2050517225515d13d62@mail.gmail.com> References: <489b43e2050517225515d13d62@mail.gmail.com> Message-ID: <428AEC0B.5060706@zip.com.au> scott rankin wrote: > $ ./configure --prefix=/home/scott --with-ssl-dir=/home/scott/src/openssl-0.9.7e > > I would be happy to send the full config.log if it would help. > > I had to set the LD_LIBRARY_PATH to include this directory as just > using --with-ssl-dir=[path_to_my_libcrypto] didn't work. [...] > run test agent.sh ... > ssh-add -l via agent fwd proto 1 failed (exit code 0) > /home/scott/src/openssh-4.0p1/ssh: error while loading shared > libraries: libcrypto.so.0.9.7: cannot open shared object file: No such > file or directory [also, "OpenSSL headers do not match library" errors] Configure may be getting confused by the combination of options, or possibly you didn't hit quite the right combination. Try setting everything explicitly, eg (untested): $ LD_LIBRARY_PATH=/home/scott/src/openssl-0.9.7e:/usr/lib:/lib $ export LD_LIBRARY_PATH $ ./configure --prefix=/home/scott \ --with-cflags=-I/home/scott/src/openssl-0.9.7e \ --with-ldflags=-L/home/scott/src/openssl-0.9.7e $ make && make tests The other thing to consider is that some of the commands are run via ssh/sshd. For those, LD_LIBRARY_PATH will be set by your shell as part of its startup procedure. For those, the only option is to either alter your shell startup to include your ssl dir in LD_LIBRARY_PATH, or force your linker to link against the static libcrypto libraries. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Wed May 18 18:36:00 2005 From: djm at mindrot.org (Damien Miller) Date: Wed, 18 May 2005 18:36:00 +1000 Subject: Blacklisting repeated login tries In-Reply-To: <1116400348.13210.20.camel@caveman.xisl.com> References: <200505171056.j4HAuoSh016498@avon.xisl.com> <428AB4A9.7060304@mindrot.org> <1116400348.13210.20.camel@caveman.xisl.com> Message-ID: <428AFE70.3040908@mindrot.org> John M Collins wrote: > I did. I checked through the threads for the past year and couldn't see > anything which seemed to address this question. The last one was less than a week ago: http://www.mindrot.org/pipermail/openssh-unix-dev/2005-May/023221.html > I don't think my enquiry was an unreasonable one. I don't think that referring someone to check past history before we answer the same question again is unreasonable. -d From openssh at roumenpetrov.info Wed May 18 19:17:16 2005 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Wed, 18 May 2005 12:17:16 +0300 (EEST) Subject: make tests failures (agent.sh) In-Reply-To: <489b43e2050517225515d13d62@mail.gmail.com> References: <489b43e2050517225515d13d62@mail.gmail.com> Message-ID: <37293.213.91.169.3.1116407836.squirrel@srv04.zergon.net> > Hello, > I recently setup a CentOS 4.0 box (a derivative of RH). > > I downloaded a 4.0p1 tarball of OpenSSH and grabbed OpenSSL 0.9.7e. I > [SNIP] > I then configured OpenSSH. > [SNIP] > $ ./configure --prefix=/home/scott > --with-ssl-dir=/home/scott/src/openssl-0.9.7e > [SNIP] > ssh-add -l via agent fwd proto 2 failed (exit code 0) > /home/scott/src/openssh-4.0p1/ssh: error while loading shared > libraries: libcrypto.so.0.9.7: cannot open shared object file: No such > file or directory > agent fwd proto 2 failed (exit code 0) > [SNIP] > Do I need to specify something else to configure? Yes, run-time library search path. As example for gcc compiler with the GNU ld linker: LDFLAGS='-Wl,-rpath,/home/scott/src/openssl-0.9.7e \ ./configure ... From djm at mindrot.org Wed May 18 20:39:37 2005 From: djm at mindrot.org (Damien Miller) Date: Wed, 18 May 2005 20:39:37 +1000 Subject: Blacklisting repeated login tries In-Reply-To: <1116407368.13210.49.camel@caveman.xisl.com> References: <200505171056.j4HAuoSh016498@avon.xisl.com> <428AB4A9.7060304@mindrot.org> <1116400348.13210.20.camel@caveman.xisl.com> <428AFE70.3040908@mindrot.org> <1116407368.13210.49.camel@caveman.xisl.com> Message-ID: <428B1B69.2070003@mindrot.org> John M Collins wrote: > It might be more reasonable if you provided a search facility. Like I > said, I did look through past history but none of the threads seemed to > mention it. All the article you referred to said as a subject was "SSH > feature request" and you referred that poster to previous discussions > which had obviously eluded him just as much as it eluded me. You must be allergic to google: "openssh login attempt", 1st link and follow the thread. > If it's such a bad idea, why don't you put up on the FAQ list why you > think it's such a bad idea? I.e. we should do the work because you are too lazy to use a search engine. > For my own part it is clear that there are lots of brute force attempts > to break in taking place at them moment and optional features which > might assist seem worth discussing. ... and we have. Check the archives. -d From chidanand.gangur at gmail.com Wed May 18 22:03:16 2005 From: chidanand.gangur at gmail.com (Chidanand Gangur) Date: Wed, 18 May 2005 17:33:16 +0530 Subject: SSHD creates defunct process In-Reply-To: <428489CB.6050401@mindrot.org> References: <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> <428363E0.5060805@zip.com.au> <4283D1FF.90209@mindrot.org> <428489CB.6050401@mindrot.org> Message-ID: I have got fresh source of openssh-3.6.1p2 . I compiled it with --with-pam option. I have my pam_test.so . With the same set up as mentioned above I have every thing working fine on one of my test machines which has RH9 installed . But the same set up on another machine with same configuration same OS RH9 fails to work. I get following messages : May 18 16:53:44 vml1ravid sshd: PAM unable to dlopen(/build/release-cp/pam_test.so) May 18 16:53:44 vml1ravid sshd: PAM [dlerror: /build/release-cp/libcmapi.so: undefined symbol: pdp_module_props] May 18 16:53:44 vml1ravid sshd: PAM adding faulty module: build/release-cp/pam_test.so When I run Darrens pam-test-harness -u testcng -s sshd I get following response: conversation struct {conv=0x8048d6d, appdata_ptr=0x804b064} pam_start(sshd, testcng, &conv, &pamh) = 0 (Success) pam_set_item(pamh, PAM_TTY, "/dev/pts/2") = 0 (Success) pam_set_item(pamh, PAM_RHOST, "vml1ravid.pune.localdomain.com") = 0 (Success) pam_set_item(pamh, PAM_RUSER, "chidanandgangur") = 0 (Success) pam_authenticate(pamh, 0) = 6 (Permission denied) pam_end(pamh, 0) = 0 (Success) When I run SSHD in debug mode i get following debug messages debug2: read_server_config: filename /etc/ssh/sshd_config debug1: sshd version OpenSSH_3.6.1p2 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 192.168.2.129 port 4130 debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b debug1: no match: PuTTY-Release-0.53b debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2 debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: Sent 768 bit server key and 1024 bit host key. debug2: Network child is on pid 845 debug3: preauth child monitor started debug3: mm_request_receive entering debug1: Encryption type: blowfish debug3: mm_request_send entering: type 28 debug3: monitor_read: checking request 28 debug3: mm_request_send entering: type 29 debug2: monitor_read: 28 used once, disabling now debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 29 debug3: mm_request_receive entering debug3: mm_ssh1_session_id entering debug3: mm_request_send entering: type 30 debug3: monitor_read: checking request 30 debug3: mm_answer_sessid entering debug2: monitor_read: 30 used once, disabling now debug3: mm_request_receive entering debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: mm_start_pam entering debug3: mm_request_send entering: type 41 [root at vml1ravid release-cp]# /usr/sbin/sshd -ddd debug2: read_server_config: filename /etc/ssh/sshd_config debug1: sshd version OpenSSH_3.6.1p2 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 192.168.2.129 port 4140 debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b debug1: no match: PuTTY-Release-0.53b debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2 debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: Sent 768 bit server key and 1024 bit host key. debug2: Network child is on pid 959 debug3: preauth child monitor started debug3: mm_request_receive entering debug1: Encryption type: blowfish debug3: mm_request_send entering: type 28 debug3: monitor_read: checking request 28 debug3: mm_request_send entering: type 29 debug2: monitor_read: 28 used once, disabling now debug3: mm_request_receive_expect entering: type 29 debug3: mm_request_receive entering debug3: mm_ssh1_session_id entering debug3: mm_request_send entering: type 30 debug1: Received session key; encryption turned on. debug3: mm_request_receive entering debug3: monitor_read: checking request 30 debug3: mm_answer_sessid entering debug2: monitor_read: 30 used once, disabling now debug3: mm_request_receive entering debug1: Installing crc compensation attack detector. debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: mm_start_pam entering debug3: mm_request_send entering: type 41 debug1: Attempting authentication for testcng. debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 41 debug1: Starting up PAM with username "testcng" debug3: Trying to reverse map address 192.168.2.129. debug1: PAM setting rhost to "chidanandgangur.pune.localdomain.com" debug2: monitor_read: 41 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug1: PAM password authentication failed for testcng: Permission denied debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 debug3: mm_auth_password: user not authenticated Failed none for testcng from 192.168.2.129 port 4140 debug3: mm_request_receive entering debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug1: PAM password authentication failed for testcng: Permission denied debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 debug3: mm_auth_password: user not authenticated Failed password for testcng from 192.168.2.129 port 4140 Failed password for testcng from 192.168.2.129 port 4140 debug3: mm_request_receive entering Thanks, Chidanand On 5/13/05, Damien Miller wrote: > Chidanand Gangur wrote: > > Hi Daimen Miller, > > > > I accept your disguize, but I really thought this mailing list which > > could help me to solve the problem. > > > > The changes in SSHD code is only in one file i.e session.c and that > > too it is a very simple change. The changes is just setting an > > envoirnment variable which is just an integer. > > I am using child_set_env function to achieve it. > > > > The main problem is the behaviour changes on machine to machine. On > > some machine i get error > > > > PAM faulty module pam_test.so > > PAM unable to dlopen pam_test.so > > PAM unable to dlopen pam_deny.so > > Well, erratic behaviour like that might be indicative of a memory > corruption problem somewhere. However, we still can't help you, because > we can't replicate your configuration and you haven't even posted any > debug traces. > > If you want to post and ask for help, you have to give us enough > information to do more than guess at your problems. > > Start by sending your pam config, sshd_config, any configure options > that you built with, details of your platform and a server debug ("sshd > -ddd") trace. > > -d > -- Chidanand Gangur Pune. From herb at sgi.com Wed May 18 23:01:14 2005 From: herb at sgi.com (herb at sgi.com) Date: Wed, 18 May 2005 13:01:14 UTC Subject: The Whore Lived Like a German Message-ID: <4bce47119ab8.8b54569@sgi.com> Full Article: http://service.spiegel.de/cache/international/0,1518,344374,00.html From stuge-openssh-unix-dev at cdy.org Thu May 19 00:19:33 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 18 May 2005 16:19:33 +0200 Subject: SSHD creates defunct process In-Reply-To: References: <20050511123131.GA4664@foo.birdnet.se> <42834AB5.3030807@zip.com.au> <428363E0.5060805@zip.com.au> <4283D1FF.90209@mindrot.org> <428489CB.6050401@mindrot.org> Message-ID: <20050518141933.GA12042@foo.birdnet.se> Hi, I'll chip in here, even if I'm no PAM guru. On Wed, May 18, 2005 at 05:33:16PM +0530, Chidanand Gangur wrote: > I have got fresh source of openssh-3.6.1p2 . I compiled it with > --with-pam option. I have my pam_test.so . 3.6.1p2 is really old and many PAM improvements are in the latest release 4.0p1. > With the same set up as mentioned above I have every thing working > fine on one of my test machines which has RH9 installed . But the > same set up on another machine with same configuration same OS RH9 > fails to work. > > I get following messages : > > May 18 16:53:44 vml1ravid sshd: PAM unable to > dlopen(/build/release-cp/pam_test.so) > May 18 16:53:44 vml1ravid sshd: PAM [dlerror: > /build/release-cp/libcmapi.so: undefined symbol: pdp_module_props] > May 18 16:53:44 vml1ravid sshd: PAM adding faulty module: > build/release-cp/pam_test.so This tells me that there's a problem in your PAM module pam_test.so, which tries to load the symbol pdp_module_props from libcmapi.so, but that load fails. > When I run Darrens pam-test-harness -u testcng -s sshd > I get following response: > conversation struct {conv=0x8048d6d, appdata_ptr=0x804b064} > pam_start(sshd, testcng, &conv, &pamh) = 0 (Success) > > pam_set_item(pamh, PAM_TTY, "/dev/pts/2") = 0 (Success) > > pam_set_item(pamh, PAM_RHOST, "vml1ravid.pune.localdomain.com") = 0 (Success) > > pam_set_item(pamh, PAM_RUSER, "chidanandgangur") = 0 (Success) > > pam_authenticate(pamh, 0) = 6 (Permission denied) Since I don't know PAM very well I can't say if this means that the authentication just failed because of invalid credentials or if there was an internal error in a PAM module. > When I run SSHD in debug mode i get following debug messages Looks like sshd exits or hangs abruptly. That could be a consequence from the PAM module failing somehow, right? From waspswarm at gmail.com Thu May 19 03:50:54 2005 From: waspswarm at gmail.com (scott rankin) Date: Wed, 18 May 2005 10:50:54 -0700 Subject: make tests failures (agent.sh) In-Reply-To: <428AEC0B.5060706@zip.com.au> References: <489b43e2050517225515d13d62@mail.gmail.com> <428AEC0B.5060706@zip.com.au> Message-ID: <489b43e2050518105065ae6a54@mail.gmail.com> Darren et.al, > Configure may be getting confused by the combination of options, or > possibly you didn't hit quite the right combination. > > Try setting everything explicitly, eg (untested): > > $ LD_LIBRARY_PATH=/home/scott/src/openssl-0.9.7e:/usr/lib:/lib > $ export LD_LIBRARY_PATH > $ ./configure --prefix=/home/scott \ > --with-cflags=-I/home/scott/src/openssl-0.9.7e \ > --with-ldflags=-L/home/scott/src/openssl-0.9.7e > $ make && make tests I tried the above but configure didn't like the -l at the beginning of cflags. The config.log had a message that ld couldn't find -l/home/scott/src/openssl-0.9.7e. I changed it to -L and configure would complete. Was I supposed to specifically name libcrypto in the --with-cflags or did your original suggestion contain a typo? Anyway, configure goes along but without --with-ssl-dir= I get an OpenSSL header mismatch. Here is the head of my config.log the value of LD_LIBRARY_PATH and LDFLAGS before make: [scott at choke openssh-4.0p1]$ head config.log This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by OpenSSH configure Portable, which was generated by GNU Autoconf 2.59. Invocation command line was $ ./configure --prefix=/home/scott --with-ssl-dir=/home/scott/src/openssl-0.9.7e --with-cflags=-L/home/scott/src/openssl-0.9.7e --with-ldflags=-L/home/scott/src/openssl-0.9.7e ## --------- ## ## Platform. ## [scott at choke openssh-4.0p1]$ echo $LD_LIBRARY_PATH /home/scott/src/openssl-0.9.7e:/usr/lib:lib [scott at choke openssh-4.0p1]$ echo $LDFLAGS [scott at choke openssh-4.0p1]$ make completes fine. make tests dies in the same spot, ... ok connect after login grace timeout run test agent.sh ... ssh-add -l via agent fwd proto 1 failed (exit code 0) /home/scott/src/openssh-4.0p1/ssh: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory agent fwd proto 1 failed (exit code 0) ssh-add -l via agent fwd proto 2 failed (exit code 0) /home/scott/src/openssh-4.0p1/ssh: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory agent fwd proto 2 failed (exit code 0) failed simple agent test make[1]: *** [t-exec] Error 1 make[1]: Leaving directory `/home/scott/src/openssh-4.0p1/regress' make: *** [tests] Error 2 > [trim] > include your ssl dir in LD_LIBRARY_PATH, or force your linker to link > against the static libcrypto libraries. I will try the static libcrypto option next... cheers, scott From waspswarm at gmail.com Thu May 19 04:49:22 2005 From: waspswarm at gmail.com (scott rankin) Date: Wed, 18 May 2005 11:49:22 -0700 Subject: make tests failures (agent.sh) In-Reply-To: <489b43e2050518105065ae6a54@mail.gmail.com> References: <489b43e2050517225515d13d62@mail.gmail.com> <428AEC0B.5060706@zip.com.au> <489b43e2050518105065ae6a54@mail.gmail.com> Message-ID: <489b43e205051811491be5f8c6@mail.gmail.com> Sorry to reply to my own post. > [scott at choke openssh-4.0p1]$ echo $LDFLAGS > > [scott at choke openssh-4.0p1]$ > So I followed Roumen's suggestion first, [scott at choke openssh-4.0p1]$ LDFLAGS="-Wl,-rpath,/home/scott/src/openssl-0.9.7e" [scott at choke openssh-4.0p1]$ export $LDFLAGS follwed by the earlier step of setting LD_LIBRARY_PATH, [scott at choke openssh-4.0p1]$ echo $LDFLAGS -Wl,-rpath,/home/scott/src/openssl-0.9.7e [scott at choke openssh-4.0p1]$ echo $LD_LIBRARY_PATH /home/scott/src/openssl-0.9.7e:/usr/lib:lib [scott at choke openssh-4.0p1]$ followed by configure, [scott at choke openssh-4.0p1]$ ./configure --prefix=$HOME --with-ssl-dir=/home/scott/src/openssl-0.9.7e --with-cflags=-L/home/scott/src/openssl-0.9.7e --with-ldflags=-L/home/scott/src/openssl-0.9.7e and make tests completes with success. Thanks for all the suggestions. cheers, scott From spamtrap at knobisoft.de Thu May 19 04:05:27 2005 From: spamtrap at knobisoft.de (Martin Knoblauch) Date: Wed, 18 May 2005 11:05:27 -0700 (PDT) Subject: Problems with RhostRSAAuthecntication and UsePrivilegeSeparation (RH9, 2.4.20-42.9.legacybigmem) Message-ID: <20050518180527.13318.qmail@web32605.mail.mud.yahoo.com> Hi, for some days now I am/was fighting with an annoying problem. I have to support an environment where RhostRSAAuthecntication via /etc/ssh/sshd_known_hosts is used for password-less login. This works fine with RH7.3 (and RH8) and openssh versions openssh-3.1p1-3 (and openssh-3.4p1-2). Our customer has now requested an upgrade to RH9. That comes with openssh-3.5p-11 and the password-less stuff (from the outside) does not work any more. $ ssh -v lpsdm05 date OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 43922 geteuid 0 anon 1 debug1: Connecting to lpsdm05 [160.48.88.26] port 22. debug1: temporarily_use_uid: 43922/1000 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 43922/1000 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/qx29340/.ssh/identity type -1 debug1: identity file /home/qx29340/.ssh/id_rsa type 1 debug1: identity file /home/qx29340/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1 debug1: match: OpenSSH_3.9p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.1p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'lpsdm05' is known and matches the RSA1 host key. debug1: Found key in /etc/ssh/ssh_known_hosts:4450 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication. debug1: Remote: Accepted for lpsdm21.muc [160.48.88.10] by /etc/hosts.equiv. debug1: Remote: Your host key cannot be verified: unknown or invalid host key. debug1: Server refused our rhosts authentication or host key. debug1: Doing challenge response authentication. debug1: No challenge. debug1: Doing password authentication. qx29340 at lpsdm05's password: The interesting part is the "unknown or invalid host key". The ssh-known_hosts file ist maintained centrally and is good. First I suspected reverse lookup and added the IP-Adress of the client to ssh_known_hosts. And password-less started to work again. But all other tests I did showed that reverse lookup was working for all other purposes. So I played a bit more and found that setting "UsePrivilegeSeparation no" in sshd_config "solved" my problem. Unfortunatelly that option is not documented very well. Any ideas why it should make RhostsRSAA fail? While I am kind of happy now, I like to understand what goes on :-) The problem also happens when I am running a plain 2.4.30 kernel and openssh-3.9p1. Thanks a lot in advance Please CC me, as I am not on the list Martin ------------------------------------------------------ Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de From eldergabriel at charter.net Thu May 19 05:30:38 2005 From: eldergabriel at charter.net (Gabriel M. Elder) Date: Wed, 18 May 2005 14:30:38 -0500 Subject: known_hosts vulnerability? Message-ID: <1116444639.5328.33.camel@puter> Hey all, I came across a security news article, referenced by http://www.linux.org/news, at http://www.techworld.com/security/news/index.cfm?NewsID=3668 talking about an SSH weakness involving the known_hosts file. I apologize if this issue has already been addressed, but the mailing list archives didn't turn up anything when i tried searching for something relevant. So; not to knee-jerk or anything, but is anyone currently looking into this? Does this need to be addressed, or has it already been taken care of? Offhand, on a scale of 0 - 11, this would seem to rate kinda high, ~7. Am i off-base? >From the article: "a known_hosts hashing scheme proposed by MIT has been implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH". Looking at my own ~/.ssh/known_hosts file, the entries appear to be encrypted, by default; i assume this is a Good Thing. Installed ssh package = openssh-server-3.9p1-8.0.1. Shall i now resume my warm fuzzies and assume all is snug and secure in openssh-land? From carson at taltos.org Thu May 19 06:29:06 2005 From: carson at taltos.org (Carson Gaspar) Date: Wed, 18 May 2005 16:29:06 -0400 Subject: feature: RequiredAuthentications In-Reply-To: <428AB474.1000100@mindrot.org> References: <428AB474.1000100@mindrot.org> Message-ID: <2633FAA5801FC604D8C0FB82@gaspac.ny.ficc.gs.com> --On Wednesday, May 18, 2005 01:20:20 PM +1000 Damien Miller wrote: > L.T.Lowe at hep.ph.bham.ac.uk wrote: >> >> Is there a way for a sshd server to be able to enforce both >> client host key authentication as well as user authentication, >> say for roving user-administered laptops. >> So a sysadmin can restrict access to allow only client hosts >> which can pass the HostbasedAuthentication tests, >> whatever the current IP name/address, but still insist on the user >> authenticating themselves (by password say). Is this possible? > > No, but see http://bugzilla.mindrot.org/show_bug.cgi?id=983 I also had an old patch that supported ordered auth methods (the patch referenced above requires multiple auth methods in any order). I will again offer to update my patch to the current OpenSSH code if the core maintainers express any interest in integrating the patch. It was previously rejected as "too complicated" (functionality-wise, not code complexity). -- Carson Gaspar From carson at taltos.org Thu May 19 06:32:44 2005 From: carson at taltos.org (Carson Gaspar) Date: Wed, 18 May 2005 16:32:44 -0400 Subject: make tests failures (agent.sh) In-Reply-To: <489b43e2050518105065ae6a54@mail.gmail.com> References: <489b43e2050517225515d13d62@mail.gmail.com> <428AEC0B.5060706@zip.com.au> <489b43e2050518105065ae6a54@mail.gmail.com> Message-ID: --On Wednesday, May 18, 2005 10:50:54 AM -0700 scott rankin wrote: > Darren et.al, > >> Configure may be getting confused by the combination of options, or >> possibly you didn't hit quite the right combination. >> >> Try setting everything explicitly, eg (untested): >> >> $ LD_LIBRARY_PATH=/home/scott/src/openssl-0.9.7e:/usr/lib:/lib >> $ export LD_LIBRARY_PATH >> $ ./configure --prefix=/home/scott \ >> --with-cflags=-I/home/scott/src/openssl-0.9.7e \ >> --with-ldflags=-L/home/scott/src/openssl-0.9.7e >> $ make && make tests > > I tried the above but configure didn't like the -l at the beginning of > cflags. The config.log had a message that ld couldn't find Use a real font in your mail client, or cut-and-paste. Thats -I not -l - SHIFT+i, as in Include. -- Carson From stuge-openssh-unix-dev at cdy.org Thu May 19 06:32:38 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 18 May 2005 22:32:38 +0200 Subject: make tests failures (agent.sh) In-Reply-To: <489b43e205051811491be5f8c6@mail.gmail.com> References: <489b43e2050517225515d13d62@mail.gmail.com> <428AEC0B.5060706@zip.com.au> <489b43e2050518105065ae6a54@mail.gmail.com> <489b43e205051811491be5f8c6@mail.gmail.com> Message-ID: <20050518203238.GA20300@foo.birdnet.se> On Wed, May 18, 2005 at 11:49:22AM -0700, scott rankin wrote: > LDFLAGS="-Wl,-rpath,/home/scott/src/openssl-0.9.7e" > [scott at choke openssh-4.0p1]$ export $LDFLAGS That should probably be export LDFLAGS, without the $. > [scott at choke openssh-4.0p1]$ ./configure --prefix=$HOME > --with-ssl-dir=/home/scott/src/openssl-0.9.7e > --with-cflags=-L/home/scott/src/openssl-0.9.7e The CFLAGS should probably be -I/home/scott/src/openssl-0.9.7e, rather than -L. -I for include files, -L for libraries. > and make tests completes with success. Great that it works! //Peter From carson at taltos.org Thu May 19 06:39:02 2005 From: carson at taltos.org (Carson Gaspar) Date: Wed, 18 May 2005 16:39:02 -0400 Subject: known_hosts vulnerability? In-Reply-To: <1116444639.5328.33.camel@puter> References: <1116444639.5328.33.camel@puter> Message-ID: --On Wednesday, May 18, 2005 02:30:38 PM -0500 "Gabriel M. Elder" wrote: > Hey all, > > I came across a security news article, referenced by > http://www.linux.org/news, at > > http://www.techworld.com/security/news/index.cfm?NewsID=3668 > > talking about an SSH weakness involving the known_hosts file. I > apologize if this issue has already been addressed, but the mailing list > archives didn't turn up anything when i tried searching for something > relevant. So; not to knee-jerk or anything, but is anyone currently > looking into this? Does this need to be addressed, or has it already > been taken care of? Offhand, on a scale of 0 - 11, this would seem to > rate kinda high, ~7. Am i off-base? It's about a 1. If someone breaks into your machine with an older version of SSH, they can get a list of hosts you've connected to. Whoopee. Unless you scrub your .bash_history (or equivalent), you're already exposed to this. More FUD from "security" stories. The real solution is to stop using known_hosts files. There are some patches floating around that do this for X.509 certs, and it's possible with GSSAPI already (I think...). It would be really nice to get LDAP or DNSSEC support, but I don't think there are current patches for either. -- Carson Gaspar -- Carson Gaspar From djm at mindrot.org Thu May 19 07:49:41 2005 From: djm at mindrot.org (Damien Miller) Date: Thu, 19 May 2005 07:49:41 +1000 Subject: known_hosts vulnerability? In-Reply-To: References: <1116444639.5328.33.camel@puter> Message-ID: <428BB875.4070407@mindrot.org> Carson Gaspar wrote: > The real solution is to stop using known_hosts files. There are some > patches floating around that do this for X.509 certs, and it's possible > with GSSAPI already (I think...). It would be really nice to get LDAP or > DNSSEC support, but I don't think there are current patches for either. DNSSEC support has been in OpenSSH for around two years. -d From djm at mindrot.org Thu May 19 08:02:47 2005 From: djm at mindrot.org (Damien Miller) Date: Thu, 19 May 2005 08:02:47 +1000 Subject: known_hosts vulnerability? In-Reply-To: <1116444639.5328.33.camel@puter> References: <1116444639.5328.33.camel@puter> Message-ID: <428BBB87.4010201@mindrot.org> Gabriel M. Elder wrote: > Hey all, > > I came across a security news article, referenced by > http://www.linux.org/news, at > > http://www.techworld.com/security/news/index.cfm?NewsID=3668 > > talking about an SSH weakness involving the known_hosts file. I > apologize if this issue has already been addressed, but the mailing list > archives didn't turn up anything when i tried searching for something > relevant. So; not to knee-jerk or anything, but is anyone currently > looking into this? Does this need to be addressed, or has it already > been taken care of? Offhand, on a scale of 0 - 11, this would seem to > rate kinda high, ~7. Am i off-base? It is a problem mainly for large educational facilities and labs, where users use weak authenticators (same passwords, password-less public keys, etc) on multiple hosts. In these cases, an attacker (or their worm) could use the known_hosts file as a hit-list of other hosts to try. I think some of the publicity is a little overblown because the same information is available from many other sources: shell histories, netstat or ps output, etc. Furthermore, if an account is already compromised, then there are far more effective ways for a worm to gain access to other accounts (e.g. fudge $PATH to contain a trojan ssh that steals account/password/host information directly). Anyway, we implemented the HashKnownHosts (see "man ssh") to address this. Admins should be aware that this doesn't make the problem go away, but it does make the attack harder (hopefully too hard for a worm). >>From the article: "a known_hosts hashing scheme proposed by MIT has been > implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH". > Looking at my own ~/.ssh/known_hosts file, the entries appear to be > encrypted, by default; i assume this is a Good Thing. Installed ssh > package = openssh-server-3.9p1-8.0.1. Shall i now resume my warm fuzzies > and assume all is snug and secure in openssh-land? No - unless your admins have modified 3.9p1 for you, your file probably looks like: hostname ssh-rsa AAAAAPO7JD765SPF2OJ337FSAPSO... This change is about hashing "hostname" so noone can tell what hosts you have visited. -d From Jefferson.Ogata at noaa.gov Thu May 19 08:27:56 2005 From: Jefferson.Ogata at noaa.gov (Jefferson Ogata) Date: Wed, 18 May 2005 18:27:56 -0400 Subject: known_hosts vulnerability? In-Reply-To: References: <1116444639.5328.33.camel@puter> Message-ID: <428BC16C.7050908@noaa.gov> Carson Gaspar wrote: > --On Wednesday, May 18, 2005 02:30:38 PM -0500 "Gabriel M. Elder" > wrote: >> I came across a security news article, referenced by >> http://www.linux.org/news, at >> >> http://www.techworld.com/security/news/index.cfm?NewsID=3668 >> >> talking about an SSH weakness involving the known_hosts file. I >> apologize if this issue has already been addressed, but the mailing list >> archives didn't turn up anything when i tried searching for something >> relevant. So; not to knee-jerk or anything, but is anyone currently >> looking into this? Does this need to be addressed, or has it already >> been taken care of? Offhand, on a scale of 0 - 11, this would seem to >> rate kinda high, ~7. Am i off-base? > > It's about a 1. If someone breaks into your machine with an older > version of SSH, they can get a list of hosts you've connected to. > Whoopee. Unless you scrub your .bash_history (or equivalent), you're > already exposed to this. More FUD from "security" stories. This is a real problem. It is not FUD. If you ever actually watch what intruders do when they get onto a system, you'll realize that known_hosts is very beneficial to them in terms of widening the scope of a compromise. It's one of the first things they go for. Yes, eventually the intruder can discover the same information, but there is good value in providing measures that slow down the growth of an intrusion once it happens. A lot of intruders are surprisingly lazy, if not totally ignorant, and there's nothing wrong with taking advantage of that. And many people do scrub their .bash_histories, BTW. > The real solution is to stop using known_hosts files. There are some > patches floating around that do this for X.509 certs, and it's possible > with GSSAPI already (I think...). It would be really nice to get LDAP or > DNSSEC support, but I don't think there are current patches for either. Actually, putting hashes in known_hosts is not a bad solution, at least until everyone has his own CA or DNSSEC signing key. -- Jefferson Ogata NOAA Computer Incident Response Team (N-CIRT) From carson at taltos.org Thu May 19 10:55:55 2005 From: carson at taltos.org (Carson Gaspar) Date: Wed, 18 May 2005 20:55:55 -0400 Subject: known_hosts vulnerability? In-Reply-To: <428BB875.4070407@mindrot.org> References: <1116444639.5328.33.camel@puter> <428BB875.4070407@mindrot.org> Message-ID: <512B092D02B9BECBAEFDE255@[192.168.0.1]> --On Thursday, May 19, 2005 7:49 AM +1000 Damien Miller wrote: > DNSSEC support has been in OpenSSH for around two years. How I managed to miss that, I have no idea. Way to go, guys. Now I just have to figure out how to make this work with our QIP infrastructure... -- Carson From djm at mindrot.org Fri May 20 00:45:54 2005 From: djm at mindrot.org (Damien Miller) Date: Thu, 19 May 2005 10:45:54 -0400 Subject: known_hosts vulnerability? In-Reply-To: <1116444639.5328.33.camel@puter> References: <1116444639.5328.33.camel@puter> Message-ID: <000301c55c81$75a03f60$1402a8c0@netcentric.local> Gabriel M. Elder wrote: > Hey all, > > I came across a security news article, referenced by > http://www.linux.org/news, at > > http://www.techworld.com/security/news/index.cfm?NewsID=3668 > > talking about an SSH weakness involving the known_hosts file. I > apologize if this issue has already been addressed, but the mailing list > archives didn't turn up anything when i tried searching for something > relevant. So; not to knee-jerk or anything, but is anyone currently > looking into this? Does this need to be addressed, or has it already > been taken care of? Offhand, on a scale of 0 - 11, this would seem to > rate kinda high, ~7. Am i off-base? It is a problem mainly for large educational facilities and labs, where users use weak authenticators (same passwords, password-less public keys, etc) on multiple hosts. In these cases, an attacker (or their worm) could use the known_hosts file as a hit-list of other hosts to try. I think some of the publicity is a little overblown because the same information is available from many other sources: shell histories, netstat or ps output, etc. Furthermore, if an account is already compromised, then there are far more effective ways for a worm to gain access to other accounts (e.g. fudge $PATH to contain a trojan ssh that steals account/password/host information directly). Anyway, we implemented the HashKnownHosts (see "man ssh") to address this. Admins should be aware that this doesn't make the problem go away, but it does make the attack harder (hopefully too hard for a worm). >>From the article: "a known_hosts hashing scheme proposed by MIT has been > implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH". > Looking at my own ~/.ssh/known_hosts file, the entries appear to be > encrypted, by default; i assume this is a Good Thing. Installed ssh > package = openssh-server-3.9p1-8.0.1. Shall i now resume my warm fuzzies > and assume all is snug and secure in openssh-land? No - unless your admins have modified 3.9p1 for you, your file probably looks like: hostname ssh-rsa AAAAAPO7JD765SPF2OJ337FSAPSO... This change is about hashing "hostname" so noone can tell what hosts you have visited. -d From christian.lestrade at free.fr Fri May 20 07:42:06 2005 From: christian.lestrade at free.fr (Christian LESTRADE) Date: Thu, 19 May 2005 23:42:06 +0200 Subject: ssh-keygen private keys export - new feature Message-ID: <5.1.0.14.2.20050519233145.00a43ca0@pop.free.fr> Hello, I had some difficulties in order to convert private keys between different implementations of SSH. So, I wrote the following patch to allow export of SSH2 RSA and DSA private keys into IETF SECSH format. Note that I also slightly revised the IETF SECSH key import code. Usage: use of the "-e" option on a private key file generates an unencrypted private key file in IETF SECSH format. I suggest you incorporate this patch into both the OpenBSD and portable OpenSSH. --- authfile.c.orig 2004-12-11 03:39:50.000000000 +0100 +++ authfile.c 2005-05-19 22:16:51.000000000 +0200 @@ -598,7 +598,7 @@ return prv; } -static int +int key_try_load_public(Key *k, const char *filename, char **commentp) { FILE *f; --- authfile.h.orig 2002-06-06 21:57:34.000000000 +0200 +++ authfile.h 2005-05-19 23:03:35.000000000 +0200 @@ -18,6 +18,7 @@ int key_save_private(Key *, const char *, const char *, const char *); Key *key_load_public(const char *, char **); Key *key_load_public_type(int, const char *, char **); +int key_try_load_public(Key *, const char *, char **); Key *key_load_private(const char *, const char *, char **); Key *key_load_private_type(int, const char *, const char *, char **); Key *key_load_private_pem(int, int, const char *, char **); --- ssh-keygen.c.orig 2005-03-02 02:33:04.000000000 +0100 +++ ssh-keygen.c 2005-05-19 22:20:02.000000000 +0200 @@ -24,6 +24,7 @@ #include "uuencode.h" #include "buffer.h" #include "bufaux.h" +#include "getput.h" #include "pathnames.h" #include "log.h" #include "misc.h" @@ -152,8 +153,104 @@ #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----" #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" +#define SSH_COM_PRIVATE_END "---- END SSH2 ENCRYPTED PRIVATE KEY ----" #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb +static int +buffer_put_bignum_bits(Buffer *b, const BIGNUM *value) +{ + u_int bignum_bits = BN_num_bits(value); + u_int bytes = (bignum_bits + 7) / 8; + u_char *buf = xmalloc(bytes); + int oi; + + /* Get the value of in binary */ + oi = BN_bn2bin(value, buf); + if (oi != bytes) { + error("buffer_put_bignum_bits: BN_bn2bin() failed: oi %d != bytes %d", + oi, bytes); + return (-1); + } + + buffer_put_int(b, bignum_bits); + /* Store the binary data. */ + buffer_append(b, (char *)buf, oi); + + memset(buf, 0, bytes); + xfree(buf); + + return (0); +} + +static int +do_convert_private_ssh2_to_blob(const Key *key, u_char **blobp, u_int *lenp) +{ + Buffer b; + int len, len1; + char *pb; + + if (key == NULL) { + error("do_convert_private_ssh2_to_blob: key == NULL"); + return 0; + } + buffer_init(&b); + buffer_put_int(&b, SSH_COM_PRIVATE_KEY_MAGIC); + buffer_put_int(&b, 0); + + switch (key->type) { + case KEY_DSA: + buffer_put_cstring(&b, "dl-modp{sign{dsa-nist-sha1},dh{plain}}"); + break; + case KEY_RSA: + buffer_put_cstring(&b, "if-modn{sign{rsa-pkcs1-md5}}"); + break; + default: + error("do_convert_private_ssh2_to_blob: unsupported key type %d", + key->type); + buffer_free(&b); + return 0; + } + + buffer_put_cstring(&b, "none"); + + len1 = buffer_len(&b); + buffer_put_int(&b, 0); + buffer_put_int(&b, 0); + + switch (key->type) { + case KEY_DSA: + buffer_put_int(&b, 0); + buffer_put_bignum_bits(&b, key->dsa->p); + buffer_put_bignum_bits(&b, key->dsa->g); + buffer_put_bignum_bits(&b, key->dsa->q); + buffer_put_bignum_bits(&b, key->dsa->pub_key); + buffer_put_bignum_bits(&b, key->dsa->priv_key); + break; + case KEY_RSA: + buffer_put_bignum_bits(&b, key->rsa->e); + buffer_put_bignum_bits(&b, key->rsa->d); + buffer_put_bignum_bits(&b, key->rsa->n); + buffer_put_bignum_bits(&b, key->rsa->iqmp); + buffer_put_bignum_bits(&b, key->rsa->q); + buffer_put_bignum_bits(&b, key->rsa->p); + break; + } + len = buffer_len(&b); + if (lenp != NULL) + *lenp = len; + pb = buffer_ptr(&b); + PUT_32BIT(pb + 4, len); + PUT_32BIT(pb + len1, len - len1 - 4); + PUT_32BIT(pb + len1 + 4, len - len1 - 8); + if (blobp != NULL) { + *blobp = xmalloc(len); + memcpy(*blobp, pb, len); + } + memset(pb, 0, len); + buffer_free(&b); + return len; +} + static void do_convert_to_ssh2(struct passwd *pw) { @@ -161,6 +258,7 @@ u_int len; u_char *blob; struct stat st; + int private = 0; if (!have_identity) ask_filename(pw, "Enter file in which the key is"); @@ -168,27 +266,39 @@ perror(identity_file); exit(1); } - if ((k = key_load_public(identity_file, NULL)) == NULL) { + k = key_new(KEY_UNSPEC); + if (key_try_load_public(k, identity_file, NULL) != 1) { if ((k = load_identity(identity_file)) == NULL) { fprintf(stderr, "load failed\n"); exit(1); } + private = 1; } if (k->type == KEY_RSA1) { fprintf(stderr, "version 1 keys are not supported\n"); exit(1); } - if (key_to_blob(k, &blob, &len) <= 0) { - fprintf(stderr, "key_to_blob failed\n"); - exit(1); + if (private) { + if (do_convert_private_ssh2_to_blob(k, &blob, &len) <= 0) { + fprintf(stderr, "do_convert_private_ssh2_to_blob failed\n"); + exit(1); + } } - fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN); + else { + if (key_to_blob(k, &blob, &len) <= 0) { + fprintf(stderr, "key_to_blob failed\n"); + exit(1); + } + } + fprintf(stdout, "%s\n", + private?SSH_COM_PRIVATE_BEGIN:SSH_COM_PUBLIC_BEGIN); fprintf(stdout, "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n", key_size(k), key_type(k), pw->pw_name, hostname); dump_base64(stdout, blob, len); - fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END); + fprintf(stdout, "%s\n", + private?SSH_COM_PRIVATE_END:SSH_COM_PUBLIC_END); key_free(k); xfree(blob); exit(0); @@ -216,7 +326,6 @@ u_char *sig, data[] = "abcde12345"; int magic, rlen, ktype, i1, i2, i3, i4; u_int slen; - u_long e; buffer_init(&b); buffer_append(&b, blob, blen); @@ -232,8 +341,7 @@ cipher = buffer_get_string(&b, NULL); i2 = buffer_get_int(&b); i3 = buffer_get_int(&b); - i4 = buffer_get_int(&b); - debug("ignore (%d %d %d %d)", i1,i2,i3,i4); + debug("ignore (%d %d %d)", i1,i2,i3); if (strcmp(cipher, "none") != 0) { error("unsupported cipher %s", cipher); xfree(cipher); @@ -257,6 +365,7 @@ switch (key->type) { case KEY_DSA: + i4 = buffer_get_int(&b); buffer_get_bignum_bits(&b, key->dsa->p); buffer_get_bignum_bits(&b, key->dsa->g); buffer_get_bignum_bits(&b, key->dsa->q); @@ -264,21 +373,7 @@ buffer_get_bignum_bits(&b, key->dsa->priv_key); break; case KEY_RSA: - e = buffer_get_char(&b); - debug("e %lx", e); - if (e < 30) { - e <<= 8; - e += buffer_get_char(&b); - debug("e %lx", e); - e <<= 8; - e += buffer_get_char(&b); - debug("e %lx", e); - } - if (!BN_set_word(key->rsa->e, e)) { - buffer_free(&b); - key_free(key); - return NULL; - } + buffer_get_bignum_bits(&b, key->rsa->e); buffer_get_bignum_bits(&b, key->rsa->d); buffer_get_bignum_bits(&b, key->rsa->n); buffer_get_bignum_bits(&b, key->rsa->iqmp); From markus at openbsd.org Fri May 20 17:11:48 2005 From: markus at openbsd.org (Markus Friedl) Date: Fri, 20 May 2005 09:11:48 +0200 Subject: ssh-keygen private keys export - new feature In-Reply-To: <5.1.0.14.2.20050519233145.00a43ca0@pop.free.fr> References: <5.1.0.14.2.20050519233145.00a43ca0@pop.free.fr> Message-ID: <20050520071148.GA1130@folly> On Thu, May 19, 2005 at 11:42:06PM +0200, Christian LESTRADE wrote: > Hello, > > I had some difficulties in order to convert private keys between different > implementations of SSH. > > So, I wrote the following patch to allow export of SSH2 RSA and DSA private > keys into IETF SECSH format. > > Note that I also slightly revised the IETF SECSH key import code. > > Usage: use of the "-e" option on a private key file generates an unencrypted > private key file in IETF SECSH format. is there a private key IETF SECSH format? From Peter_Losher at isc.org Sat May 21 19:48:53 2005 From: Peter_Losher at isc.org (Peter Losher) Date: Sat, 21 May 2005 02:48:53 -0700 Subject: Compiling openssh-4.0p1 on Solaris 10. Message-ID: <200505210249.02881.Peter_Losher@isc.org> I am trying to compile OpenSSH 4.0p1 on a new Solaris 10 system using the OpenSSL that comes w/ the OS (0.9.7d) as well as MIT Krb5 1.4.1 (for various reasons we are not using Sun's Krb5 implementation): ./configure --prefix=/usr/local --with-kerberos5=/usr/local/krb5 --with-ssl-dir=/usr/sfw And it looks to be bombing here (adding in random support?): -=- gmake[1]: Entering directory `/var/tmp/openssh-4.0p1/openbsd-compat' gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/sfw/include -I/usr/local/krb5/include -DHAVE_CONFIG_H -c bsd-arc4random.c In file included from bsd-arc4random.c:18: ../log.h: In function `fatal': ../log.h:56: warning: empty declaration ../log.h:65: error: parse error before "volatile" ../log.h:65: error: old-style parameter declarations in prototyped function definition ../log.h:56: error: parameter name omitted bsd-arc4random.c:20: error: `rcsid' undeclared (first use in this function) bsd-arc4random.c:20: error: (Each undeclared identifier is reported only once bsd-arc4random.c:20: error: for each function it appears in.) bsd-arc4random.c:20: warning: left-hand operand of comma expression has no effect bsd-arc4random.c:20: error: parse error before '}' token gmake[1]: *** [bsd-arc4random.o] Error 1 gmake[1]: Leaving directory `/var/tmp/openssh-4.0p1/openbsd-compat' gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 -=- Any possible solutions to work around this? (I see via google this has come up w/ someone compiling 3.9p1 on Solaris 8, using the OpenSSL package from SunFreeware.com) Best WIshes - Peter -- Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050521/0f0ac15f/attachment.bin From dtucker at zip.com.au Sat May 21 20:09:45 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 21 May 2005 20:09:45 +1000 Subject: Compiling openssh-4.0p1 on Solaris 10. In-Reply-To: <200505210249.02881.Peter_Losher@isc.org> References: <200505210249.02881.Peter_Losher@isc.org> Message-ID: <428F08E9.4060907@zip.com.au> Peter Losher wrote: > I am trying to compile OpenSSH 4.0p1 on a new Solaris 10 system using the > OpenSSL that comes w/ the OS (0.9.7d) That version of OpenSSL may not work since the one that ships with Solaris is missing some AES functions. > as well as MIT Krb5 1.4.1 (for various > reasons we are not using Sun's Krb5 implementation): [...] > gmake[1]: Entering directory `/var/tmp/openssh-4.0p1/openbsd-compat' > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. > -I/usr/sfw/include -I/usr/local/krb5/include -DHAVE_CONFIG_H -c > bsd-arc4random.c > In file included from bsd-arc4random.c:18: > ../log.h: In function `fatal': > ../log.h:56: warning: empty declaration > ../log.h:65: error: parse error before "volatile" > ../log.h:65: error: old-style parameter declarations in prototyped function > definition Sounds like this, which turned out to be a compiler installation problem: http://bugzilla.mindrot.org/show_bug.cgi?id=1013 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sat May 21 20:20:48 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 21 May 2005 20:20:48 +1000 Subject: Compiling openssh-4.0p1 on Solaris 10. In-Reply-To: <428F08E9.4060907@zip.com.au> References: <200505210249.02881.Peter_Losher@isc.org> <428F08E9.4060907@zip.com.au> Message-ID: <428F0B80.20404@zip.com.au> Darren Tucker wrote: > That version of OpenSSL may not work since the one that ships with > Solaris is missing some AES functions. Forgot to add: apparently if you install the "Solaris Data Encryption Supplement" (SUNWcry and SUNWcryr packages) then it will restore the missing functions. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From hkb2tw_ at ssl-mail.com Mon May 23 02:15:09 2005 From: hkb2tw_ at ssl-mail.com (hkb2tw_ at ssl-mail.com) Date: Sun, 22 May 2005 18:15:09 +0200 Subject: ssh client password option Message-ID: <1116778509.3394.21.camel@localhost> Hello List, i need the feature of a password option (like --password) for scripting/testing purpose. I know its not secure and i am aware of that, i just need it for internal testing purpose. I did have a little look at the ssh source code, to see where i would hook in my code, but couldn't really find anything useful. I am really new to C. Is there a workaround or already an unofficial patch or something like that out there? Thanks, Mario From bob at proulx.com Mon May 23 04:34:34 2005 From: bob at proulx.com (Bob Proulx) Date: Sun, 22 May 2005 12:34:34 -0600 Subject: ssh client password option In-Reply-To: <1116778509.3394.21.camel@localhost> References: <1116778509.3394.21.camel@localhost> Message-ID: <20050522183434.GA19724@dementia.proulx.com> hkb2tw_ at ssl-mail.com wrote: > i need the feature of a password option (like --password) for > scripting/testing purpose. > > I know its not secure and i am aware of that, i just need it for > internal testing purpose. You might look at using expect. http://expect.nist.gov/ Or one of the expect follow-ons such as these perl modules: http://search.cpan.org/search?query=expect&mode=all Bob From maillists.stdout at gmail.com Mon May 23 06:12:13 2005 From: maillists.stdout at gmail.com (stdout azi) Date: Sun, 22 May 2005 20:12:13 +0000 Subject: Killing ssshd seassions Message-ID: Hello, First, I'd like to say sorry if this isn't the right mailing list to ask my question. I'm writting some application(on Linux) wich relys on sshd, so I thought there is nothing wrong in posting my mail here. The aplication i'm writting should, at some point, kill the user from his terminal line. To achieve this I read the users utmp entry and kill the ut_pid in it.. It works fine if the user is not loged trought ssh. If the user has a sshd seassion, killing the ut_pid doesnt work though. I've done some workaround and got to this point : ps -aux root 26621 0.0 0.3 5940 1644 ? S 21:33 0:00 sshd: janez [priv] <- the pid in utmp janez 2356 0.0 0.3 5940 1720 ? S 21:34 0:00 sshd: janez at pts/5 <- the right one to kill pstree -hupa |-sshd,19460 | `-sshd,26621 | `-sshd,2356,janez | `-bash,10753 If killing the pid from utmp i get orphaned processes : |-sshd,19460 |-sshd,2356,janez | `-bash,10753 From stuge-openssh-unix-dev at cdy.org Mon May 23 12:18:54 2005 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Mon, 23 May 2005 04:18:54 +0200 Subject: Killing ssshd seassions In-Reply-To: References: Message-ID: <20050523021854.GA2057@foo.birdnet.se> On Sun, May 22, 2005 at 08:12:13PM +0000, stdout azi wrote: > The aplication i'm writting should, at some point, kill the user > from his terminal line. To achieve this I read the users utmp entry > and kill the ut_pid in it.. It works fine if the user is not loged > trought ssh. If the user has a sshd seassion, killing the ut_pid > doesnt work though. I've done some workaround and got to this > point: > > ps -aux > > root 26621 0.0 0.3 5940 1644 ? S 21:33 0:00 sshd: janez [priv] <- > the pid in utmp > janez 2356 0.0 0.3 5940 1720 ? S 21:34 0:00 sshd: janez at pts/5 <- the > right one to kill You could go through the process table and kill the process that has it's PPID==ut_pid. //Peter From dtucker at zip.com.au Mon May 23 12:33:34 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 23 May 2005 12:33:34 +1000 Subject: Killing ssshd seassions In-Reply-To: References: Message-ID: <429140FE.3020409@zip.com.au> stdout azi wrote: > First, I'd like to say sorry if this isn't the right mailing list > to ask my question. I'm writting some application(on Linux) wich relys > on sshd, so I thought there is nothing wrong in posting my mail here. This is the right place. > The aplication i'm writting should, at some point, kill the user from > his terminal line. To achieve this I read the users utmp entry and > kill the ut_pid in it.. It works fine if the user is not loged trought > ssh. If the user has a sshd seassion, killing the ut_pid doesnt work > though. I've done some workaround and got to this point : What version of OpenSSH is this? There was a change between 3.6.1 and 3.7 that caused the monitor to kill the non-priviliged child the monitor was terminated. It will pass through SIGTERM and SIGHUP. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From hkb2tw_ at ssl-mail.com Mon May 23 20:54:20 2005 From: hkb2tw_ at ssl-mail.com (hkb2tw_ at ssl-mail.com) Date: Mon, 23 May 2005 03:54:20 -0700 Subject: ssh client password option In-Reply-To: <20050522183434.GA19724@dementia.proulx.com> References: <1116778509.3394.21.camel@localhost> <20050522183434.GA19724@dementia.proulx.com> Message-ID: <1116845660.26051.234730989@webmail.messagingengine.com> On Sun, 22 May 2005 12:34:34 -0600, "Bob Proulx" said: > hkb2tw_ at ssl-mail.com wrote: > > i need the feature of a password option (like --password) for > > scripting/testing purpose. > > > > I know its not secure and i am aware of that, i just need it for > > internal testing purpose. > > You might look at using expect. > > http://expect.nist.gov/ > > Or one of the expect follow-ons such as these perl modules: > > http://search.cpan.org/search?query=expect&mode=all > I was rather looking forward to modify openssh source a little. Cheers, Mario -- hkb2tw_ at ssl-mail.com From J.S.Peatfield at damtp.cam.ac.uk Mon May 23 22:28:38 2005 From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield) Date: Mon, 23 May 2005 13:28:38 +0100 (BST) Subject: ssh client password option In-Reply-To: <20050522183434.GA19724@dementia.proulx.com> References: <1116778509.3394.21.camel@localhost> <20050522183434.GA19724@dementia.proulx.com> Message-ID: On Sun, 22 May 2005, Bob Proulx wrote: > hkb2tw_ at ssl-mail.com wrote: > > i need the feature of a password option (like --password) for > > scripting/testing purpose. > > > > I know its not secure and i am aware of that, i just need it for > > internal testing purpose. > > You might look at using expect. > > http://expect.nist.gov/ > > Or one of the expect follow-ons such as these perl modules: > > http://search.cpan.org/search?query=expect&mode=all I find it easier to get openssh to use it's ssh_askpass code, pointed at a script to echo the required password. No expect or anything needed, though one does (seem to) need to fool openssh into thinking that it doesn't have a controlling terminal (if it would otherwise have one), e.g. by using setsid on systems which support that. By default iff there is a controlling terminal ssh prompts for the password there, otherwise it calls the ssh_askpass. At some point I did intend to add an option hack to tell ssh to ignore the controlling terminal and always use ssh-askpass -- some people prefer the ssh-askpass password prompts. e.g. on a linux system with setsid: SSH_ASKPASS=~/mypass setsid ssh -vvv testacc at foobar uptime where ~/mypass is (in this case) just: echo "wibble" Not that this is a very sane password... -- Jon From lemsx1 at gmail.com Wed May 25 02:30:08 2005 From: lemsx1 at gmail.com (Luis M) Date: Tue, 24 May 2005 12:30:08 -0400 Subject: scp remote-to-remote implementation Message-ID: (Please when replying include my email since i'm not subscribe to this list) Hello all, I always wanted to be able to copy from one remote location to another from a master server/workstation using something like: scp [-r] server1:/path/to/dir server2:/path/to/dir2 And have scp "know" that i mean to copy from server1 to localhost and from localhost to server2 or something of that sort. For as long as it is transparent to the end user. I know that I could simply write a wrapper for scp and get the job done quickly, however, I wanted to get down and dirty and make the whole thing part of scp itself. Before i do, however, i wanted to make sure that this has not been attempted before (or no one is already working on this). I also know that there is a better way of having this done (having a pipe created locally that automatically pipes things through from server1->localhost->server2 or something). But i just want something quick and dirty that gets the job done. The limitations i see so far are: 1. the server from which stuff is copying from must be the first one in the argument list 2. there might be no way to check if there is space available to copy the files from server1 to localhost and then to server2, so the user must know this before hand. for now, the whole thing should fail as usual when there is not enough disk space on any of the computers involved. And i know other things might pop up as I go through the code... Can anybody give me pointers, perhaps to people who have implemented this before. I did a quick google check and couldn't find anything. I also looked in the mailing list archives (perhaps not hard enough since the word: remote to remote is very ambiguous). Here is an excerpt of my layout (pseudo code) in scp.c: if ( (targ = colon(argv[argc - 1])) && colon(argv[argc - 2]) ) { /* both Dest are remote, copy locally from first host * then push from local to second host */ /* FIXME * get 1stRemoteHostName * get 2ndRemoteHostName * create _tmp_local = mktemp($ENV{TMP}/1stRemoteHostName.$$) */ /* FIXME modify argv to have _tmp_local * as destination */ tolocal(argc, argv); /* TODO make dest local host from server1 (argc-2 ?) */ verifydir( _tmp_local ); /* FIXME modify argv to have _tmp_local as the copying from source * and the 2ndRemoteHostName as the destination */ toremote(targ, argc, argv); /* TODO make dest remote server2 */ } else if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */ toremote(targ, argc, argv); else { tolocal(argc, argv); /* Dest is local host. */ if (targetshouldbedirectory) verifydir(argv[argc - 1]); } -- ----)(----- Luis M System Administrator Kiskeyix.org "We think basically you watch television to turn your brain off, and you work on your computer when you want to turn your brain on" -- Steve Jobs in an interview for MacWorld Magazine 2004-Feb No .doc: http://www.fsf.org/philosophy/no-word-attachments.es.html From reed at reedmedia.net Thu May 26 06:33:23 2005 From: reed at reedmedia.net (Jeremy C. Reed) Date: Wed, 25 May 2005 13:33:23 -0700 (PDT) Subject: no wtmp updates Message-ID: Please carbon-copy me on replies. For some reason, my wtmp is never updated when I login via openssh. Some information about my system: Linux kernel 2.6.9 running glibc-2.3.4. And the opensshd is openssh-3.9p1 (pkgsrc package openssh-3.9.1nb6). $ ls -l /var/log/lastlog /var/log/wtmp /var/run/utmp -rw-rw-r-- 1 root utmp 29492 May 25 13:12 /var/log/lastlog -rw-rw-r-- 1 root utmp 0 May 25 10:41 /var/log/wtmp -rw-rw-r-- 1 root utmp 4224 May 25 11:12 /var/run/utmp lastlog shows me an entry from my last ssh login. And last and who don't show any of my ssh logins. The following is my ./configure log (scroll down a little) and the generated config.h: http://pilchuck.reedmedia.net/jeremy/tmp-o8ttye68/configure.log http://pilchuck.reedmedia.net/jeremy/tmp-o8ttye68/config.h I am not sure if this is openssh related yet. Any ideas? Please CC to me on replies. Thanks, Jeremy C. Reed technical support & remote administration http://www.pugetsoundtechnology.com/ From reed at reedmedia.net Thu May 26 09:21:16 2005 From: reed at reedmedia.net (Jeremy C. Reed) Date: Wed, 25 May 2005 16:21:16 -0700 (PDT) Subject: no wtmp updates In-Reply-To: Message-ID: On Wed, 25 May 2005, Jeremy C. Reed wrote: > For some reason, my wtmp is never updated when I login via > openssh. ... > I am not sure if this is openssh related yet. Sorry for the noise. This was caused by a typo in an old patch that was included in the build system for openssh I am using. It was a patch for loginrec.c that changed checks for defined USE_LOGIN to also check for HAVE_UTMP_H to be defined too. (But one had a typo HAVE_UMTP_H.) Jeremy C. Reed BSD News, BSD tutorials, BSD links http://www.bsdnewsletter.com/ From djm at cvs.openbsd.org Thu May 26 15:38:31 2005 From: djm at cvs.openbsd.org (Damien Miller) Date: Wed, 25 May 2005 23:38:31 -0600 (MDT) Subject: OpenSSH 4.1 released Message-ID: <200505260538.j4Q5cVBX025196@cvs.openbsd.org> OpenSSH 4.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu Changes since OpenSSH 4.0: ============================ * This is a bugfix release, no new features have been added. Some notable fixes are: - Fix segfault when using forwardings configured in ssh_config(5) and ClearAllForwardings (bugzilla #996) - Limit input buffer size for channels. A peer could send more data than the buffer code was willing to accept. This would cause OpenSSH to abort the connection (bugzilla #896) * Several improvements to the regression tests * Portable OpenSSH: - OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to IPv4 addresses. This means that IPv4 addresses in log messages on IPv6 enabled machines will no longer be prefixed by "::ffff:" and AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only for 4-in-6 mapped connections. This ensures a consistent representation of IPv4 addresses regardless of whether or not the machine is IPv6 enabled. * Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006, #1024, and #1038 Changes since OpenSSH 3.9: ============================ * ssh(1) now allows the optional specification of an address to bind to in port forwarding connections (local, remote and dynamic). Please refer to the documentation for the -L and -R options in the ssh(1) manual page and the LocalForward and RemoteForward options in the ssh_config(5) manpage. (Bugzilla #413) * To control remote bindings while retaining backwards compatibility, sshd(8)'s GatewayPorts option has been extended. To allow client specified bind addresses for remote (-R) port forwardings, the server must be configured with "GatewayPorts clientspecified". * ssh(1) and ssh-keyscan(1) now support hashing of host names and addresses added to known_hosts files, controlled by the ssh(1) HashKnownHosts configuration directive. This option improves user privacy by hiding which hosts have been visited. At present this option is off by default, but may be turned on once it receives sufficient testing. * Added options for managing keys in known_hosts files to ssh-keygen(1), including the ability to search for hosts by name, delete hosts by name and convert an unhashed known_hosts file into one with hashed names. These are particularly useful for managing known_hosts files with hashed hostnames. * Improve account and password expiry support in sshd(8). Ther server will now warn in advance for both account and password expiry. * sshd(8) will now log the source of connections denied by AllowUsers, DenyUsers, AllowGroups and DenyGroups (Bugzilla #909) * Added AddressFamily option to sshd(8) to allow global control over IPv4/IPv6 usage. (Bugzilla #989) * Improved sftp(1) client, including bugfixes and optimisations for the ``ls'' command and command history and editing support using libedit. * Improved the handling of bad data in authorized_keys files, eliminating fatal errors on corrupt or very large keys. (Bugzilla #884) * Improved connection multiplexing support in ssh(1). Several bugs have been fixed and a new "command mode" has been added to allow the control of a running multiplexing master connection, including checking that it is up, determining its PID and asking it to exit. * Have scp(1) and sftp(1) wait for the spawned ssh to exit before they exit themselves. This prevents ssh from being unable to restore terminal modes (not normally a problem on OpenBSD but common with -Portable on POSIX platforms). (Bugzilla #950) * Portable OpenSSH: - Add *EXPERIMENTAL* BSM audit support for Solaris systems (Bugzilla #125) - Enable IPv6 on AIX where possible (see README.platform for details), working around a misfeature of AIX's getnameinfo. (Bugzilla #835) - Teach sshd(8) to write failed login records to btmp for unsuccessful auth attempts. Currently this is only for password, keyboard-interactive and challenge/response authentication methods and only on Linux and HP-UX. - sshd(8) now sends output from failing PAM session modules to the user before exiting, similar to the way /etc/nologin is handled - Store credentials from gssapi-with-mic authentication early enough to be available to PAM session modules when privsep=yes. Checksums: ========== - SHA1 (openssh-4.1.tar.gz) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb - SHA1 (openssh-4.1p1.tar.gz) = c872b4f479f372bbcf0116a37d26b0c98b3ca475 Reporting Bugs: =============== - please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/ OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. From Sergio.Gelato at astro.su.se Thu May 26 20:31:55 2005 From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Thu, 26 May 2005 12:31:55 +0200 Subject: scp remote-to-remote implementation In-Reply-To: References: Message-ID: <20050526103154.GD1143@hanuman.astro.su.se> * Luis M [2005-05-24 12:30:08 -0400]: > (Please when replying include my email since i'm not subscribe to this list) > I always wanted to be able to copy from one remote location to another > from a master server/workstation using something like: > scp [-r] server1:/path/to/dir server2:/path/to/dir2 > And have scp "know" that i mean to copy from server1 to localhost and > from localhost to server2 or something of that sort. For as long as it > is transparent to the end user. (Un?)fortunately for you, that syntax already has the effect to make scp copy the files from server1 to server2 directly (i.e., without going through localhost). If there is direct connectivity between server1 and server2 and you've sorted out any credentials forwarding issues, it could be both simpler and more efficient than sending the data through localhost. Also note that scp is meant to be a drop-in replacement for rcp, and will probably not be developed beyond what is required for rcp compatibility. If you are looking for a project, consider enhancing sftp instead. I mentioned credentials forwarding issues. I find that things work smoothly for me with either HostbasedAuthentication or GSSAPIAuthentication (with credentials delegation enabled, of course). Less so with ssh-agent (I used the -c option to ssh-add, and have agent forwarding turned off by default; maybe it works when the default is ForwardAgent=yes). Presumably in an environment where such things are meant to be transparent to the end user you'll have the right settings in ssh_config. > I also know that there is a better way of having this done (having a > pipe created locally that automatically pipes things through from > server1->localhost->server2 Is there any particular reason why you must go through localhost? The only one I can imagine is if direct connectivity between server1 and server2 is poor or nonexistent. Quick-and-dirty might be ssh server1 tar cf - -C /path/to/dir . | \ ssh server2 tar xf - -C /path/to/dir2 Or maybe, if you can initiate the transfer from either server1 or server2, you could use rsync with a suitable -e option ("ssh mitm ssh", where mitm is a name by which these servers know your local host). I haven't tested this; there might be a snag or two I've missed, hence the "maybe". From djm at cvs.openbsd.org Thu May 26 21:15:59 2005 From: djm at cvs.openbsd.org (Damien Miller) Date: Thu, 26 May 2005 05:15:59 -0600 (MDT) Subject: OpenSSH 4.1 released Message-ID: <200505261115.j4QBFxsC030931@cvs.openbsd.org> Hi, The SHA1 checksum on the last announcement was incorrect for the portable OpenSSH tarball. The correct checksums are: SHA1 (openssh-4.1.tar.gz) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb SHA1 (openssh-4.1p1.tar.gz) = e85d389da8ad8290f5031b8f9972e2623c674e46 Apologies for any inconvenience. Regards, Damien Miller From vinschen at redhat.com Thu May 26 18:32:49 2005 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 26 May 2005 10:32:49 +0200 Subject: OpenSSH 4.1 released In-Reply-To: <200505260538.j4Q5cVBX025196@cvs.openbsd.org> References: <200505260538.j4Q5cVBX025196@cvs.openbsd.org> Message-ID: <20050526083249.GS22615@calimero.vinschen.de> On May 25 23:38, Damien Miller wrote: > OpenSSH 4.1 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly. > [...] > Checksums: > ========== > > - SHA1 (openssh-4.1.tar.gz) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb > - SHA1 (openssh-4.1p1.tar.gz) = c872b4f479f372bbcf0116a37d26b0c98b3ca475 Downloaded from two different mirrors: $ openssl sha1 openssh-4.1p1.tar.gz SHA1(openssh-4.1p1.tar.gz)= e85d389da8ad8290f5031b8f9972e2623c674e46 Please confirm, Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From dtucker at zip.com.au Thu May 26 23:26:02 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 May 2005 23:26:02 +1000 Subject: OpenSSH 4.1 released In-Reply-To: <20050526083249.GS22615@calimero.vinschen.de> References: <200505260538.j4Q5cVBX025196@cvs.openbsd.org> <20050526083249.GS22615@calimero.vinschen.de> Message-ID: <4295CE6A.2080709@zip.com.au> Corinna Vinschen wrote: > Downloaded from two different mirrors: > > $ openssl sha1 openssh-4.1p1.tar.gz > SHA1(openssh-4.1p1.tar.gz)= e85d389da8ad8290f5031b8f9972e2623c674e46 The release notes have been updated with the correct checksums: http://www.openssh.com/txt/release-4.1 - SHA1 (openssh-4.1.tar.gz) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb - SHA1 (openssh-4.1p1.tar.gz) = e85d389da8ad8290f5031b8f9972e2623c674e46 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From matthews at fetchsoftworks.com Fri May 27 01:28:51 2005 From: matthews at fetchsoftworks.com (Jim Matthews) Date: Thu, 26 May 2005 11:28:51 -0400 Subject: SFTP SSH_FXF_TEXT file open flag In-Reply-To: <20050526055520.7365527CE40@shitei.mindrot.org> References: <20050526055520.7365527CE40@shitei.mindrot.org> Message-ID: Are there any plans to support the SSH_FXF_TEXT file open flag (as specified in draft-ietf-secsh-filexfer-08.txt) in OpenSSH's sftpd? How about some of the other extensions (e.g. retrieving MD5 hashes and UTF-8 filenames)? Thanks for any info, -- Jim Matthews Fetch Softworks http://fetchsoftworks.com From vinschen at redhat.com Fri May 27 01:31:58 2005 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 26 May 2005 17:31:58 +0200 Subject: OpenSSH 4.1 released In-Reply-To: <200505261115.j4QBFxsC030931@cvs.openbsd.org> References: <200505261115.j4QBFxsC030931@cvs.openbsd.org> Message-ID: <20050526153158.GV22615@calimero.vinschen.de> On May 26 05:15, Damien Miller wrote: > Hi, > > The SHA1 checksum on the last announcement was incorrect for the portable > OpenSSH tarball. The correct checksums are: > > SHA1 (openssh-4.1.tar.gz) = 62fc9596b20244bb559d5fee3ff3ecc0dfd557cb > SHA1 (openssh-4.1p1.tar.gz) = e85d389da8ad8290f5031b8f9972e2623c674e46 Thanks to both of you, Damien and Darren. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From goebel at emunix.emich.edu Fri May 27 04:21:27 2005 From: goebel at emunix.emich.edu (Matt Goebel) Date: Thu, 26 May 2005 14:21:27 -0400 (EDT) Subject: openssh-4.1p1.tar.gz.asc has bad signature? Message-ID: <200505261821.j4QILRPj014034@poe.emich.edu> Hi, #tcsh#machine# gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz gpg: Signature made Wed May 25 08:26:24 2005 EDT using DSA key ID 86FF9C48 gpg: BAD signature from "Damien Miller (Personal Key) " I made sure that I had the same key loaded that the signature was made with, but that didn't change the error. Thanks, Matt -- Matthew Goebel : goebel at emunix.emich.edu : Unix Jockey @ EMU : Hail Eris Neo-Student, Net Lurker, Donut consumer, and procrastinating Furry Fan. "Always with the negative waves, Moriarty" - Oddball "Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer From dtucker at zip.com.au Sun May 29 12:18:48 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 29 May 2005 12:18:48 +1000 Subject: openssh-4.1p1.tar.gz.asc has bad signature? In-Reply-To: <200505261821.j4QILRPj014034@poe.emich.edu> References: <200505261821.j4QILRPj014034@poe.emich.edu> Message-ID: <42992688.8050802@zip.com.au> Matt Goebel wrote: > #tcsh#machine# gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz > gpg: Signature made Wed May 25 08:26:24 2005 EDT using DSA key ID 86FF9C48 > gpg: BAD signature from "Damien Miller (Personal Key) " From the datestamps it looks like the signature has been updated. The current one does verify. There was a last-minute change to the tarball and I suspect the signature were not updated at the time of the release. $ gpg --verify openssh-4.1p1.tar.gz.asc openssh-4.1p1.tar.gz gpg: Signature made Thu 26 May 2005 06:31:21 PM EST using DSA key ID 86FF9C48 gpg: Good signature from "Damien Miller (Personal Key) " $ openssl sha1 openssh-4.1p1.tar.gz openssh-4.1p1.tar.gz.asc SHA1(openssh-4.1p1.tar.gz)= e85d389da8ad8290f5031b8f9972e2623c674e46 SHA1(openssh-4.1p1.tar.gz.asc)= 1e59229f4ca6eb5aa0a3f13aeee8150559b98139 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Sun May 29 17:25:50 2005 From: djm at mindrot.org (Damien Miller) Date: Sun, 29 May 2005 17:25:50 +1000 Subject: openssh-4.1p1.tar.gz.asc has bad signature? In-Reply-To: <42992688.8050802@zip.com.au> References: <200505261821.j4QILRPj014034@poe.emich.edu> <42992688.8050802@zip.com.au> Message-ID: <42996E7E.3000302@mindrot.org> Darren Tucker wrote: > From the datestamps it looks like the signature has been updated. The > current one does verify. > > There was a last-minute change to the tarball and I suspect the > signature were not updated at the time of the release. Close - the release scripts now sign the tar.gz files directly with gzsig[1], but I erroneously added this *after* the gpg/sha1 signature generation. Since it modified the .gz file, it broke the signature. This was noticed very quickly, but getting the updated signature distributed to the mirrors took some time because the master ftp server had "issues". -d [1] http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/gzsig/ http://monkey.org/~dugsong/gzsig-1.0.tar.gz From tdbrown at uiuc.edu Tue May 31 21:27:14 2005 From: tdbrown at uiuc.edu (Tom Brown) Date: Tue, 31 May 2005 06:27:14 -0500 Subject: ssh exit_status not 255 for many errors Message-ID: <20050531112714.GU6914@kwai.cs.uiuc.edu> Hello openssh developers, I'm having some trouble with ssh version 3.8.1p1 but see the same problem in the source I just pulled from openssh at anoncvs.at.openbsd.org:/cvs The man page for ssh says... ssh exits with the exit status of the remote command or with 255 if an error occurred. thus I expect ssh to always return either 255 or the exit value of the remote command but it frequently returns other values. I want it to return 255 when it cannot connect, for example in this case: $ ssh -v -o ConnectTimeout=5 tdbrown at paypal.com echo hi OpenSSH_3.8.1p1, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to paypal.com [216.113.188.64] port 22. debug1: connect to address 216.113.188.64 port 22: Connection timed out debug1: Connecting to paypal.com [216.113.188.34] port 22. debug1: connect to address 216.113.188.34 port 22: Connection timed out ssh: connect to host paypal.com port 22: Connection timed out $ echo $? 1 <-- Return value of ssh The following fixes my problem --- openssh-3.8.1p1/ssh.c 2005-05-26 13:25:16.000000000 -0700 +++ openssh-3.8.1p1.mine/ssh.c 2005-05-26 13:24:51.000000000 -0700 @@ -579,7 +579,7 @@ original_effective_uid == 0 && options.use_privileged_port, #endif options.proxy_command) != 0) - exit(1); + exit(255); /* * If we successfully made the connection, load the host * private key but `grep exit\( *.c` (both in 3.8.1p1 and cvs ssh.c -r1.255) reveals that ssh frequently returns 1 instead of 255 when it has an error. Is this considered by design or a bug? I only found a problem with scp incorrectly outputting 0 or >0 when searching for "exit" in Bugzilla. Do you think any scripts that call ssh depend on the specific >0 value it returns? I want to write a script that can easily and reliably differentiate between when the remote command has exit status 1 and the command not being run. Thank you for considering my question, Tom -- Tom Brown tdbrown at uiuc.edu