From openssh at roumenpetrov.info Sun Oct 1 06:09:37 2006
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sat, 30 Sep 2006 23:09:37 +0300
Subject: Announce: X.509 certificates support version 5.5.1 in OpenSSH 4.4p1
Message-ID: <451ECF01.1020401@roumenpetrov.info>

Hi All,

The version 5.5.1 of "X.509 certificates support in OpenSSH" is ready for download.
On the download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.5.1 you can find the diff for OpenSSH version 4.4p1.

What's new:
* specific diff of 5.5 for OpenSSH 4.4p1
  Because of OpenSSH source code changes, like include statements and the new server option "Match", X.509 certificate support specific files should be changed too, so those files cannot be the same as in 5.5 for OpenSSH 4.3p2 and 4.2p1. As a result of the OpenSSH changes a new version number, 5.5.1, is required.
* ocsp-path patch included
  The patch for the ocsp-path component issued on 4 Sep 2006 is included in this version.

Also note recent OpenSSL security advisories and make sure that your crypto library is not vulnerable.

Regards,
Roumen Petrov

More information about "X.509 certificates support in OpenSSH" at http://roumenpetrov.info/openssh/ .

From tim at multitalents.net Sun Oct 1 07:17:02 2006
From: tim at multitalents.net (Tim Rice)
Date: Sat, 30 Sep 2006 14:17:02 -0700 (PDT)
Subject: on FreeBSD
In-Reply-To: <868xk1leme.fsf@dwp.des.no>
References: <868xk1leme.fsf@dwp.des.no>
Message-ID:

On Sat, 30 Sep 2006, Dag-Erling Smørgrav wrote:
> FreeBSD's requires u_char to be defined:
>
> checking net/if_tap.h usability... no
> checking net/if_tap.h presence... yes
> configure: WARNING: net/if_tap.h: present but cannot be compiled
> configure: WARNING: net/if_tap.h: check for missing prerequisite headers?

Does the attached patch to configure.ac help?

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

-------------- next part --------------
--- configure.ac.old 2006-09-30 12:51:23.798481001 -0700 +++ configure.ac 2006-09-30 14:11:42.008801092 -0700 @@ -379,15 +379,7 @@ ;; esac # tun(4) forwarding compat code - AC_CHECK_HEADERS(linux/if_tun.h) - if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then - AC_DEFINE(SSH_TUN_LINUX, 1, - [Open tunnel devices the Linux tun/tap way]) - AC_DEFINE(SSH_TUN_COMPAT_AF, 1, - [Use tunnel device compatibility to OpenBSD]) - AC_DEFINE(SSH_TUN_PREPEND_AF, 1, - [Prepend the address family to IP tunnel traffic]) - fi + check_linux_if_tun_h=yes ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty]) @@ -399,8 +391,7 @@ need_dash_r=1 fi AC_DEFINE(SSH_TUN_FREEBSD, 1, [Open tunnel devices the FreeBSD way]) - AC_CHECK_HEADER([net/if_tap.h], , - AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) + check_net_if_tun_h=yes AC_DEFINE(SSH_TUN_PREPEND_AF, 1, [Prepend the address family to IP tunnel traffic]) ;;
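Review bot: the flag introduced in the FreeBSD hunk (@@ -399,8 +391,7 @@) is named check_net_if_tun_h, but the check it stands in for is AC_CHECK_HEADER([net/if_tap.h], ...); naming it check_net_if_tap_h would keep the variable and the header it gates in step and avoid a mix-up with the check_linux_if_tun_h flag set in the hunk just above it.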
@@ -808,6 +799,22 @@ #include ]) +if test "x$check_linux_if_tun_h" = "xyes" ; then + AC_CHECK_HEADERS(linux/if_tun.h) + if test "x$ac_cv_header_linux_if_tun_h" = "xyes" ; then + AC_DEFINE(SSH_TUN_LINUX, 1, + [Open tunnel devices the Linux tun/tap way]) + AC_DEFINE(SSH_TUN_COMPAT_AF, 1, + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE(SSH_TUN_PREPEND_AF, 1, + [Prepend the address family to IP tunnel traffic]) + fi +fi +if test "x$check_net_if_tun_h" = "xyes" ; then + AC_CHECK_HEADER([net/if_tap.h], , + AC_DEFINE(SSH_TUN_NO_L2, 1, [No layer 2 tunnel support])) +fi + # Checks for libraries. AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))

From dtucker at zip.com.au Sun Oct 1 08:15:09 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 1 Oct 2006 08:15:09 +1000
Subject: audit-bsm.c lacks
In-Reply-To: <864puplco5.fsf@dwp.des.no>
References: <864puplco5.fsf@dwp.des.no>
Message-ID: <20060930221509.GA21412@gate.dtucker.net>

On Sat, Sep 30, 2006 at 03:14:02PM +0200, Dag-Erling Smørgrav wrote:
[...]
> move #include out of includes.h; ok markus@
> ----------------------------
>
> However, it was never added to audit-bsm.c, which references errno
> twice:

Thanks, this has been added to both HEAD and the 4.4 branch.

It is not an issue on Solaris with BSM (which is one of the configurations tested regularly) because includes errno.h.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From alon.barlev at gmail.com Sun Oct 1 07:00:06 2006
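Review bot: in Tim Rice's relocated block at @@ -808,6 +799,22 @@, AC_CHECK_HEADER([net/if_tap.h], , ...) is still called without a prerequisite-includes argument, so the hunk does not show why the compile test now passes where it previously reported "present but cannot be compiled"; either add a comment naming the earlier check this now relies on, or pass the prerequisite explicitly as the fourth argument (for instance [#include <sys/types.h>], which is where u_char comes from), so the test no longer depends on where in configure.ac it happens to sit.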
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 1 Oct 2006 00:00:06 +0300
Subject: Announce: PKCS#11 support version 0.14 in OpenSSH 4.4p1
Message-ID: <200610010000.06972.alon.barlev@gmail.com>

Hi All,

The version of "PKCS#11 support in OpenSSH" is ready for download.
On the download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.4p1.

What's new:
- Some pkcs11-helper updates.
- Rebase against 4.4p1.

I will be grateful to receive any comments regarding this feature.

Best Regards,
Alon Bar-Lev.

From ric at ms.telcom.arizona.edu Mon Oct 2 01:23:48 2006
From: ric at ms.telcom.arizona.edu (Ric Anderson)
Date: Sun, 01 Oct 2006 08:23:48 -0700
Subject: new error message in 4.4p1
Message-ID: <451FDD84.4080204@ms.telcom.arizona.edu>

I'm trying to understand why I'm getting a new error message in 4.4p1, when 4.3p1 did not produce the error message. The config files are unchanged.

The new error in the log is

    Failed hostbased for xxx from nnn.nnn.nnn.nnn

That is followed by the usual

    Accepted hostbased for xxx from nnn.nnn.nnn.nnn

and the host based authentication continues to work correctly despite the new "Failed hostbased..." message.

Running sshd in debug shows that 4.4p1 tries a DSA host key ahead of the RSA host key. /etc/ssh/ssh_known_hosts2 only contains RSA keys, and 4.3p1 (and previous) OpenSSH versions did not produce any errors.

Is checking DSA keys ahead of RSA keys new in 4.4p1, or is this just a logging change of a previously unreported error?

Thanks
Ric Anderson (ric at ms.telcom.arizona.edu)

From des at des.no Mon Oct 2 22:48:21 2006
From: des at des.no (Dag-Erling Smørgrav)
Date: Mon, 02 Oct 2006 14:48:21 +0200
Subject: on FreeBSD
In-Reply-To: (Tim Rice's message of "Sat, 30 Sep 2006 14:17:02 -0700 (PDT)")
References: <868xk1leme.fsf@dwp.des.no>
Message-ID: <86ejtqkhnu.fsf@dwp.des.no>

Tim Rice writes:
> Does the attached patch to configure.ac help?

It does, thanks.

DES
--
Dag-Erling Smørgrav - des at des.no

From openssh at roumenpetrov.info Tue Oct 3 06:00:50 2006
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Mon, 02 Oct 2006 23:00:50 +0300
Subject: Announce: X.509 certificates support version 5.5.1 in OpenSSH 4.4p1
In-Reply-To: <451ECF01.1020401@roumenpetrov.info>
References: <451ECF01.1020401@roumenpetrov.info>
Message-ID: <45216FF2.4070001@roumenpetrov.info>

Download page correction: http://roumenpetrov.info/openssh/download.html#get_-5.5.1

Roumen Petrov wrote:
> Hi All,
>
> The version 5.5.1 of "X.509 certificates support in OpenSSH" is ready
> for download.
> On the download page
> http://roumenpetrov.info.localhost/openssh/download.html#get_-5.5.1
> you can find the diff for OpenSSH version 4.4p1.
>
> What's new:
> * specific diff of 5.5 for OpenSSH 4.4p1
> Because of OpenSSH source code changes, like include statements and the
> new server option "Match", X.509 certificate support specific files
> should be changed too, so those files cannot be the same as in 5.5 for
> OpenSSH 4.3p2 and 4.2p1.
> As a result of the OpenSSH changes a new version number, 5.5.1, is required.
> * ocsp-path patch included
> The patch for the ocsp-path component issued on 4 Sep 2006 is included in
> this version.
>
> Also note recent OpenSSL security advisories and make sure that your
> crypto library is not vulnerable.
>
> Regards,
> Roumen Petrov
>
> More information about "X.509 certificates support in OpenSSH" at
> http://roumenpetrov.info/openssh/ .
>

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

From sxw at inf.ed.ac.uk Tue Oct 3 06:40:28 2006
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Mon, 2 Oct 2006 21:40:28 +0100
Subject: GSSAPI Key Exchange for 4.4p1
Message-ID: <1C288F5D-277C-4A21-91A7-D3F5B6464384@inf.ed.ac.uk>

Hi,

I'm pleased to be able to announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.4p1. This patch adds RFC4462 compatibility to OpenSSH, along with adding additional GSSAPI support that is yet to make it into the main tree.

The patch implements:

*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. This can be enabled through the GSSAPIKeyExchange option on both client and server (bugzilla.mindrot.org #1242)
*) Support for the null host key type
*) Support for CCAPI caches on Mac OS X (bugzilla.mindrot.org #1245)
*) Don't penalise the client for authentication failures caused by server misconfiguration (bugzilla.mindrot.org #1244)
*) Better error reporting when using GSSAPI libraries containing multiple mechanisms (bugzilla.mindrot.org #1220)
*) Support for GSSAPI connections to hosts using a round-robin load balancer, through the GSSAPITrustDNS client option (bugzilla.mindrot.org #1008)
*) Support for GSSAPI connections to multi-homed hosts with multiple acceptor names, through the GSSAPIStrictAcceptorCheck server option (bugzilla.mindrot.org #928)
*) Tidy GSSAPI code separation between client and server (bugzilla.mindrot.org #1225)

As usual the code is available from http://www.sxw.org.uk/computing/patches/openssh.html

Thanks again to everyone who has sent patches and suggestions over the years!

Cheers,

Simon.

From tim at multitalents.net Wed Oct 4 02:57:42 2006
From: tim at multitalents.net (Tim Rice)
Date: Tue, 3 Oct 2006 09:57:42 -0700 (PDT)
Subject: on FreeBSD
In-Reply-To: <86ejtqkhnu.fsf@dwp.des.no>
References: <868xk1leme.fsf@dwp.des.no> <86ejtqkhnu.fsf@dwp.des.no>
Message-ID:

On Mon, 2 Oct 2006, Dag-Erling Smørgrav wrote:
> Tim Rice writes:
> > Does the attached patch to configure.ac help?
>
> It does, thanks.

I've committed a different patch that will work for future cases too.
It should be in the next snapshot.

>
> DES
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From william at 25thandClement.com Wed Oct 4 06:45:43 2006
From: william at 25thandClement.com (William Ahern)
Date: Tue, 3 Oct 2006 13:45:43 -0700
Subject: Patch: Unix Domain Socket Forwards for 4.4p1
Message-ID: <20061003204543.GA20022@orville.25thandClement.com>

I've updated the streamlocal patch for OpenSSH 4.4p1.

http://www.25thandclement.com/~william/projects/streamlocal.html

This patch allows for local and remote forwards, to and from Unix domain sockets. Simply specify the socket path, enclosed within square braces (i.e. -L[/tmp/.s.PGSQL.5432]:[/tmp/.s.PGSQL.5432]) as the origin and/or destination of the -R and -L switches.

This patch also includes additions to the regression suite.

Because I haven't had the time to separate them out, this patch incorporates two other features:

1) Explicit user/group restrictions on control sockets (instead of the fixed "sameuser or root" policy).
2) Being able to specify an explicit protocol banner for sshd.

From joevandyk at gmail.com Wed Oct 4 10:52:53 2006
From: joevandyk at gmail.com (Joe Van Dyk)
Date: Tue, 3 Oct 2006 17:52:53 -0700
Subject: Sending signal to process via channel
Message-ID:

Hi,

After I exec a process in a ssh channel, I would like to send it a signal. According to the ssh specs, I'd send a SSH_MSG_CHANNEL_REQUEST message across the channel with a "signal" string. But, it doesn't seem that openssh supports this.

I searched around and found http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104295745607575&w=2 from a couple years ago.

Is there any particular reason why this hasn't made its way into released code?

Thanks,
Joe

From pebenito at gentoo.org Fri Oct 6 22:17:29 2006
From: pebenito at gentoo.org (Chris PeBenito)
Date: Fri, 06 Oct 2006 08:17:29 -0400
Subject: [PATCH] fix SELinux function checks in configure
Message-ID: <1160137049.2840.0.camel@gorn.pebenito.net>

The following patch fixes the function checks in configure for getseuserbyname() and get_default_context_with_level(). These functions are in libselinux, and since -lselinux is not added to LIBS, these functions could never be found. Please apply.

configure.ac | 3 +++
1 file changed, 3 insertions(+)

--- openssh-4.4p1.orig/configure.ac 2006-09-24 15:08:59.000000000 -0400 +++ openssh-4.4p1/configure.ac 2006-10-02 22:22:41.658955080 -0400 @@ -3145,7 +3145,10 @@ AC_MSG_ERROR(SELinux support requires selinux.h header)) AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ], AC_MSG_ERROR(SELinux support requires libselinux library)) + save_LIBS="$LIBS" + LIBS="$LIBS $LIBSELINUX" AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) + LIBS="$save_LIBS" fi ] ) AC_SUBST(LIBSELINUX)

--
Chris PeBenito
Developer, Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243

From girishvenkatachalam at gmail.com Sun Oct 8 14:41:27 2006
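Review bot: the LIBS save/restore around AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) in the configure.ac hunk is the right fix, but the hunk carries no comment and the reason (both functions live in libselinux, which is otherwise not on the link line while the check runs) is only in the cover text; a one-line comment above save_LIBS="$LIBS" would stop a later tidy-up from dropping the two added lines. LIBSELINUX is guaranteed non-empty here only because the AC_CHECK_LIB just above errors out otherwise, which is also worth stating in that comment.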
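The channel request Joe asks about, as an added example that is not OpenSSH code or anything from the thread: the RFC 4254 section 6.9 "signal" request payload (and, going one step further than the question, the server's "exit-signal" payload from section 6.10) built and parsed in Python. The block produces the payload that goes inside an SSH binary packet; RFC 4253 framing, MAC and encryption are outside its scope.

```python
import struct
from typing import Tuple

SSH_MSG_CHANNEL_REQUEST = 98  # RFC 4254 section 5.4

# Signal names RFC 4254 section 6.10 defines, carried without the "SIG" prefix.
# Any other name is allowed only in the "name@domain" form.
RFC4254_SIGNALS = {"ABRT", "ALRM", "FPE", "HUP", "ILL", "INT", "KILL",
                   "PIPE", "QUIT", "SEGV", "TERM", "USR1", "USR2"}


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode an SSH 'string' at offset off; returns (payload, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string payload")
    return buf[off:off + n], off + n


def wire_signal_name(signal: str) -> str:
    """Map 'SIGTERM' or 'TERM' to the name the protocol carries, validating it."""
    name = signal[3:] if signal.startswith("SIG") else signal
    if name not in RFC4254_SIGNALS and "@" not in name:
        raise ValueError(f"{signal!r} is neither an RFC 4254 signal nor name@domain")
    return name


def build_signal_request(recipient_channel: int, signal: str) -> bytes:
    """Client -> server 'signal' request (RFC 4254 section 6.9):
    byte 98, uint32 recipient channel, string "signal", boolean FALSE, string name."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", recipient_channel)
            + ssh_string(b"signal")
            + b"\x00"  # want_reply is FALSE for "signal" per the RFC
            + ssh_string(wire_signal_name(signal).encode("ascii")))


def build_exit_signal(recipient_channel: int, signal: str, core_dumped: bool,
                      error_message: str = "", language: str = "") -> bytes:
    """Server -> client 'exit-signal' request (RFC 4254 section 6.10), sent when
    the command was terminated by a signal instead of exiting normally."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", recipient_channel)
            + ssh_string(b"exit-signal")
            + b"\x00"
            + ssh_string(wire_signal_name(signal).encode("ascii"))
            + (b"\x01" if core_dumped else b"\x00")
            + ssh_string(error_message.encode("utf-8"))
            + ssh_string(language.encode("ascii")))


def parse_channel_request(payload: bytes) -> dict:
    """Parse a channel request payload, filling in the fields specific to
    'signal' and 'exit-signal', and reject truncated or over-long input."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not an SSH_MSG_CHANNEL_REQUEST payload")
    if len(payload) < 5:
        raise ValueError("truncated channel number")
    (channel,) = struct.unpack(">I", payload[1:5])
    rtype, off = read_string(payload, 5)
    if off >= len(payload):
        raise ValueError("missing want_reply")
    req = {"channel": channel, "type": rtype.decode("ascii"),
           "want_reply": payload[off] != 0}
    off += 1
    if req["type"] in ("signal", "exit-signal"):
        name, off = read_string(payload, off)
        req["signal"] = name.decode("ascii")
    if req["type"] == "exit-signal":
        if off >= len(payload):
            raise ValueError("missing core_dumped")
        req["core_dumped"] = payload[off] != 0
        off += 1
        msg, off = read_string(payload, off)
        lang, off = read_string(payload, off)
        req["error_message"] = msg.decode("utf-8")
        req["language"] = lang.decode("ascii")
    if off != len(payload):
        raise ValueError(f"{len(payload) - off} trailing bytes after request")
    return req
```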
From: girishvenkatachalam at gmail.com (Girish Venkatachalam)
Date: Sun, 8 Oct 2006 10:11:27 +0530
Subject: FreeBSD 6.1 OpenSSH broken
Message-ID: <20061008044127.GA29949@lakshmi.susmita.org>

Hi,

I know this subject is better suited to the freebsd mailing list but I send it here because this mail is further to the mail I sent a couple of weeks ago about weird DH problems with FreeBSD OpenSSH.

It turned out that reinstalling OpenSSL solved the issue.

For those of you working on FreeBSD this is the solution.

    # cd /usr/ports/security/openssl
    # make deinstall
    # make reinstall

I will make available a cleaner fix if I get around to it.

I have been seeing several instances of Apache SSL not working, OpenSSH not working sometimes and various other problems with FreeBSD users.

Root cause is a broken OpenSSL library.

Please refer to my thread titled "weird DH problems" for details.

regards,
Girish

From girishvenkatachalam at gmail.com Mon Oct 9 02:32:52 2006
From: girishvenkatachalam at gmail.com (Girish Venkatachalam)
Date: Sun, 8 Oct 2006 22:02:52 +0530
Subject: FreeBSD 6.1 OpenSSH broken
In-Reply-To: <20061008044127.GA29949@lakshmi.susmita.org>
References: <20061008044127.GA29949@lakshmi.susmita.org>
Message-ID: <20061008163252.GB5712@lakshmi.susmita.org>

On Sun, Oct 08, 2006 at 10:11:27AM +0530, Girish Venkatachalam wrote:
> Hi,
>
> I know this subject is better suited to the freebsd mailing list but I send it here because this mail is further to the mail I sent a couple of weeks ago about weird DH problems with FreeBSD OpenSSH.
>
> It turned out that reinstalling OpenSSL solved the issue.
>
> For those of you working on FreeBSD this is the solution.
>
> # cd /usr/ports/security/openssl
> # make deinstall
> # make reinstall
>
> I will make available a cleaner fix if I get around to it.
>
> I have been seeing several instances of Apache SSL not working, OpenSSH not working sometimes and various other problems with FreeBSD users.
>
> Root cause is a broken OpenSSL library.
>
> Please refer to my thread titled "weird DH problems" for details.
>
> regards,
> Girish

I remember seeing long ago someone who tried to solve a "Corrupted MAC on input" error with scp. This is the culprit.

It is a guess of course but a pretty good one.

If that original poster is around, can you please confirm whether one of the boxes is FreeBSD?

I have mostly seen this problem during inward xfers to FreeBSD boxes.

Can you please try the above solution and verify if the problem goes away?

Thanks.

regards,
Girish

From rapier at psc.edu Mon Oct 9 02:46:55 2006
From: rapier at psc.edu (chris rapier)
Date: Sun, 08 Oct 2006 12:46:55 -0400
Subject: FreeBSD 6.1 OpenSSH broken
In-Reply-To: <20061008163252.GB5712@lakshmi.susmita.org>
References: <20061008044127.GA29949@lakshmi.susmita.org> <20061008163252.GB5712@lakshmi.susmita.org>
Message-ID: <45292B7F.4050008@psc.edu>

That might have been me but it was a linux box. The problem was actually not dependent on the OS but a bug in the Intel Pro1000 microcode. There were some other people who have run into that. The archive of that discussion can be found here

http://marc.theaimsgroup.com/?t=108316318300002&r=1&w=2

Girish Venkatachalam wrote:
> On Sun, Oct 08, 2006 at 10:11:27AM +0530, Girish Venkatachalam wrote:
>
>> Hi,
>>
>> I know this subject is better suited to the freebsd mailing list but I send it here because this mail is further to the mail I sent a couple of weeks ago about weird DH problems with FreeBSD OpenSSH.
>>
>> It turned out that reinstalling OpenSSL solved the issue.
>>
>> For those of you working on FreeBSD this is the solution.
>>
>> # cd /usr/ports/security/openssl
>> # make deinstall
>> # make reinstall
>>
>> I will make available a cleaner fix if I get around to it.
>>
>> I have been seeing several instances of Apache SSL not working, OpenSSH not working sometimes and various other problems with FreeBSD users.
>>
>> Root cause is a broken OpenSSL library.
>>
>> Please refer to my thread titled "weird DH problems" for details.
>>
>> regards,
>> Girish
>
> I remember seeing long ago someone who tried to solve a "Corrupted MAC on input" error with scp. This is the culprit.
>
> It is a guess of course but a pretty good one.
>
> If that original poster is around, can you please confirm whether one of the boxes is FreeBSD?
>
> I have mostly seen this problem during inward xfers to FreeBSD boxes.
>
> Can you please try the above solution and verify if the problem goes away?
>
> Thanks.
>
> regards,
> Girish
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From ribas at c3sl.ufpr.br Mon Oct 9 10:40:35 2006
From: ribas at c3sl.ufpr.br (Bruno Cesar Ribas)
Date: Sun, 8 Oct 2006 21:40:35 -0300
Subject: About sftp-server root path
Message-ID: <20061009004035.GA26201@c3sl.ufpr.br>

Hi,

I saw in the archive that some people made a patch to sftp-server, and that patch sets a root path. I'd like to know if there's an idea to apply that patch in the main tree of openssh?

With the use of SSHFS [which uses sftp-server], it would be interesting to have something like that, because as we have netboot workstations, access to devices [such as floppy, cdrom and usb data] is starting to be done through sshfs, but we don't want users to be able to make an sftp tunnel and mount other directories besides the pre-determined ones [i.e. /mnt].

Thanks

--
Bruno Ribas - ribas at c3sl.ufpr.br
http://web.inf.ufpr.br/ribas
C3SL: http://www.c3sl.ufpr.br

From efb at cotdazr.org Mon Oct 9 10:47:32 2006
From: efb at cotdazr.org (Ev Batey WA6CRE)
Date: Sun, 8 Oct 2006 17:47:32 -0700
Subject: Can not use auth_keys Mac OSX to Linux
Message-ID:

Connect from Mac OSX 10.4.8 / to Recent Linux .. Sys/Sw Versions in .txt ?

Refuses to accept keys in auth_keys .. bad keys "-----BEGIN" ... "-----END"

Is this open .. not found in site search ...

R/ Everett F Batey II - WA6CRE - http://www.cotdazr.org
800 545-6998 = 805 340-6471 / Office (805) 228-7180

From dtucker at zip.com.au Mon Oct 9 16:37:56 2006
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 09 Oct 2006 16:37:56 +1000
Subject: Can not use auth_keys Mac OSX to Linux
In-Reply-To:
References:
Message-ID: <4529EE44.4020702@zip.com.au>

Ev Batey WA6CRE wrote:
> Connect from Mac OSX 10.4.8 / to Recent Linux .. Sys/Sw Versions in .txt

Your attachment appears to have been stripped by the list server. It will do that for any non-text MIME types.

> Refuses to accept keys in auth_keys .. bad keys "-----BEGIN" ...
> "-----END"

If the rest of that line says things like "-----BEGIN RSA PRIVATE KEY-----" then that's a private key and is not what you need to put into authorized_keys. There should be a corresponding key file with a ".pub" extension which is what you need to use. If there's not then you can extract the public components from the private key like so:

    $ ssh-keygen -y -f id_rsa >id_rsa.pub

(or simply generate a new set if you haven't deployed this key anywhere).

> Is this open .. not found in site search ...

I'm sorry but I can't make out your meaning here.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From efb at cotdazr.org Tue Oct 10 02:06:22 2006
From: efb at cotdazr.org (Ev Batey WA6CRE)
Date: Mon, 9 Oct 2006 09:06:22 -0700
Subject: Can not use auth_keys Mac OSX to Linux
In-Reply-To: <4529EE44.4020702@zip.com.au>
References: <4529EE44.4020702@zip.com.au>
Message-ID: <6F8BE43C-FEAF-438F-9A61-10DB4583B6D0@cotdazr.org>

Darren and List ..

From MacOSX 10.4.8 (PPC)
Src Host: Darwin efbmac 8.8.0 Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC Power Macintosh powerpc
Src SSH: OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005

To Intel Linux Fedora Core
Dst Host: Linux sm 2.6.17-1.2187_FC5 #1 Mon Sep 11 01:17:06 EDT 2006 i686 i686 i386 GNU/Linux
Dst SSH: OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005

Happy to send the debug file off list.

On Oct 8, 2006, at 23:37, Darren Tucker wrote:
> Ev Batey WA6CRE wrote:
>> Connect from Mac OSX 10.4.8 / to Recent Linux .. Sys/Sw Versions
>> in .txt .. attachment was .txt .. above
>> Refuses to accept keys in auth_keys .. bad keys "-----BEGIN" ...
>> "-----END"

ssh_log:debug2: key_type_from_name: unknown key type '-----BEGIN'
ssh_log:debug2: key_type_from_name: unknown key type '-----END'

that is all there was in debug2

Yes I did distribute the .pub

> If ... line says things like "-----BEGIN RSA PRIVATE KEY-----" then
> that's a private key and is not what you need to put into
> authorized_keys. There should be a corresponding key file with a
> ".pub"

My same key file works fine with FreeBSD remote hosts.

>> Is this open .. not found in site search ...

WAS this an open issue OpenSSH Mac OSX to Linux for the versions above?
COULD not find any clue of this failure in any OpenSSH bug reports.

> Darren Tucker (dtucker at zip.com.au)

R/ Everett F Batey II - WA6CRE - http://www.cotdazr.org
800 545-6998 = 805 340-6471

From djm at mindrot.org Tue Oct 10 09:50:40 2006
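A check for the failure Darren describes above (a private key file pasted into authorized_keys, which sshd reports as unknown key type '-----BEGIN'), added here as an example and not taken from the thread or from OpenSSH: it classifies each authorized_keys line, rejects PEM armour and base64 body lines, and confirms that the key type named in the line matches the type string embedded at the start of the base64 blob. The sample file and the blob contents are constructed and are not real keys.

```python
import base64
import struct
from typing import List, Tuple

# Key types accepted at the start of an authorized_keys entry. ssh-rsa and
# ssh-dss are what the 4.x servers in this thread knew; the rest came later.
KNOWN_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    """Return the key type string that every OpenSSH public key blob starts with."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated type string")
    return blob[4:4 + n].decode("ascii", errors="replace")


def check_line(line: str) -> Tuple[str, str]:
    """Classify one authorized_keys line as ('ok' | 'skip' | 'error', detail)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ("skip", "blank or comment")
    if stripped.startswith("-----BEGIN") or stripped.startswith("-----END"):
        return ("error", "PEM armour line: this is a private key file, not a .pub")
    tokens = stripped.split()
    # The type is the first token, or the second when key options precede it.
    for idx in (0, 1):
        if idx < len(tokens) and tokens[idx] in KNOWN_TYPES:
            break
    else:
        return ("error", f"no recognised key type in {tokens[0][:20]!r}")
    if idx + 1 >= len(tokens):
        return ("error", "key type present but no base64 blob follows")
    declared = tokens[idx]
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        embedded = blob_key_type(blob)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return ("error", f"blob does not decode: {exc}")
    if embedded != declared:
        return ("error", f"declared {declared} but blob says {embedded}")
    return ("ok", declared)


def check_file(text: str) -> List[Tuple[int, str, str]]:
    """Run check_line over a whole file; returns (line number, status, detail)."""
    return [(i, *check_line(line)) for i, line in enumerate(text.splitlines(), 1)]


def constructed_blob(key_type: str) -> str:
    """Base64 blob with the real layout (type string, mpint e, mpint n) but
    constructed filler numbers: it parses, but it is not a usable key."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + b"\xc3" * 8
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(e)
                            + ssh_string(n)).decode()


# Constructed sample authorized_keys: two good entries, a pasted private key
# file (armour plus one base64 body line), and a type/blob mismatch.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    "ssh-rsa " + constructed_blob("ssh-rsa") + " user@efbmac",
    'from="10.0.0.0/8" ssh-rsa ' + constructed_blob("ssh-rsa") + " restricted",
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEowIBAAKCAQEAconstructedNotARealKeyBody",
    "-----END RSA PRIVATE KEY-----",
    "ssh-rsa " + constructed_blob("ssh-dss") + " mismatched",
])

if __name__ == "__main__":
    for lineno, status, detail in check_file(SAMPLE):
        print(f"line {lineno}: {status}: {detail}")
```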
From: djm at mindrot.org (Damien Miller)
Date: Tue, 10 Oct 2006 09:50:40 +1000 (EST)
Subject: About sftp-server root path
In-Reply-To: <20061009004035.GA26201@c3sl.ufpr.br>
References: <20061009004035.GA26201@c3sl.ufpr.br>
Message-ID:

On Sun, 8 Oct 2006, Bruno Cesar Ribas wrote:
> Hi,
>
> I saw in archive that some people made a patch to sftp-server, and
> that patch sets a root path. I'd like to know if there's an ideia to
> apply that patch in main tree of openssh?
>
> With the use of SSHFS [wich uses sftp-server], it would be interesting
> to have someting like that, because as we have netboot workstations,
> the access to devices [such as, floppy, cdrom and usb data] are
> becoming to be used by sshfs, but we don't want that users can make an
> sftp tunnell and mount others directories besides those pre-determined
> [i.e /mnt].

Here is my current sftp-server chroot diff for OpenBSD. It should apply to portable too, but it will be up to you to make a change that corresponds to the sftp-server/Makefile hunk.

Chroot is enabled using commandline options to sftp-server much like the new logging options.

I think the patch is safe, but haven't run through the extra code it exposes with root privileges or fully considered what new attacks it might enable - so don't apply it unless you are willing to do so. I don't know when I'll have time to come back to this, but maybe some lurkers on this mailing list feel like analysing/auditing it.

-d

diff -urp ssh/sftp-server/Makefile ssh-x/sftp-server/Makefile --- sftp-server/Makefile Tue Jun 13 11:22:55 2006 +++ sftp-server/Makefile Sat Apr 22 09:41:18 2006 @@ -5,7 +5,7 @@ PROG= sftp-server BINOWN= root -BINMODE?=555 +BINMODE?=4555 BINDIR= /usr/libexec MAN= sftp-server.8 diff -urp ssh/sftp-server.8 ssh-x/sftp-server.8 --- sftp-server.8 Tue Jun 13 11:23:10 2006 +++ sftp-server.8 Tue Apr 25 18:16:06 2006
@@ -30,6 +30,7 @@ .Nd SFTP server subsystem .Sh SYNOPSIS .Nm sftp-server +.Op Fl C Ar chroot_path .Op Fl f Ar log_facility .Op Fl l Ar log_level .Sh DESCRIPTION @@ -54,6 +55,25 @@ for more information. .Pp Valid options are: .Bl -tag -width Ds +.It Fl C Ar chroot_path +Requests that +.Nm +.Xr chroot 2 +itself to the specified path prior to processing requests from the user. +The +.Ar chroot_path +use the tilde syntax to refer to a user's home directory or one of the +following +escape characters: +.Ql %d +(local user's home directory) or +.Ql %g +(local user's primary group name). +Note that +.Xr chroot 2 +support requires +.Nm +to be installed setuid root. .It Fl f Ar log_facility Specifies the facility code that is used when logging messages from .Nm . diff -urp ssh/sftp-server.c ssh-x/sftp-server.c --- sftp-server.c Tue Jun 13 11:23:42 2006 +++ sftp-server.c Tue Jun 13 11:24:35 2006 @@ -1154,6 +1154,35 @@ process(void) buffer_consume(&iqueue, msg_len - consumed); } +static void +do_chroot(const char *chroot_path_template) +{ + char *cp, *chroot_path; + struct group *gr; + + if ((gr = getgrgid(pw->pw_gid)) == NULL) + fatal("No group found for gid %lu", (u_long)pw->pw_gid); + + cp = percent_expand(chroot_path_template, "d", pw->pw_dir, + "u", pw->pw_name, "g", gr->gr_name, (char *)NULL); + chroot_path = tilde_expand_filename(cp, getuid()); + xfree(cp); + + logit("chroot to %s", chroot_path); + + /* Ensure the user has rights to access the chroot path first */ + temporarily_use_uid(pw); + if (chdir(chroot_path) == -1) + fatal("chdir(\"%s\"): %s", chroot_path, strerror(errno)); + restore_uid(); + + if (chroot(chroot_path) == -1) + fatal("chroot(\"%s\"): %s", chroot_path, strerror(errno)); + if (chdir("/") == -1) + fatal("chdir(\"/\"): %s", strerror(errno)); + xfree(chroot_path); +} + /* Cleanup handler that logs active handles upon normal exit */ void cleanup_exit(int i) 
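Review bot: the -C text in the sftp-server.8 hunk (@@ -54,6 +55,25 @@) lists only %d and %g, but do_chroot also expands %u (the local user name) through percent_expand, so the man page should document all three escapes; and "The chroot_path use the tilde syntax" should read "may use", since the tilde form is optional.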
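Review bot: in the do_chroot hunk, the unprivileged chdir(chroot_path) and the subsequent root chroot(chroot_path) resolve the path independently, so the access check and the chroot can land in different directories if any component of the path is writable by the user (a symlink swapped between the two calls); chroot to the directory already entered instead (chroot(".") after restore_uid), and consider rejecting a target that is not root-owned or is writable by others. This is exactly the privileged code path the cover mail asks reviewers to look at.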
@@ -1179,7 +1208,7 @@ main(int argc, char **argv) int in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen, set_size; SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; - char *cp; + char *cp, *chroot_path = NULL; extern int optind; extern char *optarg; @@ -1192,6 +1221,9 @@ main(int argc, char **argv) while (!skipargs && (ch = getopt(argc, argv, "C:f:l:che")) != -1) { switch (ch) { + case 'C': + chroot_path = optarg; + break; case 'c': /* * Ignore all arguments if we are invoked as a @@ -1236,6 +1268,11 @@ main(int argc, char **argv) logit("session opened for client %s local user %s", client_addr, pw->pw_name); + if (chroot_path != NULL) + do_chroot(chroot_path); + if (getuid() != geteuid()) + permanently_set_uid(pw); + handle_init(); in = dup(STDIN_FILENO);

From william at 25thandClement.com Tue Oct 10 10:20:17 2006
From: william at 25thandClement.com (William Ahern)
Date: Mon, 9 Oct 2006 17:20:17 -0700
Subject: Patch: Unix Domain Socket Forwards for 4.4p1
In-Reply-To: <20061003204543.GA20022@orville.25thandClement.com>
References: <20061003204543.GA20022@orville.25thandClement.com>
Message-ID: <20061010002017.GA20740@orville.25thandClement.com>

There's an updated patch available which fixes a portability issue. The patch should now work on OpenBSD (from 4.4p1), and on any other platform where getpeername() could return a zero-length address [for AF_UNIX sockets].

http://www.25thandclement.com/~william/projects/streamlocal.html

From menard_1 at yahoo.com Wed Oct 11 04:09:43 2006
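Review bot: in the main() hunk (@@ -1236,6 +1268,11 @@) do_chroot runs before handle_init, and cleanup_exit, per the context comment in the do_chroot hunk, still logs active handles on exit; anything logged after the chroot needs a syslog socket reachable inside the new root, otherwise those messages are lost silently. That caveat belongs in the -C documentation next to the setuid-root requirement.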
From: menard_1 at yahoo.com (Clark Menard)
Date: Tue, 10 Oct 2006 11:09:43 -0700 (PDT)
Subject: Use remote machine environmental variables
Message-ID: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>

I am having an issue passing a command through ssh which uses an environment variable. I would like the environment variable to be read from the remote host, but it is being read from the local host.

For instance:

    ssh rhost ls -lm $WWW_HOME

$WWW_HOME is set as /usr/www on local but /var/www on the remote so it is being read as:

    ssh rhost ls -lm /usr/www

and I'd like it to be

    ssh rhost ls -lm /var/www

Any thoughts would be appreciated, thanks for your help.

From william at 25thandClement.com Wed Oct 11 07:57:35 2006
From: william at 25thandClement.com (William Ahern)
Date: Tue, 10 Oct 2006 14:57:35 -0700
Subject: Use remote machine environmental variables
In-Reply-To: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>
References: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>
Message-ID: <20061010215735.GA21244@orville.25thandClement.com>

On Tue, Oct 10, 2006 at 11:09:43AM -0700, Clark Menard wrote:
> I am having an issue passing a command through ssh which uses an environment variable. I would like the environment variable to be read from the remote host, but it is being read from the local host.
>
> For instance:
>
> ssh rhost ls -lm $WWW_HOME
> ssh rhost ls -lm \$WWW_HOME

The issue is that your command is being variable interpolated by your local shell before executing ssh. You want to pass a literal '$WWW_HOME' argument to ssh (so it can pass it over the ssh channel), so you need to escape it from the local shell.

- Bill

From djm at mindrot.org Wed Oct 11 07:58:45 2006
From: djm at mindrot.org (Damien Miller)
Date: Wed, 11 Oct 2006 07:58:45 +1000 (EST)
Subject: Use remote machine environmental variables
In-Reply-To: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>
References: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>
Message-ID:

On Tue, 10 Oct 2006, Clark Menard wrote:
> I am having an issue passing a command through ssh which uses an
> environment variable. I would like the environment variable to be read
> from the remote host, but it is being read from the local host.
>
> For instance:
>
> ssh rhost ls -lm $WWW_HOME

try:

    ssh rhost "ls -lm $WWW_HOME"

otherwise your local shell will digest the environment variable in your command line without passing it to the other end.

From djm at mindrot.org Wed Oct 11 08:23:18 2006
From: djm at mindrot.org (Damien Miller)
Date: Wed, 11 Oct 2006 08:23:18 +1000 (EST)
Subject: Use remote machine environmental variables
In-Reply-To:
References: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>
Message-ID:

please send it to the list :)

On Tue, 10 Oct 2006, Tim Rice wrote:
> [ not sent to list]
> On Wed, 11 Oct 2006, Damien Miller wrote:
>
> > try:
> >
> > ssh rhost "ls -lm $WWW_HOME"
>
> Actually that would be.
> ssh rhost 'ls -lm $WWW_HOME'
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
>

From jmknoble at pobox.com Wed Oct 11 08:13:38 2006
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 10 Oct 2006 18:13:38 -0400
Subject: Use remote machine environmental variables
In-Reply-To:
References: <20061010180944.7784.qmail@web55510.mail.re4.yahoo.com>
Message-ID: <20061010221338.GI26385@crawfish.ais.com>

Circa 2006-10-10 17:58 dixit Damien Miller:

: try:
:
: ssh rhost "ls -lm $WWW_HOME"

(Damien very likely meant to use single quotes, as follows; otherwise the effect would be the same as without the quotes at all).

    ssh rhost 'ls -lm $WWW_HOME'

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: 6F39C2CC >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+

From behnam.rashidian at gmail.com Wed Oct 11 08:44:27 2006
From: behnam.rashidian at gmail.com (behnam rashidian)
Date: Tue, 10 Oct 2006 15:44:27 -0700
Subject: data streaming using SFTP
Message-ID: <8af4154f0610101544h145b50d6vae6c6bd8e6ff2726@mail.gmail.com>

Sorry to interrupt, just a quick question...

I need to find out if openssh has any functions that would read some memory chunk and transfer that chunk over SSH (what I mean here is SFTP), except that I don't want it to open a file and read it and transfer it since there will not be enough storage space to store files. Therefore I need to have some functions that would stream the data as they arrive on the fly. Please let me know if such a function exists in this package.

Thanks

From william at 25thandClement.com Wed Oct 11 09:46:42 2006
From: william at 25thandClement.com (William Ahern) Date: Tue, 10 Oct 2006 16:46:42 -0700 Subject: data streaming using SFTP In-Reply-To: <8af4154f0610101544h145b50d6vae6c6bd8e6ff2726@mail.gmail.com> References: <8af4154f0610101544h145b50d6vae6c6bd8e6ff2726@mail.gmail.com> Message-ID: <20061010234642.GA5966@orville.25thandClement.com> On Tue, Oct 10, 2006 at 03:44:27PM -0700, behnam rashidian wrote: > Sorry to interrupt, just a quick question... > > I need to find out if openssh has any functions that would read some memory > chuck and transfer that chunk over SSH ( what I mean here is SFTP), except > that I don't want it to open a file and read it and transfer it since there > will not be enough storage space to store files. Therefore I need to have > some functions that would stream the data as they arrive on the fly. Please > let me know if such function exists in this package. > Why must you use SFTP, which is a "file transfer protocol"? What you want is trivial with straight SSH: ssh foo at host cat /some/file | process_file or cat /some/file | ssh foo at host process_file From dkg-openssh.com at fifthhorseman.net Wed Oct 11 12:22:40 2006 
From: dkg-openssh.com at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 10 Oct 2006 22:22:40 -0400 Subject: data streaming using SFTP In-Reply-To: <20061010234642.GA5966@orville.25thandClement.com> References: <8af4154f0610101544h145b50d6vae6c6bd8e6ff2726@mail.gmail.com> <20061010234642.GA5966@orville.25thandClement.com> Message-ID: <17708.21872.758061.287247@squeak.fifthhorseman.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On October 10, william at 25thandClement.com said: > On Tue, Oct 10, 2006 at 03:44:27PM -0700, behnam rashidian wrote: > > Sorry to interrupt, just a quick question... > > > > I need to find out if openssh has any functions that would read > > some memory chuck and transfer that chunk over SSH ( what I mean > > here is SFTP), except that I don't want it to open a file and read > > it and transfer it since there will not be enough storage space to > > store files. Therefore I need to have some functions that would > > stream the data as they arrive on the fly. Please let me know if > > such function exists in this package. > > > > Why must you use SFTP, which is a "file transfer protocol"? > > What you want is trivial with straight SSH: > > ssh foo at host cat /some/file | process_file > > or > cat /some/file | ssh foo at host process_file Alternately, if your data is already coming in via TCP/IP, you could look at the LocalForward (-L) and RemoteForward (-R) options for openssh. man ssh_config or man ssh and grep for those options for more details. --dkg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.8+ iD8DBQFFLFUPiXTlFKVLY2URAkhFAKC5UCaavaZ4DIy6fiqevazmbctklQCeLhNw b4nxfk+FhiF5/izRNO3eBiE= =7ouR -----END PGP SIGNATURE----- From jcs at superblock.net Wed Oct 11 15:13:29 2006 
From: jcs at superblock.net (joshua stein) Date: Wed, 11 Oct 2006 00:13:29 -0500 Subject: data streaming using SFTP In-Reply-To: <20061010234642.GA5966@orville.25thandClement.com> References: <8af4154f0610101544h145b50d6vae6c6bd8e6ff2726@mail.gmail.com> <20061010234642.GA5966@orville.25thandClement.com> Message-ID: <20061011051328.85635a2@knockback.superblock.net> > Why must you use SFTP, which is a "file transfer protocol"? > > What you want is trivial with straight SSH: because sometimes the host you're connecting to only provides sftp access without a real shell that can run arbitrary commands. such is the case with a backup provider like strongspace.com. sftp(1) refuses to upload from /dev/stdin, but if the checks are altered with the hack below (against openbsd src), it works, but it's not pretty: $ echo "put /dev/stdin some-remote-file" > ~/a $ tar -czf - / | sftp -b ~/a some-remote-host the batch mode is necessary because otherwise sftp wants to read commands from stdin instead of the data you want to transfer. it would be nice to be able to read the put command from an argument and accept "-" as an input file. -- joshua stein :: superblock :: http://superblock.net/ Index: sftp-client.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v retrieving revision 1.74 diff -u -r1.74 sftp-client.c --- sftp-client.c 3 Aug 2006 03:34:42 -0000 1.74 +++ sftp-client.c 11 Oct 2006 04:58:03 -0000 @@ -1013,7 +1013,7 @@ close(local_fd); return(-1); } - if (!S_ISREG(sb.st_mode)) { + if (!(S_ISREG(sb.st_mode) || S_ISFIFO(sb.st_mode))) { error("%s is not a regular file", local_path); close(local_fd); return(-1); Index: sftp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp.c,v retrieving revision 1.92 diff -u -r1.92 sftp.c --- sftp.c 19 Sep 2006 05:52:23 -0000 1.92 +++ sftp.c 11 Oct 2006 04:58:04 -0000 
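Review bot: the sftp-client.c hunk lets FIFOs through the type check but leaves the error text underneath it as "%s is not a regular file", and the sftp.c hunk that follows admits character devices rather than FIFOs, so the two checks disagree on what counts as an uploadable non-regular file: a path that stats as a character device but is not open on a FIFO passes one test and fails the other with a message that no longer describes what was rejected. Since the message itself proposes accepting "-" as the input file, special-casing that one spelling for standard input in both places would keep the regular-file test intact for everything else, and the error string should name whatever the check actually refuses.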
@@ -492,7 +492,7 @@ if (stat(path, &sb) == -1) fatal("stat %s: %s", path, strerror(errno)); - return(S_ISREG(sb.st_mode)); + return(S_ISREG(sb.st_mode) || S_ISCHR(sb.st_mode)); } static int From vincenzo.sciarra at gmail.com Wed Oct 11 19:39:20 2006 From: vincenzo.sciarra at gmail.com (Vincenzo Sciarra) Date: Wed, 11 Oct 2006 11:39:20 +0200 Subject: New Module Tutorial Message-ID: <199b4dc20610110239r5051b988id3bc7ab1fc7af027@mail.gmail.com> Hi, how can add a new module in openSSH? Is there a tutorial? Thanks From vincenzo.sciarra at gmail.com Wed Oct 11 19:34:02 2006 From: vincenzo.sciarra at gmail.com (Vincenzo Sciarra) Date: Wed, 11 Oct 2006 11:34:02 +0200 Subject: No subject Message-ID: <199b4dc20610110234l48ab1277jfdc2704778150385@mail.gmail.com> From stuge-openssh-unix-dev at cdy.org Wed Oct 11 20:29:41 2006 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 11 Oct 2006 12:29:41 +0200 Subject: New Module Tutorial In-Reply-To: <199b4dc20610110239r5051b988id3bc7ab1fc7af027@mail.gmail.com> References: <199b4dc20610110239r5051b988id3bc7ab1fc7af027@mail.gmail.com> Message-ID: <20061011102941.20647.qmail@cdy.org> Hi, On Wed, Oct 11, 2006 at 11:39:20AM +0200, Vincenzo Sciarra wrote: > Hi, > how can add a new module in openSSH? > Is there a tutorial? No tutorials that I know of, sorry. But if by module you mean subsystem it's very easy to create the server end; just have your process communicate on standard io. If the client should be a monolithic program it has to include SSH code, but the unix way would be to execute ssh -s with the subsystem name as written in the server sshd.conf specified just like it was a command to be executed. -s makes the client ask for the subsystem instead. Please don't forget to add your domain name to the name if you're creating only a local subsystem. //Peter From menard_1 at yahoo.com Wed Oct 11 22:07:04 2006 
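Review bot: adding S_ISCHR to the return in sftp.c's stat()-based check makes it answer true for every character device, not only /dev/stdin, so a tty or /dev/zero now counts as a regular file for put; if standard input is the only case wanted, a dedicated check for the "-" argument the message suggests would be narrower than widening this predicate for all its callers.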
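Added example, following Peter Stuge's reply above about subsystems (example code, not OpenSSH's own and not from any list post): a small subsystem server that does nothing but talk over standard input and output, which is all sshd wires up for a Subsystem. The subsystem name echo@example.invalid, the install path, and the length-prefixed frame format are assumptions made for the example; the name carries a domain suffix as Peter recommends for a local subsystem. run_session() drives the same server in-process over constructed byte streams so it can be exercised without an sshd.

```python
#!/usr/bin/env python3
"""A minimal SSH subsystem server that talks over standard I/O.

Added example, not OpenSSH code and not from the list post.  Assumed
deployment (the names and path are made up):
  sshd_config:  Subsystem echo@example.invalid /usr/local/libexec/echo-subsystem
  client side:  ssh -s user@host echo@example.invalid
sshd only connects this process's stdin/stdout to the channel, so the framing
below is our own choice; 4-byte length prefixes keep payloads that contain
newlines unambiguous.
"""
import io
import struct
import sys

MAX_FRAME = 64 * 1024  # refuse absurd lengths before allocating for them


def read_frame(stream):
    """Read one length-prefixed frame; None on clean EOF, ValueError on a short read."""
    hdr = stream.read(4)
    if len(hdr) == 0:
        return None
    if len(hdr) < 4:
        raise ValueError("truncated frame header")
    (n,) = struct.unpack("!I", hdr)
    if n > MAX_FRAME:
        raise ValueError("frame too large: %d" % n)
    body = stream.read(n)
    if len(body) != n:
        raise ValueError("truncated frame body")
    return body


def write_frame(stream, payload):
    stream.write(struct.pack("!I", len(payload)) + payload)
    stream.flush()


def handle(request):
    """Dispatch one request and return the reply bytes."""
    cmd, _, arg = request.partition(b" ")
    if cmd == b"PING":
        return b"PONG"
    if cmd == b"ECHO":
        return arg
    if cmd == b"UPPER":
        return arg.upper()
    return b"ERR unknown command"


def serve(inp, out):
    """Answer requests until EOF on inp (client closed the channel); return the count."""
    handled = 0
    while True:
        req = read_frame(inp)
        if req is None:
            return handled
        write_frame(out, handle(req))
        handled += 1


def run_session(requests):
    """Drive serve() in-process over constructed byte streams; return the replies."""
    inp = io.BytesIO(b"".join(struct.pack("!I", len(r)) + r for r in requests))
    out = io.BytesIO()
    serve(inp, out)
    out.seek(0)
    replies = []
    while True:
        reply = read_frame(out)
        if reply is None:
            return replies
        replies.append(reply)


if __name__ == "__main__":
    # Under sshd, fds 0 and 1 are the channel; use the binary buffers, not text mode.
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

The server never looks at the environment or the tty, which is the point: a subsystem is started with no shell and no command line, so everything it needs has to arrive on stdin.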
From: menard_1 at yahoo.com (Clark Menard) Date: Wed, 11 Oct 2006 05:07:04 -0700 (PDT) Subject: Use remote machine environmental variables Message-ID: <20061011120705.13812.qmail@web55505.mail.re4.yahoo.com> Thank you for the follow up, this works perfectly. Clark ----- Original Message ---- From: William Ahern To: Clark Menard Cc: openssh-unix-dev at mindrot.org Sent: Tuesday, October 10, 2006 5:57:35 PM Subject: Re: Use remote machine environmental variables On Tue, Oct 10, 2006 at 11:09:43AM -0700, Clark Menard wrote: > I am having an issue passing a command through ssh which uses an environment variable. I would like the environment variable to be read from the remote host, but it is being read from the local host. > > For instance: > > ssh rhost ls -lm $WWW_HOME > ssh rhost ls -lm \$WWW_HOME The issue is that your command is being variable interpolated by your local shell before executing ssh. You want to pass a literal '$WWW_HOME' argument to ssh (so it can pass it over the ssh channel), so you need to escape it from the local shell. - Bill From william at 25thandClement.com Thu Oct 12 03:32:52 2006 
From: william at 25thandClement.com (William Ahern) Date: Wed, 11 Oct 2006 10:32:52 -0700 Subject: data streaming using SFTP In-Reply-To: <20061011051328.85635a2@knockback.superblock.net> References: <8af4154f0610101544h145b50d6vae6c6bd8e6ff2726@mail.gmail.com> <20061010234642.GA5966@orville.25thandClement.com> <20061011051328.85635a2@knockback.superblock.net> Message-ID: <20061011173252.GA25523@orville.25thandClement.com> On Wed, Oct 11, 2006 at 12:13:29AM -0500, joshua stein wrote: > > Why must you use SFTP, which is a "file transfer protocol"? > > > > What you want is trivial with straight SSH: > > because sometimes the host you're connecting to only provides sftp > access without a real shell that can run arbitrary commands. such > is the case with a backup provider like strongspace.com. > > sftp(1) refuses to upload from /dev/stdin, but if the checks are > altered with the hack below (against openbsd src), it works, but > it's not pretty: Initially I had assumed the file size might be a critical part of the protocol. But reading the spec it looks like SFTP is just a simple way to export Unix I/O--read, write, mkdir--across the network. Now I understand :) From petesea at bigfoot.com Thu Oct 12 11:12:20 2006 From: petesea at bigfoot.com (petesea at bigfoot.com) Date: Wed, 11 Oct 2006 18:12:20 -0700 (Pacific Daylight Time) Subject: GSSAPICleanupCredentials and UsePrivilegeSeparation Message-ID: It looks to me like GSSAPICleanupCredentials doesn't work if UsePrivilegeSeparation is set to "no". Is this a bug, or am I doing something wrong? On a related note, is there a SERVER way to disable GSSAPIDelegateCredentials? From vincenzo.sciarra at gmail.com Thu Oct 12 19:49:10 2006
From: vincenzo.sciarra at gmail.com (Vincenzo Sciarra) Date: Thu, 12 Oct 2006 11:49:10 +0200 Subject: New auth method Message-ID: <199b4dc20610120249n4e967ddbi92074830ef639618@mail.gmail.com> How can I add a new authentication method built by me to sshd? Thanks -- Vincenzo Sciarra From stuge-openssh-unix-dev at cdy.org Thu Oct 12 21:56:06 2006 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Thu, 12 Oct 2006 13:56:06 +0200 Subject: New auth method In-Reply-To: <199b4dc20610120249n4e967ddbi92074830ef639618@mail.gmail.com> References: <199b4dc20610120249n4e967ddbi92074830ef639618@mail.gmail.com> Message-ID: <20061012115606.7736.qmail@cdy.org> On Thu, Oct 12, 2006 at 11:49:20AM +0200, Vincenzo Sciarra wrote: > How can I add a new authentication method built by me to sshd? One idea is to use PAM. Or even NSS. That way other applications will be able to use your method too. //Peter From thmo-13 at gmx.de Sun Oct 15 21:55:00 2006 From: thmo-13 at gmx.de (ThMO) Date: Sun, 15 Oct 2006 13:55:00 +0200 Subject: v4.4p1: compile fix Message-ID: <45322194.1B9F836F@gmx.de> Hello, I've attached a small unified diff fixing a compilation problem under linux v2.0.35: - monitor_fdpass.c: need to be included in order to get the structures for cmsg... defined. - --with-mantype=man I would prefer this to be the default, but YMMV. THX for listening. CU Tom. (Thomas M.Ott) Germany -------------- next part -------------- --- openssh-4.4p1/monitor_fdpass.c.orig 2006-08-05 04:39:40.000000000 +0200 +++ openssh-4.4p1/monitor_fdpass.c 2006-10-15 13:10:51.000000000 +0200 @@ -29,7 +29,9 @@ #include #include #include - +#ifdef __linux__ /* (ThMO) */ + #include /* for cmsg... -- linux 2.0.35 (ThMO) */ +#endif #include #include #include From dtucker at zip.com.au Mon Oct 16 19:50:12 2006
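Review bot: the #ifdef __linux__ guard in this hunk keys the extra include on the compiler's platform macro rather than on a configure-time header test, so the header is pulled in on every Linux build whether or not that build needs it, and never on another system that lacks the cmsg definitions for the same reason; a HAVE_..._H guard from config.h, as in the version Darren Tucker applied in the following reply with HAVE_SYS_UN_H, is the form the portable tree uses for its other conditional includes. The indented "+ #include" inside the #ifdef also departs from the unindented style of the surrounding includes.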
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 16 Oct 2006 19:50:12 +1000 Subject: v4.4p1: compile fix In-Reply-To: <45322194.1B9F836F@gmx.de> References: <45322194.1B9F836F@gmx.de> Message-ID: <20061016095012.GA3330@gate.dtucker.net> On Sun, Oct 15, 2006 at 01:55:00PM +0200, ThMO wrote: > I've attached a small unified diff fixing a compilation problem > under linux v2.0.35: > > - monitor_fdpass.c: > need to be included in order to get the structures > for cmsg... defined. Thanks, a slightly different patch has been applied. Index: monitor_fdpass.c =================================================================== RCS file: /var/cvs/openssh/monitor_fdpass.c,v retrieving revision 1.20 diff -u -p -r1.20 monitor_fdpass.c --- monitor_fdpass.c 5 Aug 2006 02:39:40 -0000 1.20 +++ monitor_fdpass.c 16 Oct 2006 09:48:20 -0000 @@ -29,6 +29,9 @@ #include #include #include +#ifdef HAVE_SYS_UN_H +#include +#endif #include #include -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Judith.Fait at HVBIS.com Tue Oct 17 00:40:59 2006
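Review bot: the applied hunk drops the comment from the submitted patch, so nothing in the source now records that the include guarded by HAVE_SYS_UN_H exists for the cmsg structures on old Linux; a one-line comment beside the #ifdef would stop a later cleanup from removing an include that looks unused on every other platform.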
From: Judith.Fait at HVBIS.com (Judith.Fait at HVBIS.com) Date: Mon, 16 Oct 2006 16:40:59 +0200 Subject: AIX 5.2/53 issue "Undeclared identifier O_RDWR" Message-ID: <07E786854195E04A80065DA8C342E2840EFAFC@EXMECAB4.resdom.droot.net> Hi, I tried to build on AIX 5.2 and 5.3 and found a problem with openssh-4.4p1 / openssl-0.9.8d during make: when using gcc I get make echo (cd openbsd-compat && make) /usr/bin/gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c daemon.c daemon.c:81: warning: implicit declaration of function `open' daemon.c:81: error: `O_RDWR' undeclared (first use in this function) daemon.c:81: error: (Each undeclared identifier is reported only once daemon.c:81: error: for each function it appears in.) make: 1254-004 The error code from the last command is 1. (using IBM's vac: "openbsd-compat/daemon.c", line 81.51: 1506-045 (S) Undeclared identifier O_RDWR.) Any help would be appreciated regards, J. Fait From dtucker at zip.com.au Tue Oct 17 08:00:17 2006
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 17 Oct 2006 08:00:17 +1000 Subject: AIX 5.2/53 issue "Undeclared identifier O_RDWR" In-Reply-To: <07E786854195E04A80065DA8C342E2840EFAFC@EXMECAB4.resdom.droot.net> References: <07E786854195E04A80065DA8C342E2840EFAFC@EXMECAB4.resdom.droot.net> Message-ID: <453400F1.8060903@zip.com.au> Judith.Fait at HVBIS.com wrote: > I tried to build on AIX 5.2 and 5.3 and found a problem with > openssh-4.4p1 / openssl-0.9.8d during make: [...] > /usr/bin/gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized > -Wsign-compare -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c daemon.c > daemon.c:81: warning: implicit declaration of function `open' > daemon.c:81: error: `O_RDWR' undeclared (first use in this function) > daemon.c:81: error: (Each undeclared identifier is reported only once > daemon.c:81: error: for each function it appears in.) > make: 1254-004 The error code from the last command is 1. That's kinda odd, it ought to be declared in fcntl.h. What is HAVE_FCNTL_H set to in config.h? For that matter do you have a /usr/include/fcntl.h file? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From paolo.vicario at uniud.it Tue Oct 17 19:06:56 2006 
From: paolo.vicario at uniud.it (Paolo Vicario) Date: Tue, 17 Oct 2006 11:06:56 +0200 Subject: OpenSSH not compliant with RFC 4253? (Protocol Version Exchange string not ending with CR LF) Message-ID: <20061017110656.v9w0xeo5uu0ws4w0@webmail.uniud.it> (Maybe this is a re-posting: sorry for that.) Hello, a SonicWALL appliance that protects my servers' LAN has suddenly begun to refuse OpenSSH connections with the following message: 'SSH 2.0 Overly Long Protocol Version Exchange String, SID: 3696, Priority: High - This signature detects overly long "Protocol Version Exchange" string in SSH 2.0. The maximum length of the string, defined in RFC 4253, is 255 bytes.' Sniffing IP packets during a connection, I found that the problem is not the string length, but the string terminator: Version Exchange String does not end with CR LF (RFC 4253, section "4.2. Protocol Version Exchange"), but with CR only. I tried two different client versions, with the same result: Openssh V3.8.1p1 (Debian stable package ssh 3.8.1p1-8.sarge.4) Openssh V4.3p2 (Debian testing package openssh-client 4.3p2-3) Is (portable) OpenSSH compliant with RFC 4253? Is it a bug fixed in V4.4? Are Debian packages not compliant with (portable) OpenSSH official packages? Did anybody experience something like this? Thanks in advance, Paolo -- Paolo Vicario, Centro Servizi Informatici e Telematici (CSIT) Universita' degli Studi di Udine e-mail: paolo.vicario at uniud.it ---------------------------------------------------------------------- SEMEL (SErvizio di Messaging ELettronico) - CSIT -Universita' di Udine From georgeslegr at gmail.com Tue Oct 17 19:39:28 2006 
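Added example, following Paolo Vicario's question above about the version exchange (example code, not OpenSSH's and not the appliance's signature): a checker for one identification line against RFC 4253 section 4.2, which requires the form SSH-protoversion-softwareversion SP comments CR LF, at most 255 characters including the CR LF, with protoversion and softwareversion made of printable US-ASCII without whitespace or '-', and which allows a server to send other lines before it. It reports a CR-only or LF-only terminator separately from an over-long string, which is exactly the distinction the sniffed traffic in the question turned on. The banners used in the checks are constructed.

```python
"""Check an SSH identification string against RFC 4253 section 4.2.

Added example; not OpenSSH code and not the appliance's signature.  The
sample banners used in the checks are constructed.
"""
MAX_ID_LEN = 255  # includes the terminating CR LF


def find_identification(data: bytes):
    """Return the first line starting with 'SSH-' (terminator kept), skipping any
    pre-banner lines the server is allowed to send first."""
    pos = 0
    while pos < len(data):
        nl = data.find(b"\n", pos)
        end = len(data) if nl == -1 else nl + 1
        line = data[pos:end]
        if line.startswith(b"SSH-"):
            return line
        pos = end
    return None


def _field_ok(field: bytes) -> bool:
    # printable US-ASCII, no whitespace, no '-' (the field separator)
    return bool(field) and all(0x21 <= c <= 0x7E and c != 0x2D for c in field)


def check_identification(raw: bytes):
    """Validate one identification line as seen on the wire.

    Returns (ok, findings, parsed); parsed is (protoversion, softwareversion,
    comments) once the line is structurally readable, else None.
    """
    findings = []
    if raw.endswith(b"\r\n"):
        body = raw[:-2]
    elif raw.endswith(b"\n"):
        body = raw[:-1]
        findings.append("terminated by LF only; RFC 4253 requires CR LF")
    elif raw.endswith(b"\r"):
        body = raw[:-1]
        findings.append("terminated by CR only; RFC 4253 requires CR LF")
    else:
        body = raw
        findings.append("no line terminator")
    if len(raw) > MAX_ID_LEN:
        findings.append("%d bytes long; limit is 255 including CR LF" % len(raw))
    if not body.startswith(b"SSH-"):
        findings.append("does not start with 'SSH-'")
        return False, findings, None
    proto, sep, rest = body[4:].partition(b"-")
    if not sep:
        findings.append("missing '-' between protoversion and softwareversion")
        return False, findings, None
    software, _, comments = rest.partition(b" ")
    if not _field_ok(proto):
        findings.append("protoversion must be non-empty printable US-ASCII without whitespace or '-'")
    if not _field_ok(software):
        findings.append("softwareversion must be non-empty printable US-ASCII without whitespace or '-'")
    parsed = tuple(f.decode("ascii", "replace") for f in (proto, software, comments))
    return not findings, findings, parsed


if __name__ == "__main__":
    import sys
    line = find_identification(sys.stdin.buffer.read())
    print(check_identification(line) if line else "no SSH- line found")
```

Feeding it the first bytes captured from a connection (for instance the client's opening line from a packet capture) tells you whether the terminator or the length is what a signature like the one quoted above would be matching on.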
From: georgeslegr at gmail.com (Georges Le grand) Date: Tue, 17 Oct 2006 11:39:28 +0200 Subject: SSH and data priority In-Reply-To: <7d7b76890610170231r21127535sde210e3d48795dce@mail.gmail.com> References: <7d7b76890610170231r21127535sde210e3d48795dce@mail.gmail.com> Message-ID: <7d7b76890610170239u4eb498c3w696cdac0d9be0e68@mail.gmail.com> Dear all, I don't know if someone already posted the same question on the mailing list. I would like to know how to implement "Application Data Priority" with SSH. More precisely, I would like to secure, for example, POP, SMTP, FTP, HTTP and telnet with SSH and to associate 3 levels of priority: (HTTP, POP, SMTP, low) (FTP, medium) (telnet, high) Does SSH implement any function or any algorithm to do that? Thank you in advance George From monagin at lason.com Thu Oct 19 03:38:07 2006 From: monagin at lason.com (John Monagin) Date: Wed, 18 Oct 2006 13:38:07 -0400 Subject: Using CHROOT jail in SFTP Message-ID: Good afternoon, I have been using OpenSSH 3.8p1 and added code to sftp-server.c so I could put users in chroot jail. When I setup a new system and downloaded OpenSSH 4.4p1 and tried the same patch it fails with the following in the /var/log/messages file: sftp-server[11001]: fatal: Couldn't chroot to user directory /home/newyork/ftpbcc: Operation not permitted I was wondering why one would work and the other would not. I am running SUSE Linux Enterprise server 9.0. Regards, John Monagin Lason, Inc. Office - 734-632-1681 Fax - 734-632-1650 Cell - 248-767-3956 jmonagin at lason.com From stuge-openssh-unix-dev at cdy.org Fri Oct 20 10:57:45 2006
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Fri, 20 Oct 2006 02:57:45 +0200 Subject: SSH and data priority In-Reply-To: <7d7b76890610170239u4eb498c3w696cdac0d9be0e68@mail.gmail.com> References: <7d7b76890610170231r21127535sde210e3d48795dce@mail.gmail.com> <7d7b76890610170239u4eb498c3w696cdac0d9be0e68@mail.gmail.com> Message-ID: <20061020005745.2840.qmail@cdy.org> On Tue, Oct 17, 2006 at 11:39:28AM +0200, Georges Le grand wrote: > I would like how to implement "Application Data Priority" with SSH. > More precisely, I would like to secure, for example, POP, SMTP, > FTP, HTTP and telnet with SSH and to associate 3 levels of > priority: > > (HTTP, POP, SMTP, low) > (FTP, medium) > (telnet, high) > > Does SSH implement any function or any algorithm to do that? Not really, no. You can do port forwarding or a VPN setup with OpenSSH, but I think there are much better tools for doing priority configuration. //Peter From girishvenkatachalam at gmail.com Fri Oct 20 18:46:07 2006 
From: girishvenkatachalam at gmail.com (Girish Venkatachalam) Date: Fri, 20 Oct 2006 14:16:07 +0530 Subject: SSH and data priority In-Reply-To: <20061020005745.2840.qmail@cdy.org> References: <7d7b76890610170231r21127535sde210e3d48795dce@mail.gmail.com> <7d7b76890610170239u4eb498c3w696cdac0d9be0e68@mail.gmail.com> <20061020005745.2840.qmail@cdy.org> Message-ID: <20061020084607.GC23594@lakshmi.susmita.org> On Fri, Oct 20, 2006 at 02:57:45AM +0200, Peter Stuge wrote: > On Tue, Oct 17, 2006 at 11:39:28AM +0200, Georges Le grand wrote: > > I would like how to implement "Application Data Priority" with SSH. > > More precisely, I would like to secure, for example, POP, SMTP, > > FTP, HTTP and telnet with SSH and to associate 3 levels of > > priority: > > > > (HTTP, POP, SMTP, low) > > (FTP, medium) > > (telnet, high) > > > > Does SSH implement any function or any algorithm to do that? > > Not really, no. > > You can do port forwarding or a VPN setup with OpenSSH, but I think > there are much better tools for doing priority configuration. OpenBSD pf(4) is what you are looking for. From lindysandiego at yahoo.com Tue Oct 24 05:07:05 2006 
From: lindysandiego at yahoo.com (Thomas Baden) Date: Mon, 23 Oct 2006 12:07:05 -0700 (PDT) Subject: Disconnecting: Corrupted MAC on input. - Solaris 8 64-bit SPARC OpenSSH 4.4p1 Message-ID: <20061023190705.14581.qmail@web51713.mail.yahoo.com> Hi everyone, I tried finding this using Google, but no joy. I have a massive (6GB uncompressed, 2.9GB compressed) file I'm attempting to transfer using SCP or SFTP. I get a random length into the transfer, and then it aborts with "Disconnecting: Corrupted MAC on input." Both hosts are Solaris 8, using OpenSSH4.4p1 compiled 64-bit by the Sun Forte C compiler. I've tried passing -o'Compression no' and -o'MACs hmac-sha1,hmac-ripemd160,hmac-sha1-96' in an attempt to sidestep the MAC that's causing the grief (I assume it's MD5, as that's the default first MAC). It only seems to happen in connection with this one file, as other files (not nearly as large) all transfer without pain. Does anyone have any suggestions? scp -vvv gives the following when it bombs: ebug2: channel 0: window 57344 sent adjust 73728 debug2: channel 0: window 57344 sent adjust 73728 Disconnecting: Corrupted MAC on input. debug3: channel 0: close_fds r 4 w 5 e 6 c -1 lost connection I've even tried doing the following: ssh $host gzip -dc $file | gzip -9 > $file and got the same result. Cheers, -Thomas __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From rapier at psc.edu Tue Oct 24 06:22:47 2006 
From: rapier at psc.edu (Chris Rapier) Date: Mon, 23 Oct 2006 16:22:47 -0400 Subject: Disconnecting: Corrupted MAC on input. - Solaris 8 64-bit SPARC OpenSSH 4.4p1 In-Reply-To: <20061023190705.14581.qmail@web51713.mail.yahoo.com> References: <20061023190705.14581.qmail@web51713.mail.yahoo.com> Message-ID: <453D2497.2060605@psc.edu> More than likely this is due to a layer 1 problem somewhere along the path. I saw this happen with some of the older intel pro e1000 cards but I've also seen it happen with bad cables and flaky drivers (esp when using some sort of offloading). A straight forward tcp transfer will recover from some intermittent hardware faults by just retransmitting but MAC will, for obvious reasons, fail in these same conditions. You can try to isolate the problem by varying path components. Good luck Thomas Baden wrote: > Hi everyone, > > I tried finding this using Google, but no joy. > > I have a massive (6GB uncompressed, 2.9GB compressed) > file I'm attempting to transfer using SCP or SFTP. I > get a random length into the transfer, and then it > aborts with "Disconnecting: Corrupted MAC on input." > > Both hosts are Solaris 8, using OpenSSH4.4p1 compiled > 64-bit by the Sun Forte C compiler. I've tried > passing -o'Compression no' and -o'MACs > hmac-sha1,hmac-ripemd160,hmac-sha1-96' in an attempt > to sidestep the MAC that's causing the grief (I assume > it's MD5, as that's the default first MAC). It only > seems to happen in connection with this one file, as > other files (not nearly as large) all transfer without > pain. > > Does anyone have any suggestions? > > scp -vvv gives the following when it bombs: > ebug2: channel 0: window 57344 sent adjust 73728 > debug2: channel 0: window 57344 sent adjust 73728 > Disconnecting: Corrupted MAC on input. > debug3: channel 0: close_fds r 4 w 5 e 6 c -1 > lost connection > > I've even tried doing the following: > ssh $host gzip -dc $file | gzip -9 > $file > and got the same result.
> > Cheers, > -Thomas > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From dtucker at zip.com.au Tue Oct 24 09:36:08 2006 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Oct 2006 09:36:08 +1000 Subject: Using CHROOT jail in SFTP In-Reply-To: References: Message-ID: <453D51E8.80303@zip.com.au> John Monagin wrote: > Good afternoon, > > I have been using OpenSSH 3.8p1 and added code to sftp-server.c so I > could put users in chroot jail. When I setup a new system and downloaded > OpenSSH 4.4p1 and tried the same patch it fails with the following in Unless you mention which patch you're using then the help that you get might be limited... > the /var/log/messages file: > sftp-server[11001]: fatal: Couldn't chroot to user directory > /home/newyork/ftpbcc: Operation not permitted > > I was wondering why one would work and the other would not. The chroot(2) system call requires root privileges. I suspect that the patch requires that you make sftp-server setuid root and that your new installation doesn't have that. (Note that the code in the patch needs to be careful otherwise it might be able to be (mis)used by a user to elevate their privileges.) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Rick.Glorie at travelsupportcenter.nl Sat Oct 21 06:36:04 2006 
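Added example, following Darren Tucker's reply above on the chroot failure (example code, not the poster's patch and not OpenSSH's own sftp-server): the order of operations a setuid-root helper has to follow so that the chroot it performs cannot be turned around into a privilege escalation. chroot(2) needs root, which is why the helper is setuid root in the first place; what matters is that it changes directory into the new root, drops supplementary groups, gid and uid in that order, and then proves that root is gone before it touches any user data. The jail path, uid and gid are constructed, the requirement that the jail root be root-owned and not group/world writable is an assumption built into the helper, and RecordingOps is a fake of the handful of os calls used so the sequence can be checked without running as root; with the default os module the same function does the real thing.

```python
"""Privilege-drop order for a setuid-root helper that jails a user.

Added example; not the poster's patch and not OpenSSH code.  'sysops' is an
injection point so the sequence can be exercised without root; it defaults
to the real os module.
"""
import os


class JailError(Exception):
    pass


def enter_jail(jail_dir, uid, gid, sysops=os):
    """chroot into jail_dir, then irrevocably become uid/gid.  Returns the steps taken."""
    if uid == 0:
        raise JailError("refusing to leave a root process inside a chroot")
    st = sysops.stat(jail_dir)
    # Assumption built into this helper: the jail root is owned by root and not
    # writable by anyone else, so the jailed user cannot plant files under it.
    if st.st_uid != 0 or (st.st_mode & 0o022):
        raise JailError("%s must be root-owned and not group/world writable" % jail_dir)
    steps = []
    sysops.chroot(jail_dir)
    steps.append("chroot")
    # chdir after chroot: a cwd left outside the new root is the classic escape.
    sysops.chdir("/")
    steps.append("chdir")
    # Supplementary groups, then gid, then uid: once uid is dropped the first
    # two calls are no longer permitted, so this is the only order that works.
    sysops.setgroups([])
    steps.append("setgroups")
    sysops.setgid(gid)
    steps.append("setgid")
    sysops.setuid(uid)
    steps.append("setuid")
    # Prove the drop is permanent: regaining root must now fail.
    try:
        sysops.setuid(0)
    except PermissionError:
        steps.append("verified")
    else:
        raise JailError("privilege drop was not irrevocable")
    return steps


def jail_rejected(jail_dir, uid, gid, sysops):
    """True if enter_jail refuses the configuration."""
    try:
        enter_jail(jail_dir, uid, gid, sysops)
    except JailError:
        return True
    return False


class RecordingOps:
    """Stand-in for the os calls above: records the call order and, like a
    kernel, refuses setuid(0) once the process has dropped to a non-root uid."""

    def __init__(self, jail_uid=0, jail_mode=0o755):
        self.calls = []
        self._dropped = False
        # st_mode, st_ino, st_dev, st_nlink, st_uid, st_gid, st_size, atime, mtime, ctime
        self._st = os.stat_result((0o040000 | jail_mode, 0, 0, 1, jail_uid, 0, 0, 0, 0, 0))

    def stat(self, path):
        self.calls.append(("stat", path))
        return self._st

    def chroot(self, path):
        self.calls.append(("chroot", path))

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        self.calls.append(("setuid", uid))
        if self._dropped and uid == 0:
            raise PermissionError("Operation not permitted")
        self._dropped = uid != 0
```

The "Operation not permitted" the original poster saw is the chroot call itself failing for lack of root; the checks here are about the opposite problem Darren points at, a helper that has root and hands it to the user by dropping it in the wrong order or not at all.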
From: Rick.Glorie at travelsupportcenter.nl (Rick Glorie) Date: Fri, 20 Oct 2006 22:36:04 +0200 Subject: Complete? Message-ID: Hello, I am new to Linux, just installed Ubuntu 6.06 for a school project. I have to install OpenSSH, which also needs Zlib and OpenSSL. The problem is that these programs have to be compiled. What do I need for that? I have had all 3 packages and none would compile. Is there a complete compiled set out? Rick From gert at greenie.muc.de Tue Oct 24 17:26:07 2006
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 24 Oct 2006 09:26:07 +0200 Subject: Disconnecting: Corrupted MAC on input. - Solaris 8 64-bit SPARC OpenSSH 4.4p1 In-Reply-To: <453D2497.2060605@psc.edu> References: <20061023190705.14581.qmail@web51713.mail.yahoo.com> <453D2497.2060605@psc.edu> Message-ID: <20061024072607.GQ1140@greenie.muc.de> Hi On Mon, Oct 23, 2006 at 04:22:47PM -0400, Chris Rapier wrote: > More than likely this is due to a layer 1 problem somewhere along the > path. I saw this happen with some of the older intel pro e1000 cards but > I've also seen it happen with bad cables and flaky drivers (esp when > using some sort of offloading). A straight forward tcp transfer will > recovery from some intermittent hardware faults by just retransmitting > but MAC will, for obvious reasons, fail in these same conditions. I can't really follow that argument. If "tcp will recover" then the errors must be visible to TCP, and TCP will retransmit that segment before SSH can even take a look at it, let alone notice the corrupted MAC. >From what I've seen on this list, I'd tend to blame the OpenSSL installation on that machine. (As a workaround, the original poster might want to use "bsplit" to chop the file into smaller pieces, transmit them one by one, and re-concatenate them afterwards. Ugly, but a quick solution). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From bob at proulx.com Tue Oct 24 19:33:01 2006
From: bob at proulx.com (Bob Proulx) Date: Tue, 24 Oct 2006 03:33:01 -0600 Subject: Complete? In-Reply-To: References: Message-ID: <20061024093300.GB25825@dementia.proulx.com> Rick Glorie wrote: > I am new to Linux, just installed Ubuntu 6.06 for a school project. > > I have to install OpenSSH, which also needs Zlib and OpenSSL. The > problem is that these programs have to be compiled. What do I need > for that? I have had al 3 packages and none would compile. You misunderstand. There is no need to compile your own version. You should use the copy of OpenSSH that is included with your distribution. What does this command say for you? /usr/bin/ssh -V > Is there a complete compiled set out? OpenSSH is installed in /usr/bin/ssh and is packaged in the openssh-client package on Ubuntu. I believe that you may be simply having a use issue. As such you might want to direct further questions to the ubuntu-users at lists.ubuntu.com mailing list instead. They can help you with distribution specific questions such as this. Bob From rapier at psc.edu Wed Oct 25 03:54:39 2006 
From: rapier at psc.edu (Chris Rapier) Date: Tue, 24 Oct 2006 13:54:39 -0400 Subject: Disconnecting: Corrupted MAC on input. - Solaris 8 64-bit SPARC OpenSSH 4.4p1 In-Reply-To: <20061024072607.GQ1140@greenie.muc.de> References: <20061023190705.14581.qmail@web51713.mail.yahoo.com> <453D2497.2060605@psc.edu> <20061024072607.GQ1140@greenie.muc.de> Message-ID: <453E535F.4040100@psc.edu> > I can't really follow that argument. If "tcp will recover" then the > errors must be visible to TCP, and TCP will retransmit that segment > before SSH can even take a look at it, let alone notice the corrupted > MAC. My apologies I worded that badly. I was more focused on trying to get across that a layer 1 problem can be causing the symptoms this person is seeing. Problems that would not lead to a noticeable issue in a non-SSH TCP transfer (because there would be no disconnect) but would lead to a very noticeable problem when using SSH. In my specific case the corruption happened on the NIC but after the TCP checksum was calculated. I have also seen situations where a faulty cable introduces intermittent data corruption. TCP checksums do catch much of it (but it does not necessarily catch all of it due to a higher than expected rate of checksum collision (http://www1.acm.org:80/sigcomm/sigcomm95/papers/partridge.pdf)) but sometimes a corrupted packet does get through and causes a disconnect from SSH. In both cases it's a layer 1 problem, but as you point out, the specific corrupted packet causing the SSH disconnects is transparent to TCP. I was thinking more along the line that if TCP gets a corrupted packet then it just retransmits. If SSH gets a corrupted packet it disconnects (which is good, I wouldn't say this is anything but the correct behavior).
Previous discussions on this problem can be found here http://marc.theaimsgroup.com/?t=108316318300002&r=1&w=2 specifically http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108575680024325&w=2 and the referenced bug #845 From gert at greenie.muc.de Wed Oct 25 06:52:59 2006 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 24 Oct 2006 22:52:59 +0200 Subject: Disconnecting: Corrupted MAC on input. - Solaris 8 64-bit SPARC OpenSSH 4.4p1 In-Reply-To: <453E535F.4040100@psc.edu> References: <20061023190705.14581.qmail@web51713.mail.yahoo.com> <453D2497.2060605@psc.edu> <20061024072607.GQ1140@greenie.muc.de> <453E535F.4040100@psc.edu> Message-ID: <20061024205258.GT1140@greenie.muc.de> Hi, On Tue, Oct 24, 2006 at 01:54:39PM -0400, Chris Rapier wrote: > I was thinking more along the line that if TCP gets a corrupted packet > then it just retransmits. If SSH gets a corrupted packet it disconnects > (which is good, I wouldn't say this is anything but the correct behavior). I agree. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From patrol at sinus.cz Thu Oct 26 14:34:42 2006 
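Added example, following the exchange above between Chris Rapier and Gert Doering (example code, not from the thread): a concrete case of a corrupted segment that the TCP checksum cannot see but an SSH-style MAC rejects. The TCP/IP checksum is the RFC 1071 one's-complement sum of 16-bit words, which is commutative, so a corruption that reorders two words leaves it unchanged; an HMAC over the same bytes changes. A single flipped bit, by contrast, is caught by both. The payload and key are constructed, and HMAC-SHA1 stands in for whichever MAC the connection negotiated.

```python
"""Why a corrupted segment can pass the TCP checksum and still fail the SSH MAC.

Added example, not from the thread.  PAYLOAD and KEY are constructed.
"""
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Corruption that reorders two 16-bit words: invisible to a commutative sum."""
    b = bytearray(data)
    b[2 * i:2 * i + 2], b[2 * j:2 * j + 2] = data[2 * j:2 * j + 2], data[2 * i:2 * i + 2]
    return bytes(b)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Single-bit corruption, which the checksum does catch."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def compare(payload: bytes, corrupted: bytes, mac_key: bytes) -> dict:
    """Does the TCP-style checksum still match?  Does the HMAC still match?"""
    def mac(d):
        return hmac.new(mac_key, d, hashlib.sha1).digest()
    return {
        "checksum_matches": internet_checksum(payload) == internet_checksum(corrupted),
        "mac_matches": hmac.compare_digest(mac(payload), mac(corrupted)),
    }


PAYLOAD = bytes(range(64))            # constructed sample segment data
KEY = b"constructed-session-mac-key"  # stands in for the negotiated MAC key


def demo_swap():
    """Word swap: checksum unchanged, MAC broken -> TCP delivers, SSH disconnects."""
    return compare(PAYLOAD, swap_words(PAYLOAD, 3, 17), KEY)


def demo_flip():
    """Single bit flip: both detect it -> TCP retransmits, SSH never sees it."""
    return compare(PAYLOAD, flip_bit(PAYLOAD, 100), KEY)


if __name__ == "__main__":
    print("word swap:", demo_swap())
    print("bit flip: ", demo_flip())
```

The checksum function is checked against the worked example in RFC 1071 (bytes 00 01 f2 03 f4 f5 f6 f7 give 220d), so the swap result is a property of the checksum, not of this implementation.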
From: patrol at sinus.cz (Pavel Troller) Date: Thu, 26 Oct 2006 06:34:42 +0200 Subject: Tunnel freezing Message-ID: <20061026043442.GA16675@arcus.sinus.cz> Hi! I hope this list is a good place for my question - I've googled for it first, but I didn't find any answers. I'm trying to use the new ssh IP tunnel feature to get a secure access to my machine at work, which is behind a firewall/NAT but it has a ssh port in outbound direction open. The problem is that the tunnel freezes occasionally, mostly in one direction only. The freeze occurs mostly when there is traffic over the tunnel, like VoIP call or remote X session. I know that this is unidirectional freeze, because for example during a VoIP call one party stops hearing the other, but in the opposite direction the audio is still transferred. I think this is evidence that the underlying TCP connection is alive, because otherwise it would stop in both directions (at least due to absence of ACKs) - I've also monitored its packet queues and they are almost empty. My configuration is almost symmetrical at both ends: - Linux-2.6.18 kernel - OpenSSH-4.4p1 (but 4.3p2 did the same) - OpenSSL-0.9.8a I'm starting the tunnel by this script (from a host behind a firewall) # Create a ssh tunnel ssh -f -w0:1 true # Wait for tun0 to be created sleep 3 # Configure tunnel iface ifconfig tun0 xxx.xxx.xxx.xxx pointopoint xxx.xxx.xxx.xxy route add -net aaa.aaa.aaa.aaa netmask 255.255.255.0 dev tun0 iptables -A INPUT -i tun0 -s \! aaa.aaa.aaa.aaa/24 -j REJECT The last two lines establish routing over the tunnel just for my home network and block the access for others. The tunnel is terminated in a host which uses standard technique of forced command, making ifconfig of the tunnel iface. The tunnel works normally for hours or sometimes days, then freezes. Sometimes it gets some "happy days" and remains OK for a really long period of time (about a month or even longer), but sometimes it freezes in 10 minutes.
I didn't find any reason for this. Any help would be greatly appreciated! Please Cc: me, I'm not regularly subscribed to the mailing list. Thanks. With regards, Pavel Troller From enrique.moliner at aragon.catastro.meh.es Thu Oct 26 19:44:07 2006 
From: enrique.moliner at aragon.catastro.meh.es (enrique moliner) Date: Thu, 26 Oct 2006 11:44:07 +0200 Subject: priotc text hp-ux renicer program Message-ID: <027601c6f8e3$48048c00$b9d5390a@zaragoza.catastro.minhac.es>

http://perso.wanadoo.es/priotc/

PRIOTC Priority Task Controller for HP-UX 9000 B.10.20 or higher systems. Version is 1.4a. Author: Enrique Moliner Martinez, from Zaragoza (Spain). See also the "top" unix program.

- This is an automatic renicer program: get more CPU time for processes NOT matching names or patterns in this file (normally interactive programs, typed programs), by once renicing those that are matching (normally large programs). At start, priotc renices all pids to the defined nice. When priotc is already running, it watches only to renice new pids or old pids with a change.
- This is also an automatic serializer program: serialize a pid with a nice >= that defined in the configuration file if low free pages. See "man serialize".

priotc.c source code
priotc.cfg configuration file example
priotc.comp for compiling
priotc.doc sample documentation file
priotcv.log log example
rutinas.h include file

Free source program with free_enduser license:
- Is free unloaded with the source program
- The program (source/executable) can be distributed ONLY in original form and ever completely free.
- The program only can be modified for internal use, and in this case can not be distributed. The modified program ever must show the program author name (initial credits). The documentation can be modified and distributed, ever free and with the reference of the program author name.

Download if you accept free_enduser license: priotc.zip
Report bugs to cmolimar at hotmail.com

TOP UNIX PROGRAM OUTPUT ... priotc renice

CPU TTY    PID   USERNAME PRI NI SIZE   RES    STATE TIME  %WCPU %CPU COMMAND
0   pts/tz 24498 assf     154 25 42796K 10728K sleep 0:05  0.68  0.68 runff116
1   pts/t5 1476  chaa1    154 25 45484K 13452K sleep 0:13  0.65  0.65 runff116
0   ?      39    root     152 26 7424K  7424K  run   63:38 0.45  0.45 vxfsd
0   ?      15308 oracle8  156 23 480M   8304K  sleep 6:11  0.29  0.29 ora_s000
3   ?      6577  oracle8  156 23 474M   2240K  sleep 0:30  0.24  0.24 ora_d001
2   ?      6646  oracle8  168 23 24376K 4956K  sleep 7:32  0.16  0.16 dbsnmp
2   ?      1802  root     152 20 29084K 7272K  run   0:02  0.16  0.16 ovbbccb

From risto.suominen at gmail.com Thu Oct 26 22:51:42 2006 From: risto.suominen at gmail.com (Risto Suominen) Date: Thu, 26 Oct 2006 15:51:42 +0300 Subject: scp and character encoding in file names Message-ID: <46e1c7760610260551o2314016alc5e6a37dfd27ace8@mail.gmail.com>

Hello, I got an 'Invalid argument' error when trying to scp a file, with non-ascii characters in its name, from Linux (ISO 8859-15) to OS X (UTF-8). So I made a patch for scp that adds two option flags:
-I: local side uses UTF-8 and remote side uses ISO 8859-15
-U: local side uses ISO 8859-15 and remote side uses UTF-8
and converts the filenames on-the-fly. Maybe it would be useful for others, as well.

Risto Suominen

ps. The patch seems to work with openssh-4.4p1, too.

From openssh at lakedaemon.net Fri Oct 27 01:47:49 2006
From: openssh at lakedaemon.net (Jason) Date: Thu, 26 Oct 2006 11:47:49 -0400 Subject: Tunnel freezing In-Reply-To: <20061026043442.GA16675@arcus.sinus.cz> References: <20061026043442.GA16675@arcus.sinus.cz> Message-ID: <4540D8A5.4040100@lakedaemon.net>

Little OT reply...

Pavel Troller wrote: [snip]
> The problem is that the tunnel freezes occasionally, mostly in one direction
> only. The freeze occurs mostly when there is traffic over the tunnel, like
> VoIP call or remote X session. I know that this is unidirectional freeze,

How is the latency across your tunnel? I typically see ~20-40ms from work to home. When on travel I've seen as great as 300ms (overseas). Other than this mysterious unidirectional freeze, how is the voice quality of your VoIP calls? Is there a noticeable effect because of riding through the tunnel? Which VoIP are you using?

btw - I've been doing Layer2 tap interfaces with bridging to create the tunnel. I haven't signed up for VoIP yet, but was looking into it. You may be interested in Bug 1223 [1], it has a patch so you don't have to ssh in as root. You still have to be root on the client side to set it up, but you can disable remote root login on your SSH server.

thx, Jason.

[1] - http://bugzilla.mindrot.org/show_bug.cgi?id=1223

From vinschen at redhat.com Fri Oct 27 18:36:59 2006
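Pavel's setup (a client opening the tunnel with -w and a server-side forced command that configures the interface) and Jason's point about not wanting to ssh in as root both come down to how the tunnel key on the server is restricted. The following is an added example, not code from the thread and not part of OpenSSH: it builds the authorized_keys line that pins a key to one tun device and one forced command with every other capability of the key switched off, and replaces the fixed "sleep 3" in the client script with a check that the device actually appeared. The helper path /usr/local/sbin/tun-up, the account name "tunnel", the host work.example and the key material are placeholders; the helper itself still needs a way to run ifconfig as root on the server (sudo or the Bug 1223 patch), which is outside this example. One caveat: the forced command only runs when the client requests a session, so the client must not use -N on this connection.

```shell
#!/bin/sh
# Added example (not from the original thread): lock down the key that is
# allowed to open the ssh(1) -w tunnel, and wait for the tun device instead
# of "sleep 3". Assumptions: OpenSSH 4.3 or later on both ends, Linux on the
# client (device presence is read from /sys/class/net), and a hypothetical
# server-side helper /usr/local/sbin/tun-up that runs ifconfig on the
# server's end of the tunnel.

# Build the authorized_keys option prefix for a tunnel-only key.
# $1: tunnel device number the key may claim ("0" here, matching -w0:1),
# $2: forced command that configures the server's tunnel interface.
# Everything else a key could do (pty, TCP forwarding, X11, agent) is denied,
# so even if the key leaks the holder only gets a point-to-point link into
# whatever the server routes over tun$1.
tunnel_key_options() {
    num="$1"
    cmd="$2"
    case "$num" in
        ''|*[!0-9]*) echo "tunnel number must be numeric: $num" >&2; return 1 ;;
    esac
    printf 'tunnel="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding' \
        "$num" "$cmd"
}

# Full authorized_keys line: options, then the public key as exported by
# ssh-keygen. $3 is the key material (type + base64 + comment).
authorized_keys_line() {
    opts=$(tunnel_key_options "$1" "$2") || return 1
    printf '%s %s\n' "$opts" "$3"
}

# Poll for a network interface to appear. $1: interface, $2: seconds to wait.
# Returns 0 once the device exists, 1 on timeout. Replaces the fixed sleep in
# the client script, which races against sshd creating the device.
wait_for_iface() {
    iface="$1"
    deadline="$2"
    while [ "$deadline" -gt 0 ]; do
        if [ -d "/sys/class/net/$iface" ]; then
            return 0
        fi
        sleep 1
        deadline=$((deadline - 1))
    done
    return 1
}

# Constructed sample key; the base64 is a placeholder, not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQplaceholderkeymaterial== tunnel@laptop'

# Print the server-side configuration to install and the client-side call.
show_setup() {
    echo "# sshd_config on the server:"
    echo "PermitTunnel point-to-point"
    echo "PermitRootLogin no"
    echo "# ~tunnel/.ssh/authorized_keys on the server:"
    authorized_keys_line 0 /usr/local/sbin/tun-up "$SAMPLE_KEY"
    echo "# client side, replacing 'sleep 3' (keep a session request, no -N):"
    echo "ssh -f -w0:1 tunnel@work.example true && wait_for_iface tun0 10"
}

show_setup
```

With the key restricted this way a compromised client can at most bring up tun0 on the server; it cannot get a shell, forward ports or reach the agent, and the server can keep PermitRootLogin off because the forced command, not the login account, is what needs privilege.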
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 27 Oct 2006 10:36:59 +0200 Subject: Requirement for sshd account since 4.4p1 Message-ID: <20061027083659.GA4721@calimero.vinschen.de>

Hi, there's a change made to 4.4p1, which gave some irritation on the Cygwin mailing list. It's a change from 20060907:

- (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can be used to drop privilege to; fixes Solaris GSSAPI crash reported by Magnus Abrante; suggestion and feedback dtucker@ NB. this change will require that the privilege separation user must exist on all the time, not just when UsePrivilegeSeparation=yes

This fix for a Solaris specific problem forces everyone - even non-Solaris users - to have a sshd account on the system. This leaves behind users who have no admin access to their boxes and just want to start a private sshd which allows logging on with their own account. Looking into the source code it looks like this patch was never meant to be something other than temporary:

struct passwd *
fakepw(void)
{
[...]
	fake.pw_uid = (uid_t)-1;
	fake.pw_gid = (gid_t)-1;
	fake.pw_uid = privsep_pw->pw_uid;
	fake.pw_gid = privsep_pw->pw_gid;

So my question, are there plans to get this working as before at least for non-Solaris users?

Thanks, Corinna

-- Corinna Vinschen Cygwin Project Co-Leader Red Hat

From dtucker at zip.com.au Fri Oct 27 21:00:16 2006
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 27 Oct 2006 21:00:16 +1000 Subject: Requirement for sshd account since 4.4p1 In-Reply-To: <20061027083659.GA4721@calimero.vinschen.de> References: <20061027083659.GA4721@calimero.vinschen.de> Message-ID: <20061027110016.GA5243@gate.dtucker.net> On Fri, Oct 27, 2006 at 10:36:59AM +0200, Corinna Vinschen wrote: > Hi, > > there's a change made to 4.4p1, which gave some irritation on the Cygwin > mailing list. It's a change from 20060907: > > - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can > be used to drop privilege to; fixes Solaris GSSAPI crash reported by > Magnus Abrante; suggestion and feedback dtucker@ > NB. this change will require that the privilege separation user must > exist on all the time, not just when UsePrivilegeSeparation=yes It was intended to be in the release notes too (as a rule, user-visible changes like that should be) but it seems that it was dropped along the line somewhere... > This fix for a Solaris specific problem forces everyone - even > non-Solaris users - to have a sshd account on the system. It's probably not just Solaris (any system where (seteuid(-1)) fails would be affected) but that's where it was reported. > This leaves behind users which have no admin access to their boxes and > just want to start a private sshd which allows to logon with their own > account. That's one configuration I hadn't considered: running sshd entirely nonprivileged when the privsep account doesn't exist. Maybe we could only load privsep_pw if we're running privileged? set*uid is not going to work if we're not. > Looking into the source code it looks like this patch was never meant > to be something other than temporary: > > struct passwd * > fakepw(void) fakepw() has been there quite a while. It gets used when a user does not exist in the passwd file so that many operations that would normally be done can still be. 
This is in order to prevent leaking information to an attacker by behaving differently for users that exist, are blocked or don't exist. Always having the privsep uid available is useful in other cases too (eg PAM, bug #1215). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Fri Oct 27 22:29:00 2006 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 27 Oct 2006 14:29:00 +0200 Subject: Requirement for sshd account since 4.4p1 In-Reply-To: <20061027110016.GA5243@gate.dtucker.net> References: <20061027083659.GA4721@calimero.vinschen.de> <20061027110016.GA5243@gate.dtucker.net> Message-ID: <20061027122900.GE8323@calimero.vinschen.de>

Hi Darren,

On Oct 27 21:00, Darren Tucker wrote:
> On Fri, Oct 27, 2006 at 10:36:59AM +0200, Corinna Vinschen wrote:
> It's probably not just Solaris (any system where (seteuid(-1)) fails
> would be affected) but that's where it was reported.

Right, but this is for circumventing a bug in a small number of systems while the effect is visible on all systems. The fact that this is also visible in sshd's which are not built with GSSAPI support at all is another point.

> > This leaves behind users which have no admin access to their boxes and
> > just want to start a private sshd which allows to logon with their own
> > account.
>
> That's one configuration I hadn't considered: running sshd entirely
> nonprivileged when the privsep account doesn't exist.
>
> Maybe we could only load privsep_pw if we're running privileged?
> set*uid is not going to work if we're not.

Here's the problem: Right now there's no way to figure out whether sshd is running under a privileged account or not on Cygwin. The problem is that being privileged is bound to testing uid 0 in OpenSSH throughout. I've been asking for some years now to replace the inflexible tests for uid 0 by a system specific function call along the lines of

bool privileged_user(uid)

This would be enormous progress for systems which allow an arbitrary number of privileged accounts, resp. for systems which are capable of granting fine grained user privileges. There's no reason why sshd should run under uid 0 if there's a specific account on a system which has the privilege to switch the user context. I sent a patch once, back in 2005, which we never discussed, unfortunately.
As a short term solution I would suggest that sshd doesn't exit prematurely when it can't find the sshd account, but only later if it finds that the sshd account is required for operation, like, for instance, GSSAPI on Solaris, or if privilege separation is actually requested. > > Looking into the source code it looks like this patch was never meant > > to be something other than temporary: > > > > struct passwd * > > fakepw(void) > > fakepw() has been there quite a while. [...] I wasn't referring to the name of the function, I was referring to the fact that uid and gid get set twice, first to -1, then to the privsep_pw value. > Always having the privsep uid available is useful in other cases too > (eg PAM, bug #1215). I see, but not all systems use PAM either ;) Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From djm at mindrot.org Sat Oct 28 01:13:18 2006 
From: djm at mindrot.org (Damien Miller) Date: Sat, 28 Oct 2006 01:13:18 +1000 (EST) Subject: Requirement for sshd account since 4.4p1 In-Reply-To: <20061027122900.GE8323@calimero.vinschen.de> References: <20061027083659.GA4721@calimero.vinschen.de> <20061027110016.GA5243@gate.dtucker.net> <20061027122900.GE8323@calimero.vinschen.de> Message-ID:

On Fri, 27 Oct 2006, Corinna Vinschen wrote:

> Hi Darren,
>
> On Oct 27 21:00, Darren Tucker wrote:
> > On Fri, Oct 27, 2006 at 10:36:59AM +0200, Corinna Vinschen wrote:
> > It's probably not just Solaris (any system where (seteuid(-1)) fails
> > would be affected) but that's where it was reported.
>
> Right, but this is for circumventing a bug in a small number of
> systems while the effect is visible on all systems. The fact that this
> is also visible in sshd's which are not built with GSSAPI support at
> all is another point.

The alternative of adding yet another platform-specific code path is exactly what we are trying to get away from.

> As a short term solution I would suggest that sshd doesn't exit
> prematurely when it can't find the sshd account, but only later if
> it finds that the sshd account is required for operation, like, for
> instance, GSSAPI on Solaris, or if privilege separation is actually
> requested.

I don't think it makes sense to have a sshd that fails at random times once it has successfully started. Better to be clear at the beginning.

> > > Looking into the source code it looks like this patch was never
> > > meant to be something other than temporary:
> > >
> > > struct passwd * fakepw(void)
> >
> > fakepw() has been there quite a while. [...]
>
> I wasn't referring to the name of the function, I was referring to
> the fact that uid and gid get set twice, first to -1, then to the
> privsep_pw value.

That is just some dead code (deleted in HEAD), I don't get how this could be construed as being "temporary".

-d

From vinschen at redhat.com Sat Oct 28 03:05:58 2006
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 27 Oct 2006 19:05:58 +0200 Subject: Requirement for sshd account since 4.4p1 In-Reply-To: References: <20061027083659.GA4721@calimero.vinschen.de> <20061027110016.GA5243@gate.dtucker.net> <20061027122900.GE8323@calimero.vinschen.de> Message-ID: <20061027170558.GH8323@calimero.vinschen.de> On Oct 28 01:13, Damien Miller wrote: > On Fri, 27 Oct 2006, Corinna Vinschen wrote: > > Right, but this is for circumventing a bug in a small number of > > systems while the effect is visible on all systems. The fact that this > > is also visible in sshd's which are not built with GSSAPI support at > > all is another point. > > The alternative of adding yet another platform-specific code path is > exactly what we are trying to get away from. > > > As a short term solution I would suggest that sshd doesn't exit > > prematurely when it can't find the sshd account, but only later if > > it finds that the sshd account is required for operation, like, for > > instance, GSSAPI on Solaris, or if privilege separation is actually > > requested. > > I don't think it makes sense to have a sshd that fails at random times > once it has successfully started. Better to be clear at the beginning. I understand that simple point, but I don't understand the argumentation. This change leaves users behind which have been using sshd for a long time in a specific manner. This has nothing to do with Cygwin or, FWIW, any platform. Maybe you could avoid a platform-specific code path this way but now *all* platforms have to live with the consequences of a patch for the sake of just one broken system, Solaris with GSSAPI. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From djm at mindrot.org Sat Oct 28 03:22:39 2006 
From: djm at mindrot.org (Damien Miller) Date: Sat, 28 Oct 2006 03:22:39 +1000 (EST) Subject: Requirement for sshd account since 4.4p1 In-Reply-To: <20061027170558.GH8323@calimero.vinschen.de> References: <20061027083659.GA4721@calimero.vinschen.de> <20061027110016.GA5243@gate.dtucker.net> <20061027122900.GE8323@calimero.vinschen.de> <20061027170558.GH8323@calimero.vinschen.de> Message-ID: On Fri, 27 Oct 2006, Corinna Vinschen wrote: > I understand that simple point, but I don't understand the argumentation. > This change leaves users behind which have been using sshd for a long > time in a specific manner. "leaving behind" is a very emotive way to say "users have to install an account". On the vast majority of platforms, this account has existed for years anyway, so it is a total nop for most people. -d From vinschen at redhat.com Sat Oct 28 03:36:56 2006 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 27 Oct 2006 19:36:56 +0200 Subject: Requirement for sshd account since 4.4p1 In-Reply-To: References: <20061027083659.GA4721@calimero.vinschen.de> <20061027110016.GA5243@gate.dtucker.net> <20061027122900.GE8323@calimero.vinschen.de> <20061027170558.GH8323@calimero.vinschen.de> Message-ID: <20061027173656.GI8323@calimero.vinschen.de>

On Oct 28 03:22, Damien Miller wrote:
> On Fri, 27 Oct 2006, Corinna Vinschen wrote:
>
> > I understand that simple point, but I don't understand the argumentation.
> > This change leaves users behind which have been using sshd for a long
> > time in a specific manner.
>
> "leaving behind" is a very emotive way to say "users have to install an
> account". On the vast majority of platforms, this account has existed
> for years anyway, so it is a total nop for most people.

It wasn't meant to be emotional. But you're avoiding replying to the original problem by stating that it is not a problem in "most" cases. There are platforms and users out there which don't live in a situation which is covered by "most". They have used sshd for years in a valid way. The change in question blocks this usage suddenly and it seems that the affected users are just dropped off and you simply don't care. That's at least surprising.

Corinna

-- Corinna Vinschen Cygwin Project Co-Leader Red Hat

From cxu at lucent.com Tue Oct 31 15:47:20 2006
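The thread above turns on sshd 4.4p1 refusing to start when the privilege separation account is missing, a check that now runs regardless of UsePrivilegeSeparation. As an added example (not from the thread and not OpenSSH code), here is a pre-flight check a practitioner can run before upgrading: it verifies that the account exists and that the privilege separation directory has the ownership and mode sshd insists on at startup (owned by root, not group- or world-writable). It assumes the portable build's defaults, user "sshd" and directory /var/empty, both overridable by argument, and uses "ls -ldn" rather than stat(1) so it behaves the same under GNU and BSD userland.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH sources): a pre-flight
# check to run before upgrading to 4.4p1, which refuses to start when the
# privilege separation account is missing. Assumptions: the account name is
# "sshd" and the chroot directory is /var/empty, the defaults of the portable
# build; both can be overridden by argument. The directory test mirrors the
# startup conditions in sshd (directory present, root-owned, not group- or
# world-writable).

# Does the account exist? Uses getent where available, else /etc/passwd.
# Prints the passwd line on success so the caller can see uid/gid/shell.
privsep_user_entry() {
    name="$1"
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$name"
    else
        grep "^$name:" /etc/passwd
    fi
}

# Check a permission string such as drwxr-xr-x: the group write bit is the
# 6th character and the other write bit the 9th; neither may be "w".
mode_not_writable_by_others() {
    mode="$1"
    case "$mode" in
        ?????w*) return 1 ;;    # group write
        ????????w*) return 1 ;; # other write
    esac
    return 0
}

# Directory check: must exist, be owned by the expected uid (0 for root) and
# must not be group- or world-writable. $1: dir, $2: expected numeric uid.
privsep_dir_ok() {
    dir="$1"
    want_uid="$2"
    [ -d "$dir" ] || { echo "missing privilege separation directory $dir" >&2; return 1; }
    set -- $(ls -ldn "$dir")   # mode links uid gid ...
    mode="$1"
    uid="$3"
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner for $dir: uid $uid, expected $want_uid" >&2
        return 1
    fi
    if ! mode_not_writable_by_others "$mode"; then
        echo "bad mode for $dir: $mode is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# Combined check to run before "sshd -t": user present and directory sane.
privsep_preflight() {
    user="${1:-sshd}"
    dir="${2:-/var/empty}"
    rc=0
    if entry=$(privsep_user_entry "$user"); then
        echo "ok: $entry"
    else
        echo "privilege separation user '$user' does not exist; sshd 4.4p1 will not start" >&2
        rc=1
    fi
    privsep_dir_ok "$dir" 0 || rc=1
    return $rc
}

# Run the check when saved as e.g. privsep-preflight.sh; as a sourced file it
# only defines the functions.
case "$0" in
    *preflight*) privsep_preflight "$@" ;;
esac
```

If the user check fails, create the account before upgrading (a locked, shell-less account with /var/empty as its home is the usual shape); if the directory check fails, fix ownership and mode rather than loosening it, since that directory is the chroot for the unprivileged pre-auth child.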
From: cxu at lucent.com (Xu, Chun Gang (Titan)) Date: Tue, 31 Oct 2006 12:47:20 +0800 Subject: SSH 1.0.1 and 1.1 have different prompt. Message-ID:

Hi, Just curious. I am using Sun SSH 1.0.1 and 1.1 on different machines, and get different password prompts as follows.

------------------------------------
root> ssh -V
SSH Version Sun_SSH_1.0.1, protocol versions 1.5/2.0.
root>ssh 10.193.106.90
root at 10.193.106.90's Password:
------------------------------------
root> ssh -V
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
root>ssh 10.193.114.90
Password:
-----------------------------------

The official ssh has two options, PasswordPromptHost and PasswordPromptLogin, to specify whether to include the remote host name and user id in the password prompt. Seems that OpenSSH doesn't have similar options. So why do 1.0.1 and 1.1 show different prompts, and how to control the prompt?

Thanks,

From djm at mindrot.org Tue Oct 31 17:05:36 2006 From: djm at mindrot.org (Damien Miller) Date: Tue, 31 Oct 2006 17:05:36 +1100 (EST) Subject: SSH 1.0.1 and 1.1 have different prompt. In-Reply-To: References: Message-ID:

On Tue, 31 Oct 2006, Xu, Chun Gang (Titan) wrote:

> Seems that openSSH doesn't have the similar options.
> So why 1.0.1 and 1.1 show different prompts and how to control the prompt?

I would guess because one is offering PAM authentication via keyboard-interactive authentication and the other is offering "emulated" password authentication, but you should really ask Sun because we don't have anything to do with SunSSH.

-d

From Jan.Pechanec at Sun.COM Tue Oct 31 21:45:28 2006
From: Jan.Pechanec at Sun.COM (Jan Pechanec) Date: Tue, 31 Oct 2006 11:45:28 +0100 (CET) Subject: SSH 1.0.1 and 1.1 have different prompt. In-Reply-To: References: Message-ID:

On Tue, 31 Oct 2006, Xu, Chun Gang (Titan) wrote:

hi, as Damien already said:

>root> ssh -V
>SSH Version Sun_SSH_1.0.1, protocol versions 1.5/2.0.
>
>root>ssh 10.193.106.90
>root at 10.193.106.90's Password:
>------------------------------------

password based authentication, see PasswordAuthentication

>root> ssh -V
>Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
>
>root>ssh 10.193.114.90
>Password:
>-----------------------------------

keyboard-interactive authentication. also see PreferredAuthentications

for example, you can test with:

ssh -o PreferredAuthentications=password user at your-host
ssh -o PreferredAuthentications=keyboard-interactive user at your-host

of course this in general also depends on server side configuration.

Jan.

-- Jan Pechanec