From bill at bfccomputing.com Thu Sep 1 01:28:06 2005
From: bill at bfccomputing.com (Bill McGonigle)
Date: Wed, 31 Aug 2005 11:28:06 -0400
Subject: make tests failure: openssh-SNAP-20050827 on Redhat 9
In-Reply-To:
References: <1ebf407aad2372740d51b9f038b5d579@bfccomputing.com>
Message-ID:

On Aug 31, 2005, at 00:21, Damien Miller wrote:

> Do you have any login banner configured for the system, e.g. using
> pam_motd or similar? This could interfere with that test.

I haven't configured anything - unless it came from the distro install.

/etc/motd exists but is empty.

/etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

#locate pam_motd
/lib/security/pam_motd.so

#more /etc/issue.net
Red Hat Linux release 9 (Shrike)
Kernel \r on an \m

It's not an area I've needed to explore before so I don't know much about it. Just let me know what else to look for or a test to run.

-Bill

-----
Bill McGonigle, Owner                Work: 603.448.4440
BFC Computing, LLC                   Home: 603.448.1668
bill at bfccomputing.com               Mobile: 603.252.2606
http://www.bfccomputing.com/         Pager: 603.442.1833
Jabber: flowerpt at gmail.com          Text: bill+text at bfccomputing.com
RSS: http://blog.bfccomputing.com/rss

From laird at amskiurp.net Thu Sep 1 02:48:02 2005
From: laird at amskiurp.net (laird w pruiksma)
Date: Wed, 31 Aug 2005 12:48:02 -0400
Subject: ssh develpers list
In-Reply-To:
References: <5F98E47AD7B1C349895ED4E2EDF3918B0187395A@stca209a>
Message-ID: <4315DF42.5020507@amskiurp.net>

Hi, Rochelle,

I was involved in a port of openSSH to a vxWorks platform. A fair amount of the effort was in the glue connecting ssh to the proprietary 'shell' application, which would have no relevance to anyone else's work. And I am certainly not familiar with all the OS configuration options under which you may be operating. Given those caveats, I'd be happy to discuss how I handled some of the porting issues, to the best of my memory.

fwiw
:laird

Damien Miller wrote:
> On Tue, 30 Aug 2005, Rosenberg, Rochelle wrote:
>
>> Hi,
>> I am a software developer working on adding ssh server support to an existing
>> embedded device which is based on the VxWorks operating system (very different than
>> windows/linux/unix).
>
> Quite a few people have asked on this list about porting OpenSSH to
> VxWorks over the years and I am sure that some have succeeded. However, I
> don't think any of them submitted their changes back to us for
> integration.
>
> -d
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From tim at multitalents.net Thu Sep 1 03:32:11 2005
From: tim at multitalents.net (Tim Rice)
Date: Wed, 31 Aug 2005 10:32:11 -0700 (PDT)
Subject: Conflict between LDAP and Privilege Separation?
In-Reply-To: <20050830140950.27125.qmail@web50706.mail.yahoo.com>
References: <20050830140950.27125.qmail@web50706.mail.yahoo.com>
Message-ID:

On Tue, 30 Aug 2005, Lets Go Canes wrote:

> Hi all.
>
> --- Tim Rice wrote:
>
> > Looks like a PAM configuration problem.
> >
> > What does your /etc/pam.conf look like?
>
> As far as I am aware, it is the Solaris default:

OK, there are no ssh entries so basically it's the "other" entries.

> other   auth      required   /usr/lib/security/$ISA/pam_unix.so.1
> other   account   requisite  /usr/lib/security/$ISA/pam_roles.so.1
> other   account   required   /usr/lib/security/$ISA/pam_projects.so.1
> other   account   required   /usr/lib/security/$ISA/pam_unix.so.1
> other   session   required   /usr/lib/security/$ISA/pam_unix.so.1
> other   password  required   /usr/lib/security/$ISA/pam_unix.so.1

Your previous post said

> I am also seeing in /var/adm/messages:
>
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error] open_module: stat(/lib/security/pam_limits.so) failed: No such file or directory
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error] load_modules: can not open module /lib/security/pam_limits.so
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 800047 auth.error] error: PAM: pam_open_session(): Dlopen failure
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 776383 auth.error] open_module: stat(/lib/security/pam_nologin.so) failed: No such file or directory
> Aug 29 16:47:55 ssh-host sshd[26773]: [ID 487707 auth.error] load_modules: can not open module /lib/security/pam_nologin.so

None of those (missing) modules are even listed in your pam.conf

Did you build your own PAM stack that uses a different configuration file?

Try running truss(1) on sshd and see what config file it opens.
--
Tim Rice                                Multitalents    (707) 887-1469
tim at multitalents.net

From letsgonhlcanes at yahoo.com Thu Sep 1 06:45:30 2005
From: letsgonhlcanes at yahoo.com (Lets Go Canes)
Date: Wed, 31 Aug 2005 13:45:30 -0700 (PDT)
Subject: Conflict between LDAP and Privilege Separation?
In-Reply-To:
Message-ID: <20050831204530.7644.qmail@web50704.mail.yahoo.com>

--- Tim Rice wrote:
> None of those (missing) modules are even listed in your pam.conf
>
> Did you build your own PAM stack that uses a different configuration
> file?

No. I have done nothing with PAM, except build and configure OpenSSH to utilize it.

> Try running truss(1) on sshd and see what config file it opens.

I downloaded today's snapshot and built it to see if it improved things. It didn't change the behavior, but I no longer get the shared-library errors. I do, however, still get the following in /var/adm/messages on each "drop":

Aug 31 16:20:53 ssh-host sshd[28145]: [ID 800047 auth.error] error: PAM: pam_open_session(): Can not make/remove entry for session

I'm still going through the truss output - I'll let you know if I find anything that looks relevant.

And as with the prior release of OpenSSH, if I disable PrivilegeSeparation, everything works (which would seem to suggest that PAM is configured correctly).

I just did a lot of searching on bugzilla, and what I am seeing *might* be related to http://bugzilla.mindrot.org/show_bug.cgi?id=926; it isn't clear to me as I don't really know PAM.

--------------
Lets Go Canes!

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From dtucker at zip.com.au Thu Sep 1 10:56:03 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 01 Sep 2005 10:56:03 +1000
Subject: make tests failure: openssh-SNAP-20050827 on Redhat 9
In-Reply-To:
References: <1ebf407aad2372740d51b9f038b5d579@bfccomputing.com>
Message-ID: <431651A3.8090902@zip.com.au>

Bill McGonigle wrote:
> On Aug 31, 2005, at 00:21, Damien Miller wrote:
>> Do you have any login banner configured for the system, e.g. using
>> pam_motd or similar? This could interfere with that test.
>
> I haven't configured anything - unless it came from the distro install.
>
> /etc/motd exists but is empty.
[...]
> /etc/pam.d/sshd:
> #%PAM-1.0
> auth required pam_stack.so service=system-auth

This uses the config of the system-auth service (/etc/pam.d/system-auth) so you'll need to look in that file too. Kind of like a "#include" for PAM configs (but subtly different).

> #more /etc/issue.net
> Red Hat Linux release 9 (Shrike)
> Kernel \r on an \m
>
> It's not an area I've needed to explore before so I don't know much
> about it. Just let me know what else to look for or a test to run.

Could you please try temporarily renaming /etc/motd, /etc/issue and /etc/issue.net and rerunning the test?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bill at bfccomputing.com Thu Sep 1 13:42:13 2005
From: bill at bfccomputing.com (Bill McGonigle)
Date: Wed, 31 Aug 2005 23:42:13 -0400
Subject: make tests failure: openssh-SNAP-20050827 on Redhat 9
In-Reply-To: <431651A3.8090902@zip.com.au>
References: <1ebf407aad2372740d51b9f038b5d579@bfccomputing.com> <431651A3.8090902@zip.com.au>
Message-ID:

On Aug 31, 2005, at 20:56, Darren Tucker wrote:

> Could you please try temporarily renaming /etc/motd, /etc/issue and
> /etc/issue.net and rerunning the test?

OK, that didn't help. Same failure.

> This uses the config of the system-auth service (/etc/pam.d/system-auth)
> so you'll need to look in that file too.

#more pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
--

Next?

-Bill

-----
Bill McGonigle, Owner                Work: 603.448.4440
BFC Computing, LLC                   Home: 603.448.1668
bill at bfccomputing.com               Mobile: 603.252.2606
http://www.bfccomputing.com/         Pager: 603.442.1833
Jabber: flowerpt at gmail.com          Text: bill+text at bfccomputing.com
RSS: http://blog.bfccomputing.com/rss

From djm at cvs.openbsd.org Thu Sep 1 23:21:05 2005
From: djm at cvs.openbsd.org (Damien Miller)
Date: Thu, 1 Sep 2005 07:21:05 -0600 (MDT)
Subject: Announce: OpenSSH 4.2 released
Message-ID: <200509011321.j81DL504000295@cvs.openbsd.org>

OpenSSH 4.2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support of the project, especially those who contributed source, reported bugs, tested snapshots and purchased T-shirts or posters.

T-shirt, poster and CD sales directly support the project. Pictures and more information can be found at:
http://www.openbsd.org/tshirts.html and http://www.openbsd.org/orders.html

For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 4.1:
============================

- SECURITY: Fix a bug introduced in OpenSSH 4.0 that caused GatewayPorts to be incorrectly activated for dynamic ("-D") port forwardings when no listen address was explicitly specified.

- SECURITY: sshd in OpenSSH versions prior to 4.2 allows GSSAPI credentials to be delegated to users who log in with methods other than GSSAPI authentication (e.g. public key) when the client requests it. This behaviour has been changed in OpenSSH 4.2 to only delegate credentials to users who authenticate using the GSSAPI method. This eliminates the risk of credentials being inadvertently exposed to an untrusted user/host (though users should not activate GSSAPIDelegateCredentials to begin with when the remote user or host is untrusted)

- Added a new compression method that delays the start of zlib compression until the user has been authenticated successfully. The new method ("Compression delayed") is on by default in the server.
  This eliminates the risk of any zlib vulnerability leading to a compromise of the server from unauthenticated users.

  NB. Older OpenSSH (<3.5) versions have a bug that will cause them to refuse to connect to any server that does not offer compression when the client has compression requested. Since the new "delayed" server mode isn't supported by these older clients, they will refuse to connect to a new server unless compression is disabled (on the client end) or the original compression method is enabled on the server ("Compression yes" in sshd_config)

- Another round of proactive changes for signed vs unsigned integer bugs has been completed, including changing the atomicio() API to encourage safer programming. This work is ongoing.

- Added support for the improved arcfour cipher modes from draft-harris-ssh-arcfour-fixes-02. This improves the cipher's resistance to a number of attacks by discarding early keystream output.

- Increase the default size of new RSA/DSA keys generated by ssh-keygen from 1024 to 2048 bits.

- Many bugfixes and improvements to connection multiplexing, including:
  - Added ControlMaster=auto/autoask options to support opportunistic multiplexing (see the ssh_config(5) manpage for details).
  - The client will now gracefully fall back to starting a new TCP connection if it cannot connect to a specified multiplexing control socket
  - Added %h (target hostname), %p (target port) and %r (remote username) expansion sequences to ControlPath. Also allow ControlPath=none to disable connection multiplexing.
  - Implemented support for X11 and agent forwarding over multiplexed connections. Because of protocol limitations, the slave connections inherit the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding their own.

- Portable OpenSSH: Added support for long passwords (> 8-char) on UnixWare 7.
- The following bugs from http://bugzilla.mindrot.org/ were closed:
  #471  - Misleading error message if /dev/tty perms wrong
  #623  - Don't use $HOME in manpages
  #829  - Don't allocate a tty if -n option is set
  #1025 - Correctly handle disabled special character in ttymodes
  #1033 - Fix compile-time warnings
  #1046 - AIX 5.3 Garbage on Login
  #1054 - Don't terminate connection on getpeername() failure
  #1076 - GSSAPIDelegateCredentials issue mentioned above

- Lots of other improvements and fixes. Please refer to the ChangeLog for details

Thanks to everyone who has contributed patches, problem or test reports.

Checksums:
==========

- SHA1 (openssh-4.2.tar.gz) = d2bd777986a30e446268ceeb24cddbf2edf51b21
- SHA1 (openssh-4.2p1.tar.gz) = 5e7231cfa8ec673ea856ce291b78fac8b380eb78

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.

From skeleten at shillest.net Fri Sep 2 23:38:14 2005
From: skeleten at shillest.net (Norihiko Murase)
Date: Fri, 02 Sep 2005 22:38:14 +0900
Subject: (4.2p1) Missing -R/lib
Message-ID: <20050902223814.926ee0%skeleten@shillest.net>

Hi,

I tried building the version 4.2p1 on the FreeBSD box. Even if I executed the configure script with --with-rpath and --with-libedit=/path/to/libedit, the -R options for libedit are NOT added in linking, although those for zlib and OpenSSL are correctly done. This problem can be easily avoided by editing openssh-4.2p1/Makefile after executing the configure script. This means that you should add -R/lib to LDFLAGS.

I attach the patch configure.ac.diff, which does the following:
* replace -I$withval/include with -I${withval}/include
* improve the output of "% ./configure --help"
as well as does fix the problem mentioned above.

penitence: I should have checked the daily snapshot in this point before 4.2p1 was released...... (;_;)

good news: Now, the libedit distributed at http://www.thrysoee.dk/editline/ can be built also on the FreeBSD-4.x system! (^_^)/

Thanks,

---
Norihiko Murase
The University of Aizu
E-mail: skeleten at shillest.net
        s1080224 at u-aizu.ac.jp

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: configure.ac.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050902/56c109ed/attachment.ksh

From zagar at arlut.utexas.edu Sun Sep 4 03:38:39 2005
From: zagar at arlut.utexas.edu (Randy Zagar)
Date: Sat, 03 Sep 2005 12:38:39 -0500
Subject: Loggin of authorized keys
Message-ID: <1125769120.5731.1.camel@otter.ddns.cactus.org>

This is a follow-up on a thread from last year requesting that openssh indicate which authorized key was accepted during a login as opposed to just logging that a key was accepted... Here's the old message:

  It is possible for ~user/.ssh/authorized_keys to have multiple entries. It would be quite helpful if openssh would enhance the log to indicate WHICH key was accepted, not just that a key was accepted.

  In other words, would you please modify:

    $TIMESTAMP $HOST sshd[$PID]: Accepted publickey for $USER from $IP port $PORT $PROTOCOL

  to add an indication (e.g., the comment field) as to which key was used:

    $TIMESTAMP $HOST sshd[$PID]: Accepted publickey ($COMMENT) for $USER from $IP port $PORT $PROTOCOL

  --- Noel

I understand that this has come up before and has generally been denied on the basis that the comment field is arbitrary user input that shouldn't be trusted. I agree, but...

I cannot stress strongly enough that this kind of auditing record is a requirement for any system operating under CAPP and/or NISPOM auditing guidelines. These guidelines are required in security-sensitive environments, and they both require that logins need to be tied to a specific authorized user... not just an unspecified user who happens to be authorized.

Since we both agree that the comment field isn't trustworthy, I'd like to suggest some alternate ways of dealing with this:

1. Convert the $COMMENT field to Base64. That would be safe...
2. You could use the MD5/SHA checksum of the $COMMENT field, or
3. Use the checksum of the public key itself

The only reason I'm writing today is because it didn't look like there was a clear explanation of why this extra information is needed in the audit log. Hopefully, this provides a little more background.
So, is this something that we can move forward with or am I looking at another rejected feature request?

-RZ

p.s. Here are some reference documents 4 U...

CAPP - Controlled Access Protection Profile
http://niap.nist.gov/cc-scheme/pp/PP_CAPP_V1.d.pdf

NISPOM - National Industrial Security Program Operations Manual
http://www.dss.mil/isec/nispom.pdf

From djm at mindrot.org Sun Sep 4 10:34:03 2005
From: djm at mindrot.org (Damien Miller)
Date: Sun, 04 Sep 2005 10:34:03 +1000
Subject: Loggin of authorized keys
In-Reply-To: <1125769120.5731.1.camel@otter.ddns.cactus.org>
References: <1125769120.5731.1.camel@otter.ddns.cactus.org>
Message-ID: <431A40FB.4010007@mindrot.org>

Randy Zagar wrote:
> This is a follow-up on a thread from last year requesting that openssh
> indicate which authorized key was accepted during a login as opposed to
> just logging that a key was accepted...

We have answered this many times: Set "LogLevel verbose" in sshd_config. E.g.

Sep 4 10:33:06 baragon sshd[14039]: Found matching RSA key: 15:4f:de:f6:66:88:90:b4:a3:87:43:f2:28:35:65:f6

From dwmw2 at infradead.org Mon Sep 5 02:46:33 2005
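The correlation that the reply above relies on, worked through as an added example that is not part of the original thread and not OpenSSH code: with "LogLevel verbose", sshd logs the fingerprint of the key that matched ("Found matching RSA key: ...") from the same sshd[PID] that then logs "Accepted publickey for ...". Pairing the two lines by PID gives the audit record the request asks for without trusting the comment field. The program below does that over a constructed log sample: the first line is the one quoted in the reply, while the user names, addresses, ports and the second PID are invented, and the third line deliberately has no fingerprint line before it, which is what the log looks like at the default log level or when a verbose line is lost, so the acceptance is reported as unattributed rather than silently paired with the wrong key.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH code: tie each "Accepted publickey" line to
 * the verbose-level "Found matching ... key: <fingerprint>" line logged by
 * the same sshd process, so an audit trail names the specific key used. */

#define MAX_PENDING 16
#define FIELD_LEN 128

struct attribution {
    long pid;
    char user[FIELD_LEN];
    char from[FIELD_LEN];
    char fingerprint[FIELD_LEN];   /* empty when no key line preceded the login */
};

struct pending {
    long pid;
    char fingerprint[FIELD_LEN];
};

/* Constructed sample (hypothetical users/addresses; TEST-NET-1 addresses). */
static const char *const sample_log[] = {
    "Sep  4 10:33:06 baragon sshd[14039]: Found matching RSA key: 15:4f:de:f6:66:88:90:b4:a3:87:43:f2:28:35:65:f6",
    "Sep  4 10:33:06 baragon sshd[14039]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2",
    "Sep  4 10:35:12 baragon sshd[14101]: Accepted publickey for bob from 192.0.2.11 port 50240 ssh2",
};
#define SAMPLE_LINES (sizeof sample_log / sizeof sample_log[0])

/* PID from the "sshd[NNN]:" tag; -1 if the line is not from sshd. */
static long parse_pid(const char *line)
{
    const char *p = strstr(line, "sshd[");
    return p == NULL ? -1 : strtol(p + 5, NULL, 10);
}

/* Copy one space-delimited token, truncating to the field size. */
static void copy_token(char *dst, const char *src)
{
    size_t n = strcspn(src, " \r\n");
    if (n >= FIELD_LEN)
        n = FIELD_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Scan log lines in order; returns the number of login records written. */
size_t attribute_logins(const char *const *lines, size_t nlines,
                        struct attribution *out, size_t max_out)
{
    struct pending pend[MAX_PENDING];
    size_t npend = 0, nout = 0, i, j;

    for (i = 0; i < nlines; i++) {
        const char *line = lines[i];
        const char *p;
        long pid = parse_pid(line);

        if (pid < 0)
            continue;

        /* Verbose-level line: remember which key matched for this PID. */
        if ((p = strstr(line, "Found matching ")) != NULL &&
            (p = strstr(p, " key: ")) != NULL) {
            if (npend < MAX_PENDING) {
                pend[npend].pid = pid;
                copy_token(pend[npend].fingerprint, p + 6);
                npend++;
            }
            continue;
        }

        /* Default-level line: emit the record, attributed if a key is pending. */
        if ((p = strstr(line, "Accepted publickey for ")) != NULL) {
            if (nout >= max_out)
                break;
            out[nout].pid = pid;
            copy_token(out[nout].user, p + strlen("Accepted publickey for "));
            out[nout].from[0] = '\0';
            out[nout].fingerprint[0] = '\0';
            if ((p = strstr(p, " from ")) != NULL)
                copy_token(out[nout].from, p + 6);
            for (j = 0; j < npend; j++) {
                if (pend[j].pid == pid) {
                    strcpy(out[nout].fingerprint, pend[j].fingerprint);
                    pend[j] = pend[--npend];   /* consume the pending entry */
                    break;
                }
            }
            nout++;
        }
    }
    return nout;
}

int main(void)
{
    struct attribution rec[8];
    size_t n = attribute_logins(sample_log, SAMPLE_LINES, rec, 8), i;

    for (i = 0; i < n; i++)
        printf("pid=%ld user=%s from=%s key=%s\n", rec[i].pid, rec[i].user,
               rec[i].from, rec[i].fingerprint[0] ? rec[i].fingerprint
                                                 : "(unattributed: no verbose key line)");
    return 0;
}
```

Records whose fingerprint is empty are the ones an auditor should treat as gaps: either the server is not running at "LogLevel verbose", or the key line and the acceptance line came from different processes.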
From: dwmw2 at infradead.org (David Woodhouse)
Date: Sun, 04 Sep 2005 17:46:33 +0100
Subject: ControlPersist and multiple X11 forwarding.
Message-ID: <1125852393.6146.52.camel@baythorne.infradead.org>

Three patches attached.

One implements a 'ControlPersist' option, which when used with 'ControlMaster auto' or 'ControlMaster yes' makes the master background itself and stick around after its own primary session is completed.

The second causes control clients to pass X11 display, auth proto and auth data over the control socket so that appropriate X11 forwarding can happen for each, instead of using $DISPLAY and $XAUTHORITY of the master even for all the clients.

The third dispenses with the 'Already forwarding for a different $DISPLAY' error, to make the second patch actually useful. We delay opening the connection to the X server until after we've seen an authentication attempt, and since each set of fake authentication data is unique, we can use that to work out which server to connect to.

The third patch isn't quite ready yet. Is the way I did the use count on the X11 forwarding structure the best way to do it? And why does the X11 connection stall after authentication, until after some other traffic occurs between client and server?

--
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-4.2p1-controlpersist.patch
Type: text/x-patch
Size: 2148 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050904/cbb54e4c/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-4.2p1-controldisplay.patch
Type: text/x-patch
Size: 4241 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050904/cbb54e4c/attachment-0001.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-4.2p1-multidisplay.patch
Type: text/x-patch
Size: 12412 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050904/cbb54e4c/attachment-0002.bin

From dwmw2 at infradead.org Mon Sep 5 19:02:24 2005
From: dwmw2 at infradead.org (David Woodhouse)
Date: Mon, 05 Sep 2005 10:02:24 +0100
Subject: Clean up dead control sockets.
Message-ID: <1125910944.6146.96.camel@baythorne.infradead.org>

With 'ControlMaster auto' a stale socket will prevent ssh from being able to connect. It'll try to use the socket, fail, then connect for itself... but will then abort when it can't create its own socket.

--- openssh-4.2p1/ssh.c~ 2005-09-05 09:49:31.000000000 +0100 +++ openssh-4.2p1/ssh.c 2005-09-05 09:56:34.000000000 +0100 @@ -1247,7 +1247,11 @@ control_client(const char *path) } if (errno == ENOENT) debug("Control socket \"%.100s\" does not exist", path); - else { + else if (errno == ECONNREFUSED) { + debug("Control socket connect(%.100s): %s", path, + strerror(errno)); + unlink(path); + } else { error("Control socket connect(%.100s): %s", path, strerror(errno)); }

--
dwmw2

From dwmw2 at infradead.org Mon Sep 5 19:15:17 2005
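Review bot: the `+ unlink(path);` branch removes the control socket on any ECONNREFUSED, but a connect() to a Unix socket that is bound and not yet listening is also refused, so a second ssh racing a freshly started master can delete a live socket and every later 'ControlMaster auto' client will then quietly fall back to its own TCP connection. Consider restricting the unlink to the case where this process is about to become the master itself, or checking that nothing holds the socket before removing it. Downgrading the message from error() to debug() also hides the removal from the user; keep the refused-connect report at error() level so that a deleted socket is visible in the normal output.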
From: dwmw2 at infradead.org (David Woodhouse)
Date: Mon, 05 Sep 2005 10:15:17 +0100
Subject: ControlPersist and multiple X11 forwarding.
In-Reply-To: <1125852393.6146.52.camel@baythorne.infradead.org>
References: <1125852393.6146.52.camel@baythorne.infradead.org>
Message-ID: <1125911717.6146.99.camel@baythorne.infradead.org>

On Sun, 2005-09-04 at 17:46 +0100, David Woodhouse wrote:
> And why does the X11 connection stall after authentication, until
> after some other traffic occurs between client and server?

To answer my own question... it's because we allocated a new file descriptor and increased channel_fd_max, but we did so only _after_ channel_prepare_select() had already set *maxfdp and made sure that the fd_sets were large enough to cope. So we don't get to select on the new one until the _next_ time round the loop.

Not only that, but when we do FD_SET the new file descriptor in an existing fd_set, we could be scribbling over random memory because the fd_set isn't actually large enough.

A quick but dirty workaround is just to have channel_prepare_select() allow for one or two more file descriptors than we actually need. If we can get _many_ simultaneous X11 authentication packets, though, all on different connections, then that won't be sufficient.

Better suggestions...?

--- openssh-4.2p1/channels.c~ 2005-09-05 09:05:21.000000000 +0100 +++ openssh-4.2p1/channels.c 2005-09-05 09:05:56.000000000 +0100 @@ -1779,7 +1779,8 @@ channel_prepare_select(fd_set **readsetp { u_int n, sz; - n = MAX(*maxfdp, channel_max_fd); + /* Allow for two more fds to be allocated */ + n = MAX(*maxfdp, channel_max_fd + 2); sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); /* perhaps check sz < nalloc/2 and shrink? */

--
dwmw2

From guyverdh at mchsi.com Tue Sep 6 13:58:28 2005
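Review bot: the `+ n = MAX(*maxfdp, channel_max_fd + 2);` line turns an out-of-bounds write into a bounds assumption; nothing in the hunk stops a third descriptor opened by the pre handlers in the same pass from being FD_SET past the `howmany(n+1, NFDBITS) * sizeof(fd_mask)` allocation, which the message itself notes is possible with many simultaneous X11 authentication packets. The comment `/* Allow for two more fds to be allocated */` should at least say which code paths open those descriptors so a later change does not silently outgrow the slack. A sturdier fix is to make the insertion side check the descriptor against the allocated size (growing the set when it does not fit) or to re-run the sizing after the pre handlers have executed, rather than guessing at prepare time.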
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Tue, 06 Sep 2005 03:58:28 +0000
Subject: Knock SSHD call in and SSH call out scripts
Message-ID: <090620050358.5539.431D13E3000CA2C8000015A32197912995080B9D0A90979A09@mchsi.com>

Okay, I finally took the time to re-write the scripts that I had talked about a few threads earlier.

I have 2 versions of them, and they currently work for Redhat Enterprise 4 and SuSE Enterprise 9. (using iptables, and xinetd.d)

The 2 varieties are:

#1 knock, to be allowed to connect from the IP address written by the knock sequence. This adds an iptable entry to allow the specified IP address to connect to the specified knock ssh port (I used 32022 for my example), opens a listener for 30 seconds, then kills the listener and drops the iptable entry.

#2 knock, to have the server ssh to the IP address specified, to open a back channel into the server's ssh daemon. This allows the knocking client to connect to the server over the R mapped port (I used 2022 for my example). The nice thing about this is that the reverse mapping stays open until you kill the ssh connection.

Now, my question is, where would be a good place to write this up, and share my sample scripts? Is there even any interest in this?

Thanks for your time.

From support at lancronix.ru Tue Sep 6 18:08:56 2005
From: support at lancronix.ru (support at lancronix.ru)
Date: Tue, 6 Sep 2005 12:08:56 +0400
Subject: OpenSSH-4.2p1 with OpenSSL-0.98 (bug)
In-Reply-To: <200509052316.j85NGZr3001735@cvs.openbsd.org>
References: Your message of "Tue, 06 Sep 2005 01:08:23 +0400." <1606963153.20050906010823@lancronix.ru> <200509052316.j85NGZr3001735@cvs.openbsd.org>
Message-ID: <885610881.20050906120856@lancronix.ru>

Hello.

Installed OpenSSL-0.98. I cannot collect new OpenSSH-4.2p1; at assembly there is a mistake:

if test ! -z ""; then \
        /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; \
fi
(cd openbsd-compat && make)
make[1]: Entering directory `/home/pkg/openssh-4.2p1/openbsd-compat'
make[1]: ???? `all' ?? ??????? ?????????? ??????.
make[1]: Leaving directory `/home/pkg/openssh-4.2p1/openbsd-compat'
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x35): In function `dlfcn_load':
: undefined reference to `dlopen'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x95): In function `dlfcn_load':
: undefined reference to `dlclose'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xbc): In function `dlfcn_load':
: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x147): In function `dlfcn_bind_var':
: undefined reference to `dlsym'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x172): In function `dlfcn_bind_var':
: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x237): In function `dlfcn_bind_func':
: undefined reference to `dlsym'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x262): In function `dlfcn_bind_func':
: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x51b): In function `dlfcn_unload':
: undefined reference to `dlclose'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

_______________________________
? ????????? ?????? ?????????.
???. 772-61-07
Email: support at lancronix.ru

From dwmw2 at infradead.org Tue Sep 6 21:57:10 2005
From: dwmw2 at infradead.org (David Woodhouse)
Date: Tue, 06 Sep 2005 12:57:10 +0100
Subject: ControlPersist and multiple X11 forwarding.
In-Reply-To: <1125852393.6146.52.camel@baythorne.infradead.org>
References: <1125852393.6146.52.camel@baythorne.infradead.org>
Message-ID: <1126007830.6146.176.camel@baythorne.infradead.org>

On Sun, 2005-09-04 at 17:46 +0100, David Woodhouse wrote:
> The second causes control clients to pass X11 display, auth proto and
> auth data over the control socket so that appropriate X11 forwarding can
> happen for each, instead of using $DISPLAY and $XAUTHORITY of the master
> even for all the clients.

I hadn't realised that xfree(NULL) was forbidden. Updated patch #2.

Note that this also fixes a memory leak in client_process_control() in the case where sending an empty buffer back to the client fails.

I've collected the current set of patches at http://david.woodhou.se/openssh-control.html

I've dealt with the most important features I think are lacking in 4.2, but there's a few more minor things to fix yet.

- I'd like a better answer than the 'slack-fds' patch, and especially the hard-coded '+2' in it. Perhaps we should keep count of the number of 'pending' file descriptors which may be opened by the channel_pre handlers at any time?

- The master should permit X11 forwarding for clients, even if X11 forwarding wasn't enabled on the original connection. While we're at it, we should pass the 'forward_x11_trusted' option over the control socket too.

- Should investigate multiple agent forwarding. That's somewhat harder than multiple X11 forwarding, and may not be possible at all. But the lack of multiple agent forwarding is less of a problem than the lack of multiple X11 forwarding; at least for me.

--
dwmw2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-4.2p1-controldisplay.patch
Type: text/x-patch
Size: 4304 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050906/dbefd8ac/attachment.bin

From vdanen at linsec.ca Wed Sep 7 01:58:56 2005
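One shape a "better answer than the 'slack-fds' patch" could take, as an added example written for this thread and not code from OpenSSH or from the patches above: instead of reserving a fixed two extra descriptors at prepare time, keep the allocated size next to the fd_set and make every insertion check the descriptor against that size, growing the buffer when a descriptor opened after sizing (the X11 case the earlier message describes) would not fit. The struct and function names are my own; the sizing arithmetic mirrors the howmany(n+1, NFDBITS) * sizeof(fd_mask) computation quoted in the channels.c hunk, written with sizeof(long) so it builds without BSD extensions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>

/* Added example, not OpenSSH code: an fd_set whose allocated size travels
 * with it, so a descriptor allocated after the set was sized is detected
 * and the buffer grown instead of FD_SET writing past the allocation. */

#define WORD_BITS (8 * sizeof(long))

struct dyn_fdset {
    fd_set *set;     /* heap buffer; may be larger than sizeof(fd_set) */
    size_t nbytes;   /* bytes actually allocated */
};

/* Bytes needed so descriptors 0..maxfd each have a bit: round maxfd+1 bits
 * up to whole words, the same shape as howmany(n+1, NFDBITS) * sizeof(fd_mask). */
static size_t bytes_for_fds(int maxfd)
{
    size_t bits = (size_t)maxfd + 1;
    size_t words = (bits + WORD_BITS - 1) / WORD_BITS;
    return words * sizeof(long);
}

/* Number of descriptor values (0..capacity-1) the buffer can hold. */
int dyn_fdset_capacity(const struct dyn_fdset *d)
{
    return (int)(d->nbytes * 8);
}

int dyn_fdset_init(struct dyn_fdset *d, int maxfd)
{
    d->nbytes = bytes_for_fds(maxfd);
    d->set = calloc(1, d->nbytes);
    return d->set == NULL ? -1 : 0;
}

/* Bounds-checked FD_SET: grow (zero-filling the new tail) when fd lies beyond
 * the bits we own. Returns 0 on success, -1 on a bad fd or allocation failure. */
int dyn_fdset_add(struct dyn_fdset *d, int fd)
{
    if (fd < 0)
        return -1;
    if ((size_t)fd >= d->nbytes * 8) {
        size_t want = bytes_for_fds(fd);
        fd_set *grown = realloc(d->set, want);
        if (grown == NULL)
            return -1;
        memset((char *)grown + d->nbytes, 0, want - d->nbytes);
        d->set = grown;
        d->nbytes = want;
    }
    FD_SET(fd, d->set);
    return 0;
}

/* Bounds-checked FD_ISSET: a descriptor outside the buffer is simply not set. */
int dyn_fdset_isset(const struct dyn_fdset *d, int fd)
{
    if (fd < 0 || (size_t)fd >= d->nbytes * 8)
        return 0;
    return FD_ISSET(fd, d->set) ? 1 : 0;
}

void dyn_fdset_free(struct dyn_fdset *d)
{
    free(d->set);
    d->set = NULL;
    d->nbytes = 0;
}

int main(void)
{
    struct dyn_fdset d;
    int cap, late_fd;

    if (dyn_fdset_init(&d, 10) != 0)
        return 1;
    cap = dyn_fdset_capacity(&d);
    /* A descriptor that only exists after sizing, as with the X11 connection. */
    late_fd = cap + 6;
    printf("sized for maxfd 10: %d descriptors; adding fd %d -> %s, capacity now %d\n",
           cap, late_fd, dyn_fdset_add(&d, late_fd) == 0 ? "ok" : "failed",
           dyn_fdset_capacity(&d));
    dyn_fdset_free(&d);
    return 0;
}
```

The select() call would then be given dyn_fdset_capacity(&d) - 1 (or the real highest descriptor, whichever is smaller) as its nfds argument; the point is that the growth decision is made where the descriptor is inserted, so a wrong guess at prepare time can no longer turn into an out-of-bounds write.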
From: vdanen at linsec.ca (Vincent Danen)
Date: Tue, 6 Sep 2005 09:58:56 -0600
Subject: OpenSSH-4.2p1 with OpenSSL-0.98 (bug)
In-Reply-To: <885610881.20050906120856@lancronix.ru>
References: <1606963153.20050906010823@lancronix.ru> <200509052316.j85NGZr3001735@cvs.openbsd.org> <885610881.20050906120856@lancronix.ru>
Message-ID: <20050906155856.GE11318@annvix.org>

* support at lancronix.ru [2005-09-06 12:08:56 +0400]:

> Installed OpenSSL-0.98
> I cannot collect new OpenSSH-4.2p1 at assembly there is a mistake:
>
> if test ! -z ""; then \
>         /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; \
> fi
> (cd openbsd-compat && make)
> make[1]: Entering directory `/home/pkg/openssh-4.2p1/openbsd-compat'
> make[1]: ???? `all' ?? ??????? ?????????? ??????.
> make[1]: Leaving directory `/home/pkg/openssh-4.2p1/openbsd-compat'
> gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib
> -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x35): In function `dlfcn_load':
> : undefined reference to `dlopen'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x95): In function `dlfcn_load':
> : undefined reference to `dlclose'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xbc): In function `dlfcn_load':
> : undefined reference to `dlerror'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x147): In function `dlfcn_bind_var':
> : undefined reference to `dlsym'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x172): In function `dlfcn_bind_var':
> : undefined reference to `dlerror'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x237): In function `dlfcn_bind_func':
> : undefined reference to `dlsym'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x262): In function `dlfcn_bind_func':
> : undefined reference to `dlerror'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x51b): In function `dlfcn_unload':
> : undefined reference to `dlclose'
> collect2: ld returned 1 exit status
> make: *** [ssh] Error 1

I don't know specifically what the problem is, but I do know that openssh 4.2 does play nice with openssl 0.9.8:

[vdanen at build ~]$ rpm -q openssl
openssl-0.9.8-2avx
[vdanen at build ~]$ rpm -q openssh
openssh-4.2p1-3avx

This is on an Annvix 1.1-CURRENT system (2.4 Linux-based). Works just peachy.

I'm not an expert or anything, so I'll defer to others on this, just wanted to pipe up to say that openssh does work with that version of openssl (works and compiles fine). However, you didn't note what operating system you're using, etc., which makes it a little difficult to help diagnose.

--
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050906/86c09e53/attachment.bin

From wfielder at mail.com Wed Sep 7 05:35:34 2005
From: wfielder at mail.com (Winter)
Date: Tue, 6 Sep 2005 15:35:34 -0400
Subject: make install error, 4.2p1
Message-ID: <001c01c5b31a$27fde740$d428849c@winter>

Good day and well met.

I'm trying to compile and install openssh-4.2p1 on a Sun Ultra-250 running Solaris 8. It's not happy about something. I've searched the bug list and the mail archives but haven't seen another posting about this. Apologies if there is one and my eyes just slid right over it.

I've run a configure with the following options, and with no options at all:

./configure --prefix=/usr/local/ossh --sysconfdir=/etc/ossh --with-tcpwrappers
make clean
make
make install

if test ! -z ""; then \
	/usr/bin/perl ./fixprogs ssh_prng_cmds ; \
fi
(cd openbsd-compat && make)
make[1]: Entering directory `/usr/local/src/openssh-4.2p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/local/src/openssh-4.2p1/openbsd-compat'
(cd scard && make DESTDIR= install)
make[1]: Entering directory `/usr/local/src/openssh-4.2p1/scard'
../mkinstalldirs /usr/local/share
/usr/local/bin/install -c -m 0644 ./Ssh.bin /usr/local/share/Ssh.bin
install: The -c, -f, -n options each require a directory following!
make[1]: *** [install] Error 2
make[1]: Leaving directory `/usr/local/src/openssh-4.2p1/scard'
make: *** [scard-install] Error 2

I've not posted the entire makefile out of respect to the bandwidth gods, and I'm not sure which specific section of it would be the most helpful. Any help would be most appreciated.

W.

From tim at multitalents.net Wed Sep 7 06:31:39 2005
From: tim at multitalents.net (Tim Rice)
Date: Tue, 6 Sep 2005 13:31:39 -0700 (PDT)
Subject: make install error, 4.2p1
In-Reply-To: <001c01c5b31a$27fde740$d428849c@winter>
References: <001c01c5b31a$27fde740$d428849c@winter>
Message-ID:

On Tue, 6 Sep 2005, Winter wrote:

> Good day and well met.
>
> I'm trying to compile and install openssh-4.2p1 on a Sun Ultra-250 running
> Solaris 8.
[snip]
> /usr/local/bin/install -c -m 0644 ./Ssh.bin /usr/local/share/Ssh.bin
> install: The -c, -f, -n options each require a directory following!

Your install program in /usr/local/bin is incompatible. Try /usr/ucb/install or install-sh in the OpenSSH source tree.

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From derek at ximbiot.com Wed Sep 7 06:36:40 2005
From: derek at ximbiot.com (Derek Price)
Date: Tue, 06 Sep 2005 16:36:40 -0400
Subject: ssh launched from xterm still running after xterm killed on Cygwin
Message-ID: <431DFDD8.5060202@ximbiot.com>

When I launch ssh sessions from xterms and exit them via the command line, the processes go away, but if I just kill the xterm window an ssh was launched from via a mouse click, the ssh.exe hangs around taking up system resources until I kill it via the task manager, if I can figure out which ssh.exes are the zombies.

The same problem *does not* occur from a simple bash shell window (launched via C:\cygwin\bin\bash --login -i). Closing this bash shell does properly kill the ssh session, so I expect this problem will end up having something to do with xterm.

This is with the latest Cygwin (upgraded a few minutes ago via the kernel.org mirror) on Windows NT SP2 with all the latest updates. Output of `cygcheck -s -v -r > cygcheck.out' attached.

(Incidentally, my ssh-agents also keep running, though I *like* that - it means that the following script doesn't care if I exit the original bash-shell:

# One agent socket per host at a fixed path, so every new shell finds
# the agent an earlier shell started.
export SSH_AUTH_SOCK=$HOME/.ssh-agent/`hostname`-ssh-auth-sock
if test -d "$HOME/.ssh-agent"; then :; else
    mkdir -m 0700 "$HOME/.ssh-agent"   # keep the socket directory private
fi
# ssh-add exits 2 only when it cannot contact an agent on the socket;
# exit 1 means the agent is alive but holds no identities.
ssh-add -l >/dev/null 2>&1
status=$?
if test $status -eq 2; then
    rm -f "$SSH_AUTH_SOCK"             # nothing listening: stale socket file
elif test $status -eq 1; then
    ssh-add                            # live agent, just reload the keys
fi
# No socket left: start a fresh agent bound to that path and load keys.
if test -S "$SSH_AUTH_SOCK"; then :; else
    ssh-agent -a "$SSH_AUTH_SOCK" >/dev/null
    ssh-add
fi

But I suppose there will be some way to get that behavior back via nohup or whatever if this gets fixed.)

Please CC me with any response since I am not a member of these lists.

Regards,

Derek

-- 
Derek R. Price
CVS Solutions Architect
Ximbiot
v: +1 717.579.6168
f: +1 717.234.3125
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cygcheck.out
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050906/8177c406/attachment.ksh

From djm at mindrot.org Wed Sep 7 20:53:34 2005
From: djm at mindrot.org (Damien Miller) Date: Wed, 07 Sep 2005 20:53:34 +1000 Subject: ControlPersist and multiple X11 forwarding. In-Reply-To: <1126007830.6146.176.camel@baythorne.infradead.org> References: <1125852393.6146.52.camel@baythorne.infradead.org> <1126007830.6146.176.camel@baythorne.infradead.org> Message-ID: <431EC6AE.70603@mindrot.org> David Woodhouse wrote: > I've dealt with the most important features I think are lacking in 4.2, > but there's a few more minor things to fix yet. > > - I'd like a better answer than the 'slack-fds' patch, and especially > the hard-coded '+2' in it. Perhaps we should keep count of the > number of 'pending' file descriptors which may be opened by the > channel_pre handlers at any time? The X11 multiple forwarding diff I sent you a while back handled this correctly. IIRC it set a flag that caused channel_prepare_select() to recalculate the maximum fd. But, like I said then: I'm not interested in multiple X forwarding unless we correctly do multiple agent forwarding. > - The master should permit X11 forwarding for clients, even if X11 > forwarding wasn't enabled on the original connection. While we're at > it, we should pass the 'forward_x11_trusted' option over the control > socket too. I disagree. X11 forwarding activation should be the logical AND of the master's setting and any slave request, otherwise you need another config option to disallow all X11/agent forwarding on a given connection (and we don't want any more config options). > - Should investigate multiple agent forwarding. That's somewhat harder > than multiple X11 forwarding, and may not be possible at all. But the > lack of multiple agent forwarding is less of a problem than the lack > of multiple X11 forwarding; at least for me. This requires a protocol extension. I'd prefer to also use a protocol extension for multiple X11 forwarding. E.g. 
the master gets forwarded using the current standard extension, slaves with different $DISPLAYs get forwarded using the extension. That gets us backwards compatibility. Anyway, before adding features I think the multiplexing code more urgently needs a working escape char handler for the slave channels :) -d From dwmw2 at infradead.org Wed Sep 7 21:27:30 2005 
From: dwmw2 at infradead.org (David Woodhouse) Date: Wed, 07 Sep 2005 12:27:30 +0100 Subject: ControlPersist and multiple X11 forwarding. In-Reply-To: <431EC6AE.70603@mindrot.org> References: <1125852393.6146.52.camel@baythorne.infradead.org> <1126007830.6146.176.camel@baythorne.infradead.org> <431EC6AE.70603@mindrot.org> Message-ID: <1126092450.4171.42.camel@baythorne.infradead.org> On Wed, 2005-09-07 at 20:53 +1000, Damien Miller wrote: > The X11 multiple forwarding diff I sent you a while back handled this > correctly. IIRC it set a flag that caused channel_prepare_select() to > recalculate the maximum fd. OK. I'll dig that out and take a look. > But, like I said then: I'm not interested in multiple X > forwarding unless we correctly do multiple agent forwarding. It would be unfortunate for X11 forwarding to work correctly for the clients while agent forwarding still doesn't, I agree. But to me, the fact that X11 forwarding doesn't work as expected is _more_ of an issue than the asymmetry which would result if it were fixed. It's better to fix X11 alone than to fix neither. If you _really_ think that the asymmetry is more of a problem than the lack of separate forwarding, p'raps we could make the correct handling of multiple X11 forwarding optional, so that it can be disabled by default? I don't really think that's appropriate though. > I disagree. X11 forwarding activation should be the logical AND of the > master's setting and any slave request, otherwise you need another > config option to disallow all X11/agent forwarding on a given connection > (and we don't want any more config options). How about turning the ForwardX11 option into a yes/no/never option instead of just yes/no? Then it's not a _new_ option we're adding, right? 
Otherwise, if you want to change the semantics of the existing '-x' or 'ForwardX11 no' setting to mean 'never', instead of just 'not for this session', then we'd need to reconsider whether scp should be setting it when it invokes ssh to make the connection.

Another way to fix the immediate problem would be to make scp use '-o ControlPersist no' when invoking ssh, so that it doesn't start up a master with X11 and agent forwarding disabled. But I don't like that much.

> > - Should investigate multiple agent forwarding. That's somewhat harder
> > than multiple X11 forwarding, and may not be possible at all. But the
> > lack of multiple agent forwarding is less of a problem than the lack
> > of multiple X11 forwarding; at least for me.
>
> This requires a protocol extension.

Yes. Multiple agent forwarding can't be done with the existing protocol.

> I'd prefer to also use a protocol extension for multiple X11
> forwarding. E.g. the master gets forwarded using the current standard
> extension, slaves with different $DISPLAYs get forwarded using the
> extension. That gets us backwards compatibility.

I'm not sure I understand. With the trick of distinguishing between displays by X11 auth data, we _have_ backwards compatibility -- the resulting ssh client program works happily with old servers, using multiple displays. There's no change at the server side.

If there was a protocol extension for X11, then surely it wouldn't work with older servers? We'd be _losing_ backwards compatibility, not gaining it?

I'd understand (and _perhaps_ concede) an argument that we should extend the protocol because using the authentication cookie in this way is an ugly hack, but I don't understand why backwards compatibility is relevant.

> Anyway, before adding features I think the multiplexing code more
> urgently needs a working escape char handler for the slave channels :)

Yeah. I was coming to that conclusion too ;)

-- 
dwmw2

From dwmw2 at infradead.org Wed Sep 7 21:58:27 2005
From: dwmw2 at infradead.org (David Woodhouse) Date: Wed, 07 Sep 2005 12:58:27 +0100 Subject: ControlPersist and multiple X11 forwarding. In-Reply-To: <1126092450.4171.42.camel@baythorne.infradead.org> References: <1125852393.6146.52.camel@baythorne.infradead.org> <1126007830.6146.176.camel@baythorne.infradead.org> <431EC6AE.70603@mindrot.org> <1126092450.4171.42.camel@baythorne.infradead.org> Message-ID: <1126094307.4171.53.camel@baythorne.infradead.org> On Wed, 2005-09-07 at 12:27 +0100, David Woodhouse wrote: > On Wed, 2005-09-07 at 20:53 +1000, Damien Miller wrote: > > The X11 multiple forwarding diff I sent you a while back handled this > > correctly. IIRC it set a flag that caused channel_prepare_select() to > > recalculate the maximum fd. > > OK. I'll dig that out and take a look. Ah, ok. We repeat the entire set of channel_pre handlers if the size of the fdset changes. This replaces my 'slack-fds' hack then... -- dwmw2 -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-4.2p1-multidisplay-2.patch Type: text/x-patch Size: 3902 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050907/7fe28b8e/attachment.bin From maf at appgate.com Fri Sep 9 02:08:49 2005 
From: maf at appgate.com (maf at appgate.com)
Date: Thu, 8 Sep 2005 18:08:49 +0200 (CEST)
Subject: Blocking the password-guessing bots
Message-ID:

Recently I grew tired of the repeated ssh brute-force scanning bots so I implemented a blocking algorithm in our version of OpenSSH. My goal was to find an algorithm which could block most of the brute-force attempts while being simple to implement and not rely on any external software.

The algorithm I came up with is that login attempts are blocked if there has been X failed, and no successful, login attempts from the same address during the last Y seconds. A blocked login counts as a failed login.

The value X controls how many real shots at guessing a password the bot gets so we want to keep it small. At the same time we need to allow users to mistype their passwords, so it can not be too low. I have settled on a value of 3.

The bots typically make one attempt every few seconds so the value of Y can be pretty low, 20-30 seconds should work just fine in today's environment.

Looking at my logs for the last three months I see that this algorithm would have blocked approximately 98.5% of all bot-attempts.

My question now is if the OpenSSH developers are interested in an implementation of this? Or would I waste my time if I ported it to standard OpenSSH?

/MaF

-- 
Martin Forssen
Development Manager
Phone: +46 31 7744361
AppGate Network Security AB

From Jason.C.Burns at wellsfargo.com Fri Sep 9 03:18:53 2005
From: Jason.C.Burns at wellsfargo.com (Jason.C.Burns at wellsfargo.com)
Date: Thu, 8 Sep 2005 12:18:53 -0500
Subject: OpenSSH-4.2p1 with OpenSSL-0.98 (bug)
Message-ID:

I am also seeing this problem on a Redhat EL with a kernel of 2.4.21-4. nm'ing the openssl libraries that are being used to compile openssh show that those symbols are undefined there as well. I'll begin looking there, but hopefully someone else knows what's going on with these functions.

Jason Burns

-----Original Message-----
From: openssh-unix-dev-bounces+jason.c.burns=wellsfargo.com at mindrot.org [mailto:openssh-unix-dev-bounces+jason.c.burns=wellsfargo.com at mindrot.org] On Behalf Of support at lancronix.ru Sent: Tuesday, September 06, 2005 1:09 AM To: openssh-unix-dev at mindrot.org Subject: OpenSSH-4.2p1 with OpenSSL-0.98 (bug) Hello. Installed OpenSSL-0.98 I cannot collect new OpenSSH-4.2p1 at assembly there is a mistake: if test ! -z ""; then \ /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; \ fi (cd openbsd-compat && make) make[1]: Entering directory `/home/pkg/openssh-4.2p1/openbsd-compat' make[1]: ???? `all' ?? ??????? ?????????? ??????. make[1]: Leaving directory `/home/pkg/openssh-4.2p1/openbsd-compat' gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x35): In function `dlfcn_load': : undefined reference to `dlopen' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x95): In function `dlfcn_load': : undefined reference to `dlclose' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xbc): In function `dlfcn_load': : undefined reference to `dlerror' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x147): In function `dlfcn_bind_var': : undefined reference to `dlsym' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x172): In function `dlfcn_bind_var': : undefined reference to `dlerror' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x237): In function `dlfcn_bind_func': : undefined reference to `dlsym' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x262): In function `dlfcn_bind_func': : undefined reference to `dlerror' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x51b): In function `dlfcn_unload': : undefined reference to `dlclose' collect2: ld returned 1 exit status make: *** [ssh] Error 1 _______________________________ ? ????????? ?????? ?????????. ???. 
772-61-07 Email: support at lancronix.ru _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From Jason.C.Burns at wellsfargo.com Fri Sep 9 03:41:43 2005 From: Jason.C.Burns at wellsfargo.com (Jason.C.Burns at wellsfargo.com) Date: Thu, 8 Sep 2005 12:41:43 -0500 Subject: OpenSSH-4.2p1 with OpenSSL-0.98 (bug) Message-ID: It's always the simplest of stuff that stumps you... Geez! add "--with-ldflags=-ldl" at the configure step to compile correctly with OpenSSL 0.9.8. Jason Burns -----Original Message----- From: openssh-unix-dev-bounces+jason.c.burns=wellsfargo.com at mindrot.org [mailto:openssh-unix-dev-bounces+jason.c.burns=wellsfargo.com at mindrot.org] On Behalf Of Jason.C.Burns at wellsfargo.com Sent: Thursday, September 08, 2005 10:19 AM To: openssh-unix-dev at mindrot.org Subject: RE: OpenSSH-4.2p1 with OpenSSL-0.98 (bug) I am also seeing this problem on a Redhat EL with a kernel of 2.4.21-4. nm'ing the openssl libraries that are being used to compile openssh show that those symbols are undefined there as well. I'll begin looking there, but hopefully someone else knows what's going on with these functions. Jason Burns -----Original Message----- 
From: openssh-unix-dev-bounces+jason.c.burns=wellsfargo.com at mindrot.org [mailto:openssh-unix-dev-bounces+jason.c.burns=wellsfargo.com at mindrot.org] On Behalf Of support at lancronix.ru Sent: Tuesday, September 06, 2005 1:09 AM To: openssh-unix-dev at mindrot.org Subject: OpenSSH-4.2p1 with OpenSSL-0.98 (bug) Hello. Installed OpenSSL-0.98 I cannot collect new OpenSSH-4.2p1 at assembly there is a mistake: if test ! -z ""; then \ /usr/bin/perl5 ./fixprogs ssh_prng_cmds ; \ fi (cd openbsd-compat && make) make[1]: Entering directory `/home/pkg/openssh-4.2p1/openbsd-compat' make[1]: ???? `all' ?? ??????? ?????????? ??????. make[1]: Leaving directory `/home/pkg/openssh-4.2p1/openbsd-compat' gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x35): In function `dlfcn_load': : undefined reference to `dlopen' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x95): In function `dlfcn_load': : undefined reference to `dlclose' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xbc): In function `dlfcn_load': : undefined reference to `dlerror' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x147): In function `dlfcn_bind_var': : undefined reference to `dlsym' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x172): In function `dlfcn_bind_var': : undefined reference to `dlerror' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x237): In function `dlfcn_bind_func': : undefined reference to `dlsym' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x262): In function `dlfcn_bind_func': : undefined reference to `dlerror' /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x51b): In function `dlfcn_unload': : undefined reference to `dlclose' collect2: ld returned 1 exit status make: *** [ssh] Error 1 _______________________________ ? ????????? ?????? ?????????. ???. 
772-61-07 Email: support at lancronix.ru
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From rapier at psc.edu Fri Sep 9 06:03:31 2005
From: rapier at psc.edu (Chris Rapier)
Date: Thu, 08 Sep 2005 16:03:31 -0400
Subject: HPN Patch for OpenSSH 4.2p1 Available
Message-ID: <43209913.7020801@psc.edu>

Howdy,

As a note, we now have an HPN patch for OpenSSH 4.2 at http://www.psc.edu/networking/projects/hpn-ssh/

It's still part of the last set of patches (HPN11) so there aren't any additional changes in the code. It patches, configures, compiles, and passes make tests without a problem. I've not done extensive testing for this version of openssh but I don't foresee any problems.

I did run a couple of tests between two patched 4.2 installs (one in Switzerland, the other in Pennsylvania, USA) and hit around 12MB/s with the hpn patch and 500KB/s with the standard install. So it still seems to work as expected.

Chris Rapier
Network Applications Engineer
Pittsburgh Supercomputing Center

From phil at usc.edu Fri Sep 9 15:15:24 2005
From: phil at usc.edu (Phil Dibowitz)
Date: Thu, 8 Sep 2005 22:15:24 -0700
Subject: OpenSSH sget/sput suggestion
In-Reply-To: <20050823071241.GA19176@usc.edu>
References: <20050823071241.GA19176@usc.edu>
Message-ID: <20050909051524.GN25704@usc.edu>

I didn't see any responses to this email. I'd like to see what people think about this and if no one wants to implement it, maybe I'll sit down and do it... but certainly not if the developers don't think that's where the feature belongs.

On Tue, Aug 23, 2005 at 12:12:41AM -0700, Phil Dibowitz wrote:
> On Tue, Aug 23, 2005 at 03:10:45PM +1000, openssh-unix-dev-request at mindrot.org wrote:
> > Date: Fri, 19 Aug 2005 17:56:19 +1000
> > From: Darren Tucker
> > Subject: Re: OpenSSH sget/sput suggestion
> > To: CRX Driver
> > Cc: openssh-unix-dev at mindrot.org
> > Message-ID: <430590A3.1090506 at zip.com.au>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > CRX Driver wrote:
> > >>>Imagine this:
> > >>>
> > >>>ssh user at machine.com
> > >>>cd /home/user
> > >>>ls
> > >>>rm junk
> > >>>sget logfile
> > >
> > >>You can already do this with sftp.
> > >
> > > You can file browse with sftp, but you cannot run programs, kill processes
> > > and then grab a file all while already on-line through an existing ssh.
> >
> > See also the related discussion earlier on this list:
> > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=112116732631189&w=2
>
> Regarding the above thread and the above linked thread...
>
> Having the "ssh -MS ..." is nice, but is NOT the same feature. I've been
> meaning to implement the feature referenced in the above thread for over a
> year now.
>
> There's no reason I shouldn't be able to be in the middle of some work on a
> shell and put or get a file - though instead of making a ~S, I would have
> implemented it in the ~C cli interface.
>
> For example, it would be great to be doing something on a remote box, realize
> I need the 4-line script in my local ~/bin and do a ~C, sput ~/bin/script,
> quit, ./script.
>
> Or have some long shell-pipeline and then redirect it to a file and then do ~C
> sget file, quit, and continue working.
>
> --
> Phil Dibowitz
>

-- 
Phil Dibowitz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050908/2fffa2a2/attachment.bin

From kevin at planetsaphire.com Sat Sep 10 04:25:36 2005
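The blocking rule from Martin Forssen's "Blocking the password-guessing bots" post above, replayed over a few log lines, as an added example that is not part of the post or of OpenSSH. The sshd log excerpt is constructed for the demonstration (the addresses, user names and timestamps are invented), and X=3 failures in Y=30 seconds are the values the post suggests. A blocked attempt is itself recorded as a failure, exactly as the post specifies, so the bot stays locked out for as long as it keeps trying and gets a fresh set of X guesses only after it has been quiet for Y seconds:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt, not real traffic: 192.0.2.10 plays a bot
# trying one password every two seconds; 198.51.100.7 is a user who
# mistypes twice, logs in, then mistypes three more times.
SAMPLE_LOG = """\
Sep  8 10:00:00 gw sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Sep  8 10:00:02 gw sshd[102]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Sep  8 10:00:04 gw sshd[103]: Failed password for root from 192.0.2.10 port 40003 ssh2
Sep  8 10:00:06 gw sshd[104]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Sep  8 10:00:08 gw sshd[105]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Sep  8 10:00:10 gw sshd[106]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Sep  8 10:00:15 gw sshd[107]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Sep  8 10:00:20 gw sshd[108]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
Sep  8 10:00:25 gw sshd[109]: Failed password for alice from 198.51.100.7 port 50004 ssh2
Sep  8 10:00:26 gw sshd[110]: Failed password for alice from 198.51.100.7 port 50005 ssh2
Sep  8 10:00:27 gw sshd[111]: Failed password for alice from 198.51.100.7 port 50006 ssh2
Sep  8 10:01:00 gw sshd[112]: Failed password for invalid user admin from 192.0.2.10 port 40006 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?\S+ "
    r"from (?P<addr>\S+) port \d+"
)


def parse_line(line, year=2005):
    """Return (seconds, address, succeeded) for an auth line, else None.
    Syslog stamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    seconds = (when - datetime(year, 1, 1)).total_seconds()
    return seconds, m["addr"], m["result"] == "Accepted"


class LoginBlocker:
    """Per-address sliding window. An attempt is blocked when the address
    has at least max_failures failed attempts and no success in the last
    `window` seconds; a blocked attempt is itself recorded as a failure,
    so a bot that keeps hammering stays blocked for as long as it tries."""

    def __init__(self, max_failures=3, window=30.0):
        self.max_failures = max_failures
        self.window = window
        self._history = defaultdict(deque)  # addr -> deque of (seconds, ok)

    def _expire(self, addr, now):
        hist = self._history[addr]
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()

    def should_block(self, addr, now):
        """Decide before authentication runs; does not change state."""
        self._expire(addr, now)
        hist = self._history[addr]
        if any(ok for _, ok in hist):
            return False
        return sum(1 for _, ok in hist if not ok) >= self.max_failures

    def record(self, addr, now, succeeded):
        self._history[addr].append((now, succeeded))


def replay(lines, max_failures=3, window=30.0, year=2005):
    """Feed log lines through the blocker in order. Returns a list of
    (address, seconds, outcome), outcome being blocked/failed/accepted."""
    blocker = LoginBlocker(max_failures, window)
    events = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        now, addr, ok = parsed
        if blocker.should_block(addr, now):
            blocker.record(addr, now, False)  # a blocked try counts as failed
            events.append((addr, now, "blocked"))
        else:
            blocker.record(addr, now, ok)
            events.append((addr, now, "accepted" if ok else "failed"))
    return events


def summarize(events):
    """Outcome counts per address, e.g. {'192.0.2.10': {'blocked': 2, ...}}."""
    counts = defaultdict(lambda: {"blocked": 0, "failed": 0, "accepted": 0})
    for addr, _, outcome in events:
        counts[addr][outcome] += 1
    return dict(counts)


def real_guesses(events, addr):
    """Attempts from addr that reached password checking (X limits these)."""
    return sum(1 for a, _, o in events if a == addr and o != "blocked")


if __name__ == "__main__":
    evs = replay(SAMPLE_LOG.splitlines())
    for addr, c in summarize(evs).items():
        print(addr, c, "real guesses:", real_guesses(evs, addr))
```

On the constructed log the bot gets three real guesses, its fourth and fifth attempts are blocked, and its attempt a minute later is let through again because the window has emptied; the user who mistyped is never blocked, because her successful login sits inside the window. Two caveats worth keeping in mind before putting a rule like this in front of a real sshd: the block is keyed on the source address, so one bot behind a shared NAT gateway locks out every user behind it, and a bot that slows down to one attempt per Y seconds still gets X guesses per window, which is the trade-off the post's 98.5% figure measures.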
From: kevin at planetsaphire.com (Kevin McBride) Date: Fri, 09 Sep 2005 14:25:36 -0400 Subject: Banner Won't Display Message-ID: <4321D3A0.2000802@planetsaphire.com> Hello. I've installed the newest version of OpenSSH (version 4.2 portable) onto my Fedora Core 3 system. Now, the banner won't display. I even tried copying the banner to my root directory "/", chmodd'ed it appropriately, changed my config file appropriately "Banner /ssh.txt", and the banner still won't display. Any ideas as to what I have done wrong? From tlitsch at gmx.de Sun Sep 11 06:41:41 2005 
From: tlitsch at gmx.de (Thomas Litsch)
Date: Sat, 10 Sep 2005 22:41:41 +0200
Subject: Compile of openssh 4.2 failed with openssl 0.9.8
Message-ID: <43234505.2000000@gmx.de>

Hi,

I tried to compile openssh 4.2 with gcc 3.2.2 and openssl 0.9.8 on linux running Kernel 2.4.29.

The error I get is:

make[1]: Leaving directory `/home/tlitsch/openssh-4.2p1/openbsd-compat'
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/include/openssl -ldl -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
./libssh.a(rsa.o): In function `rsa_generate_additional_parameters':
rsa.o(.text+0x2b4): undefined reference to `BN_mod'
rsa.o(.text+0x2e6): undefined reference to `BN_mod'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

I did the ./configure with this shell script:

#! /bin/bash
#
# Build openssh

export CFLAGS="-O3 -pipe"
export CXXFLAGS="-O3 -pipe"

./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --libexecdir=/usr/lib/ssh \
    --localstatedir=/var/state --mandir=/usr/share/man \
    --with-pam --with-zlib \
    --with-ssl-dir=/usr/include/openssl \
    --with-tcp-wrappers \
    --with-ldflags=-ldl

#EOF

I also tried with "--with-ssl-dir=/usr/lib" because this is where libcrypto.so lives:

-rw-r--r-- 1 root root 2015040 2005-09-10 07:53 /usr/lib/libcrypto.a
lrwxrwxrwx 1 root root      18 2005-09-10 07:53 /usr/lib/libcrypto.so -> libcrypto.so.0.9.8
lrwxrwxrwx 1 root root      21 2005-09-10 12:25 /usr/lib/libcrypto.so.0 -> /usr/lib/libcrypto.so
-r-xr-xr-x 1 root root  853655 2004-03-31 11:33 /usr/lib/libcrypto.so.0.9.6
-r-xr-xr-x 1 root root 1398303 2005-09-10 07:53 /usr/lib/libcrypto.so.0.9.8

But the error remains the same.

A few words to my background: I'm involved in maintaining a special Linux distribution for German schools, so what we have here is something based on SuSE 9.0 with a lot of self-compiled programs.

Can anybody help me?
-- 
Gruss,                    /"\
Thomas Litsch             \ /  ASCII ribbon campaign
www.linux-schule.de        X   against HTML mailing
skype Kontakt: tlitsch    / \  and posting

From tim at multitalents.net Sun Sep 11 09:36:54 2005
From: tim at multitalents.net (Tim Rice)
Date: Sat, 10 Sep 2005 16:36:54 -0700 (PDT)
Subject: Compile of openssh 4.2 failed with openssl 0.9.8
In-Reply-To: <43234505.2000000@gmx.de>
References: <43234505.2000000@gmx.de>
Message-ID:

On Sat, 10 Sep 2005, Thomas Litsch wrote:

> Hi,
>
> I tried to compile openssh 4.2 with gcc 3.2.2 and openssl 0.9.8 on linux
> running Kernel 2.4.29.
>
> The error I get is:
>
> make[1]: Leaving directory
> `/home/tlitsch/openssh-4.2p1/openbsd-compat'
> gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/include/openssl
                                                    ^^^^^^^^^^^^^^^^^^^^^^
I suspect this is your problem
> -ldl -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
> ./libssh.a(rsa.o): In function `rsa_generate_additional_parameters':
> rsa.o(.text+0x2b4): undefined reference to `BN_mod'
> rsa.o(.text+0x2e6): undefined reference to `BN_mod'
> collect2: ld returned 1 exit status
> make: *** [ssh] Error 1
>
> I did the ./configure with this shell script:
>
> #! /bin/bash
> #
> # Build openssh
>
> export CFLAGS="-O3 -pipe"
> export CXXFLAGS="-O3 -pipe"
>
> ./configure --prefix=/usr --sysconfdir=/etc/ssh \
>     --libexecdir=/usr/lib/ssh \
>     --localstatedir=/var/state --mandir=/usr/share/man \
>     --with-pam --with-zlib \
>     --with-ssl-dir=/usr/include/openssl \

Try dropping the --with-ssl-dir= line.

>     --with-tcp-wrappers \
>     --with-ldflags=-ldl
>
> #EOF

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From opsadmin at progress.com Mon Sep 12 01:59:32 2005
From: opsadmin at progress.com (Opsadmin) Date: Sun, 11 Sep 2005 11:59:32 -0400 Subject: Crash with OpenSSL 0.9.8 and OpenSSH 4.2p1 Message-ID: <591FDCF98D5E3E418F3B8041902E17F001011DD5@MAIL01.bedford.progress.com> Hi, I'm using OpenSSL 0.9.8 with OpenSSH 4.2p1 I can ssh and connect successfully. The very next time I get a crash and core file. The next time is successful. The next time a crash. I'm using the authmethod gssapi-with-mic using Windows 2000 as the KDC running ssh and sshd from a Solaris 9 box. Here's the backtrace from the core file: (gdb) bt #0 0xff1ff3d4 in bn_sub_words () from /usr/local/lib/libcrypto.so.0.9.8 #1 0xff1f8918 in bn_sub_part_words () from /usr/local/lib/libcrypto.so.0.9.8 #2 0xff1f9018 in bn_mul_recursive () from /usr/local/lib/libcrypto.so.0.9.8 #3 0xff1f9260 in bn_mul_recursive () from /usr/local/lib/libcrypto.so.0.9.8 (gdb) Please Reply to postman at progress.com and opsadmin at progress.com Let me know if I need to provide any thing else and how to gather it up. From tlitsch at gmx.de Mon Sep 12 07:37:36 2005 
From: tlitsch at gmx.de (Thomas Litsch)
Date: Sun, 11 Sep 2005 23:37:36 +0200
Subject: Compile of openssh 4.2 failed with openssl 0.9.8
In-Reply-To:
References: <43234505.2000000@gmx.de>
Message-ID: <4324A3A0.8020904@gmx.de>

Hello,

Tim Rice wrote:
>> sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/include/openssl
>
>                                                     ^^^^^^^^^^^^^^^^^^^^^^
> I suspect this is your problem

Unfortunately not.

>> ./configure --prefix=/usr --sysconfdir=/etc/ssh \
>>     --libexecdir=/usr/lib/ssh \
>
> Try dropping the --with-ssl-dir= line.

I tried without the ssl line: error again. I tried with no options passed to configure, but the error occurred again.

I'm not a programmer, but could it be a problem of a too-old gcc? I'm using gcc Version 3.2.2.

Here's the output again:

gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
./libssh.a(rsa.o): In function `rsa_generate_additional_parameters':
/root/openssh-4.2p1/rsa.c:136: undefined reference to `BN_mod'
/root/openssh-4.2p1/rsa.c:139: undefined reference to `BN_mod'
collect2: ld returned 1 exit status

-- 
Gruss,                    /"\
Thomas Litsch             \ /  ASCII ribbon campaign
www.linux-schule.de        X   against HTML mailing
skype Kontakt: tlitsch    / \  and posting

From g.caramia at poliba.it Mon Sep 12 22:17:29 2005
From: g.caramia at poliba.it (Giovanni Caramia) Date: Mon, 12 Sep 2005 14:17:29 +0200 Subject: Problems Compiling OpenSSH 4.2p1 on Tru64 UNIX 5.1b Message-ID: <200509121417.29094.g.caramia@poliba.it> I configure as follows: ./configure --with-zlib=/usr/local/include cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o -L. -Lopenbsd-compat/ -L/usr/local/include -lssh -lopenbsd-compat -lcrypto -lrt -lz -lsecurity -ldb -lm -laud ld: Unresolved: deflateInit inflateInit *** Exit 1 Stop. Thanks in advance, Giovanni -- Ing. Giovanni Caramia Dipartimento di Ingegneria Meccanica e Gestionale (Sezione Macchine ed Energetica) via Re David 200 Politecnico di Bari 70125 BARI ITALY Phone: +39/080/5963795 Fax: +39/080/5963411 Email: g.caramia at poliba.it PGP Public Key @ http://www.keyserver.net From tim at multitalents.net Tue Sep 13 02:02:15 2005 
From: tim at multitalents.net (Tim Rice) Date: Mon, 12 Sep 2005 09:02:15 -0700 (PDT) Subject: Problems Compiling OpenSSH 4.2p1 on Tru64 UNIX 5.1b In-Reply-To: <200509121417.29094.g.caramia@poliba.it> References: <200509121417.29094.g.caramia@poliba.it> Message-ID: On Mon, 12 Sep 2005, Giovanni Caramia wrote: > I configure as follows: > ./configure --with-zlib=/usr/local/include Try --with-zlib=/usr/local > > cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o > sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o > auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o > auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o > auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o > kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o > auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o -L. > -Lopenbsd-compat/ -L/usr/local/include -lssh -lopenbsd-compat -lcrypto > -lrt -lz -lsecurity -ldb -lm -laud > ld: > Unresolved: > deflateInit > inflateInit > *** Exit 1 > Stop. > > Thanks in advance, > Giovanni > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From tim at multitalents.net Tue Sep 13 10:14:31 2005 
From: tim at multitalents.net (Tim Rice) Date: Mon, 12 Sep 2005 17:14:31 -0700 (PDT) Subject: Compile of openssh 4.2 failed with openssl 0.9.8 In-Reply-To: <4324A3A0.8020904@gmx.de> References: <43234505.2000000@gmx.de> <4324A3A0.8020904@gmx.de> Message-ID: On Sun, 11 Sep 2005, Thomas Litsch wrote: [snip] > I'm not a programmer, but could it be a problem of an too old gcc? > I'm using gcc Version 3.2.2. Not too old. I compile on a 2.7.x.x just fine. > > > Here's the Output again: > gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o > sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -lssh > -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt > ./libssh.a(rsa.o): In function `rsa_generate_additional_parameters': > /root/openssh-4.2p1/rsa.c:136: undefined reference to `BN_mod' > /root/openssh-4.2p1/rsa.c:139: undefined reference to `BN_mod' ^^^^^^^ BN_mod is a define in openssl/bn.h Maybe your openssl is messed up. Use nm(1) to see if you have BN_div in libcrypto.0.9.8 > collect2: ld returned 1 exit status > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From g.caramia at poliba.it Tue Sep 13 20:22:24 2005 
From: g.caramia at poliba.it (Giovanni Caramia)
Date: Tue, 13 Sep 2005 12:22:24 +0200
Subject: Problems Compiling OpenSSH 4.2p1 on Tru64 UNIX 5.1b
In-Reply-To:
References: <200509121417.29094.g.caramia@poliba.it>
Message-ID: <200509131222.24277.g.caramia@poliba.it>

> On Mon, 12 Sep 2005, Giovanni Caramia wrote:
> > I configure as follows:
> > ./configure --with-zlib=/usr/local/include
>
> Try --with-zlib=/usr/local
>
> > cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o
> > sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o
> > auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o
> > auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o
> > auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o
> > kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o
> > loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
> > audit-bsm.o -L. -Lopenbsd-compat/ -L/usr/local/include -lssh
> > -lopenbsd-compat -lcrypto -lrt -lz -lsecurity -ldb -lm -laud
> > ld:
> > Unresolved:
> > deflateInit
> > inflateInit
> > *** Exit 1
> > Stop.

I tried but nothing has changed.

--
Ing. Giovanni Caramia
Dipartimento di Ingegneria Meccanica e Gestionale
(Sezione Macchine ed Energetica)
via Re David 200
Politecnico di Bari
70125 BARI ITALY
Phone: +39/080/5963795
Fax: +39/080/5963411
Email: g.caramia at poliba.it
PGP Public Key @ http://www.keyserver.net

From g.caramia at poliba.it Mon Sep 19 16:37:08 2005
From: g.caramia at poliba.it (Giovanni Caramia)
Date: Mon, 19 Sep 2005 08:37:08 +0200
Subject: Problems Compiling OpenSSH 4.2p1 on Tru64 UNIX 5.1b
In-Reply-To:
References: <200509121417.29094.g.caramia@poliba.it> <200509131222.24277.g.caramia@poliba.it>
Message-ID: <200509190837.08434.g.caramia@poliba.it>

At 18:24 on Tuesday 13 September 2005, you wrote:
> On Tue, 13 Sep 2005, Giovanni Caramia wrote:
> > > On Mon, 12 Sep 2005, Giovanni Caramia wrote:
> > > > I configure as follows:
> > > > ./configure --with-zlib=/usr/local/include
> > >
> > > Try --with-zlib=/usr/local
> > [snip]
> >
> > I tried but nothing has changed.
>
> Did you "make distclean" first?

OK everything is working, thank you very much,
Giovanni

--
Ing. Giovanni Caramia
Dipartimento di Ingegneria Meccanica e Gestionale
(Sezione Macchine ed Energetica)
via Re David 200
Politecnico di Bari
70125 BARI ITALY
Phone: +39/080/5963795
Fax: +39/080/5963411
Email: g.caramia at poliba.it
PGP Public Key @ http://www.keyserver.net

From sxw at inf.ed.ac.uk Wed Sep 21 20:20:21 2005
From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk)
Date: Wed, 21 Sep 2005 11:20:21 +0100 (BST)
Subject: Incorrect description of GSSAPI vulnerability in 4.2 release note.
Message-ID:

The 4.2 release notes describe the GSSAPI credential delegating issue as:

  SECURITY: sshd in OpenSSH versions prior to 4.2 allow GSSAPI credentials
  to be delegated to users who log in with methods other than GSSAPI
  authentication (e.g. public key) when the client requests it. This
  behaviour has been changed in OpenSSH 4.2 to only delegate credentials
  to users who authenticate using the GSSAPI method.

This description significantly overstates the actual nature of the problem. The issue only occurs when a user successfully performs GSSAPI userauth against a host, and then is rejected by local policy. When the connection falls back to an alternate authentication scheme, the credentials established through this GSSAPI connection were still being made available.

In any version of OpenSSH you cannot get GSSAPI credentials delegated without using GSSAPI authentication.

Cheers,

Simon.

From Jean-Pierre.Eckmann at physics.unige.ch Tue Sep 20 05:55:01 2005
From: Jean-Pierre.Eckmann at physics.unige.ch (Jean-Pierre.Eckmann at physics.unige.ch)
Date: Mon, 19 Sep 2005 21:55:01 +0200 (CEST)
Subject: ssh hangs or gives Segmentation fault
Message-ID:

Details of installation attached.

Effect: when I build and test (with full path names) ssh in the openssh... directory, everything works fine. When I "install" it as per attached file into a test-directory and run it from there, there are 2 phenomena: either it just hangs, eating 96% of CPU, or it dies with a Segmentation fault (this is what happens most often).

Help needed

-------------- next part --------------
PLEASE NOTE: Is this a bug? I can run ssh in the directory in which I build it, but it crashes or hangs in the install directory.

openssh-survey-version: 1
openssh-version: OpenSSH_4.2p1, OpenSSL 0.9.7d 17 Mar 2004
configure-invocation: configure --prefix=/users/eckmann/export/ssh
host: i686-pc-linux-gnu
uname: Linux
uname-r: 2.6.13
uname-m: i686
uname-p: i686
oslevel:
oslevel-r:
cc: gcc
cflags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -std=gnu99
cppflags:
ldflags:
libs: -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
ccver-v: Reading specs from /usr/lib/gcc-lib/i586-suse-linux/3.3.3/specs
Configured with: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --enable-languages=c,c++,f77,objc,java,ada --disable-checking --libdir=/usr/lib --enable-libgcj --with-gxx-include-dir=/usr/include/g++ --with-slibdir=/lib --with-system-zlib --enable-shared --enable-__cxa_atexit i586-suse-linux
Thread model: posix
gcc version 3.3.3 (SuSE Linux)
ccver-V: gcc: `-V' option must have argument
From dtucker at zip.com.au Thu Sep 22 16:31:58 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 22 Sep 2005 16:31:58 +1000
Subject: ssh hangs or gives Segmentation fault
In-Reply-To:
References:
Message-ID: <43324FDE.5000902@zip.com.au>

Jean-Pierre.Eckmann at physics.unige.ch wrote:
> Effect: when I build and test (with full path names) ssh in the
> openssh... directory, everything works fine. When I "install" it as per
> attached file into a test-directory and run it from there, there are 2
> phenomena:
[...]
> PLEASE NOTE: Is this a bug?

Probably. Where it is is another question.

> I can run ssh in the directory in which I build it, but it crashes or
> hangs in the install directory.

That sounds like the install process is corrupting the binaries. I'm guessing it's the "strip" call, try disabling it like so:

$ make install STRIP_OPT=""

You can also try running your installed binaries under gdb to get a backtrace (however since they're stripped it would give a lot of information):

$ gdb /path/to/ssh
(gdb) set args -vvv server.example.com
(gdb) run
[wait for the crash]
(gdb) backtrace

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From emmanuel.bouillon at cea.fr Tue Sep 20 22:01:30 2005
From: emmanuel.bouillon at cea.fr (Emmanuel Bouillon)
Date: Tue, 20 Sep 2005 14:01:30 +0200
Subject: GSSAPI credentials deletion
Message-ID: <200509201202.OAA23103@styx.bruyeres.cea.fr>

Hello,

I have a problem dealing with GSSAPI credentials cleanup with OpenSSH 4.x (GSSAPI libs from Kerberos MIT's implementation 1.4.2). Although I use "GSSAPICleanupCredentials yes", credentials remain undeleted after connection. The same test with OpenSSH 3.9p1 is successful.

Has anyone encountered the same problem?

Best regards,
Emmanuel

From skeleten at shillest.net Thu Sep 22 18:39:20 2005
From: skeleten at shillest.net (Norihiko Murase)
Date: Thu, 22 Sep 2005 17:39:20 +0900
Subject: RE-SEND: 2005/09/02: (4.2p1) Missing -R/lib
In-Reply-To: (Your message of "Fri, 02 Sep 2005 22:38:14 +0900") <20050902223814.926ee0%skeleten@shillest.net>
References: <20050902223814.926ee0%skeleten@shillest.net>
Message-ID: <20050922173920.2ae6aa%skeleten@shillest.net>

I'm very happy if any comments are given...

# I did send again also on Sep. 19th, but the mail server
# did REJECT! I wonder what happened...

------------------------------
Message-Id: <20050902223814.926ee0%skeleten at shillest.net>
Date: Fri, 02 Sep 2005 22:38:14 +0900
From: Norihiko Murase
To: openssh-unix-dev at mindrot.org
Subject: (4.2p1) Missing -R/lib
URL: http://www.mindrot.org/pipermail/openssh-unix-dev/2005-September/023650.html

Hi,

I tried building the version 4.2p1 on the FreeBSD box. Even if I executed the configure script with --with-rpath and --with-libedit=/path/to/libedit, the -R options for libedit are NOT added in linking, although those for zlib and OpenSSL are correctly done.

This problem can be easily avoided by editing openssh-4.2p1/Makefile after executing the configure script. This means that you should add -R/lib to LDFLAGS.

I attach the patch configure.ac.diff, which does the following:
* replace -I$withval/include with -I${withval}/include
* improve the output of "% ./configure --help"
as well as does fix the problem mentioned above.

penitence: I should have checked the daily snapshot in this point before 4.2p1 was released...... (;_;)

good news: Now, the libedit distributed at http://www.thrysoee.dk/editline/ can be built also on the FreeBSD-4.x system! (^_^)/

Thanks,
---
Norihiko Murase
The University of Aizu
E-mail: skeleten at shillest.net
        s1080224 at u-aizu.ac.jp

From senthilkumar_sen at hotpop.com Thu Sep 22 19:28:08 2005
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Thu, 22 Sep 2005 14:58:08 +0530
Subject: Permission denied message and leak with it
Message-ID: <9ab701c5bf57$fedfb1a0$220110ac@sekco>

Hello All,

I am using OpenSSH 4.x versions. If I try to ssh to a system with a user account and if all my auth methods fail, the client side gets the following message.

Permission denied (publickey,password,keyboard-interactive).

This looks like an information leak, where a malicious user can detect all the allowed auth methods on the server system. I would like to know if there are some reasons for giving this information out.

Thanks,
Senthil Kumar.

From dtucker at zip.com.au Thu Sep 22 19:44:09 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 22 Sep 2005 19:44:09 +1000
Subject: Permission denied message and leak with it
In-Reply-To: <9ab701c5bf57$fedfb1a0$220110ac@sekco>
References: <9ab701c5bf57$fedfb1a0$220110ac@sekco>
Message-ID: <20050922094409.GA4570@gate.dodgy.net.au>

On Thu, Sep 22, 2005 at 02:58:08PM +0530, Senthil Kumar wrote:
> I am using OpenSSH 4.x versions. If I try to ssh to a system with a user
> account and if all my auth methods fail, the client side gets the following
> message.
>
> Permission denied (publickey,password,keyboard-interactive).
>
> This looks like an information leak, where a malicious user can detect all
> the allowed auth methods on the server system. I would like to know if there
> are some reasons for giving this information out.

Yes, it's part of the SSHv2 protocol spec.

Have a browse of http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-27.txt and look for "authentications that can continue".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Sep 22 20:34:59 2005
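The server message behind that "Permission denied (...)" line, as an added example that is not code from the thread or from OpenSSH: an encoder and strict decoder for SSH_MSG_USERAUTH_FAILURE as laid out in the secsh-userauth draft Darren cites (published since as RFC 4252, section 5.1), showing that the method names the client prints are exactly the name-list the server chose to send after the last failed attempt, so the list reveals only what the server has enabled and would offer to any client anyway. The sample payload is constructed for the message quoted above.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51   # message number from RFC 4252, section 5.1


def encode_name_list(names):
    """RFC 4251 name-list: uint32 byte length, then comma-separated ASCII names."""
    for n in names:
        if not n or "," in n or not n.isascii():
            raise ValueError("invalid name-list entry: %r" % (n,))
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_userauth_failure(methods, partial_success=False):
    """Payload the server sends after a failed (or incomplete) auth attempt:
    byte 51, name-list of methods that can continue, boolean partial success."""
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + encode_name_list(methods)
            + bytes([1 if partial_success else 0]))


def parse_userauth_failure(payload):
    """Strict decoder: returns (methods, partial_success) or raises ValueError.
    Length is checked against the actual payload so a truncated or padded
    message is rejected instead of silently misread."""
    if len(payload) < 6:
        raise ValueError("payload too short")
    if payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("unexpected message type %d" % payload[0])
    (length,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + length + 1:          # exactly one boolean after the list
        raise ValueError("name-list length does not match payload size")
    raw = payload[5:5 + length]
    methods = raw.decode("ascii").split(",") if length else []
    if any(m == "" for m in methods):
        raise ValueError("empty name in name-list")
    flag = payload[5 + length]
    if flag not in (0, 1):
        raise ValueError("boolean must be 0 or 1")
    return methods, bool(flag)


def permission_denied_line(methods):
    """The line the OpenSSH client prints once it has no method left to try:
    the parenthesised list is taken straight from the server's last failure."""
    return "Permission denied (%s)." % ",".join(methods)


# Constructed sample: the message behind the line quoted in the thread.
SAMPLE_PAYLOAD = build_userauth_failure(
    ["publickey", "password", "keyboard-interactive"])


def main():
    methods, partial = parse_userauth_failure(SAMPLE_PAYLOAD)
    print("raw payload:", SAMPLE_PAYLOAD.hex())
    print(permission_denied_line(methods), "partial_success=%s" % partial)


if __name__ == "__main__":
    main()
```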
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 22 Sep 2005 20:34:59 +1000
Subject: RE-SEND: 2005/09/02: (4.2p1) Missing -R/lib
In-Reply-To: <20050922173920.2ae6aa%skeleten@shillest.net>
References: <20050902223814.926ee0%skeleten@shillest.net> <20050922173920.2ae6aa%skeleten@shillest.net>
Message-ID: <433288D3.1060809@zip.com.au>

Norihiko Murase wrote:
> I'm very happy if any comments are given...
>
> # I did send again also on Sep. 19th, but the mail server
> # did REJECT! I wonder what happened...

There was a problem with the list server which has since been fixed.

> Subject: (4.2p1) Missing -R/lib
> URL: http://www.mindrot.org/pipermail/openssh-unix-dev/2005-September/023650.html

Applied, thanks.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From senthilkumar_sen at hotpop.com Thu Sep 22 21:28:29 2005
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Thu, 22 Sep 2005 16:58:29 +0530
Subject: Permission denied message and leak with it
References: <9ab701c5bf57$fedfb1a0$220110ac@sekco> <20050922094409.GA4570@gate.dodgy.net.au>
Message-ID:

Darren Tucker (dtucker at zip.com.au) wrote:
> Yes, it's part of the SSHv2 protocol spec.
>
> Have a browse of
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-userauth-27.txt
> and look for "authentications that can continue".

Thanks. But the doc. seems to be expired on 15th of September.

Thanks,
Senthil Kumar.

From simon at sxw.org.uk Tue Sep 27 04:28:46 2005
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Mon, 26 Sep 2005 19:28:46 +0100
Subject: New GSSAPI Key Exchange patch for OpenSSH 4.2p1
Message-ID: <43383DDE.10206@sxw.org.uk>

Hi,

This is to announce the availability of a new version of my GSSAPI key exchange patch for OpenSSH. The code is available from http://www.sxw.org.uk/computing/patches/openssh.html

Changes since the last release are:

*) Implement GSS group exchange
*) Disable DNS canonicalization of the hostname passed to the GSSAPI library - an option is provided to allow this to be overridden on a host by host basis.
*) Fix the crash when connecting to a server which supports sending a hostkey as part of the GSSAPI key exchange.
*) Make GSS rekeying work when privsep is enabled
*) Fix incorrect naming of keyex userauth mechanism
*) Fix client crash when doing key exchange with expired credentials
*) Assorted buffer initialization fixes

Why Key Exchange?

Whilst OpenSSH contains support for doing GSSAPI user authentication, this only allows the underlying security mechanism to authenticate the user to the server, and continues to use SSH host keys to authenticate the server to the user. For many sites who already have security infrastructures such as Kerberos deployed, managing large numbers of SSH host keys is an additional, unnecessary, burden. GSSAPI key exchange allows the use of security mechanisms such as Kerberos to authenticate the server to the user, removing the need for trusted ssh host keys, and allowing the use of a single security architecture.

Cheers,

Simon.

From otyugh at sbcglobal.net Wed Sep 28 08:10:14 2005
From: otyugh at sbcglobal.net (Mike Cochran)
Date: Tue, 27 Sep 2005 15:10:14 -0700
Subject: make fails with ssl 0.9.8
Message-ID:

Openssh gurus,

On Suse Linux 9.3 using kernel 2.6.11.4-21.9-default, x86_64 system with an athlon64:

If I make openssh 4.2p1 using the system's default ssl 0.9.7e, all is well; however, make fails if I install the newer ssl 0.9.8 and configure openssh with:

./configure --with-ssl-dir=/usr/local/ssl

A snippet from the last output from make is:

_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshconnect2.c
gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lcrypto -lutil -lz -lnsl -lcrypt -lresolv -lresolv
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x2d4): In function `dlfcn_bind_func':
dso_dlfcn.c: undefined reference to `dlsym'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x32c):dso_dlfcn.c: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x3cc): In function `dlfcn_bind_var':
dso_dlfcn.c: undefined reference to `dlsym'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x448):dso_dlfcn.c: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x49d): In function `dlfcn_unload':
dso_dlfcn.c: undefined reference to `dlclose'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x551): In function `dlfcn_load':
dso_dlfcn.c: undefined reference to `dlopen'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x5c6):dso_dlfcn.c: undefined reference to `dlclose'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x5ff):dso_dlfcn.c: undefined reference to `dlerror'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

Is there an easy fix I'm missing?

Mike

From dtucker at zip.com.au Wed Sep 28 08:30:42 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 28 Sep 2005 08:30:42 +1000
Subject: make fails with ssl 0.9.8
In-Reply-To:
References:
Message-ID: <4339C812.6010300@zip.com.au>

Mike Cochran wrote:
[...]
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x2d4): In function
> `dlfcn_bind_func':
> dso_dlfcn.c: undefined reference to `dlsym'
[...]
> Is there an easy fix I'm missing?

$ ./configure --with-libs=-ldl

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From Vince.McIntyre at atnf.CSIRO.AU Wed Sep 28 12:02:28 2005
From: Vince.McIntyre at atnf.CSIRO.AU (Vincent McIntyre)
Date: Wed, 28 Sep 2005 12:02:28 +1000 (EST)
Subject: multiple Host entries in ssh_config
Message-ID:

Hi list,

I have looked over the documentation and done some experiments, and I'm now really confused about how this is supposed to work, so I'm appealing to you. If this is a faq perhaps I can write it up in a patch to the existing faq.

I'm running ssh 3.8.1p1 on Debian Sarge. I looked briefly at the 4.x manpages but haven't tried that version of the software; the manpage looks no different.

What I want to do is write an /etc/ssh/ssh_config that allows X11 forwarding to _some_ hosts by default, and not others, viz:

ssh baz                  X11 forwarded
ssh baz.my.domain        X11 forwarded
ssh biff.notmydom.com    not forwarded

ie I want to trust hosts in my domain but not outside it.

I tried various orderings of

Host *
    ForwardX11 yes
Host *.my.domain
    ForwardX11 yes
Host *.*
    ForwardX11 no

but couldn't find anything that seemed to work as desired. In particular, it seems it is not possible to override X11 forwarding again once one of the entries has turned it on. Take the notmydomain.com case - it matches *, then matches *.*, but X11 forwarding is still allowed. I presume this is due to the first match? Is this the way it is supposed to work? If so, why?

Kind regards
Vincent McIntyre  vmcintyr at atnf.csiro.au
Australia Telescope National Facility, CSIRO   voice:+61-2-9372-4643
PO Box 76, Epping, NSW 1710, AUSTRALIA         fax:+61-2-9372-4442

From jdvf at optonline.net Wed Sep 28 12:37:41 2005
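To see why the ordering in the post behaves as observed, here is a small model of ssh_config evaluation, added as an example that is not code from the thread or from OpenSSH: it implements the Host pattern rules from ssh_config(5) ('*', '?', '!' negation, several patterns per line) and the rule that the first value obtained for a keyword wins, then compares the original ordering with one that puts the catch-all block last, which yields the three results wanted above. It assumes, as ssh(1) of that era does, that Host patterns are compared with the name exactly as typed on the command line; both configurations are constructed for the scenario in the post.

```python
import re


def glob_to_regex(pattern):
    """Translate an ssh_config pattern ('*' any run, '?' any one char) into a regex.
    Host names are compared case-insensitively, as ssh does."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def match_pattern_list(patterns, host):
    """Evaluate one Host line: a negated ('!') pattern that matches vetoes the
    whole line; otherwise the line applies if any positive pattern matches."""
    got_positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if glob_to_regex(pat).match(host):
            if negated:
                return False
            got_positive = True
    return got_positive


def resolve_options(config_text, host):
    """Walk an ssh_config body the way ssh(1) does for one destination:
    a Host line switches the following lines on or off for this host, and for
    every keyword the FIRST value obtained wins; later blocks never override it."""
    active = True           # lines before any Host block apply to every host
    resolved = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            patterns = [p for p in re.split(r"[\s,]+", value) if p]
            active = match_pattern_list(patterns, host)
            continue
        if active and keyword not in resolved:
            resolved[keyword] = value
    return resolved


# Constructed config reproducing the ordering tried in the post.
ORIGINAL_CONFIG = """
Host *
    ForwardX11 yes
Host *.my.domain
    ForwardX11 yes
Host *.*
    ForwardX11 no
"""

# Most specific block first, catch-all last: the catch-all only fills in
# keywords that no earlier block has already set for this host.
FIXED_CONFIG = """
Host baz *.my.domain
    ForwardX11 yes
Host *
    ForwardX11 no
"""


def forward_x11(config_text, host):
    """ForwardX11 as ssh would resolve it; the client default is 'no'."""
    return resolve_options(config_text, host).get("forwardx11", "no")


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for h in ("baz", "baz.my.domain", "biff.notmydom.com"):
            print("%-8s %-20s ForwardX11 %s" % (name, h, forward_x11(cfg, h)))
```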
From: jdvf at optonline.net (John Devitofranceschi)
Date: Tue, 27 Sep 2005 22:37:41 -0400
Subject: Solaris 8 sshd seg fault with 4.2p1 & PAM
Message-ID: <433A01F5.70106@optonline.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can anyone reproduce this on a Solaris 8 system with 4.2p1:

openssh is configured to use PAM and sshd_config has "UsePam" set to "yes"

pam.conf has something like this:

    other auth required   pam_get_authtok
    other auth sufficient pam_krb5.so.1 use_first_pass
    other auth required   pam_unix.so.1 use_first_pass

Now, if I log in via ssh as a user who has a Kerberos principal,
everything works just fine. If a local account is used, sshd segfaults.
If I remove the pam_krb5.so.1 reference auth line, the local user can
successfully authenticate.

I'll gather more debugging info if this is not already a known problem.

jd

- --
John Devitofranceschi, E-Mail: jdvf at optonline.net
Fax: +1 203 348 8219
PGP Fingerprint: 0D33 5A27 0810 9543 64FB DF4A 54CF 4B40 1335 4673

"What," asked Mr. Croup, "do you want?"
"What," asked the marquis de Carabas, a little more rhetorically, "does
anyone want?"
"Dead things," suggested Mr. Vandemar. "Extra teeth."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFDOgHzVM9LQBM1RnMRAocHAJ9bNFMwRbJJPjGe8PBQxYMlalobwgCfQRpB
JXO80EfQPfQ4ReJhhNKp9y4=
=BJLz
-----END PGP SIGNATURE-----

From dtucker at zip.com.au Wed Sep 28 15:03:12 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 28 Sep 2005 15:03:12 +1000
Subject: Solaris 8 sshd seg fault with 4.2p1 & PAM
In-Reply-To: <433A01F5.70106@optonline.net>
References: <433A01F5.70106@optonline.net>
Message-ID: <433A2410.7080600@zip.com.au>

John Devitofranceschi wrote:
> Can anyone reproduce this on a Solaris 8 system with 4.2p1:
>
> openssh is configured to use PAM and sshd_config has "UsePam" set to "yes"
>
> pam.conf has something like this:
>
> other auth required pam_get_authtok

You mean "pam_authtok_get.so.1"? The example in pam.conf has it listed
as "requisite", not sure if that matters.

> other auth sufficient pam_krb5.so.1 use_first_pass
> other auth required pam_unix.so.1 use_first_pass
>
> Now, if I log in via ssh as a user who has a Kerberos principal,
> everything works just fine. If a local account is used, sshd segfaults.
> If I remove the pam_krb5.so.1 reference auth line, the local user can
> successfully authenticate.
>
> I'll gather more debugging info if this is not already a known problem.

Not a known problem as far as I am aware. Please open a bug at
http://bugzilla.mindrot.org and attach a debug trace ("/path/to/sshd -ddde").

The other thing you might like to try is this test rig:
http://www.zip.com.au/~dtucker/patches/index.html#pamtest

# gcc pam-test-harness.c -o pam-test-harness -lpam
# ./pam-test-harness -s sshd -u youruser

This will help determine if the problem lies in sshd or the pam module.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Sep 28 15:50:34 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 28 Sep 2005 15:50:34 +1000
Subject: multiple Host entries in ssh_config
In-Reply-To:
References:
Message-ID: <433A2F2A.1090902@zip.com.au>

Vincent McIntyre wrote:
> Hi list,
>
> I have looked over the documentation and done some experiments,
> and I'm now really confused about how this is supposed to work so I'm
> appealing to you. If this is a FAQ perhaps I can write it up in a
> patch to the existing FAQ.
>
> I'm running ssh 3.8.1p1 on Debian Sarge. I looked briefly at the
> 4.x manpages but haven't tried that version of the software; the
> manpage looks no different.
>
> What I want to do is write an /etc/ssh/ssh_config that allows X11
> forwarding to _some_ hosts by default, and not others, viz:
>     ssh baz                  X11 forwarded
>     ssh baz.my.domain        X11 forwarded
>     ssh biff.notmydom.com    not forwarded
> i.e. I want to trust hosts in my domain but not outside it.
>
> I tried various orderings of
>     Host *
>         ForwardX11 yes
>     Host *.my.domain
>         ForwardX11 yes
>     Host *.*
>         ForwardX11 no
>
> but couldn't find anything that seemed to work as desired.
> In particular, it seems it is not possible to override X11 forwarding
> again once one of the entries has turned it on. Take the notmydomain.com
> case - it matches *, then matches *.*, but X11 forwarding is still
> allowed. I presume this is due to the first match?
>
> Is this the way it is supposed to work? If so, why?

Yes, the config keywords are first-match. Why? Dunno, but it's been
that way for a long time.

It does mean you can use a leading "Host *" block as a global override,
and a trailing "Host *" as a global default.

This ought to do what you want:

    # match local domain
    Host *.my.domain
        ForwardX11 yes

    # match any other qualified domain
    Host *.*
        ForwardX11 no

    # match remaining (local) hosts
    Host *
        ForwardX11 yes

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience.
Unfortunately, the experience usually comes from bad judgement.

From Vincent.McIntyre at csiro.au Wed Sep 28 17:15:24 2005
From: Vincent.McIntyre at csiro.au (Vincent.McIntyre at csiro.au)
Date: Wed, 28 Sep 2005 17:15:24 +1000 (EST)
Subject: multiple Host entries in ssh_config
In-Reply-To: <433A2F2A.1090902@zip.com.au>
Message-ID:

>
> Yes, the config keywords are first-match. Why? Dunno, but it's been
> that way for a long time.

to clarify, you're saying keywords are first-match-wins-all ?

> It does mean you can use a leading "Host *" block as a global override,
> and a trailing "Host *" as a global default.
>
> This ought to do what you want:
>
> # match local domain
> Host *.my.domain
>     ForwardX11 yes
>
> # match any other qualified domain
> Host *.*
>     ForwardX11 no
>
> # match remaining (local) hosts
> Host *
>     ForwardX11 yes

In fact it does. I had actually tried this ordering. I think I was
getting thrown off by seeing

    debug1: Applying options for *.*
    debug1: Applying options for *

in the log, which made me think that perhaps last-match-wins applied.
Also I think I had a "ForwardX11Trusted yes" in each stanza as well,
which I had not commented out.

Thanks for the quick reply.

Attached is a suggested patch to ssh_config.5 for the 4.2 release that
I think would help the next person with this problem.
Should I open a bug, or is posting here enough?

Cheers
Vince
-------------- next part --------------
--- ssh_config.5.orig Wed Sep 28 16:49:53 2005
+++ ssh_config.5 Wed Sep 28 17:12:47 2005
@@ -115,6 +115,22 @@ .Ar hostname argument given on the command line (i.e., the name is not converted to a canonicalized host name before matching). +.Pp +As noted above, the first value obtained for any particular parameter is +the one that will be used (first-match-wins). So if you have multiple +.Cm Host +statements, put the more specific ones earlier in the config file. +More than one of these +.Cm Host +statements may be matched during +.Nm ssh +startup (the matches will be noted in the debug output given by the +.Nm -v +switch for +.Nm ssh +), but only the value from the first matching +.Cm Host +specification will actually be used. .It Cm AddressFamily Specifies which address family to use when connecting. Valid arguments are From dtucker at zip.com.au Wed Sep 28 17:37:49 2005 
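Review bot: the -v switch is marked up as a program name in the added paragraph (`.Nm -v`, between `startup (the matches will be noted in the debug output given by the` and `switch for`); in mdoc a command-line flag takes `.Fl`, so that line should read `.Fl v`, and the `.Nm ssh` that follows it is then the only program-name macro needed there. The paragraph also opens with "As noted above", i.e. it restates the first-obtained-value rule the page already gives; it would read tighter reduced to the one new point, that several `.Cm Host` statements can match during startup (visible in the -v output) while only the first matching statement supplies each keyword's value.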
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 28 Sep 2005 17:37:49 +1000
Subject: multiple Host entries in ssh_config
In-Reply-To:
References:
Message-ID: <433A484D.10400@zip.com.au>

Vincent.McIntyre at csiro.au wrote:
>> Yes, the config keywords are first-match. Why? Dunno, but it's been
>> that way for a long time.
>
> to clarify, you're saying keywords are first-match-wins-all ?

I don't see a difference between that and "first match". Do you mean
that, given the following config:

    Host foo
        HostKeyAlias bar

    Host *
        CheckHostIP no

what options are active for "ssh foo"? In this example, both the
HostKeyAlias and CheckHostIP would apply to "ssh foo".

[...]
> Attached is a suggested patch to ssh_config.5 for the 4.2 release that
> I think would help the next person with this problem.
> Should I open a bug, or is posting here enough?

Posting here is usually enough for small things like this (provided we
don't get sidetracked :-). Anything where there's significant context
(logs, traces, work history) is better in bugzilla.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Vincent.McIntyre at csiro.au Wed Sep 28 18:05:30 2005
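The first-match rule is easy to misread from the -v output, so here is a small model of how ssh_config Host blocks are applied, added here as an example and not code from the thread or from OpenSSH itself: it reproduces both Darren's ForwardX11 ordering for baz / baz.my.domain / biff.notmydom.com and the HostKeyAlias + CheckHostIP case above. It assumes only the syntax the thread uses (Host lines with '*', '?' and '!' patterns, one keyword per line, '#' comments); Match blocks, %-tokens and other readconf.c details are out of scope.

```python
import fnmatch  # shell-style globbing covers the '*' and '?' wildcards used in Host lines

def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks in file order.
    Options before any Host line go into a leading block that matches every host."""
    blocks = [([], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()                  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), {}))      # "Host a b" lists several patterns
        else:
            blocks[-1][1].setdefault(keyword, value)  # first occurrence in a block wins
    return blocks

def host_matches(patterns, host):
    """A Host line matches when some positive pattern matches and no '!' pattern does;
    the empty pattern list is the implicit leading block."""
    if not patterns:
        return True
    hits = [fnmatch.fnmatchcase(host.lower(), p.lstrip("!").lower()) for p in patterns]
    negated = any(h for h, p in zip(hits, patterns) if p.startswith("!"))
    positive = any(h for h, p in zip(hits, patterns) if not p.startswith("!"))
    return positive and not negated

def applied_blocks(text, host):
    """The Host lines ssh -v reports as "Applying options for ...": every matching
    block is consulted, which is what made the log look like last-match-wins."""
    return [" ".join(p) for p, _ in parse_ssh_config(text) if p and host_matches(p, host)]

def resolve(text, host):
    """Accumulate options for host: each keyword keeps the first value obtained."""
    options = {}
    for patterns, opts in parse_ssh_config(text):
        if host_matches(patterns, host):
            for keyword, value in opts.items():
                options.setdefault(keyword, value)
    return options
# Darren's ordering from the thread: specific blocks first, the "Host *" default last.
FIXED_CONFIG = """\
Host *.my.domain
    ForwardX11 yes
Host *.*
    ForwardX11 no
Host *
    ForwardX11 yes
"""
# Vincent's original ordering, where the leading "Host *" supplies the value for everyone.
ORIGINAL_CONFIG = "Host *\n ForwardX11 yes\nHost *.my.domain\n ForwardX11 yes\nHost *.*\n ForwardX11 no\n"
# The two-block example from the reply above: both keywords are active for "ssh foo".
ALIAS_CONFIG = "Host foo\n HostKeyAlias bar\nHost *\n CheckHostIP no\n"
```

Later OpenSSH releases added `ssh -G host`, which prints the configuration after evaluating the Host and Match blocks without connecting, which is the "show me the accumulated configuration" option asked for further down this thread.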
From: Vincent.McIntyre at csiro.au (Vincent.McIntyre at csiro.au)
Date: Wed, 28 Sep 2005 18:05:30 +1000 (EST)
Subject: multiple Host entries in ssh_config
In-Reply-To: <433A484D.10400@zip.com.au>
Message-ID:

>> to clarify, you're saying keywords are first-match-wins-all ?
>
> I don't see a difference between that and "first match".

It's the same thing, just a bit more verbose. I like a bit of
redundancy, this "English" protocol thing can be rather ambiguous...

> Do you mean that, given the following config:
>
> Host foo
>     HostKeyAlias bar
>
> Host *
>     CheckHostIP no
>
> what options are active for "ssh foo"? In this example, both the
> HostKeyAlias and CheckHostIP would apply to "ssh foo".

Yes, that's the idea. It's confusing at first that, for a given
destination, some elements of the configuration for that session will
come from one Host "statement group" and some will come from others.
It's actually a good design, once you get your head around it.
But it is difficult to express succinctly; the patch I sent could also
use a tweak to capture this better.

At the risk of sidetracking you... I don't know if this is a lot of
work or exists already, but it might be useful to have an option to
ssh like --config-summary or --show-config that prints the accumulated
configuration from all the inputs (commandline, $HOME/.ssh/config,
/etc/ssh/ssh_config, compilation) and exits. "-O" looks to be free...

> Posting here is usually enough for small things like this (provided we
> don't get sidetracked :-).

ok, thanks.

Cheers
Vince

From dtucker at zip.com.au Wed Sep 28 19:52:06 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 28 Sep 2005 19:52:06 +1000
Subject: multiple Host entries in ssh_config
In-Reply-To:
References:
Message-ID: <433A67C6.8020005@zip.com.au>

Vincent.McIntyre at csiro.au wrote:
>>> to clarify, you're saying keywords are first-match-wins-all ?
>> I don't see a difference between that and "first match".
>
> It's the same thing, just a bit more verbose. I like a bit of
> redundancy, this "English" protocol thing can be rather ambiguous...

I just went and compared your patch to the existing text and it doesn't
seem to add anything that's not already on the previous page. I'd rather
clarify the existing text if needed than add redundancy (quoth our
fearless leader, "they're manual pages not tea-time chit-chats" :-)

Maybe they need an EXAMPLES section, though?

[...]
> Yes, that's the idea. It's confusing at first, that for a given
> destination some elements of the configuration for that session will
> come from one Host "statement group" and some will come from others.
> It's actually a good design, once you get your head around it.
> But difficult to express succinctly, the patch I sent could also
> use a tweak to capture this better.

There's probably a decent demand for some more detailed user-level
documentation to cover this and things like it in a different style
(conversational/tutorial, examples, that sort of thing) rather than man
page style (comprehensive, authoritative, succinct). If someone wants a
spare-time project this would probably be a good one. If the quality is
good enough then we would probably put it up on openssh.com.

There's some good source material around: man pages and FAQ, djm's
presentation and tutorial[1], Markus' presentation [2] (if you can lesen
Sie Deutschen :-)

> At the risk of sidetracking you...
> I don't know if this is a lot of
> work or exists already, but it might be useful to have an option to
> ssh like --config-summary or --show-config that prints the accumulated
> configuration from all the inputs (commandline, $HOME/.ssh/config,
> /etc/ssh/ssh_config, compilation) and exits. "-O" looks to be free...

I like that idea (it would make debugging reported problems easier for
one thing, since you would not have to guess which options were in
effect) but I would just add them as debug3's.

[1] http://www.mindrot.org/~djm/auug2002/
[2] http://www.openbsd.org/papers/cebit2003/index.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From openssh-unix-dev at kaleta.sk Fri Sep 30 06:22:03 2005
From: openssh-unix-dev at kaleta.sk (Kaleta Stanley)
Date: Thu, 29 Sep 2005 22:22:03 +0200 (CEST)
Subject: idea against hacks - help to IDS of a new generation
Message-ID:

Hi,

i just subscribed and created a new email account only for this purpose,
to send you an idea (or 2). ;)

the problem:
i have full logs of intrusions from some automats trying dictionary
passwords for other dictionary logins.

the status:
these are some "actions" during client-server handshaking:

1. client connects
2. client waits for server feedback
3. server responds
4. client sends a login (or keys handshake ...)
5. server accepts the connection and sends back the confirmation
6. communication

question I.:
what about adding some "delay" as '-' option[s] to sshd that will
wait/sleep some nans/tens of seconds between some of these handshakes?
i think it would not be a problem to update all the client SW's to
accept this option... but in between, some CPU could be used for IDS
SW's to identify the intrusion. to put some iptables -I ... for
instance...
(i have some own simple IDS and i'm really missing such "delay" and CPU
to make an action...)

i use login password identification mostly, and i have no problem to
wait (if keys) 2-5 seconds for authentication...
... but intrusion SW's don't wait - they just try ...

question II.:
another possibility ;)
what about adding "optional action" as parameter of sshd
(could be used for IDS' )
in case of intrusion detection (anyway logged to syslog)
to run some rule based "anything" ?

br
Stanley

From stuge-openssh-unix-dev at cdy.org Fri Sep 30 07:29:27 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 29 Sep 2005 23:29:27 +0200
Subject: idea against hacks - help to IDS of a new generation
In-Reply-To:
References:
Message-ID: <20050929212927.16011.qmail@cdy.org>

On Thu, Sep 29, 2005 at 10:22:03PM +0200, Kaleta Stanley wrote:
> what about adding "optional action" as parameter of sshd
> (could be used for IDS' )
> in case of intrusion detection (anyway logged to syslog)

Both your suggestions have been seen before, and the answer is that
OpenSSH already exports the needed information through syslog, and
that's where you (and tools) should look in order to make any
decisions based on failed logins.


//Peter

From djm at mindrot.org Fri Sep 30 13:14:06 2005
From: djm at mindrot.org (Damien Miller)
Date: Fri, 30 Sep 2005 13:14:06 +1000 (EST)
Subject: idea against hacks - help to IDS of a new generation
In-Reply-To: <20050929212927.16011.qmail@cdy.org>
References: <20050929212927.16011.qmail@cdy.org>
Message-ID:

On Thu, 29 Sep 2005, Peter Stuge wrote:

> On Thu, Sep 29, 2005 at 10:22:03PM +0200, Kaleta Stanley wrote:
>> what about adding "optional action" as parameter of sshd
>> (could be used for IDS' )
>> in case of intrusion detection (anyway logged to syslog)
>
> Both your suggestions have been seen before, and the answer is that
> OpenSSH already exports the needed information through syslog, and
> that's where you (and tools) should look in order to make any
> decisions based on failed logins.

Yes, and at the risk of repeating myself: a system that monitors and
reacts to system logs can help with *all* password guessing attacks, not
just those that happen to target ssh.

-d
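The log-driven approach Peter and Damien recommend, as an added example rather than anything posted in the thread: a monitor that reads sshd's syslog "Failed password" lines, counts failures per source address in a sliding window, and reports the sources that exceed a threshold, leaving the reaction (an alert, a firewall rule) to the operator's own policy. The sample log lines are constructed; the threshold and window are assumed values, and the line shape follows sshd's standard "Failed password for [invalid user] USER from ADDR port N" message.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of sshd's syslog line for a password failure, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, user, source address) for each failed-password line;
    syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["addr"]

def sources_over_threshold(lines, limit=5, window=timedelta(minutes=10)):
    """Return {addr: (peak failures inside one window, sorted user names tried)} for
    each source whose failures within `window` exceed `limit`. The sliding window
    separates a guessing run from a legitimate user's occasional typo."""
    by_addr = defaultdict(list)
    for ts, user, addr in parse_failures(lines):
        by_addr[addr].append((ts, user))
    flagged = {}
    for addr, events in by_addr.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[addr] = (peak, sorted({user for _, user in events}))
    return flagged

# Constructed sample log: a dictionary run from 192.0.2.10 and one typo from 198.51.100.7.
SAMPLE_LOG = """\
Sep 29 22:01:03 host sshd[4010]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Sep 29 22:01:05 host sshd[4012]: Failed password for invalid user test from 192.0.2.10 port 4033 ssh2
Sep 29 22:01:07 host sshd[4014]: Failed password for root from 192.0.2.10 port 4040 ssh2
Sep 29 22:01:09 host sshd[4016]: Failed password for invalid user oracle from 192.0.2.10 port 4051 ssh2
Sep 29 22:01:11 host sshd[4018]: Failed password for invalid user guest from 192.0.2.10 port 4058 ssh2
Sep 29 22:01:13 host sshd[4020]: Failed password for root from 192.0.2.10 port 4066 ssh2
Sep 29 22:03:40 host sshd[4031]: Failed password for stanley from 198.51.100.7 port 51022 ssh2
Sep 29 22:03:52 host sshd[4031]: Accepted password for stanley from 198.51.100.7 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    for addr, (count, users) in sources_over_threshold(SAMPLE_LOG).items():
        print(f"{addr}: {count} failures in one window, users tried: {', '.join(users)}")
```

Because it consumes syslog rather than hooking sshd, the same loop can be pointed at other services' failure messages, which is the generality Damien's reply is after.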