From eric at andante.org Wed Mar 1 02:22:09 2006 
From: eric at andante.org (Eric Youngdale)
Date: Tue, 28 Feb 2006 10:22:09 -0500
Subject: Bug in Kerberos support for openssh.
References: <44031D41.6090702@andante.org>
Message-ID: <44046AA1.1090407@andante.org>

sxw at inf.ed.ac.uk wrote:
> GSSAPI is an IETF standard. If your GSSAPI library doesn't allow
> gss_export_name to be called with the client name returned by
> gss_accept_sec_context then it is broken. The type of the client name
> is, as others have noted on the Kerberos mailing list, opaque. An
> implementation can choose to make this whatever it likes, as long as that
> decision is consistent across every call.
>
> The OpenSSH code has been tested with (to my knowledge) GSSAPI
> implementations from MIT, Heimdal and Globus, and works correctly with
> all of these.
>
> SuSe 10 ships with a library called 'libgssapi', which isn't a
> Kerberos GSSAPI library at all (the Kerberos GSSAPI library from the
> MIT code is called libgssapi_krb5.so). It's a version of the
> 'mechglue' code which, I believe, CITI have packaged up to work with
> NFSv4. It acts as a 'shim' layer,
> allowing multiple different GSSAPI libraries to be used by the one
> application.

Correct. It loads function pointers for libgssapi_krb5.so and calls through.

> Unfortunately this code has issues that are causing problems for a
> number of people trying to do GSSAPI on SuSE 10. Firstly, it calls
> exit() when it encounters problems - not particularly great behaviour
> from a shared library. I first encountered this with Thunderbird's
> Kerberos support - both Thunderbird and Firefox now explicitly check
> for this library and don't use it if found.
>
> Secondly, as you've noted, its support for calling 'export_name' is
> broken. In fact, the version of the library that I have to hand
> doesn't even support export_name - so I suspect that you're falling
> back to using the native export_name provided by libgssapi_krb5,
> although I'm not familiar enough with the behaviour of Linux's linker
> to work out how.
>
> The short answer is - don't build OpenSSH against libgssapi - build it
> against the GSSAPI library (libgssapi_krb5) which ships with MIT
> Kerberos. File a bug with your vendor about the fact that they're
> shipping a broken GSSAPI library.

That would probably fix it. It wasn't until I read this message that it even occurred to me that I could build without libgssapi-0.7 - I just assumed that this was required and I couldn't figure out how this could have possibly worked for anyone else.

When I first built openssh with kerberos turned on, I just ran configure, and the resulting Makefile was using libgssapi.so, so this was why I assumed that it was required. I rejiggered things to bypass it, and it was able to relink - I haven't retested, but I expect it to work.

Given the current state of affairs, would it not be reasonable for the configure script for openssh to ignore this library if it is encountered? Is there any circumstance where using libgssapi.so is the right thing to do (i.e. are there platforms where you do want to use this shared library)?

From aphor at speakeasy.net Wed Mar 1 02:45:32 2006
From: aphor at speakeasy.net (Jeremy McMillan)
Date: Tue, 28 Feb 2006 09:45:32 -0600
Subject: openssh-unix-dev Digest, Vol 35, Issue 1

OpenSSH depends heavily upon OpenSSL. Both cleanly build 64 bit binaries. In the case of sparcv9 binaries, you should probably make sure you have *both* 32bit and 64bit OpenSSL binaries installed, and take extra care to configure your so library paths. On systems that are 100% 64bit, (Linux, FreeBSD in my experience) it just works.

On Feb 28, 2006, at 9:23 AM, openssh-unix-dev-request at mindrot.org wrote:

> Date: Mon, 27 Feb 2006 14:19:25 +0100
> From: Simon Vallet
> Subject: Re: Openssh src - 64 bit clean
> To: "Rathi, Dinesh"
> Cc: openssh-unix-dev at mindrot.org
> Message-ID: <20060227141925.12ac231b.svallet at genoscope.cns.fr>
> Content-Type: text/plain; charset=ISO-8859-15
>
> On Mon, 27 Feb 2006 17:32:15 +0530
> "Rathi, Dinesh" wrote:
>
>> Hi
>> I wanted to know if openssh src is 64 bit clean? I
>> need to use it on sun 64/ aix 64/ linux 64 and hp-ipf 64 bit
>> platforms. Has anyone tried it on any of these platforms?
>
> It compiled and ran fine for us on Solaris 7/8/9 Sparc64
>
> Simon

From sxw at inf.ed.ac.uk Wed Mar 1 06:15:40 2006
From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk)
Date: Tue, 28 Feb 2006 19:15:40 +0000 (GMT)
Subject: Bug in Kerberos support for openssh.
In-Reply-To: <44046AA1.1090407@andante.org>
References: <44031D41.6090702@andante.org> <44046AA1.1090407@andante.org>

On Tue, 28 Feb 2006, Eric Youngdale wrote:

> When I first built openssh with kerberos turned on, I just ran configure, and
> the resulting Makefile was using libgssapi.so,

That's very odd. Recent versions of OpenSSH use krb5-config to work out which libraries to use, and MIT's krb5-config certainly tells it to use libgssapi_krb5.so

Could you send me (off list)

1) The command you're running configure with
2) The contents of config.log
3) The results of running 'krb5-config'
4) The results of running 'krb5-config --libs gssapi'

> Given the current state of affairs, would it not be reasonable for the
> configure script for openssh to ignore this library if it is encountered? Is
> there any circumstance where using libgssapi.so is the right thing to do
> (i.e. are there platforms where you do want to use this shared library)?

Heimdal's GSSAPI library is installed as libgssapi - we have to check for this one so that OpenSSH will build against Heimdal.

I agree with you that we shouldn't link OpenSSH against the CITI libgssapi, though. Even if it worked correctly, it wouldn't be suitable for our purposes as it doesn't provide a mechanism to convert GSSAPI credentials into Kerberos ones (which we need in order to support credential delegation).

The test I wrote for Thunderbird checks whether the selected GSSAPI library includes the functions 'internal_krb5_gss_initialize' and 'gssd_pname_to_uid' - perhaps OpenSSH should have a similar test in configure.ac, and bomb out if you're trying to link against this library.

Cheers,

Simon.

From imorgan at nas.nasa.gov Wed Mar 1 10:58:27 2006
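Simon's message above describes a test that refuses a GSSAPI library when it exports the CITI mechglue entry points. The program below is an added example, not code from Thunderbird, OpenSSH or tcp_wrappers: it applies the same two-symbol check at run time with dlopen()/dlsym() to a library path given on the command line. The default candidate name libgssapi.so and the nonexistent path used in the self-test are assumptions; only the two symbol names come from the message.

```c
/* Added example (not OpenSSH or Thunderbird code): refuse to use a GSSAPI
 * library that exports the CITI mechglue entry points named in the thread.
 * Build: cc -o gsscheck gsscheck.c -ldl   (the -ldl is harmless where dlopen
 * already lives in libc) */
#include <dlfcn.h>
#include <stdio.h>

/* Symbols that identify the CITI "libgssapi" shim, taken from the message. */
static const char *const shim_symbols[] = {
    "internal_krb5_gss_initialize",
    "gssd_pname_to_uid",
};

/* Returns 1 if the library at 'path' exports every symbol in shim_symbols,
 * 0 if it exports none or only some of them, -1 if it cannot be loaded.
 * A NULL path inspects the calling program itself (dlopen(NULL) semantics),
 * which gives a self-test target that is guaranteed not to be the shim. */
int looks_like_citi_shim(const char *path)
{
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL)
        return -1;
    size_t n = sizeof shim_symbols / sizeof shim_symbols[0];
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        if (dlsym(h, shim_symbols[i]) != NULL)
            found++;
    dlclose(h);
    return found == n ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* candidate library name is an assumption; pass the real path as argv[1] */
    const char *lib = argc > 1 ? argv[1] : "libgssapi.so";
    int r = looks_like_citi_shim(lib);
    if (r < 0)
        printf("%s: cannot load (%s)\n", lib, dlerror());
    else if (r == 1)
        printf("%s: exports the CITI mechglue symbols; do not link against it\n", lib);
    else
        printf("%s: no CITI mechglue symbols found\n", lib);
    return r == 1;
}
```

The configure-time equivalent Simon suggests would probe the same two symbols in the library that krb5-config selected and abort if both are present; the runtime form above is what an application can do when it cannot control how it was linked.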
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 28 Feb 2006 15:58:27 -0800 (PST)
Subject: scp and SGI DMF
Message-ID: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov>

Hello,

For some time now, our users have been encountering a problem when using scp to overwrite files on our mass-storage system, which uses SGI's DMF product. I don't have any data as to whether or not any other HSMs would be similarly affected.

The scenario is that a user is overwriting a file (via scp) that has previously been migrated to tape. The scp opens the file for writing, but does not truncate the file. This causes DMF (the HSM) to recall the file from tape and the scp hangs until it is successfully recalled. Unfortunately, these recalls can take several hours depending on how active the tape drives are.

So, I'm wondering if there would be any interest in either adding (yet another) command-line option to add O_TRUNC to the open() flags when writing a file or perhaps to change the default behaviour. (I'm assuming the latter is unlikely.)

I should note that sftp doesn't seem to have the same problem. However, the lack of a recursive copy makes it problematic for many of our users.

Thanks

--
Iain Morgan

From stuge-openssh-unix-dev at cdy.org Wed Mar 1 12:08:16 2006
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 1 Mar 2006 02:08:16 +0100
Subject: scp and SGI DMF
In-Reply-To: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov>
References: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov>
Message-ID: <20060301010816.2564.qmail@cdy.org>

On Tue, Feb 28, 2006 at 03:58:27PM -0800, Iain Morgan wrote:
> This causes DMF (the HSM) to recall the file from tape and the scp
> hangs until it is successfully recalled.

Oh.

> So, I'm wondering if there would be any interest in either adding
> (yet another) command-line option to add O_TRUNC to the open()
> flags when writing a file

I doubt this will ever happen. scp is only maintained for backwards compatibility with rcp.

> or perhaps to change the default behaviour. (I'm assuming the
> latter is unlikely.)

Can you test what rcp does? The general intention for scp is that it should behave the same way rcp does, if rcp truncates then scp may quite possibly change.

> I should note that sftp doesn't seem to have the same problem.
> However, the lack of a recursive copy makes it problematic for many
> of our users.

Teaching sftp how to do recursive copies is probably the best solution in any case since sftp is actually developed rather than just maintained.


//Peter

From djm at mindrot.org Wed Mar 1 19:18:54 2006
From: djm at mindrot.org (Damien Miller)
Date: Wed, 1 Mar 2006 19:18:54 +1100 (EST)
Subject: scp and SGI DMF
In-Reply-To: <20060301010816.2564.qmail@cdy.org>
References: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov> <20060301010816.2564.qmail@cdy.org>

On Wed, 1 Mar 2006, Peter Stuge wrote:

> > I should note that sftp doesn't seem to have the same problem.
> > However, the lack of a recursive copy makes it problematic for many
> > of our users.
>
> Teaching sftp how to do recursive copies is probably the best
> solution in any case since sftp is actually developed rather than
> just maintained.

Absolutely! I would love someone interested to pick this up. There is a patch in bugzilla[1] to implement recursive uploads that I have been meaning to review for ages.

Implementing recursive downloads is more tricky, and would probably require hacking sftp awareness into the guts of fts(3) or similar.

-d

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=520

From Tob_Sch at gmx.de Wed Mar 1 23:26:35 2006
From: Tob_Sch at gmx.de (Tob_Sch at gmx.de)
Date: Wed, 1 Mar 2006 13:26:35 +0100 (MET)
Subject: sshrc not working when using restricted shells on HP-UX
References: <10782.1138896193@www020.gmx.net>
Message-ID: <6424.1141215995@www047.gmx.net>

Hi,

we compiled OpenSSH 4.3p2 / OpenSSL 0.9.8a / zlib 1.2.3 on different platforms. When we connect to a user which has got a restricted login shell on a HP-UX (e.g. 11.00) server, we get errors during passing the sshrc file, although there are enough rights to access this file e.g. via "dd if=" in the restricted shell. This doesn't appear when using restricted shells on all other platforms!!!

Here's the error message during starting the connection:

sh: /bin/sh: The operation is not allowed in a restricted shell.

The problem occurs on
HP-UX with rksh and rsh

The problem doesn't occur on
SunOS with rksh
AIX with rksh
Linux with rbash

Thanks in advance for help.

From dtucker at zip.com.au Wed Mar 1 23:44:23 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 01 Mar 2006 23:44:23 +1100
Subject: sshrc not working when using restricted shells on HP-UX
In-Reply-To: <6424.1141215995@www047.gmx.net>
References: <10782.1138896193@www020.gmx.net> <6424.1141215995@www047.gmx.net>
Message-ID: <44059727.2060303@zip.com.au>

Tob_Sch at gmx.de wrote:
[about restricted shells]
> Here's the error message during starting the connection:
>
> sh: /bin/sh: The operation is not allowed in a restricted shell.

I would interpret that as one of the commands in the sshrc failing, rather than parsing of the file itself failing. What's in sshrc? Does putting "set -x" at the top of sshrc provide any enlightenment?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Thu Mar 2 00:02:20 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 02 Mar 2006 00:02:20 +1100
Subject: sshrc not working when using restricted shells on HP-UX
In-Reply-To: <44059727.2060303@zip.com.au>
References: <10782.1138896193@www020.gmx.net> <6424.1141215995@www047.gmx.net> <44059727.2060303@zip.com.au>
Message-ID: <44059B5C.5060703@zip.com.au>

Darren Tucker wrote:
> Tob_Sch at gmx.de wrote:
> [about restricted shells]
>> Here's the error message during starting the connection:
>>
>> sh: /bin/sh: The operation is not allowed in a restricted shell.
>
> I would interpret that as one of the commands in the sshrc failing,
> rather than parsing of the file itself failing. What's in sshrc? Does
> putting "set -x" at the top of sshrc provide any enlightenment?

Looking at the code, it does:

	f = popen(_PATH_BSHELL " " _PATH_SSH_SYSTEM_RC, "w");

which is effectively running:

	/bin/sh /usr/local/etc/sshrc

I suspect the difference is that the platforms that work use /bin/sh for popen() but HP-UX uses the login shell.

Hmm, SuSv3 implies that popen should use sh, but doesn't come right out and say it:

"The environment of the executed command shall be as if a child process were created within the popen() call using the fork() function, and the child invoked the sh utility using the call:

	execl(shell path, "sh", "-c", command, (char *)0);"

The Linux man page says unequivocally that it uses /bin/sh. I can't conveniently check HP-UX right now.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Tob_Sch at gmx.de Thu Mar 2 00:05:09 2006
From: Tob_Sch at gmx.de (Tob_Sch at gmx.de)
Date: Wed, 1 Mar 2006 14:05:09 +0100 (MET)
Subject: sshrc not working when using restricted shells on HP-UX
References: <44059727.2060303@zip.com.au>
Message-ID: <21737.1141218309@www023.gmx.net>

Hi Darren,

thanks for the fast answer. I already tried this. It only shows verbose output when connecting to a user with no restricted login shell. For users with rksh / rsh the error message below is the same and only output.

It seems to me that the way sshd brings the sshrc-file to the ssh-client is different on HP-UX (or HP-UX works differently from SunOS, AIX, Linux). The script only uses the id, awk, echo, ps -ef, uname, logger commands.

Best regards,
Tobias

> --- Original message ---
> From: Darren Tucker
> To: Tob_Sch at gmx.de
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: sshrc not working when using restricted shells on HP-UX
> Date: Wed, 01 Mar 2006 23:44:23 +1100
>
> Tob_Sch at gmx.de wrote:
> [about restricted shells]
> > Here's the error message during starting the connection:
> >
> > sh: /bin/sh: The operation is not allowed in a restricted shell.
>
> I would interpret that as one of the commands in the sshrc failing,
> rather than parsing of the file itself failing. What's in sshrc? Does
> putting "set -x" at the top of sshrc provide any enlightenment?
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From rapier at psc.edu Thu Mar 2 02:40:38 2006
From: rapier at psc.edu (Chris Rapier)
Date: Wed, 01 Mar 2006 10:40:38 -0500
Subject: scp and SGI DMF
In-Reply-To: <20060301010816.2564.qmail@cdy.org>
References: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov> <20060301010816.2564.qmail@cdy.org>
Message-ID: <4405C076.6060804@psc.edu>

Peter Stuge wrote:
> On Tue, Feb 28, 2006 at 03:58:27PM -0800, Iain Morgan wrote:
>> This causes DMF (the HSM) to recall the file from tape and the scp
>> hangs until it is successfully recalled.
>
> Oh.

I think we saw problems like this with our tape silos as well. It's not something that most people have to deal with though which sort of makes it an orphan problem. So unless it can be argued that truncating a file before overwriting the file is correct behaviour I don't see it getting into the code base.

One thing I'm wondering though - what would be the effect of not using a switch and just making truncate the default behaviour? It looks like it's the default behaviour in sftp as it is.

Anyway, something like this seems to be a pretty straightforward patch that only would need to be implemented on the NASA servers.

>> So, I'm wondering if there would be any interest in either adding
>> (yet another) command-line option to add O_TRUNC to the open()
>> flags when writing a file
>
> I doubt this will ever happen. scp is only maintained for backwards
> compatibility with rcp.

See, I've never been convinced that this is the right way to handle SCP. A lot of people use it because it's easy and straightforward. So I'm not sure it's best to relegate it to enforced stagnation because it was originally envisioned as a drop in replacement for rcp. That's just me though.

From rick.jones2 at hp.com Thu Mar 2 04:13:42 2006
From: rick.jones2 at hp.com (Rick Jones)
Date: Wed, 01 Mar 2006 09:13:42 -0800
Subject: scp and SGI DMF
In-Reply-To: <4405C076.6060804@psc.edu>
References: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov> <20060301010816.2564.qmail@cdy.org> <4405C076.6060804@psc.edu>
Message-ID: <4405D646.3080107@hp.com>

Chris Rapier wrote:
>> I doubt this will ever happen. scp is only maintained for backwards
>> compatibility with rcp.
>
> See, I've never been convinced that this is the right way to handle SCP.
> A lot of people use it because it's easy and straightforward. So I'm not
> sure it's best to relegate it to enforced stagnation because it was
> originally envisioned as a drop in replacement for rcp. That's just me
> though.

From what I've seen of the questions asked in various support places, I'd have to say I've seen more questions about scp than sftp. I would initially ass-u-me that implies more folks are using scp than sftp, but have to admit that is not the only possible conclusion.

rick jones

From rapier at psc.edu Thu Mar 2 04:31:43 2006
From: rapier at psc.edu (Chris Rapier)
Date: Wed, 01 Mar 2006 12:31:43 -0500
Subject: scp and SGI DMF
In-Reply-To: <4405D646.3080107@hp.com>
References: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov> <20060301010816.2564.qmail@cdy.org> <4405C076.6060804@psc.edu> <4405D646.3080107@hp.com>
Message-ID: <4405DA7F.6090501@psc.edu>

Rick Jones wrote:
> Chris Rapier wrote:
>>> I doubt this will ever happen. scp is only maintained for backwards
>>> compatibility with rcp.
>>
>> See, I've never been convinced that this is the right way to handle SCP.
>> A lot of people use it because it's easy and straightforward. So I'm not
>> sure it's best to relegate it to enforced stagnation because it was
>> originally envisioned as a drop in replacement for rcp. That's just me
>> though.
>
> From what I've seen of the questions asked in various support places,
> I'd have to say I've seen more questions about scp than sftp. I would
> initially ass-u-me that implies more folks are using scp than sftp, but
> have to admit that is not the only possible conclusion.

Well, obviously it could also mean that SFTP is just easier to use for most people. I personally prefer SCP most of the time. Just more straightforward for transferring files in my world.

I'd love to see some improvements in it. We considered doing some of that at one point. Parallel streams, transferring multiple files as a single data stream, ganged transfers using multiple servers (like gridftp), etc. Admittedly those applications are for more high performance environments but it's really only a matter of time until today's high performance becomes tomorrow's consumer grade. Well, never got the time to get to it though. :\

From rick.jones2 at hp.com Thu Mar 2 05:18:45 2006
From: rick.jones2 at hp.com (Rick Jones)
Date: Wed, 01 Mar 2006 10:18:45 -0800
Subject: scp and SGI DMF
In-Reply-To: <20060301010816.2564.qmail@cdy.org>
References: <200602282358.k1SNwRiK028472@sun601.nas.nasa.gov> <20060301010816.2564.qmail@cdy.org>
Message-ID: <4405E585.4040705@hp.com>

Peter Stuge wrote:
> Can you test what rcp does? The general intention for scp is that it
> should behave the same way rcp does, if rcp truncates then scp may
> quite possibly change.

FWIW, this is a system call trace of an rcp under HP-UX 11.11 (11iv1) when rcp was asked to copy a remote file to /tmp/foobie. I'm just showing those things accessing the /tmp/foobie file:

stat64("/tmp/foobie", 0x7a0018b8) ........................ = 0
    st_dev: 64 0x000003
    st_ino: 121698
    st_mode: S_IFREG|0755
    st_nlink: 1
    st_rdev: 0
    st_size: 19016840
    st_blksize: 8192
    st_blocks: 18576
    st_uid: 8394
    st_gid: 20
    st_atime: Wed Mar 1 10:05:45 2006
    st_mtime: Wed Mar 1 10:05:47 2006
    st_ctime: Wed Mar 1 10:05:47 2006
open("/tmp/foobie", O_WRONLY|O_CREAT|O_LARGEFILE, 0) ..... = 5

It then drops into a read/write loop writing the file. I can make no assertions as to whether HP-UX's rcp is unique in its behaviour. However, from the looks of things, it would be "OK" to add O_TRUNC because at the very end of the copy, rcp does this:

read(4, "\0\0\0\0\0\0\004\005abf312\0\00f".., 11400) ..... = 11400
write(5, "\0\0\0\0\0\0\004\005abf312\0\00f".., 11400) .... = 11400
ftruncate64(5, 19016840) ................................. = 0
sigvec(SIGINT, 0x7a00a6f8, 0x7a00a704) ................... = 0

which means that it is truncating the file to the length of the new version anyway.

rick jones

Hewlett-Packard Company            - 1 -   HP-UX Release 11i: November 2000

open(2)

     O_CREAT
          If the file exists, this flag has no effect, except as noted
          under O_EXCL below. Otherwise, the owner ID of the file is set
          to the effective user ID of the process, the group ID of the
          file is set to the effective group ID of the process if the
          set-group-ID bit of the parent directory is not set, or to the
          group ID of the parent directory if the set-group-ID bit of the
          parent directory is set. The file access permission bits of the
          new file mode are set to the value of mode, modified as follows
          (see creat(2)):

          + For each bit set in the file mode creation mask of the
            process, the corresponding bit in the new file mode is
            cleared (see umask(2)).

          + The "save text image after execution" bit of the new file
            mode is cleared. See chmod(2).

          + On HFS file systems with access control lists, three base ACL
            entries are created corresponding to the file access
            permissions (see acl(5)).

          + On JFS file systems that support access control lists,
            optional ACL entries are created corresponding to the parent
            directory's default ACL entries (see aclv(5)).

     O_EXCL
          If O_EXCL and O_CREAT are set and the file exists, open()
          fails.

     O_LARGEFILE
          This is a non-standard flag which may be used by 32-bit
          applications to access files larger than 2 GB. See creat64(2).

     ...

     O_TRUNC
          If the file exists, its length is truncated to 0 and the mode
          and owner are unchanged.

From mcc21371 at gmail.com Thu Mar 2 07:28:13 2006
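Rick's trace above shows three ways an existing file can be overwritten: open() without O_TRUNC, open() with O_TRUNC, and open() without O_TRUNC followed by ftruncate() to the new length once the data is written. The program below is an added example, not rcp or OpenSSH code; it runs all three against a scratch file and reports the resulting size, which makes the difference Iain cares about concrete: without truncation the old bytes beyond the new length stay on disk (and, on an HSM, the old contents must be recalled before the write can proceed). The scratch path and the "new contents" payload are constructed for the demonstration.

```c
/* Added example (not rcp or OpenSSH code): what O_TRUNC changes when an
 * existing file is overwritten with shorter content. Three strategies from
 * the thread: no truncation, O_TRUNC on open(), ftruncate() at the end. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum overwrite_mode { NO_TRUNC, TRUNC_ON_OPEN, TRUNC_AT_END };

/* Writes 'len' bytes of 'data' over 'path' with the chosen strategy and
 * returns the resulting file size, or -1 on error. */
long overwrite_file(const char *path, const char *data, size_t len,
                    enum overwrite_mode mode)
{
    int flags = O_WRONLY | O_CREAT;
    if (mode == TRUNC_ON_OPEN)
        flags |= O_TRUNC;                 /* old contents discarded at open() */
    int fd = open(path, flags, 0644);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, data, len);     /* always at offset 0 */
    if (w < 0 || (size_t)w != len) {
        close(fd);
        return -1;
    }
    /* what HP-UX rcp does: cut the file to the new length after writing */
    if (mode == TRUNC_AT_END && ftruncate(fd, (off_t)len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_size;
}

/* Seeds 'path' with 'oldlen' bytes of 'X', overwrites it with a 13-byte
 * payload using 'mode', removes the file and returns the final size. */
long demo_overwrite(const char *path, size_t oldlen, enum overwrite_mode mode)
{
    char big[256];
    if (oldlen > sizeof big)
        return -1;
    memset(big, 'X', oldlen);
    if (overwrite_file(path, big, oldlen, TRUNC_ON_OPEN) < 0)   /* old version */
        return -1;
    long size = overwrite_file(path, "new contents\n", 13, mode);
    unlink(path);
    return size;
}

int main(void)
{
    const char *p = "/tmp/o_trunc_demo.txt";   /* constructed scratch path */
    printf("no O_TRUNC:       %ld bytes (tail of the old file survives)\n",
           demo_overwrite(p, 100, NO_TRUNC));
    printf("O_TRUNC on open:  %ld bytes\n", demo_overwrite(p, 100, TRUNC_ON_OPEN));
    printf("ftruncate at end: %ld bytes\n", demo_overwrite(p, 100, TRUNC_AT_END));
    return 0;
}
```

The first line of output is the case scp was in: 100 bytes on disk although only 13 were sent, so a reader of the file sees 87 stale bytes from the previous version. Both truncating variants end at 13, which is why Rick concludes that adding O_TRUNC would not change what rcp leaves behind.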
From: mcc21371 at gmail.com (mark clarkson)
Date: Wed, 1 Mar 2006 12:28:13 -0800
Subject: Username Length and Password Expiry
Message-ID: <4bc6fef20603011228g71beee1dxb4dad651a9363c2c@mail.gmail.com>

I am having a problem with usernames that are longer than 8 characters on the following system types:

Solaris 8, Solaris 9
OpenSSH 4.2p1
OpenSSL 0.9.8a

When logging in with an SSH client like PuTTY, OpenSSH or SecureCRT, the username is truncated when the password is asked to be changed. Below is output from a PuTTY session when logging in to a system with an expired password and a username that is 9 characters:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2006.03.01 10:55:48 =~=~=~=~=~=~=~=~=~=~=~=
login as: bclarkson
bclarkson at sjc010ap02t's password:
Last login: Wed Mar 1 10:55:05 2006 from hub5tv0951.fffc
WARNING: Your password has expired.
You must change your password now and login again!
passwd: Changing password for bclarkso
passwd: User unknown: bclarkso
Permission denied

Notice the "n" at the end of the user name is dropped.

This works just fine using telnet as can be seen in the output below:

SunOS 5.8

login: bclarkson
Password:
Choose a new password.
New Password:
Re-enter new Password:
telnet: password successfully changed for bclarkson
Last login: Wed Mar 1 11:52:00 from 10.247.4.60
$

Does anyone know of any fixes for this or if it is a bug?

Thank you,
Mark.

From dtucker at zip.com.au Thu Mar 2 08:06:24 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 02 Mar 2006 08:06:24 +1100
Subject: Username Length and Password Expiry
In-Reply-To: <4bc6fef20603011228g71beee1dxb4dad651a9363c2c@mail.gmail.com>
References: <4bc6fef20603011228g71beee1dxb4dad651a9363c2c@mail.gmail.com>
Message-ID: <44060CD0.9010708@zip.com.au>

mark clarkson wrote:
> I am having a problem with usernames that are longer than 8 characters
> on the following system types:
>
> Solaris 8, Solaris 9
> OpenSSH 4.2p1
> OpenSSL 0.9.8a
>
> When logging in with an SSH client like PuTTY, OpenSSH or SecureCRT,
> the username is truncated when the password is asked to be changed.
[...]
> WARNING: Your password has expired.
> You must change your password now and login again!
> passwd: Changing password for bclarkso
> passwd: User unknown: bclarkso
> Permission denied
>
> Notice the "n" at the end of the user name is dropped.

All it does in that case is run "passwd" with no arguments. If you log on (via telnet or ssh) and just run "passwd", does that work?

Solaris doesn't seem to support usernames longer than 8 chars:

$ uname -sr
SunOS 5.8
$ sudo useradd abcdefghi
UX: useradd: abcdefghi name too long.

> This works just fine using telnet as can be seen in the output below:
[...]
> Does anyone know of any fixes for this or if it is a bug?

You can try building with and enabling PAM (that's probably what telnet is using).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mcc21371 at gmail.com Thu Mar 2 08:24:38 2006
From: mcc21371 at gmail.com (mark clarkson)
Date: Wed, 1 Mar 2006 13:24:38 -0800
Subject: Username Length and Password Expiry
In-Reply-To: <44060CD0.9010708@zip.com.au>
References: <4bc6fef20603011228g71beee1dxb4dad651a9363c2c@mail.gmail.com> <44060CD0.9010708@zip.com.au>
Message-ID: <4bc6fef20603011324y69b63ab8n81e58a0f34ee8030@mail.gmail.com>

Thanks Darren. I know that useradd warns you but it does create the ID on the system.

Mark.

On 3/1/06, Darren Tucker wrote:
> mark clarkson wrote:
> > I am having a problem with usernames that are longer than 8 characters
> > on the following system types:
> >
> > Solaris 8, Solaris 9
> > OpenSSH 4.2p1
> > OpenSSL 0.9.8a
> >
> > When logging in with an SSH client like PuTTY, OpenSSH or SecureCRT,
> > the username is truncated when the password is asked to be changed.
> [...]
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > passwd: Changing password for bclarkso
> > passwd: User unknown: bclarkso
> > Permission denied
> >
> > Notice the "n" at the end of the user name is dropped.
>
> All it does in that case is run "passwd" with no arguments. If you log
> on (via telnet or ssh) and just run "passwd", does that work?
>
> Solaris doesn't seem to support usernames longer than 8 chars:
> $ uname -sr
> SunOS 5.8
> $ sudo useradd abcdefghi
> UX: useradd: abcdefghi name too long.
>
> > This works just fine using telnet as can be seen in the output below:
> [...]
> > Does anyone know of any fixes for this or if it is a bug?
>
> You can try building with and enabling PAM (that's probably what telnet
> is using).
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Thu Mar 2 08:42:43 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 2 Mar 2006 08:42:43 +1100
Subject: Username Length and Password Expiry
In-Reply-To: <4bc6fef20603011324y69b63ab8n81e58a0f34ee8030@mail.gmail.com>
References: <4bc6fef20603011228g71beee1dxb4dad651a9363c2c@mail.gmail.com> <44060CD0.9010708@zip.com.au> <4bc6fef20603011324y69b63ab8n81e58a0f34ee8030@mail.gmail.com>
Message-ID: <20060301214243.GA818@gate.dtucker.net>

On Wed, Mar 01, 2006 at 01:24:38PM -0800, mark clarkson wrote:
> Thanks Darren. I know that useradd warns you but it does create the
> ID on the system.

There appears to be a good reason for the warning:

$ telnet localhost
[...]
login: abcdefghi
Password:
[...]
$ id
uid=517(abcdefghi) gid=1(other) groups=1(other)
$ passwd
passwd: Changing password for abcdefgh
passwd: User unknown: abcdefgh
Permission denied

passwd is a setuid binary and doesn't really know your login name. It does know your real uid, though. It is probably looking that up with getpwuid(), and it would appear that it or passwd itself does not support usernames of more than 8 characters.

So your options appear to be 1) shorten the username or 2) use PAM.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tryponraj at gmail.com Thu Mar 2 20:19:04 2006
From: tryponraj at gmail.com (ponraj)
Date: Thu, 2 Mar 2006 14:49:04 +0530
Subject: sftp batch mode and password authentication
Message-ID: <000e01c63dda$5c5b25c0$180110ac@pomco>

Hi all,

I used to execute ftp in batch mode to download files. In my case, password authentication is the only way to get remote access. Could anyone tell me how can I accomplish the same task using sftp under batch mode as what I have done with ftp? Meanwhile, how can I specify the password securely? Are there any other alternatives?

--
Thanks
M.P

From t.luetticke at inovex.de Thu Mar 2 23:13:06 2006
From: t.luetticke at inovex.de (Tobias Lütticke)
Date: Thu, 02 Mar 2006 13:13:06 +0100
Subject: sftp batch mode and password authentication
In-Reply-To: <000e01c63dda$5c5b25c0$180110ac@pomco>
References: <000e01c63dda$5c5b25c0$180110ac@pomco>
Message-ID: <4406E152.6050403@inovex.de>

Hi,

> Are
> there any other alternatives?

As far as alternatives are concerned, the recommended way to accomplish your goal is:

- Use public key authentication and create a key pair without passphrase for batch job purposes only.
- Limit the key usage via options in the server's ~/.ssh/authorized_keys file

With this setup you have non-interactive authentication, which can be started by cron jobs for instance. Moreover, misuse of the passphrase-less key is limited through the options.

Regards,
Tobias Lütticke

ponraj schrieb:
> Hi all,
>
> I used to execute ftp in batch mode to download files. In my case, password
> authentication is the only way to get remote access. Could anyone tell me
> how can I accomplish the same task using sftp under batch mode as what I have
> done with ftp? Meanwhile, how can I specify the password securely? Are
> there any other alternatives?
>
> --
> Thanks
> M.P
>

From wietse at porcupine.org Thu Mar 2 08:41:49 2006
From: wietse at porcupine.org (Wietse Venema)
Date: Wed, 1 Mar 2006 16:41:49 -0500 (EST)
Subject: sshd blocking SIGALARM turns out to be due to tcpd
In-Reply-To: <17413.51879.981598.160610@davenant.relativity.greenend.org.uk> "from Ian Jackson at Mar 1, 2006 04:24:07 pm"
Message-ID: <20060301214150.01848BC171@spike.porcupine.org>

Ian Jackson:
> I recently encountered a bug where some ssh login sessions would
> apparently inherit a blocked SIGALRM. A web search showed up two
> relevant threads:
> http://lists.suse.com/archive/suse-linux-e/2005-Dec/2628.html
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=113533337923128&w=2
> et seq - but sadly no answers.
>
> Experimentation with strace et al revealed the problem: the
> tcp-wrappers build I was using would use alarm(2) to time out of the
> ident (RFC931/1413) lookup, but failed to properly use sigsetjmp. I
> was using (basically) the Debian package (describing itself as version
> `7.6.dbs-8'), which had been patched to use sigsetjmp instead of plain
> setjmp but passed 0 for the 2nd argument. Changing it to pass 1 made
> it work.
>
> I have reported this bug to the Debian BTS and they will no doubt be
> passing it upstream more formally eventually, but I thought that since
> this problem is so mysterious I would document at least one possible
> cause in places where the symptoms had been seen already. See:
> http://bugs.debian.org/354855
> which contains a patch.

This could be introduced by third parties. The tcp wrapper does this:

    if (setjmp(timebuf) == 0) {
        signal(SIGALRM, timeout);
        alarm(rfc931_timeout);
        ... stuff ...
        alarm(0);
    }

Thus, no dangling signal handlers.

	Wietse

From rapier at psc.edu Fri Mar 3 05:01:03 2006
From: rapier at psc.edu (Chris Rapier) Date: Thu, 02 Mar 2006 13:01:03 -0500 Subject: sftp batch mode and password authentication In-Reply-To: <000e01c63dda$5c5b25c0$180110ac@pomco> References: <000e01c63dda$5c5b25c0$180110ac@pomco> Message-ID: <440732DF.3080108@psc.edu> ponraj wrote: > Hi all, > > I used to execute ftp in batch mode to download files. In my case, password > authentication is the only way to get remote access. Are you saying that you can't use private keys to authenticate? (I have seen situations where this happens - usually as a result of severe restrictions on shell access to an archival data store). If that is the case I don't think you can do this without using something like 'expect' to control the process. From carson at taltos.org Fri Mar 3 06:16:53 2006 From: carson at taltos.org (Carson Gaspar) Date: Thu, 02 Mar 2006 14:16:53 -0500 Subject: sftp batch mode and password authentication In-Reply-To: <440732DF.3080108@psc.edu> References: <000e01c63dda$5c5b25c0$180110ac@pomco> <440732DF.3080108@psc.edu> Message-ID: <62EF7E3C503F92A722A65103@[192.168.2.104]> --On Thursday, March 02, 2006 1:01 PM -0500 Chris Rapier wrote: > ponraj wrote: >> Hi all, >> >> I used to execute ftp in batch mode to download files. In my case, >> password authentication is the only way to get remote access. > > Are you saying that you can't use private keys to authenticate? (I have > seen situations where this happens - usually as a result of severe > restrictions on shell access to an archival data store). If that is the > case I don't think you can do this without using something like 'expect' > to control the process. He should be able to use a custom SSH_ASKPASS to do this, although he'll need to make sure the sftp batch job has no controlling TTY. -- Carson From vinschen at redhat.com Fri Mar 3 20:13:18 2006
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 3 Mar 2006 10:13:18 +0100 Subject: [PATCH] contrib/cygwin/ssh-host-config: Handle lastlog with more care Message-ID: <20060303091318.GA31575@calimero.vinschen.de> Hi, below is a patch to Cygwin's ssh-host-config file. So far this script allowed to have a lastlog file as well as a lastlog dir, whatever the user preferred. This is no problem as long as ssh is the only application using lastlog, but that's nothing we can be sure about, so we decided to restrict lastlog to being a file in a Cygwin installation. This also allows reliable porting and use of Linux tools like lastlog(1) which is only aware of lastlog being a file. Consequentially, the ssh-host-config script must handle lastlog with some greater care than before and refuse to allow a lastlog dir. Additionally the lastlog file doesn't get a 666 access mask anymore, but it's chowned to the user account starting the service and gets a 644 access mask now for security reasons. Could this be applied? Thanks, Corinna --- ssh-host-config.ORIG 2006-02-28 13:24:32.248566300 +0100 +++ ssh-host-config 2006-02-28 13:32:22.168803900 +0100 
@@ -153,22 +153,31 @@ fi # Create /var/log and /var/log/lastlog if not already existing -if [ -f ${LOCALSTATEDIR}/log ] +if [ -e ${LOCALSTATEDIR}/log -a ! -d ${LOCALSTATEDIR}/log ] then - echo "Creating ${LOCALSTATEDIR}/log failed!" -else - if [ ! -d ${LOCALSTATEDIR}/log ] - then - mkdir -p ${LOCALSTATEDIR}/log - fi - if [ -d ${LOCALSTATEDIR}/log/lastlog ] - then - chmod 777 ${LOCALSTATEDIR}/log/lastlog - elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] - then - cat /dev/null > ${LOCALSTATEDIR}/log/lastlog - chmod 666 ${LOCALSTATEDIR}/log/lastlog - fi + echo + echo "${LOCALSTATEDIR}/log is existant but not a directory." + echo "Cannot create ssh host configuration." + echo + exit 1 +fi +if [ ! -e ${LOCALSTATEDIR}/log ] +then + mkdir -p ${LOCALSTATEDIR}/log +fi + +if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ] +then + echo + echo "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." + echo "Cannot create ssh host configuration." + echo + exit 1 +fi +if [ ! -e ${LOCALSTATEDIR}/log/lastlog ] +then + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 644 ${LOCALSTATEDIR}/log/lastlog fi # Create /var/empty file used as chroot jail for privilege separation @@ -578,6 +587,7 @@ then fi chown "${_user}" ${SYSCONFDIR}/ssh* chown "${_user}".544 ${LOCALSTATEDIR}/empty + chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog if [ -f ${LOCALSTATEDIR}/log/sshd.log ] then chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From thesource at ldb-jab.org Sun Mar 5 08:06:29 2006 From: thesource at ldb-jab.org (LDB) Date: Sat, 04 Mar 2006 16:06:29 -0500 Subject: OpenSSH CVS repo. Message-ID: <440A0155.6040202@ldb-jab.org> Can anyone give me the OpenSSH CVS repo. they are successfully using? Thank you, LDB From simon at sxw.org.uk Mon Mar 6 23:40:26 2006 
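Review bot: in the @@ -153 hunk the `chmod 644 ${LOCALSTATEDIR}/log/lastlog` is only reached inside `if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]`, so a lastlog file left behind by an earlier run of this script keeps the 666 mode the patch sets out to retire; move the chmod after that block so an existing file is tightened as well. The error text also has a typo: `existant` should read `existent`.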
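Review bot: in the @@ -578 hunk the added `chown "${_user}".544 ${LOCALSTATEDIR}/log/lastlog` is unguarded, unlike the `sshd.log` chown right below it, which is correct only because the first hunk either creates the file or exits; a one-line comment saying so would stop a later reader from wrapping it in an `if [ -f ... ]` out of caution. Style: `user.group` is the deprecated separator and `"${_user}":544` the portable form, to be changed together with the neighbouring lines if at all.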
From: simon at sxw.org.uk (Simon Wilkinson) Date: Mon, 06 Mar 2006 12:40:26 +0000 Subject: GSSAPI Key Exchange patches for OpenSSH 4.3p2 Message-ID: <440C2DBA.1010908@sxw.org.uk> Patches supporting GSSAPI Key Exchange in OpenSSH 4.3p2 are now available from http://www.sxw.org.uk/computing/patches/openssh.html These patches add support for performing GSSAPI key exchange to the OpenSSH client and server. Whilst OpenSSH contains support for using GSSAPI in the user authentication step, this is inadequate for many sites, as it doesn't provide a mechanism for using GSSAPI/Kerberos to verify the server's identity to the user. Using GSSAPI key exchange uses Kerberos to validate the server's identity, and can eliminate the need to maintain known hosts files of server public keys across your site. These patches also contain a number of improvements as a result of resyncing against the Debian patch set, including: *) Support for the CCAPI on Darwin *) Support for the Security Session API on Darwin *) Support for not counting failures due to bad server configuration against the client's number of permitted authentication attempts Thanks to Sam Hartman, Alexandra Ellwood and Harald Barth Cheers, Simon. From cove at wildpackets.com Tue Mar 7 10:11:06 2006 From: cove at wildpackets.com (Cove Schneider) Date: Mon, 6 Mar 2006 15:11:06 -0800 Subject: Bug 1131 Message-ID: <6B4BFF81-5593-4224-9613-D0BA71C5072C@wildpackets.com> http://bugzilla.mindrot.org/show_bug.cgi?id=1131 Hello, I was just wondering what the status of this bug was? If anyone happens to know anything. Thanks, Cove From petesea at bigfoot.com Tue Mar 7 11:31:01 2006
From: petesea at bigfoot.com (Dan Peterson) Date: Mon, 06 Mar 2006 16:31:01 -0800 (Pacific Standard Time) Subject: Accessing gssapi/kerberos principal In-Reply-To: References: Message-ID: I'm attempting to add authorized_keys functionality to gssapi/kerberos authorized connections, mainly to support forced command capability, but would like to confirm the best way to determine the gssapi/kerberos principal and the best place to check authorized_keys. To determine the principal, currently I'm indirectly accessing gss-serv.c:gssapi_client.displayname.value (more detail below). This seems to work, but I'd just like to know if there's a better/more appropriate way to determine the principal? I'm also not 100% sure WHERE I should be testing for the existence of the user in authorized_keys. Currently the check is done in auth2-gss.c:input_gssapi_token() (more detail below). This seems to work, but again is this the best/most appropriate place to check? MORE DETAIL To determine the current principal, I created a one-line function in gss-serv.c: char *ssh_gssapi_displayname(void) which simply returns (char *)gssapi_client.displayname.value. This is called from auth2-gss.c:input_gssapi_token() and assigned to a "Key" pointer which is passed into auth2-pubkey.c:user_key_allowed(). In auth2-gss.c:input_gssapi_token(), I check for the existence of the user in authorized_keys. I first tried to mimic the pubkey behavior and check in userauth_gssapi(), but found out gss-serv.c:gssapi_client wasn't defined until AFTER userauth_gssapi() had been called. The new code is inside the "else" clause, just after "if (send_tok.length != 0)", but before "if (maj_status == GSS_S_COMPLETE)". My check may fail, and if it does, I "goto done", which is just before "gss_release_buffer()" at the end of the function. I can give more details if necessary and I will supply a complete patch for review, I just hoped to get as close to correct as possible before submitting the patch. PS. 
One other note... as I mentioned earlier, I'm calling auth2-pubkey.c:user_key_allowed() to parse authorized_keys and search for the appropriate key. I had to make one small change to user_key_allowed2() so the new "ssh-gss" type wouldn't try to call key_fingerprint() with the principal, but other than that, the function is the same. This all works, but auth2-pubkey.c no longer seems like the most appropriate place for user_key_allowed() and user_key_allowed2(), since they're used for more than just "pubkey". Would it be better to move these to a separate file (eg. authorized_keys.c) or maybe move them to auth2.c? Assuming a NEW file (authorized_keys.c) would be best... would it also be a good idea to move the other authorized_keys related functions to the same file... so in other words, the following 4 functions would be moved to authorized_keys.c: auth.c:authorized_keys_file() auth.c:authorized_keys_file2() auth2-pubkey.c:user_key_allowed() auth2-pubkey.c:user_key_allowed2() From fcusack at fcusack.com Tue Mar 7 13:15:47 2006 From: fcusack at fcusack.com (Frank Cusack) Date: Mon, 06 Mar 2006 18:15:47 -0800 Subject: Accessing gssapi/kerberos principal In-Reply-To: References: Message-ID: <165DE0C59181D8DD9201C295@maguro.local> On March 6, 2006 4:31:01 PM -0800 Dan Peterson wrote: > I'm attempting to add authorized_keys functionality to gssapi/kerberos > authorized connections, mainly to support forced command capability, doesn't .k5users do what you want? -frank From wietse at porcupine.org Wed Mar 8 02:49:11 2006
From: wietse at porcupine.org (Wietse Venema) Date: Tue, 7 Mar 2006 10:49:11 -0500 (EST) Subject: sshd blocking SIGALARM turns out to be due to tcpd In-Reply-To: <17421.42315.512946.917968@davenant.relativity.greenend.org.uk> "from Ian Jackson at Mar 7, 2006 03:22:51 pm" Message-ID: <20060307154911.80932BC0D9@spike.porcupine.org> Ian Jackson: > Wietse Venema writes ("Re: sshd blocking SIGALARM turns out to be due to tcpd"): > > Ian Jackson: > > > Experimentation with strace et al revealed the problem: the > > > tcp-wrappers build I was using would use alarm(2) to time out of the > > > ident (RFC931/1413) lookup, but failed to properly use sigsetjmp. [...] > > > > This could be introduced by third parties. The tcp wrapper does this: > > if (setjmp(timebuf) == 0) { > > signal(SIGALRM, timeout); > > alarm(rfc931_timeout); > > Indeed the broken use of sigsetjmp was introduced by third parties (I > can see in the Debian diff that the original uses setjmp). But, I was > very surprised to see you still using signal. In code that was released in 1996. > Reading SuSv3 (the best Sure. Wietse > reference I have available) doesn't make it clear whether the code > above guarantees to unblock SIGALRM if the code longjmps out of the > handler; this code is relying on old BSD and SysV behaviour, which > AFAICT is as you might hope but I can see why people might be > confused and try to `fix' it by changing it to use sigaction. > > Thanks, > Ian. > From petesea at bigfoot.com Wed Mar 8 04:41:17 2006 
From: petesea at bigfoot.com (Dan Peterson) Date: Tue, 07 Mar 2006 09:41:17 -0800 (Pacific Standard Time) Subject: Accessing gssapi/kerberos principal In-Reply-To: <165DE0C59181D8DD9201C295@maguro.local> References: <165DE0C59181D8DD9201C295@maguro.local> Message-ID: On Mon, 6 Mar 2006, Frank Cusack wrote: > On March 6, 2006 4:31:01 PM -0800 Dan Peterson wrote: > >> I'm attempting to add authorized_keys functionality to gssapi/kerberos >> authorized connections, mainly to support forced command capability, > > doesn't .k5users do what you want? As far as I know, .k5users is only consulted when using "ksu", not during an ssh connection. And in my particular situation, the users don't have home directories. My main reason for making this patch is to provide a way to use ssh with kerberos authentication for dedicated CVS and Subversion connections. The users have no other access to the system. From tryponraj at gmail.com Fri Mar 10 16:18:54 2006 From: tryponraj at gmail.com (ponraj) Date: Fri, 10 Mar 2006 10:48:54 +0530 Subject: Purpose of Publickey file Message-ID: <002a01c64402$24a95ba0$180110ac@pomco> Hello All, I'm using OpenSSH 4.2p1 and I have a question regarding the usage of host keys in OpenSSH. The host keys (both private and public) are stored in etc directory. But when sshd loads the key, it reads only private key and generates the public key from it. Is there any reason for having the public host key along with the private key in the etc directory? -- M.P From djm at mindrot.org Fri Mar 10 22:16:11 2006 
From: djm at mindrot.org (Damien Miller) Date: Fri, 10 Mar 2006 22:16:11 +1100 (EST) Subject: Purpose of Publickey file In-Reply-To: <002a01c64402$24a95ba0$180110ac@pomco> References: <002a01c64402$24a95ba0$180110ac@pomco> Message-ID: On Fri, 10 Mar 2006, ponraj wrote: > Hello All, > > I'm using OpenSSH 4.2p1 and I have a question regarding the usage of host > keys in OpenSSH. The host keys (both private and public) are stored in etc > directory. But when sshd loads the key, it reads only private key and > generates the public key from it. Is there any reason for having the public > host key along with the private key in the etc directory? Yes, so users can manually add them to their known_hosts files or verify them out of band. (notice that the public keys are world readable for that reason) -d From gevik at xs4all.nl Fri Mar 10 22:45:49 2006 From: gevik at xs4all.nl (Gevik Babakhani) Date: Fri, 10 Mar 2006 12:45:49 +0100 (CET) Subject: auto passphrase Message-ID: <24105.195.169.118.227.1141991149.squirrel@webmail.xs4all.nl> Hello, I was wondering why we do not have an option to provide the passphrase (RSA) as a parameter to ssh (on windows ssh.exe) Is there a reason for that? I looked at the code. It is very easy to provide such functionality. Regards, Gevik. From dtucker at zip.com.au Fri Mar 10 23:12:24 2006
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 10 Mar 2006 23:12:24 +1100 Subject: auto passphrase In-Reply-To: <24105.195.169.118.227.1141991149.squirrel@webmail.xs4all.nl> References: <24105.195.169.118.227.1141991149.squirrel@webmail.xs4all.nl> Message-ID: <20060310121224.GA6123@gate.dtucker.net> On Fri, Mar 10, 2006 at 12:45:49PM +0100, Gevik Babakhani wrote: > Hello, > I was wondering why we do not have an option to provide the passphrase > (RSA) as a parameter to ssh (on windows ssh.exe) > Is there a reason for that. On many platforms (and I don't know if this includes Windows) it's trivial for other users to find out what the arguments to any running program are. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From reyk at openbsd.org Sat Mar 11 01:57:36 2006 From: reyk at openbsd.org (Reyk Floeter) Date: Fri, 10 Mar 2006 15:57:36 +0100 Subject: tun with darwin/macos x Message-ID: <20060310145736.GA30533@dhal.vantronix.net> hi, the following patch adds ssh tun support for Darwin/MacOS X (layer 2+3). I tested it with Darwin 8.0.1 x86 and MacOS X 10.4 Tiger PPC, I would like to see any tests from MacOS X users. It requires an external tun/tap driver, see below. reyk --- README.platform.orig 2006-02-13 20:22:04.000000000 -0800 +++ README.platform 2006-02-13 20:21:45.000000000 -0800
@@ -30,6 +30,18 @@ gcc, gcc-mingw-core, mingw-runtime, binu openssl-devel, zlib, minres, minires-devel. +Darwin and MacOS X +------------------ +Darwin does not provide a tun(4) driver required for OpenSSH-based +virtual private networks. The BSD manpage still exists, but the driver +has been removed in recent releases of Darwin and MacOS X. + +Nevertheless, tunnel support is known to work with Darwin 8 and +MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode +using a third party driver. More information is available at: + http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ + + Solaris ------- If you enable BSM auditing on Solaris, you need to update audit_event(4) --- configure.orig 2006-02-13 19:16:02.000000000 -0800 +++ configure 2006-02-13 18:28:39.000000000 -0800 @@ -5285,6 +5285,21 @@ cat >>confdefs.h <<_ACEOF #define BIND_8_COMPAT 1 _ACEOF + +cat >>confdefs.h <<\_ACEOF +#define SSH_TUN_FREEBSD 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define SSH_TUN_COMPAT_AF 1 +_ACEOF + + +cat >>confdefs.h <<\_ACEOF +#define SSH_TUN_PREPEND_AF 1 +_ACEOF + ;; *-*-hpux*) # first we define all of the options common to all HP-UX releases --- configure.ac.orig 2006-02-13 20:25:27.000000000 -0800 +++ configure.ac 2006-02-13 20:25:48.000000000 -0800 @@ -231,6 +231,11 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE(BROKEN_SETREGID) AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1, [Define if your resolver libs need this for getrrsetbyname]) + AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) + AC_DEFINE(SSH_TUN_COMPAT_AF, 1, + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + [Prepend the address family to IP tunnel traffic]) ;; *-*-hpux*) # first we define all of the options common to all HP-UX releases --- openbsd-compat/port-tun.c.orig 2006-02-13 19:16:25.000000000 -0800 +++ openbsd-compat/port-tun.c 2006-02-13 18:28:46.000000000 -0800 
@@ -26,6 +26,7 @@ * settings. * * SSH_TUN_LINUX Use the (newer) Linux tun/tap device + * SSH_TUN_FREEBSD Use the FreeBSD tun/tap device * SSH_TUN_COMPAT_AF Translate the OpenBSD address family * SSH_TUN_PREPEND_AF Prepend/remove the address family */ @@ -93,7 +94,10 @@ sys_tun_open(int tun, int mode) #ifdef SSH_TUN_FREEBSD #include #include + +#if !defined(SSH_TUN_PREPEND_AF) #include +#endif int sys_tun_open(int tun, int mode) From cmadams at hiwaay.net Sat Mar 11 02:51:45 2006 From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 10 Mar 2006 09:51:45 -0600 Subject: PrivSep and PAM environment variable setting Message-ID: <20060310155144.GA1402004@hiwaay.net> I think I've seen this come up before, but I couldn't find an answer in the archives. I'm trying to use the PAM "pam_mail.so" module on Linux to set the MAIL environment variable (so I don't have to try to do it in various shell init scripts), but the MAIL setting doesn't get passed through unless I disable PrivilegeSeparation. Is there a way to have PAM set environment variables when PrivSep is enabled? -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From dtucker at zip.com.au Sat Mar 11 12:03:00 2006 
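Review bot: the `configure` hunk (@@ -5285) hand-duplicates the `configure.ac` change; `configure` is generated, so carry only the `configure.ac` hunk and regenerate, otherwise the two drift apart at the next autoreconf (the hand-written `<<\_ACEOF` heredocs already differ in style from the `<<_ACEOF` line just above them).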
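Review bot: in the second `port-tun.c` hunk (@@ -93) the include wrapped in `#if !defined(SSH_TUN_PREPEND_AF)` comes with no explanation of why that header has to be skipped when the address family is prepended, which the `configure.ac` hunk turns on for Darwin; a one-line comment naming the platform that lacks the header would keep the FreeBSD and Darwin paths readable. The first hunk's addition of `SSH_TUN_FREEBSD` to the comment block is fine.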
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 11 Mar 2006 12:03:00 +1100 Subject: PrivSep and PAM environment variable setting In-Reply-To: <20060310155144.GA1402004@hiwaay.net> References: <20060310155144.GA1402004@hiwaay.net> Message-ID: <20060311010300.GA17327@gate.dtucker.net> On Fri, Mar 10, 2006 at 09:51:45AM -0600, Chris Adams wrote: > I think I've seen this come up before, but I couldn't find an answer in > the archives. > > I'm trying to use the PAM "pam_mail.so" module on Linux to set the MAIL > environment variable (so I don't have to try to do it in various shell > init scripts), but the MAIL setting doesn't get passed through unless I > disable PrivilegeSeparation. > > Is there a way to have PAM set environment variables when PrivSep is > enabled? I think it should work. What version of OpenSSH and LinuxPAM are you using, and what does the PAM config file look like? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From cmadams at hiwaay.net Sun Mar 12 05:51:53 2006 
From: cmadams at hiwaay.net (Chris Adams) Date: Sat, 11 Mar 2006 12:51:53 -0600 Subject: PrivSep and PAM environment variable setting In-Reply-To: <20060311010300.GA17327@gate.dtucker.net> References: <20060310155144.GA1402004@hiwaay.net> <20060311010300.GA17327@gate.dtucker.net> Message-ID: <20060311185153.GA784371@hiwaay.net> Once upon a time, Darren Tucker said: > On Fri, Mar 10, 2006 at 09:51:45AM -0600, Chris Adams wrote: > > I'm trying to use the PAM "pam_mail.so" module on Linux to set the MAIL > > environment variable (so I don't have to try to do it in various shell > > init scripts), but the MAIL setting doesn't get passed through unless I > > disable PrivilegeSeparation. > > > > Is there a way to have PAM set environment variables when PrivSep is > > enabled? > > I think it should work. What version of OpenSSH and LinuxPAM are you > using, and what does the PAM config file look like? I started out on a RHEL system with: pam-0.77-66.11 openssh-3.9p1-8.RHEL4.9 and then tried on a FC rawhide (essentially FC5 at this point) system with: pam-0.99.3.0-2 openssh-4.3p2-4 I added the line: auth required /lib/security/$ISA/pam_mail.so hash=2 to /etc/pam.d/system-auth right after the pam_env.so line (on the FC5 system I left out the "/lib/security/$ISA/" as that was how the other entries were written). I had to comment out the setting of MAIL in /etc/profile (or that overrides anything OpenSSH or PAM set). Hmm, it appears to be a problem specific to pam_mail.so. If I configure pam_env.so to change MAIL to "xyzzy", it works. I guess I'll have to dig at that some more. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From frederik at a5.repetae.net Mon Mar 13 07:15:02 2006 
From: frederik at a5.repetae.net (Frederik Eaton) Date: Sun, 12 Mar 2006 20:15:02 +0000 Subject: caching In-Reply-To: <4261A7AB.8030807@zip.com.au> References: <20050310031604.GA29384@a5.repetae.net> <20050324034139.GA11181@a5.repetae.net> <4246B5F4.3060504@mindrot.org> <20050416234643.GA26617@a5.repetae.net> <4261A7AB.8030807@zip.com.au> Message-ID: <20060312201502.GA31454@a5.repetae.net> Hi, About caching, I've not been paying attention for some time, but things seem to have improved from a usability standpoint. Now I have "ControlPath ~/.ssh/sockets/%r@%h:%p" in .ssh/config and the procedure is fairly automated. One thing is, it would be nice is to have an option to specify that, if it is not possible to connect to an old socket, then ssh should remove the socket and create a new one. $ ssh fly # <- here ssh knows that existing socket is dead Control socket connect(/home/frederik/.ssh/sockets/frederik at fly:22): Connection refused Linux fly 2.6.15.6 #1 Sun Mar 12 07:53:50 GMT 2006 i686 GNU/Linux ... $ ssh -fNM fly # <- here ssh doesn't bother to check that existing socket is dead ControlSocket /home/frederik/.ssh/sockets/frederik at fly:22 already exists Then I would specify this option in .ssh/config for certain hosts, and their master connections would get resurrected automatically if they happened to die... Regards, Frederik On Sun, Apr 17, 2005 at 10:02:51AM +1000, Darren Tucker wrote: > Frederik Eaton wrote: > >I've filed bugs as requested, for version 3.9p1. I don't have time to > >reverify the problems on 4.0 unless you really think that they've been > >fixed there. > > Several bugs relating to the connection caching code *were* fixed in 4.0. 
From the changelog: > > - djm at cvs.openbsd.org 2004/10/29 21:47:15 > [channels.c channels.h clientloop.c] > fix some window size change bugs for multiplexed connections: windows > sizes were not being updated if they had changed after ~^Z suspends and > SIGWINCH was not being processed unless the first connection had > requested a tty; ok markus > > So, yes, you need to retest on 4.0... > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- http://ofb.net/~frederik/ From linux at linuon.com Tue Mar 14 01:45:31 2006 From: linux at linuon.com (Linux) Date: Mon, 13 Mar 2006 23:45:31 +0900 Subject: Log message Message-ID: <4415858B.5030208@linuon.com> Hi, I'm working on a project which is a sort of log filter. The last few days I noticed that there are some wacky people scanning the sshd port all the time from anywhere. Although sshd reports it with a syslog error message which is very helpful, I'd like to know the source ip address with the following message: canohost.c: around line #100 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { logit("reverse mapping checking getaddrinfo for %.700s " "from address %.100s failed - POSSIBLE BREAKIN ATTEMPT!", ntop, name); return xstrdup(ntop); } I added the ip address to the message. Since the name won't be able to be resolved correctly, reporting only the host name won't help. Please apply the patch below if it is acceptable. Thanks! -- Junji --- openssh-4.0p1/canohost.c 2005-03-01 19:16:19.000000000 +0900 +++ openssh-4.0p1.patched/canohost.c 2006-03-13 23:42:03.000000000 +0900
@@ -102,7 +102,8 @@ hints.ai_socktype = SOCK_STREAM; if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { logit("reverse mapping checking getaddrinfo for %.700s " - "failed - POSSIBLE BREAKIN ATTEMPT!", name); + "from address %.100s failed - POSSIBLE BREAKIN ATTEMPT!", + name, ntop); return xstrdup(ntop); } /* Look for the address from the list of addresses. */ From djm at mindrot.org Tue Mar 14 11:18:26 2006 From: djm at mindrot.org (Damien Miller) Date: Tue, 14 Mar 2006 11:18:26 +1100 (EST) Subject: Log message In-Reply-To: <4415858B.5030208@linuon.com> References: <4415858B.5030208@linuon.com> Message-ID: On Mon, 13 Mar 2006, Linux wrote: > Hi, > > I'm working on some project which is sort of log filter. > Last few days I noticed that there are some wacky people > scanning sshd port all the time from anywhere. > Although sshd reports it with syslog error message which is > very helpful, I'd like to know the source ip address with > following message: > > canohost.c: around line #100 > > if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { > logit("reverse mapping checking getaddrinfo for %.700s " > "from address %.100s failed - POSSIBLE BREAKIN ATTEMPT!", > ntop, name); > return xstrdup(ntop); > } Good point, fixed. The other message of this type already logged the address. The new message will look like: logit("reverse mapping checking getaddrinfo for %.700s " "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); -d From linux at linuon.com Tue Mar 14 12:59:54 2006 
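Review bot: the new format `for %.700s from address %.100s` places the address in free text right after `name`, and `name` is the peer's own PTR record, so the peer chooses that string; a delimited field such as `[%s]` (the form Damien's reply adopts) lets a log filter pick the address out unambiguously. The argument order `name, ntop` does match the format in the hunk, unlike the excerpt in the message body, which lists `ntop, name`.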
From: linux at linuon.com (Linux) Date: Tue, 14 Mar 2006 10:59:54 +0900 Subject: Log message In-Reply-To: References: <4415858B.5030208@linuon.com> Message-ID: <4416239A.20807@linuon.com> Thank you for your quick response. Really appreciated. BTW, there's '-' between "BREAK" and "IN" added in new message: Damien Miller wrote: > The new message will look like: > > logit("reverse mapping checking getaddrinfo for %.700s " > "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); > Are you going to change it too? Current version prints "... - POSSIBLE BREAKIN ATTEMPT!", there's no '-'. Just wanted to make sure, since my program scans that part. Thanks! -- Junji From djm at mindrot.org Tue Mar 14 13:23:42 2006 From: djm at mindrot.org (Damien Miller) Date: Tue, 14 Mar 2006 13:23:42 +1100 (EST) Subject: Log message In-Reply-To: <4416239A.20807@linuon.com> References: <4415858B.5030208@linuon.com> <4416239A.20807@linuon.com> Message-ID: On Tue, 14 Mar 2006, Linux wrote: > Thank you for your quick response. Really appreciated. > BTW, there's '-' between "BREAK" and "IN" added in > new message The hyphen was added in openssh-4.3, so your software should be prepared to recognise it. -d From gael at magicnet.org Tue Mar 14 12:47:37 2006
From: gael at magicnet.org (Gael Martinez) Date: Mon, 13 Mar 2006 19:47:37 -0600 Subject: groups issue with openssh (all versions since at least 3.8), AIX 5.3 and NIS Message-ID: <20060314014737.GA28347@amd.magicnet.org> Hello We have had a massive performance issue in our environment for a while. SSH logins simply take 30 s to 1 minute to give a prompt, telnet logins are instantaneous. After doing a few tcpdumps and comparisons between telnet and ssh connections, we noticed that on average an ssh connection is generating over 12000 nis sessions, scanning basically all the group.byname table a few times, and we have a few thousand groups... :( I was wondering if it could be the same issue that we saw with DB2 which behaves the exact same way each time a user logs in...they were using the wrong function to determine the groups associated to one user http://www-1.ibm.com/support/docview.wss?uid=swg1IY44229 As we have over a thousand AIX machines running my build of openssh in a very large environment, this is causing a real overall performance issue with our nis environment ... Details about the current test build: apsp8111:/gael/src/openssh-4.3p2 #oslevel -r 5300-03 bash-2.05a$ gcc -v Reading specs from /opt/gcc/gcc-3.2.2/lib/gcc-lib/powerpc-ibm-aix5.1.0.0/3.3.2/specs Configured with: ./configure --prefix=/opt/gcc/gcc-3.2.2 --enable-languages=c,c++ Thread model: aix gcc version 3.3.2 apsp8111:/gael/src/openssh-4.3p2 #/usr/local/ssl/bin/openssl version OpenSSL 0.9.7i 14 Oct 2005 apsp8111:/gael/src/openssh-4.3p2 #./ssh -v OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005 $ ./configure --without-rsh --disable-suid-ssh --sysconfdir=/etc/ssh --with-mantype=man --libexecdir=/usr/local/sbin --with-pid-dir=/etc/ssh --with-zlib=../zlib-1.2.3 --with-default-path=/bin:/usr/bin:/usr/local/bin Let me know, I will assist as much as possible, this is really a big issue for us, and I'm not able to determine if that issue can be resolved with a patch to openssh or at the OS level.
Regards -- Gael From dtucker at zip.com.au Tue Mar 14 14:11:41 2006 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 14 Mar 2006 14:11:41 +1100 Subject: groups issue with openssh (all versions since at least 3.8), AIX 5.3 and NIS In-Reply-To: <20060314014737.GA28347@amd.magicnet.org> References: <20060314014737.GA28347@amd.magicnet.org> Message-ID: <20060314031141.GA13104@gate.dtucker.net> On Mon, Mar 13, 2006 at 07:47:37PM -0600, Gael Martinez wrote: [...] > that in average a ssh connection is generating over 12000 nis sessions, > scanning basically all the group.byname table a few times and we got a > few thousands groups... :( [...] > Let me know, I will assist as much as possible, this is really a big > issue for us, and I'm not able to determine if that issue > can be resolved with a patch to openssh or at the OS level. Looking briefly at the URL and the code, it looks like it could be resolved by implementing an AIX-specific getgroupslist() based on getgrset(). I'll look at it if you can test patches. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From linux at linuon.com Tue Mar 14 18:18:56 2006 From: linux at linuon.com (Linux) Date: Tue, 14 Mar 2006 16:18:56 +0900 Subject: Log message In-Reply-To: References: <4415858B.5030208@linuon.com> <4416239A.20807@linuon.com> Message-ID: <44166E60.8060904@linuon.com> > The hyphen was added in openssh-4.3, so your software should > be prepared to recognise it. OK. Thanks for the info. -- Junji From dtucker at zip.com.au Tue Mar 14 22:01:36 2006
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 14 Mar 2006 22:01:36 +1100 Subject: groups issue with openssh (all versions since at least 3.8), AIX 5.3 and NIS In-Reply-To: <20060314031141.GA13104@gate.dtucker.net> References: <20060314014737.GA28347@amd.magicnet.org> <20060314031141.GA13104@gate.dtucker.net> Message-ID: <20060314110136.GA18396@gate.dtucker.net> On Tue, Mar 14, 2006 at 02:11:41PM +1100, Darren Tucker wrote: > On Mon, Mar 13, 2006 at 07:47:37PM -0600, Gael Martinez wrote: > [...] > > that in average a ssh connection is generating over 12000 nis sessions, > > scanning basically all the group.byname table a few times and we got a > > few thousands groups... :( > [...] > > Let me know, I will assist as much as possible, this is really a big > > issue for us, and I'm not able to determine if that issue > > can be resolved with a patch to openssh or at the OS level. > > Looking briefly at the URL and the code, it looks like it could be > resolved by implementing an AIX-specific getgroupslist() based on > getgrset(). I'll look at at it if you can test patches. Please try this diff (against OpenSSH 4.3p2). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Only in openssh-4.3p2: autom4te.cache diff -ru openssh-4.3p2.orig/config.h.in openssh-4.3p2/config.h.in --- openssh-4.3p2.orig/config.h.in 2006-02-11 11:07:35.000000000 +1100 +++ openssh-4.3p2/config.h.in 2006-03-14 21:54:49.000000000 +1100 
@@ -305,6 +305,9 @@ /* Define to 1 if you have the `getgrouplist' function. */ #undef HAVE_GETGROUPLIST +/* Define to 1 if you have the `getgrset' function. */ +#undef HAVE_GETGRSET + /* Define to 1 if you have the `getluid' function. */ #undef HAVE_GETLUID Only in openssh-4.3p2: config.h.in~ diff -ru openssh-4.3p2.orig/configure openssh-4.3p2/configure --- openssh-4.3p2.orig/configure 2006-02-11 11:07:37.000000000 +1100 +++ openssh-4.3p2/configure 2006-03-14 21:55:13.000000000 +1100 @@ -5019,7 +5019,8 @@ -for ac_func in setauthdb + +for ac_func in getgrset setauthdb do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -27224,9 +27225,9 @@ exec 5>>config.log { echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <&5 cat >&5 <<_CSEOF diff -ru openssh-4.3p2.orig/configure.ac openssh-4.3p2/configure.ac --- openssh-4.3p2.orig/configure.ac 2006-02-08 22:11:06.000000000 +1100 +++ openssh-4.3p2/configure.ac 2006-03-14 21:53:53.000000000 +1100 @@ -174,7 +174,7 @@ [], [#include ] ) - AC_CHECK_FUNCS(setauthdb) + AC_CHECK_FUNCS(getgrset setauthdb) check_for_aix_broken_getaddrinfo=1 AC_DEFINE(BROKEN_REALPATH, 1, [Define if you have a broken realpath.]) AC_DEFINE(SETEUID_BREAKS_SETUID, 1, diff -ru openssh-4.3p2.orig/openbsd-compat/port-aix.c openssh-4.3p2/openbsd-compat/port-aix.c --- openssh-4.3p2.orig/openbsd-compat/port-aix.c 2005-05-29 10:54:28.000000000 +1000 +++ openssh-4.3p2/openbsd-compat/port-aix.c 2006-03-14 21:53:53.000000000 +1100 @@ -1,7 +1,7 @@ /* * * Copyright (c) 2001 Gert Doering. All rights reserved. - * Copyright (c) 2003,2004,2005 Darren Tucker. All rights reserved. + * Copyright (c) 2003,2004,2005,2006 Darren Tucker. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -372,4 +372,47 @@ } # endif /* AIX_GETNAMEINFO_HACK */ +# if defined(USE_GETGRSET) +# include +int +getgrouplist(const char *user, gid_t pgid, gid_t *groups, int *grpcnt) +{ + char *cp, *grplist, *grp; + gid_t gid; + int ret = 0, ngroups = 0, maxgroups; + long l; + + maxgroups = *grpcnt; + + if ((cp = grplist = getgrset(user)) == NULL) + return -1; + + /* handle zero-length case */ + if (maxgroups <= 0) { + *grpcnt = 0; + return -1; + } + + /* copy primary group */ + groups[ngroups++] = pgid; + + /* copy each entry from getgrset into group list */ + while ((grp = strsep(&grplist, ",")) != NULL) { + l = strtol(grp, NULL, 10); + if (ngroups >= maxgroups || l == LONG_MIN || l == LONG_MAX) { + ret = -1; + goto out; + } + gid = (gid_t)l; + if (gid == pgid) + continue; /* we have already added primary gid */ + groups[ngroups++] = gid; + } +out: + free(cp); + *grpcnt = ngroups; + return ret; +} +# endif /* USE_GETGRSET */ + #endif /* _AIX */ diff -ru openssh-4.3p2.orig/openbsd-compat/port-aix.h openssh-4.3p2/openbsd-compat/port-aix.h --- openssh-4.3p2.orig/openbsd-compat/port-aix.h 2005-05-28 20:28:40.000000000 +1000 +++ openssh-4.3p2/openbsd-compat/port-aix.h 2006-03-14 21:53:53.000000000 +1100 @@ -3,7 +3,7 @@ /* * * Copyright (c) 2001 Gert Doering. All rights reserved. - * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. + * Copyright (c) 2004,2005,2006 Darren Tucker. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -115,4 +115,11 @@ # define getnameinfo(a,b,c,d,e,f,g) (sshaix_getnameinfo(a,b,c,d,e,f,g)) #endif +/* We use getgrset in preference to multiple getgrent calls for efficiency */ +#if !defined(HAVE_GETGRENT) && defined(HAVE_GETGRSET) +# define HAVE_GETGRENT +# define USE_GETGRSET +int getgrouplist(const char *, gid_t, gid_t *, int *); +#endif + #endif /* _AIX */ From william.wilson at NAU.EDU Wed Mar 15 04:41:22 2006 
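Review bot: in the port-aix.c hunk, the new getgrouplist() calls getgrset() before the `maxgroups <= 0` check, and that early `return -1` skips `free(cp)`, so the buffer getgrset() allocated leaks on the zero-capacity path; do the capacity check first, or route that case through the `out:` label. In the same loop `strtol(grp, NULL, 10)` is only guarded against LONG_MIN/LONG_MAX, so an empty or non-numeric token (a trailing comma, for instance) parses as 0 and is stored as gid 0; passing an endptr and rejecting the token when `*endp != '\0'` (and checking errno for ERANGE) would make the parse strict. The `+# include` line in this copy of the patch has also lost its header name; LONG_MIN and LONG_MAX come from <limits.h>, so that is presumably the one intended, but it is worth confirming.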
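Review bot: the guard block added to port-aix.h defines HAVE_GETGRENT, yet the symbol the config.h.in hunk in this same patch ties to getgrouplist() is HAVE_GETGROUPLIST, and the openbsd-compat fallback getgrouplist() is normally selected on that symbol being undefined; as written, when getgrset is found the fallback would still be built next to this implementation (two definitions of getgrouplist), while HAVE_GETGRENT plays no part in that decision. Suggest `#if !defined(HAVE_GETGROUPLIST) && defined(HAVE_GETGRSET)` followed by `# define HAVE_GETGROUPLIST`, and rewording the comment, which talks about getgrent but is really about replacing the getgrent-based fallback.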
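Darren's patch above turns the string getgrset() hands back into a group list. The block below is an added example written for this page, not code from OpenSSH or from the patch: it parses the same comma-separated gid format strictly (no token can quietly become gid 0), runs the capacity check before anything else happens, and frees the producer's buffer on every path by keeping the parser free of ownership. fake_getgrset() and its two users are constructed stand-ins for the AIX call, which is not available on other platforms, and grset_to_grouplist() / getgrouplist_via_grset() are names chosen here.

```c
/* Added example, not OpenSSH code: strict parsing of a getgrset(3)-style
 * comma-separated gid string into a getgrouplist()-shaped result.
 * fake_getgrset() is a constructed stand-in for the AIX getgrset() call. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

enum { GRSET_OK = 0, GRSET_TRUNCATED = -1, GRSET_MALFORMED = -2, GRSET_NOUSER = -3 };

/* Parse exactly `len` bytes of `tok` as an unsigned decimal gid. Empty
 * tokens, signs, blanks, trailing junk and out-of-range values are all
 * rejected, so no malformed entry can silently turn into gid 0. */
static int parse_gid(const char *tok, size_t len, gid_t *out)
{
    char *end;
    unsigned long v;
    size_t i;

    if (len == 0)
        return -1;
    for (i = 0; i < len; i++)          /* digits only: no sign, no blanks */
        if (!isdigit((unsigned char)tok[i]))
            return -1;
    errno = 0;
    v = strtoul(tok, &end, 10);        /* stops at the ',' or NUL after len */
    if (errno == ERANGE || end != tok + len || v != (unsigned long)(gid_t)v)
        return -1;
    *out = (gid_t)v;
    return 0;
}

/* Fill groups[] with pgid followed by every other gid in `grset` (the
 * "100,200,300" form getgrset() returns), skipping repeats of pgid.
 * *grpcnt is the capacity on entry and the number written on return. */
int grset_to_grouplist(const char *grset, gid_t pgid, gid_t *groups, int *grpcnt)
{
    int cap = *grpcnt, n = 0, ret = GRSET_OK;
    const char *p = grset;

    if (cap <= 0) {                    /* capacity check before any other work */
        *grpcnt = 0;
        return GRSET_TRUNCATED;
    }
    groups[n++] = pgid;                /* primary group always comes first */
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        gid_t gid;

        if (parse_gid(p, len, &gid) != 0) {
            ret = GRSET_MALFORMED;
            break;
        }
        if (gid != pgid) {             /* dedupe before the capacity test */
            if (n >= cap) {
                ret = GRSET_TRUNCATED;
                break;
            }
            groups[n++] = gid;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    *grpcnt = n;
    return ret;
}

/* Stand-in for AIX getgrset(): a malloc()ed string the caller must free, or
 * NULL for an unknown user. The two users here are constructed samples. */
static char *fake_getgrset(const char *user)
{
    const char *grset = strcmp(user, "alice") == 0 ? "100,200,300" :
                        strcmp(user, "bob") == 0 ? "500,100" : NULL;
    char *s;

    if (grset == NULL || (s = malloc(strlen(grset) + 1)) == NULL)
        return NULL;
    return strcpy(s, grset);
}

/* getgrouplist()-shaped wrapper: the producer's buffer is released on every
 * path, because the parser above never takes ownership of it. */
int getgrouplist_via_grset(const char *user, gid_t pgid, gid_t *groups, int *grpcnt)
{
    char *list = fake_getgrset(user);
    int ret;

    if (list == NULL)
        return GRSET_NOUSER;
    ret = grset_to_grouplist(list, pgid, groups, grpcnt);
    free(list);
    return ret;
}
```

The return codes keep a short caller buffer (GRSET_TRUNCATED) apart from bad input (GRSET_MALFORMED), so whatever builds the credential set can refuse to proceed on a partial or suspect group list instead of treating every failure the same way.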
From: william.wilson at NAU.EDU (William)
Date: Tue, 14 Mar 2006 10:41:22 -0700
Subject: Problems compiling on Solaris 8
Message-ID: <6.1.2.0.2.20060314103600.03995718@mailbox.nau.edu>

I have two machines on which we are having problems compiling version 4.3p2. Both machines are Solaris 8 with gcc 3.3.2; openssl 0.9.8a is installed on both machines as well.

The first exhibits an error in log.h:

In file included from bsd-arc4random.c:18:
../log.h: In function `fatal':
../log.h:56: warning: empty declaration
../log.h:65: error: parse error before "volatile"
../log.h:56: error: parm types given both in parmlist and separately
../log.h:56: error: parameter name omitted
bsd-arc4random.c:20: error: `rcsid' undeclared (first use in this function)
bsd-arc4random.c:20: error: (Each undeclared identifier is reported only once
bsd-arc4random.c:20: error: for each function it appears in.)
bsd-arc4random.c:20: warning: left-hand operand of comma expression has no effect
bsd-arc4random.c:20: error: parse error before '}' token
*** Error code 1
make: Fatal error: Command failed for target `bsd-arc4random.o'
Current working directory /nau/src/Net/openssh-4.3p2/openbsd-compat
*** Error code 1
make: Fatal error: Command failed for target `openbsd-compat/libopenbsd-compat.a'

The second machine exhibits a different problem:

In file included from port-aix.c:32:
/nau/share/include/buffer.h:72: error: redefinition of `BUF_MEM'
/nau/share/include/openssl/ossl_typ.h:114: error: `BUF_MEM' previously declared here
*** Error code 1
make: Fatal error: Command failed for target `port-aix.o'
Current working directory /nau/src/Net/openssh-4.3p2/openbsd-compat
*** Error code 1
make: Fatal error: Command failed for target `openbsd-compat/libopenbsd-compat.a'

Any ideas on how to fix these? I've done a web search for both and have not found any good answers.

Thanks!
************************************************************************** * William Wilson - Northern AZ Univ * william.wilson at nau.edu *** http://jan.ucc.nau.edu/~wew From cdick at ocis.net Wed Mar 15 05:29:02 2006 
From: cdick at ocis.net (Colin Dick)
Date: Tue, 14 Mar 2006 10:29:02 -0800 (PST)
Subject: Problem compiling openssh-4.3p2 w/ openssl.0.9.8a on FC3
Message-ID:

Hi there,

I have tried compiling OpenSSH 4.3p2 using the following steps:

Upgrade OpenSSL
tar xvfz openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config
make
make install

Upgrade zlib
tar xvfz zlib-1.2.3.tar.gz
./configure
make test
make install

Upgrade OpenSSH
tar xvfz openssh-4.3p2.tar.gz
cd openssh-4.3p2.tar.gz
./configure --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-md5 --with-rand-helper
make

Unfortunately, the make fails with the following error:

gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x38): In function `dlfcn_load':
: undefined reference to `dlopen'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xa0): In function `dlfcn_load':
: undefined reference to `dlclose'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xc9): In function `dlfcn_load':
: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x13e): In function `dlfcn_unload':
: undefined reference to `dlclose'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x1f5): In function `dlfcn_bind_var':
: undefined reference to `dlsym'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x241): In function `dlfcn_bind_var':
: undefined reference to `dlerror'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x2d5): In function `dlfcn_bind_func':
: undefined reference to `dlsym'
/usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x321): In function `dlfcn_bind_func':
: undefined reference to `dlerror'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

Any ideas? It looks like an incompatibility between OpenSSH and OpenSSL.
Thanks in advance for any information or suggestions you can provide.

-- Colin Dick OCIS Admin

From bruno at knix.ca Wed Mar 15 05:30:19 2006
From: bruno at knix.ca (Bruno Clermont)
Date: Tue, 14 Mar 2006 13:30:19 -0500
Subject: openssh customization
Message-ID: <44170BBB.4010106@knix.ca>

One of my clients is asking for some modifications to OpenSSH code (not cryptography related). They want to add some new features and extend existing ones. Most of those features are not specific to my client's needs, so they can be given back to the community. The target platform is AIX 5.x and Solaris 8, but only a very small part of the code is target specific. The modifications are under BSD licensing. I hope to see some of them being added to the standard OpenSSH distribution. Physical presence here (Montreal) is not necessary. I'm looking for someone who's already in the OpenSSH dev-team, but I can evaluate external resources.

thanks

From dan at D00M.lightwave.net.ru Wed Mar 15 05:42:32 2006
From: dan at D00M.lightwave.net.ru (Dan Yefimov)
Date: Tue, 14 Mar 2006 21:42:32 +0300 (MSK)
Subject: Problem compiling openssh-4.3p2 w/ openssl.0.9.8a on FC3
In-Reply-To:
Message-ID:

On Tue, 14 Mar 2006, Colin Dick wrote:
> Hi there,
> I have tried compiling OpenSSH 4.3p2 using the following steps:
>
> Upgrade OpenSSL
> tar xvfz openssl-0.9.8a.tar.gz
> cd openssl-0.9.8a
> ./config
> make
> make install
>
> Upgrade zlib
> tar xvfz zlib-1.2.3.tar.gz
> ./configure
> make test
> make install
>
> Upgrade OpenSSH
> tar xvfz openssh-4.3p2.tar.gz
> cd openssh-4.3p2.tar.gz
> ./configure --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-md5
> --with-rand-helper
> make
>
> Unfortunately, the make fails with the following error:
>
> gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
> sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib
> -lssh -lopenbsd-compat -lresolv -lcrypto -lutil -lz -lnsl -lcrypt
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x38): In function
> `dlfcn_load':
> : undefined reference to `dlopen'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xa0): In function
> `dlfcn_load':
> : undefined reference to `dlclose'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0xc9): In function
> `dlfcn_load':
> : undefined reference to `dlerror'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x13e): In function
> `dlfcn_unload':
> : undefined reference to `dlclose'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x1f5): In function
> `dlfcn_bind_var':
> : undefined reference to `dlsym'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x241): In function
> `dlfcn_bind_var':
> : undefined reference to `dlerror'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x2d5): In function
> `dlfcn_bind_func':
> : undefined reference to `dlsym'
> /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)(.text+0x321): In function
> `dlfcn_bind_func':
> : undefined
reference to `dlerror'
> collect2: ld returned 1 exit status
> make: *** [ssh] Error 1
>
> Any ideas? It looks like an incompatibility between OpenSSH and
> OpenSSL. Thanks in advance for any information or suggestions you can
> provide.
>
It seems you forgot to add -ldl to the list of libraries in the linker command line. All undefined references you mentioned are resolved against that library.

-- Sincerely Your, Dan.

From dan at D00M.lightwave.net.ru Wed Mar 15 06:01:19 2006
From: dan at D00M.lightwave.net.ru (Dan Yefimov)
Date: Tue, 14 Mar 2006 22:01:19 +0300 (MSK)
Subject: Problem compiling openssh-4.3p2 w/ openssl.0.9.8a on FC3
In-Reply-To:
Message-ID:

On Tue, 14 Mar 2006, Dan Yefimov wrote:
> > Any ideas? It looks like an incompatibility between OpenSSH and
> > OpenSSL. Thanks in advance for any information or suggestions you can
> > provide.
> >
> It seems you forgot to add -ldl to the list of libraries in the linker command
> line. All undefined references you mentioned are resolved against that library.
>
One notice after all. More correctly, -ldl should be specified in the linker command line yet while building openssl, since openssh in fact doesn't itself use dynamic linking (at least directly).

-- Sincerely Your, Dan.

From dtucker at zip.com.au Wed Mar 15 06:43:37 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Mar 2006 06:43:37 +1100
Subject: Problems compiling on Solaris 8
In-Reply-To: <6.1.2.0.2.20060314103600.03995718@mailbox.nau.edu>
References: <6.1.2.0.2.20060314103600.03995718@mailbox.nau.edu>
Message-ID: <44171CE9.7040805@zip.com.au>

William wrote:
> I have two machines that we are having problems compiling version 4.3p2.
>
> Both machines are Solaris 8 and gcc 3.3.2 openssl 0.9.8a is installed on
> both machines as well.
>
> The first exhibits an error in log.h:
>
> In file included from bsd-arc4random.c:18:
> ../log.h: In function `fatal':
> ../log.h:56: warning: empty declaration
> ../log.h:65: error: parse error before "volatile"
> ../log.h:56: error: parm types given both in parmlist and separately
> ../log.h:56: error: parameter name omitted

This sounds like this: http://bugzilla.mindrot.org/show_bug.cgi?id=1013 which was a compiler installation problem (a bogus cdefs.h file on the system somewhere).

> The second machine exhibits a different problem:
>
> In file included from port-aix.c:32:
> /nau/share/include/buffer.h:72: error: redefinition of `BUF_MEM'
> /nau/share/include/openssl/ossl_typ.h:114: error: `BUF_MEM' previously
> declared here
> *** Error code 1
> make: Fatal error: Command failed for target `port-aix.o'
> Current working directory /nau/src/Net/openssh-4.3p2/openbsd-compat
> *** Error code 1
> make: Fatal error: Command failed for target
> `openbsd-compat/libopenbsd-compat.a'

That looks like the compiler is picking up a wrong buffer.h from /nau/share/include. Presumably you added that in CPPFLAGS or CFLAGS? What options did you give configure?

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Wed Mar 15 07:37:02 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 15 Mar 2006 07:37:02 +1100
Subject: Problem compiling openssh-4.3p2 w/ openssl.0.9.8a on FC3
In-Reply-To:
References:
Message-ID: <20060314203702.GA8074@gate.dtucker.net>

On Tue, Mar 14, 2006 at 10:29:02AM -0800, Colin Dick wrote:
> gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
[...]
> : undefined reference to `dlopen'
> Any ideas? It looks like an incompatibility between OpenSSH and
> OpenSSL. Thanks in advance for any information or suggestions you can
> provide.

OpenSSL now seems to need libdl these days. You can add it by doing:
./configure --with-libs=-ldl

Perhaps configure should test for this condition, eg the attached? (Anyone trying this will need to run "autoreconf" to rebuild configure then re-run configure).

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.333 diff -u -p -r1.333 configure.ac --- configure.ac 13 Mar 2006 08:06:51 -0000 1.333 +++ configure.ac 14 Mar 2006 20:33:23 -0000
@@ -1871,6 +1895,36 @@ int main(void) { exit(EVP_aes_192_cbc() ] ) +AC_MSG_CHECKING([if programs using OpenSSL functions will link]) +AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void) { SSLeay_add_all_algorithms(); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + saved_LIBS="$LIBS" + LIBS="$LIBS -ldl" + AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +int main(void) { SSLeay_add_all_algorithms(); } + ]])], + [ + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + LIBS="$saved_LIBS" + ] + ) + ] +) + # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, # because the system crypt() is more featureful. if test "x$check_for_libcrypt_before" = "x1"; then

From openssh at roumenpetrov.info Wed Mar 15 08:38:55 2006
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Tue, 14 Mar 2006 23:38:55 +0200
Subject: Problem compiling openssh-4.3p2 w/ openssl.0.9.8a on FC3
In-Reply-To: <20060314203702.GA8074@gate.dtucker.net>
References: <20060314203702.GA8074@gate.dtucker.net>
Message-ID: <441737EF.3040107@roumenpetrov.info>

Darren Tucker wrote:
> On Tue, Mar 14, 2006 at 10:29:02AM -0800, Colin Dick wrote:
>
>>gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
>
> [...]
>
>>: undefined reference to `dlopen'
>> Any ideas? It looks like an incompatibility between OpenSSH and
>>OpenSSL. Thanks in advance for any information or suggestions you can
>>provide.
>
>
> OpenSSL now seems to need libdl these days. You can add it by doing:
> ./configure --with-libs=-ldl
>
I don't have problems with openssl 0.9.8x either with or without shared libraries. Maybe this is redhat/fedora specific?

Darren, configure may remove library dl - see libpam comment near to end.

Regards,
Roumen

From george at canihelp.com Thu Mar 16 01:45:12 2006
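Review bot: in the configure.ac hunk above (the OpenSSL link probe), the inner failure branch prints `no`, restores `LIBS="$saved_LIBS"` and lets configure finish, so a system where neither link attempt succeeds only fails later with the same `undefined reference to \`dlopen'` errors the original report shows; an AC_MSG_ERROR (or at least AC_MSG_WARN) in that branch would point the user at the actual cause. The two `#include` lines in the probe programs have lost their header names in this copy of the patch. Roumen's reply in this thread also says a later libpam-related step in configure may remove -ldl from LIBS again, so the final LIBS value needs checking after that step, not only right after this probe.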
From: george at canihelp.com (George Henson)
Date: Wed, 15 Mar 2006 09:45:12 -0500 (EST)
Subject: HPUX - Trusted mode - Successful login time
Message-ID: <48717.140.139.18.228.1142433912.squirrel@www.canihelp.com>

We run HP-UX 11.00 in "Trusted Mode". This creates and manages a tcb database for all the users on the system. I have created the attached patch, for openssh-4.3p2, to update the date/time of a successful login. I have tested this patch on several systems here, but I am sure there is a cleaner way to implement the updates into openssh. In a perfect world I would like to update the tcb with the date/time of unsuccessful logins as well.

Thank you

From nicolagerardo.sanita at eds.com Thu Mar 16 20:36:23 2006
From: nicolagerardo.sanita at eds.com (Sanita', Nicola Gerardo)
Date: Thu, 16 Mar 2006 10:36:23 +0100
Subject: SSH Help
Message-ID: <9B232A936C6EA142875E6CC2789295748FFFA3@itssm203.emea.corp.eds.com>

Hi All,

I'm starting to use OpenSSH 4.3.2 on Solaris 5.6, but I have a little problem (I'm new to SSH) using the log recording: I can't write the 'Repeated Login Failures' to the log as happens using telnet. I have tried many sshd_config parameters unsuccessfully. Could someone suggest what I'm doing wrong?

Thanks

Nicola Sanità
Via Medici del Vascello, 26
20138 Milano - Italy
Tel.: +39 02 520 25352

This email contains information which is confidential and may be privileged. Unless you are the intended addressee (or authorised to receive for the addressee) you may not use, forward, copy or disclose to anyone this email or any information contained in this email. If you have received this email in error, please advise the sender by reply email immediately and delete this email.

From rapier at psc.edu Fri Mar 17 06:50:08 2006
From: rapier at psc.edu (Chris Rapier)
Date: Thu, 16 Mar 2006 14:50:08 -0500
Subject: New Version of HPN-SSH Patch
Message-ID: <4419C170.50302@psc.edu>

[NB: General information regarding HPN-SSH can be found at http://www.psc.edu/networking/projects/hpn-ssh ]

This is a beta release of HPN12 but I'd like to get some user experiences with it if anyone is so inclined.

This version of the HPN patch more closely conforms to the openssh nomenclature and coding style, it eliminates the use of command line switches in favor of -o options, it allows the user to enable or disable tcp receive buffer size polling (for non-autotuning systems), allows the user to change the tcp buffer on a per connection basis thereby overriding the system tcp receive buffer up to the buffer maximum, and incorporates the none cipher switch. The none cipher switch allows the user to switch to the none cipher after the authentication takes place. As such, authentication is still fully encrypted.

This is a beta release. I've not fully tested it with the new tunneling options that were introduced in 4.3. Also, I'm still trying to figure out some performance issues in LAN transfers (reports of up to a 30% performance hit in some circumstances). So until that is resolved this will be a beta.

The patch can be found at http://www.psc.edu/networking/projects/hpn-ssh/openssh-4.3p2-hpn12.diff
Usage notes can be found at http://www.psc.edu/networking/projects/hpn-ssh/ssh-hpn12.notes

As always, comments, criticism, bug fixes, and the like are greatly appreciated. I'll answer any questions as best I can.

Chris Rapier

From crs at sorsby.org Fri Mar 17 06:36:09 2006
From: crs at sorsby.org (Charlie Sorsby)
Date: Thu, 16 Mar 2006 12:36:09 -0700 (MST)
Subject: OpenSSH Configure Output
Message-ID: <200603161936.k2GJa9oi096738@sorsby.org>

Per instructions in configure output (if you want all the configure output, I shall be happy to send it):

PC% grep -n WARN Config.log
42:configure: WARNING: net/if_tap.h: present but cannot be compiled
43:configure: WARNING: net/if_tap.h: check for missing prerequisite headers?
44:configure: WARNING: net/if_tap.h: see the Autoconf documentation
45:configure: WARNING: net/if_tap.h: section "Present But Cannot Be Compiled"
46:configure: WARNING: net/if_tap.h: proceeding with the preprocessor's result
47:configure: WARNING: net/if_tap.h: in the future, the compiler will take precedence
48:configure: WARNING: ## ------------------------------------------- ##
49:configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ##
50:configure: WARNING: ## ------------------------------------------- ##
91:configure: WARNING: login_cap.h: present but cannot be compiled
92:configure: WARNING: login_cap.h: check for missing prerequisite headers?
93:configure: WARNING: login_cap.h: see the Autoconf documentation
94:configure: WARNING: login_cap.h: section "Present But Cannot Be Compiled"
95:configure: WARNING: login_cap.h: proceeding with the preprocessor's result
96:configure: WARNING: login_cap.h: in the future, the compiler will take precedence
97:configure: WARNING: ## ------------------------------------------- ##
98:configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ##
99:configure: WARNING: ## ------------------------------------------- ##
163:configure: WARNING: sys/mman.h: present but cannot be compiled
164:configure: WARNING: sys/mman.h: check for missing prerequisite headers?
165:configure: WARNING: sys/mman.h: see the Autoconf documentation
166:configure: WARNING: sys/mman.h: section "Present But Cannot Be Compiled"
167:configure: WARNING: sys/mman.h: proceeding with the preprocessor's result
168:configure: WARNING: sys/mman.h: in the future, the compiler will take precedence
169:configure: WARNING: ## ------------------------------------------- ##
170:configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ##
171:configure: WARNING: ## ------------------------------------------- ##
184:configure: WARNING: sys/select.h: present but cannot be compiled
185:configure: WARNING: sys/select.h: check for missing prerequisite headers?
186:configure: WARNING: sys/select.h: see the Autoconf documentation
187:configure: WARNING: sys/select.h: section "Present But Cannot Be Compiled"
188:configure: WARNING: sys/select.h: proceeding with the preprocessor's result
189:configure: WARNING: sys/select.h: in the future, the compiler will take precedence
190:configure: WARNING: ## ------------------------------------------- ##
191:configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ##
192:configure: WARNING: ## ------------------------------------------- ##
499:configure: WARNING: Make sure the path to scp is in /etc/login.conf

Charlie
-- Charlie Sorsby crs at swcp.com
P. O. Box 1225 Edgewood, NM 87015 USA
Why HTML in e-mail is evil: http://www.birdhouse.org/etc/evilmail.html
and (possibly) how to turn it off: http://www.expita.com/nomime.html

From dtucker at zip.com.au Sun Mar 19 18:23:10 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 19 Mar 2006 18:23:10 +1100
Subject: OpenSSH Configure Output
In-Reply-To: <200603161936.k2GJa9oi096738@sorsby.org>
References: <200603161936.k2GJa9oi096738@sorsby.org>
Message-ID: <20060319072309.GA31484@gate.dtucker.net>

On Thu, Mar 16, 2006 at 12:36:09PM -0700, Charlie Sorsby wrote:
> Per instructions in configure output (if you want all the configure
> output, I shall be happy to send it):

Thanks, but which version of OpenSSH is this and what platform are you compiling it on?

[...]
> WARNING: login_cap.h: present but cannot be compiled

This one may have been fixed after 4.3p2 was released. Does it (and the others for that matter) still occur with a snapshot? ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From nascimento.rp at gmail.com Wed Mar 22 02:12:07 2006
From: nascimento.rp at gmail.com (Rodrigo Nascimento)
Date: Tue, 21 Mar 2006 12:12:07 -0300
Subject: Newbie here
Message-ID:

Hi All,

My name is Rodrigo Nascimento. I have some knowledge of the C programming language and I want to contribute to the openSSH project. I have never worked with this kind of development; I have always written programs for corporate business, and now I'd like to get to know this kind of development: I want to know what it is like to write programs that provide new functions together with the O.S. As I have never worked with this kind of development, I need a "sponsor of knowledge", someone to say: "The project needs it. Do it and send it to me for corrections...", or something like that..... So, I'm here to do anything that may help the project.... oh! and sorry for my poor english.

Thanks,
-- Nascimento

From brian at karoshi.ucsd.edu Wed Mar 22 06:54:41 2006
From: brian at karoshi.ucsd.edu (Brian Kantor)
Date: Tue, 21 Mar 2006 11:54:41 -0800 (PST)
Subject: OpenSSH4.3p2 vs FreeBSD-6.0Rel
Message-ID: <200603211954.k2LJsftZ028686@karoshi.ucsd.edu>

If this is a new problem, please contact me and I will get you further information.
- Brian

checking login_cap.h usability... no
checking login_cap.h presence... yes
configure: WARNING: login_cap.h: present but cannot be compiled
configure: WARNING: login_cap.h: check for missing prerequisite headers?
configure: WARNING: login_cap.h: see the Autoconf documentation
configure: WARNING: login_cap.h: section "Present But Cannot Be Compiled"
configure: WARNING: login_cap.h: proceeding with the preprocessor's result
configure: WARNING: login_cap.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------- ##
configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ##
configure: WARNING: ## ------------------------------------------- ##
checking for login_cap.h... yes

From tim at multitalents.net Wed Mar 22 12:10:02 2006
From: tim at multitalents.net (Tim Rice)
Date: Tue, 21 Mar 2006 17:10:02 -0800 (PST)
Subject: OpenSSH4.3p2 vs FreeBSD-6.0Rel
In-Reply-To: <200603211954.k2LJsftZ028686@karoshi.ucsd.edu>
Message-ID:

On Tue, 21 Mar 2006, Brian Kantor wrote:
> If this is a new problem, please contact me and I will
> get you further information.
> - Brian
>
>
> checking login_cap.h usability... no
> checking login_cap.h presence... yes
> configure: WARNING: login_cap.h: present but cannot be compiled
> configure: WARNING: login_cap.h: check for missing prerequisite headers?
> configure: WARNING: login_cap.h: see the Autoconf documentation
> configure: WARNING: login_cap.h: section "Present But Cannot Be Compiled"

Look at your config.log for clues why it can not be compiled. There is probably some additional header needed for the test on your platform.

-- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From dtucker at zip.com.au Wed Mar 22 22:39:39 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 22 Mar 2006 22:39:39 +1100
Subject: OpenSSH4.3p2 vs FreeBSD-6.0Rel
In-Reply-To:
References: <200603211954.k2LJsftZ028686@karoshi.ucsd.edu>
Message-ID: <20060322113939.GA32066@gate.dtucker.net>

On Tue, Mar 21, 2006 at 05:10:02PM -0800, Tim Rice wrote:
> On Tue, 21 Mar 2006, Brian Kantor wrote:
> > checking login_cap.h usability... no
> > checking login_cap.h presence... yes
> > configure: WARNING: login_cap.h: present but cannot be compiled
> > configure: WARNING: login_cap.h: check for missing prerequisite headers?
> > configure: WARNING: login_cap.h: see the Autoconf documentation
> > configure: WARNING: login_cap.h: section "Present But Cannot Be Compiled"
>
> Look at your config.log for clues why it can not be compiled.
> There is probably some additional header needed for the test on
> your platform.

It's also worth checking if it's fixed in the snaps. I saw a similar issue on NetBSD and made it happy by having configure #include .

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From julien at jdemoor.com Wed Mar 22 23:04:12 2006
From: julien at jdemoor.com (Julien Demoor)
Date: Wed, 22 Mar 2006 13:04:12 +0100
Subject: X forwarding problem
Message-ID: <44213D3C.5080705@jdemoor.com>

Hi,

I'm working on a program (for Linux) that uses OpenSSH with multiplexing and X11 forwarding. The first call to ssh has arguments -MNfX, so the connection is only established. Later, remote commands using X are called with "ssh -S path -fX remoteCommand". For some obscure reason, this does not work from my program, which is also responsible for starting the X server and setting the authorizations. I have tried everything I could think of, without success. It seems that the problem comes from the first call to ssh. There must be something my program does at the same time that prevents ssh from initializing X forwarding locally. Unfortunately, even with the -vvv option, ssh gives very little information about X forwarding (few when it works, none when it doesn't). I'm looking for ideas as to why ssh can't initialize X or indications of what parts of the OpenSSH source code I should look into.

Thanks in advance for your help.

Julien Demoor

From logsnaath at gmx.net Thu Mar 23 18:36:34 2006
From: logsnaath at gmx.net (Logu)
Date: Thu, 23 Mar 2006 13:06:34 +0530
Subject: Cygwin sftp is very slow.
Message-ID: <007f01c64e4c$8ae544c0$140110ac@ads.com>

I tried to transfer a CD image (around 600Mb) from a local network linux machine to a windows machine with the cygwin sftp. The transfer is very slow. It did not go beyond 15KB/s. But I did transfer it just with ssh and it was pretty quick:

ssh logu at 192.168.1.52 "cat sysrec.iso" > sysrec.iso

What could be the problem? I have switched off Antivirus, firewall etc.

The version of the cygwin openssh client is:

$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004

Any help will be appreciated.

Thanks
-logu

From senthilkumar_sen at hotpop.com Thu Mar 23 20:43:49 2006
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Thu, 23 Mar 2006 15:13:49 +0530
Subject: HostKey checking and DNS finger print verification
Message-ID: <838a01c64e5e$5f98a750$220110ac@sekco>

Hello All,

I have a client-server setup with about 100 nodes. We often install the OS and this results in a change of host keys in our server. This necessitates the need to update all known_hosts files in the client machines. I'm using the VerifyHostKeyDNS option on the client side, where the DNS is updated with the new finger print each time we change the host key. But still the SSH client verifies its known_hosts file even when the DNS finger print matches.

Is there any way to overcome the client's local database checking if the DNS finger print matches? What are the security issues associated with this way?

Thanks,
Senthil Kumar.

From dtucker at zip.com.au Thu Mar 23 21:00:43 2006
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 23 Mar 2006 21:00:43 +1100 Subject: HostKey checking and DNS finger print verification In-Reply-To: <838a01c64e5e$5f98a750$220110ac@sekco> References: <838a01c64e5e$5f98a750$220110ac@sekco> Message-ID: <442271CB.6030105@zip.com.au> Senthil Kumar wrote: > I have a client-server setup with about 100 nodes. We often install the OS > and this results in change of host keys in our server. This necessiates the > need to update all known_hosts files in the client machines. Im using the > VerifyHostKeyDNS option in the client side where the DNS is updated with new > finger print each time we change the host key. But still the SSH client > verifies its known_hosts file even the DNS finger print matches. > > Is there any way to overcome clients local database checking if DNS finger > print matches? What are the security issues associated with this way? If your DNS is trusted (ie DNSSEC) then the fingerprints will be trusted too. Otherwise the DNS results are used as an additional check but are not trusted. If practical you could also save and restore the host keys during a rebuild. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Fri Mar 24 10:32:04 2006 
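The policy Darren describes (a DNS fingerprint only stands on its own when the answer was DNSSEC-validated; otherwise it is an extra check and the known_hosts entry still decides) can be modelled with the SSHFP record format. The following is an added example written for this thread, not OpenSSH's own code: it builds an SSHFP record from an OpenSSH public key line (the fingerprint is the SHA-1 or SHA-256 digest of the raw key blob, as in RFC 4255 / RFC 6594) and then decides how much to trust a host key given the DNS answers and the local known_hosts result. The ssh-ed25519 host key, the DNS records and the `authenticated` flag (standing in for the resolver's AD bit) are all constructed inline.

```python
"""SSHFP-style host key trust decision (added example, not OpenSSH code)."""
import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP RDATA numbers (RFC 4255 / RFC 6594): key algorithm and fingerprint type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass
class SshfpRecord:
    algorithm: int
    fptype: int
    fingerprint: str      # lowercase hex, as written in a zone file
    authenticated: bool   # True only if the resolver validated the answer (DNSSEC AD bit)


def parse_pubkey_line(line: str):
    """Return (key type, raw wire-format key blob) from an OpenSSH public key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed key type string; it must agree with the line.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key type in blob does not match the key line")
    return keytype, blob


def sshfp_for_key(line: str, fptype: int = 2) -> SshfpRecord:
    """Build the SSHFP record an operator would publish for this host key."""
    keytype, blob = parse_pubkey_line(line)
    digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
    return SshfpRecord(SSHFP_ALGO[keytype], fptype, digest, authenticated=False)


def verify_host_key(line: str, dns_records, known_hosts_match: bool) -> str:
    """Return "trusted" (DNSSEC-validated SSHFP matches), "known_hosts" (local
    entry matches; any unvalidated DNS agreement is only advisory) or "reject"."""
    keytype, blob = parse_pubkey_line(line)
    dns_match = dns_secure = False
    for rec in dns_records:
        if rec.algorithm != SSHFP_ALGO[keytype] or rec.fptype not in SSHFP_FPTYPE:
            continue  # record for another key type or an unknown hash: ignore it
        if SSHFP_FPTYPE[rec.fptype](blob).hexdigest() == rec.fingerprint.lower():
            dns_match = True
            dns_secure = dns_secure or rec.authenticated
    if dns_match and dns_secure:
        return "trusted"
    if known_hosts_match:
        return "known_hosts"
    return "reject"


# Constructed sample: a syntactically valid ssh-ed25519 blob around a dummy
# 32-byte public key. It is not any real host's key.
_KEYTYPE = b"ssh-ed25519"
_KEY = bytes(range(32))
_BLOB = struct.pack(">I", len(_KEYTYPE)) + _KEYTYPE + struct.pack(">I", len(_KEY)) + _KEY
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " host.example"


def demo():
    """Run the four cases that matter for the thread's question."""
    good = sshfp_for_key(SAMPLE_KEY_LINE)
    secure = SshfpRecord(good.algorithm, good.fptype, good.fingerprint, authenticated=True)
    stale = SshfpRecord(good.algorithm, good.fptype, "00" * 32, authenticated=True)
    return {
        "dnssec_match_no_known_hosts": verify_host_key(SAMPLE_KEY_LINE, [secure], False),
        "plain_dns_match_no_known_hosts": verify_host_key(SAMPLE_KEY_LINE, [good], False),
        "plain_dns_match_with_known_hosts": verify_host_key(SAMPLE_KEY_LINE, [good], True),
        "stale_dnssec_record_no_known_hosts": verify_host_key(SAMPLE_KEY_LINE, [stale], False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The second case is the one Senthil is hitting: a matching SSHFP record from an unvalidated resolver is not enough on its own, so the rebuilt host still needs a known_hosts update unless the zone is signed and the client's resolver validates it.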
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Mar 2006 10:32:04 +1100 (EST)
Subject: Funding OpenSSH

Hi,

This mail is a request for vendors who have integrated OpenSSH into their products or devices to step up and provide some financial assistance back to the project. Please note that this request is intended for *vendors* - our individual userbase already helps us in every appropriate way.

You may have noticed a similar request for OpenSSH/OpenBSD funding made by Marco Peereboom in the last couple of days, but I would like to reiterate: money donated to the project goes directly to development, either by funding individual developers for medium-long term projects or by putting developers in a room together, without distractions, so they can improve OpenSSH.

Having long term developers around ensures that small and "boring, but important changes" receive the attention that they deserve. OpenSSH hasn't had 9am-5pm developer attention for a while, but we believe it would greatly benefit from it.

The second consumer of funds above refers to the annual hackathons that the OpenBSD project runs. These provide a forum where major functionality improvements can be initiated, fleshed out, reviewed and committed. The last two hackathons alone have been directly responsible for:

- Fixing of dozens of bugs
- The addition of connection multiplexing
- The idea for the layer-2/layer-3 VPN over SSH released in 4.3
- The implementation of auto-reexecution
- Many proactive signed vs. unsigned integer cleanups

... and a bunch of other improvements and ideas at various stages of conception and development. There really isn't a substitute for pulling a bunch of developers from around the world to focus on one thing for a solid week.

Many vendors have integrated OpenSSH into their operating systems or devices and quite a few of these proudly list the secure management ability that OpenSSH provides as a major feature in their marketing material - something which translates directly to product sales.

This is an opportunity for these vendors to give something back. For a relatively tiny amount of money, you can help ensure that OpenSSH continues to extend its functionality and proactively improve security. If you are interested, please email myself, Markus Friedl and/or Theo de Raadt:

- Damien Miller
- Markus Friedl
- Theo de Raadt

If you work for a vendor who uses or has integrated OpenSSH, please consider this request and forward it to anyone else in your organisation who is able to assist.

Thanks,
Damien Miller
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Thu, 23 Mar 2006 17:03:50 -0700
Subject: Funding OpenSSH
In-Reply-To: Your message of "Fri, 24 Mar 2006 10:32:04 +1100."
Message-ID: <200603240003.k2O03oII021806@cvs.openbsd.org>

I would like to add a few things, if I may.

> Many vendors have integrated OpenSSH into their operating systems or
> devices and quite a few of these proudly list the secure management
> ability that OpenSSH provides as a major feature in their marketing
> material - something which translates directly to product sales.

These vendors include:

    Sun
    Apple
    IBM
    HP
    Cisco
    Netgear
    RedHat
    SuSe
    most operating system vendors except Microsoft
    nearly every other major network equipment manufacturer
    (but many other vendors too)

These vendors have never given us even a dime. (To put it more clearly, IBM loaned one developer a machine to make sure that OpenSSH would run better on it, but they INSISTED on it being a loan instead of just giving it to the developer).

I heard a story once that Sun talked to SSH.COM about getting their SSH product incorporated into Solaris, and were quoted either $1 million or $2.5 per year for a license. (Someone from Sun can correct me on this figure when they come help us). Sun instead incorporated OpenSSH into Solaris. Now that's all fine and dandy, but if Sun saved so much money why don't they help us out a little bit, so that we can make OpenSSH even better?

The same applies to the other vendors listed above. We have saved them perhaps tens of millions of dollars (I am sure this is not an exaggeration, for EACH vendor), yet every time we have tried to contact them to ask for some assistance we have always been given the run-around, the conversation has died out, and then amounted to nothing. We have contacted most of these vendors multiple times.

Some of the user community may have been around long enough to know how things have historically gone with BIND or Sendmail, other infrastructure products that had no assistance from vendors. Sendmail went semi-commercial and is so poorly maintained that it still has holes in it (how timely), and if my information is correct BIND9 development was largely funded by a few European non-profits, on a pittance of a grant. Meanwhile, the GPL'd variants of software products like this are still avoided by vendors. So they only want to take, take, take.

I know we cannot be the only people who think this is ridiculous. And it has to change, otherwise I think we will feel compelled to change the way that we work with vendors. We have had discussions about other options we have already, but we hope that the vendor community does the responsible thing.

> This is an opportunity for these vendors to give something back. For
> a relatively tiny amount of money, you can help ensure that OpenSSH
> continues to extend its functionality and proactively improve security.
> If you are interested, please email myself, Markus Friedl and/or Theo de
> Raadt:
>
> - Damien Miller
> - Markus Friedl
> - Theo de Raadt
>
> If you work for a vendor who uses or has integrated OpenSSH, please
> consider this request and forward it to anyone else in your organisation
> who is able to assist.
>
> Thanks,
> Damien Miller

As a side note, earlier today IBM Support actually sent an energy company with whom they have a multi-million support contract to our private development mailing list saying we had to fix a customer bug. I was shown an extensive set of IBM support emails with the customer where they were refusing to take responsibility for the issue, and finally told their customer that OpenSSH was responsible for fixing their problem. I say shame on you, IBM, SHAME ON YOU. You take their money and want us to make your customers happy.
From: blastwave at gmail.com (Dennis Clarke)
Date: Thu, 23 Mar 2006 23:14:10 -0500
Subject: Funds for OpenSSH from Solaris and OpenSolaris users at Blastwave

Dear OpenSSH friends:

The Blastwave.org project is focused on providing quality open source software to Solaris and OpenSolaris users. Please know that your software is valued and one of the very first software packages to be offered by Blastwave well over 3 years ago. I have personally scraped together $100 for you but don't know where to put it yet. You have a PayPal link on your site at http://www.openssh.org/donations.html that says "NOT YET SETUP!". Will you have this PayPal link in place soon? If so then I will gather some money together for you if I can. I will start with my own personal $100 and then go out and "pass the hat" for you.

Also, if you ever need access to a Solaris or OpenSolaris build environment and you are an active developer in the OpenSSH project then I can certainly help you there also.

Dennis Clarke
Director Blastwave.org
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Mar 2006 17:06:38 +1100 (EST)
Subject: Funds for OpenSSH from Solaris and OpenSolaris users at Blastwave

Hi Dennis,

You caught the donations.html page in the act of being written. It is there now :)

Thanks indeed for your donation.

Regards,
Damien Miller

On Thu, 23 Mar 2006, Dennis Clarke wrote:

> Dear OpenSSH friends:
>
> The Blastwave.org project is focused on providing quality open
> source software to Solaris and OpenSolaris users. Please know that
> your software is valued and one of the very first software packages to
> be offered by Blastwave well over 3 years ago. I have personally
> scraped together $100 for you but don't know where to put it yet. You
> have a PayPal link on your site at
> http://www.openssh.org/donations.html that says "NOT YET SETUP!".
> Will you have this PayPal link in place soon? If so then I will
> gather some money together for you if I can. I will start with my own
> personal $100 and then go out and "pass the hat" for you.
>
> Also, if you ever need access to a Solaris or OpenSolaris build
> environment and you are an active developer in the OpenSSH project
> then I can certainly help you there also.
>
> Dennis Clarke
> Director Blastwave.org
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
From: Michael at Wayne.edu (Michael Thompson)
Date: Fri, 24 Mar 2006 15:03:03 -0500
Subject: OpenSSH

Trying to compile OpenSSH with Kerberos5 fails.

    checking whether we are using Heimdal... no
    checking gssapi.h usability... no
    checking gssapi.h presence... no
    checking for gssapi.h... no
    checking gssapi/gssapi.h usability... yes
    checking gssapi/gssapi.h presence... yes
    checking for gssapi/gssapi.h... yes
    checking gssapi_krb5.h usability... no
    checking gssapi_krb5.h presence... no
    checking for gssapi_krb5.h... no
    checking gssapi/gssapi_krb5.h usability... no
    checking gssapi/gssapi_krb5.h presence... yes
    configure: WARNING: gssapi/gssapi_krb5.h: present but cannot be compiled
    configure: WARNING: gssapi/gssapi_krb5.h: check for missing prerequisite headers?
    configure: WARNING: gssapi/gssapi_krb5.h: see the Autoconf documentation
    configure: WARNING: gssapi/gssapi_krb5.h: section "Present But Cannot Be Compiled"
    configure: WARNING: gssapi/gssapi_krb5.h: proceeding with the preprocessor's result
    configure: WARNING: gssapi/gssapi_krb5.h: in the future, the compiler will take precedence
    configure: WARNING: ## ------------------------------------------- ##
    configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ##
    configure: WARNING: ## ------------------------------------------- ##
    checking for gssapi/gssapi_krb5.h... yes
    checking gssapi_generic.h usability... no
    checking gssapi_generic.h presence... no
    checking for gssapi_generic.h... no
    checking gssapi/gssapi_generic.h usability... yes
    checking gssapi/gssapi_generic.h presence... yes
    checking for gssapi/gssapi_generic.h... yes

Thanks,

Michael Thompson
Wayne State University
Computing & Information Technology
Research Services Department
Phone: (313) 577-8106
e-Mail: Michael at Wayne.edu
From: fast at ais42.net (fast)
Date: Sat, 25 Mar 2006 11:13:00 +0100
Subject: High Performance SSH/SCP - HPN-SSH when?
Message-ID: <20060325101007.M7943@ais42.net>

Hi,

http://www.psc.edu/networking/projects/hpn-ssh/

Clearly, the HPN patches significantly boost throughput performance. This enhancement is entirely from tuning the SSH buffer sizes.

Alex Tavcar
From: rapier at psc.edu (Chris Rapier)
Date: Sat, 25 Mar 2006 23:37:57 -0500
Subject: High Performance SSH/SCP - HPN-SSH when?
In-Reply-To: <20060325101007.M7943@ais42.net>
References: <20060325101007.M7943@ais42.net>
Message-ID: <44261AA5.9070407@psc.edu>

Well, I'm the developer of this patch and I fully respect their decision not to incorporate it at this time. The OpenSSH dev group has, I believe, different priorities. Security is, and must be, foremost in their mind. Performance rightly takes a back seat to security concerns. On the other hand, as a developer for high performance networks I have a client base that needs the performance, so that is foremost in my mind. I don't believe my patch compromises security, but the development group has to be sure of this. Their reputation will be far more affected than mine if there turns out to be a problem.

Eventually, I believe that some version of the buffer tuning concept will be incorporated, but it has to meet the high quality requirements of the development group. In the meantime, early adopters and other people willing to incorporate this patch are perfectly free to do so. In fact, even when communicating with non-HPN hosts a performance boost will be seen if the bulk data flow is in the direction of the HPN patch host. So even without incorporation of the patch into the main source tree people can see these advantages.

Development is ongoing and a new version of the patch will be available shortly. This new version of the patch will hopefully address a performance issue in LAN transfers.

Chris Rapier

fast wrote:
> Hi,
>
> http://www.psc.edu/networking/projects/hpn-ssh/
>
> Clearly, the HPN patches significantly boost throughput performance.
> This enhancement is entirely from tuning the SSH buffer sizes.
>
> Alex Tavcar

From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 30 Mar 2006 00:18:04 +1100
Subject: sshd config parser
Message-ID: <442A890C.9050003@zip.com.au>

Hi All.

For various reasons, we're currently looking at extending (or even overhauling) the config parser used for sshd_config.

Right now the syntax I'm looking at is a cumulative "Match" keyword that matches when all of the specified criteria are met. This would be similar to the Host directive used in ssh_config, although it's still limiting (eg you can't easily nest directives).

"Match" would be first-match, same as ssh_config. (I think this is simpler for both implementation and configuration, but needs more careful planning of the directives).

This would be especially useful with the RequiredAuthentications patch in bugzilla, eg:

    # allow anyone to authenticate normally from the local net
    Match Address 192.168.0.0/24
        RequiredAuthentications default

    # allow admins from the dmz with pubkey and password
    Match Group admins Address 1.2.3.0/24
        RequiredAuthentications publickey,password

    # deny untrusted and local users from any other net
    Match Group untrusted,lusers
        RequiredAuthentications deny

    # anyone else gets normal behaviour
    Match all
        RequiredAuthentications default

There's also some potential for other things too:

    Match User anoncvs
        PermitTcpForwarding no

    Match Group nosftp
        Subsystem sftp /bin/false

Anyway, some food for thought.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
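To make the proposed semantics concrete, here is an added example, written for this thread rather than taken from OpenSSH or the bugzilla patch: a small evaluator for the cumulative "Match" syntax as Darren describes it (every criterion on a Match line must hold; the first matching block wins; "Match all" always matches), run against the sample sshd_config fragment above. RequiredAuthentications is treated as an opaque directive value, since its exact semantics belong to the patch. The user's group membership is passed in as constructed data instead of being looked up in the system group database.

```python
"""First-match evaluator for the proposed sshd_config "Match" syntax.

Added example, not OpenSSH code. Models the proposal in the post: a Match
block applies only if all of its criteria hold, and the first block that
applies overrides the global directives. Groups and connections are
constructed inline.
"""
import ipaddress
from dataclasses import dataclass, field

# The sample fragment from the post (RequiredAuthentications is the directive
# from the bugzilla patch; its values are treated as opaque strings here).
SAMPLE_CONFIG = """\
# allow anyone to authenticate normally from the local net
Match Address 192.168.0.0/24
    RequiredAuthentications default

# allow admins from the dmz with pubkey and password
Match Group admins Address 1.2.3.0/24
    RequiredAuthentications publickey,password

# deny untrusted and local users from any other net
Match Group untrusted,lusers
    RequiredAuthentications deny

# anyone else gets normal behaviour
Match all
    RequiredAuthentications default
"""


@dataclass
class Connection:
    user: str
    address: str
    groups: frozenset   # constructed group membership, not looked up via getgrent


@dataclass
class MatchBlock:
    criteria: list                                  # (keyword, [values]) pairs; all must hold
    directives: dict = field(default_factory=dict)  # keyword -> value set in this block


def parse_config(text):
    """Split a config into global directives and an ordered list of Match blocks."""
    global_directives, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword.lower() == "match":
            tokens = rest.split()
            if tokens == ["all"]:
                criteria = []                 # empty criteria list: always matches
            else:
                if len(tokens) % 2:
                    raise ValueError(f"Match needs criterion/value pairs: {line!r}")
                criteria = [(tokens[i].lower(), tokens[i + 1].split(","))
                            for i in range(0, len(tokens), 2)]
            current = MatchBlock(criteria)
            blocks.append(current)
        elif current is None:
            global_directives[keyword] = rest.strip()
        else:
            current.directives[keyword] = rest.strip()
    return global_directives, blocks


def criterion_holds(keyword, values, conn):
    """Evaluate one criterion; comma-separated values are alternatives."""
    if keyword == "user":
        return conn.user in values
    if keyword == "group":
        return any(g in conn.groups for g in values)
    if keyword == "address":
        ip = ipaddress.ip_address(conn.address)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"unsupported Match criterion: {keyword}")


def effective_directives(text, conn):
    """Global directives overridden by the first Match block whose criteria all hold."""
    global_directives, blocks = parse_config(text)
    result = dict(global_directives)
    for block in blocks:
        if all(criterion_holds(k, v, conn) for k, v in block.criteria):
            result.update(block.directives)
            break                             # first match wins, as in the proposal
    return result


def required_auth(conn, text=SAMPLE_CONFIG):
    return effective_directives(text, conn).get("RequiredAuthentications")


if __name__ == "__main__":
    for c in (Connection("alice", "192.168.0.5", frozenset({"admins"})),
              Connection("alice", "1.2.3.4", frozenset({"admins"})),
              Connection("bob", "10.0.0.1", frozenset({"lusers"}))):
        print(c.user, c.address, "->", required_auth(c))
```

Because evaluation is first-match, block order is policy: a user who is in both "admins" and "lusers" connecting from 1.2.3.0/24 gets the admin block, and any "lusers" member on 192.168.0.0/24 gets the local-net block rather than the deny. Reordering the blocks changes the outcome, which is the "careful planning of the directives" the post mentions.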
From: smooge at gmail.com (Stephen J. Smoogen)
Date: Wed, 29 Mar 2006 09:34:49 -0700
Subject: sshd config parser
In-Reply-To: <442A890C.9050003@zip.com.au>
References: <442A890C.9050003@zip.com.au>
Message-ID: <80d7e4090603290834q4f6fbc14vf3cafcc0bbc9da57@mail.gmail.com>

On 3/29/06, Darren Tucker wrote:
> Hi All.
>
> For various reasons, we're currently looking at extending (or even
> overhauling) the config parser used for sshd_config.
>

This looks very very good. I have seen this in some other versions of SSH, and it has been useful for some administration on older unixes (Setup special administration rights from localhost only with people in this group.) Being able to stop TCP-forwarding and such for wrapped services would also be useful to keep out the level 0 crackpots (though I will bet it isn't a solution in itself.)

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

From: ndbecker2 at gmail.com (Neal Becker)
Date: Wed, 29 Mar 2006 11:56:21 -0500
Subject: knownhosts grows without bound

As probably a lot of us know, if you use DHCP then your knownhosts will potentially grow without bound. Has anything been done to address this?
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Wed, 29 Mar 2006 10:01:38 -0800 (PST)
Subject: sshd config parser
In-Reply-To: <442A890C.9050003@zip.com.au> from "Darren Tucker" at Mar 30, 2006 12:18:04 AM
Message-ID: <200603291801.k2TI1cch022202@sun601.nas.nasa.gov>

This looks _VERY_ interesting. Good idea!

On Wed Mar 29 05:18:04 2006, Darren Tucker wrote:
>
> Hi All.
>
> For various reasons, we're currently looking at extending (or even
> overhauling) the config parser used for sshd_config.
>
> Right now the syntax I'm looking at is a cumulative "Match" keyword that
> matches when all of the specified criteria are met. This would be
> similar to the Host directive used in ssh_config, although it's still
> limiting (eg you can't easily nest directives).
>
> "Match" would be first-match, same as ssh_config. (I think this is
> simpler for both implementation and configuration, but needs more
> careful planning of the directives).
>
> This would be especially useful with the RequiredAuthentications patch
> in bugzilla, eg:
>
> # allow anyone to authenticate normally from the local net
> Match Address 192.168.0.0/24
> RequiredAuthentications default
>
> # allow admins from the dmz with pubkey and password
> Match Group admins Address 1.2.3.0/24
> RequiredAuthentications publickey,password
>
> # deny untrusted and local users from any other net
> Match Group untrusted,lusers
> RequiredAuthentications deny
>
> # anyone else gets normal behaviour
> Match all
> RequiredAuthentications default
>
> There's also some potential for other things too:
>
> Match User anoncvs
> PermitTcpForwarding no
>
> Match Group nosftp
> Subsystem sftp /bin/false
>
> Anyway, some food for thought.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

--
Iain Morgan

From: dkg-openssh.com at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 29 Mar 2006 13:40:41 -0500
Subject: sshd config parser
In-Reply-To: <442A890C.9050003@zip.com.au>
References: <442A890C.9050003@zip.com.au>
Message-ID: <17450.54441.358028.399372@localhost.localdomain>

On March 30, dtucker at zip.com.au said:
> Right now the syntax I'm looking at is a cumulative "Match" keyword
> that matches when all of the specified criteria are met. This
> would be similar to the Host directive used in ssh_config,
> although it's still limiting (eg you can't easily nest directives).

I'll chime in thirdly to say that this sounds very good. I've been wanting controls like this for sshd for a while, but hadn't taken the time to articulate it clearly. It looks like this proposal would meet my needs quite well.

Thanks!

--dkg
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 29 Mar 2006 23:13:12 +0200
Subject: sshd config parser
In-Reply-To: <17450.54441.358028.399372@localhost.localdomain>
References: <442A890C.9050003@zip.com.au> <17450.54441.358028.399372@localhost.localdomain>
Message-ID: <20060329211312.GW22955@greenie.muc.de>

Hi,

On Wed, Mar 29, 2006 at 01:40:41PM -0500, Daniel Kahn Gillmor wrote:
> I'll chime in thirdly to say that this sounds very good. I've been
> wanting controls like this for sshd for a while, but hadn't taken the
> time to articulate it clearly. It looks like this proposal would meet
> my needs quite well.

"fourthly", or so.

We have *exactly* this need at work - "from *this* network, permit password authentication. From everywhere else, only permit RSA keys or S/Key". (Right now, we do this with PAM, but it's not pretty).

Thanks for formulating an approach that will make all this very easy.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de