From mnemonic.fx at gmail.com Wed Oct 8 12:30:56 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Wed, 8 Oct 2008 08:30:56 +0700
Subject: Problem with sshd host key checking, for my own build with custom prefix
Message-ID: <45d629ef0810071830l41191d3bx3c770e0be07b9025@mail.gmail.com>

Hello openssh developers,

I was building openssh-4.7p, and it builds successfully with my own
prefix (--prefix=/path/to/sshd).
The problem is when I execute sshd, it warns about permissions being too open:

hostname:/path root# /path/to/sshd -t -f /path/to/sshd_config
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0534 for '(null)' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/ssh_host_key
Could not load host key: /path/to/ssh_host_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0536 for '(null)' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/ssh_host_rsa_key
Could not load host key: /path/to/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0532 for '(null)' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/ssh_host_dsa_key
Could not load host key: /path/to/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
sshd: no hostkeys available -- exiting.

This is the host keys file permissions:
-rw-------  1 root  wheel   672 Oct  7 10:11 ssh_host_dsa_key
-rw-r--r--  1 root  wheel   609 Oct  7 10:11 ssh_host_dsa_key.pub
-rw-------  1 root  wheel   982 Oct  7 10:11 ssh_host_key
-rw-r--r--  1 root  wheel   646 Oct  7 10:11 ssh_host_key.pub
-rw-------  1 root  wheel  1675 Oct  7 10:11 ssh_host_rsa_key
-rw-r--r--  1 root  wheel   401 Oct  7 10:11 ssh_host_rsa_key.pub

Does anybody know what went wrong?

Other than that, why does sshd check for host keys in
/path/to/ssh, instead of /path/to/ssh/etc, which is the given
sysconfdir?
So I have to manually copy everything to the parent directory.

Jesse Armand
----------------------------------------
(http://jessearm.blogspot.com)

From valqk at lozenetz.org Wed Oct 8 19:06:55 2008
From: valqk at lozenetz.org (Anton Blajev - Valqk)
Date: Wed, 08 Oct 2008 11:06:55 +0300
Subject: FW: LDAP Problem
Message-ID: <48EC6A1F.5090100@lozenetz.org>

Hi Joseph,

I've resolved this problem for myself by changing the order of lookups:

$>cat /etc/nsswitch.conf
group: pgsql files
passwd: pgsql files
....

but it'd be a good idea to compile add the ncsd (nis caching daemon).
then the file will look like this

group: cache files pgsql

etc...

as far as I looked at the code I think the problem is that there is no
fallback when doing login_get_lastlog on other nis records but I've found
a solution for me and I prefer not to patch the code (hope it gets in
stable releases sooner or later)

cheers,
valqk.

Gigliotti, Joseph wrote:
> Hi Anton, saw your post "login_get_lastlog - nss enviornment - works in
> shell env, doesn't work"
> http://securepoint.com/lists/html/OpenSSH/2007-01/msg00017.html
>
> We are having similar problems from an RedHat v3 host when we try and
> ssh, su etc. to it.
> The host is configured to authenticate against an
> LDAP directory and it hangs for 4 minutes and then logs out with the
> error message "fatal: login_get_lastlog: Cannot find account for uid
> 232135350" in the syslogs.
>
> Do you have any knowledge of this problem please?
>
>
> Regards
> Joseph Gigliotti
> IT Domain Specialist
> Identity Solutions, Telstra Operations
> Tel: (03) 9634 2436 / 0407 862 934
> http://www.in.telstra.com.au/ism/identitymanagementsolutioncentre/
> This communication may contain CONFIDENTIAL or copyright information of
> Telstra Corporation Limited (ABN 33 051 775 556). If you are not an
> intended recipient, you MUST NOT keep, forward, copy, use, save or rely
> on this communication, and any such action is unauthorised and
> prohibited. If you have received this communication in error, please
> reply to this e-mail to notify the sender of its incorrect delivery, and
> then delete both it and your reply. Thank you
>
>
> ______________________________________________
> From: Clemens, Ross W
> Sent: Wednesday, 8 October 2008 11:53 AM
> To: Gigliotti, Joseph; Penjin, Jovan; Budavari, Raymond
> Subject: LDAP Problem
>
> Hi!
>
> Further to previous email on the same subject, please find below further
> investigation.
>
> I have two nearly identical Red Hat hosts. I say nearly identical
> because although the LDAP rpms, ldap configuration and os kernel are the
> same there is obviously some difference that is preventing me from
> logging into one of the hosts using ldap.
>
> The faulty host will not allow me to login from the console, ssh or su
> to an eAAA user. From the syslog event it would appear that the ldap
> password was accepted but the session was closed after a delay of four
> minutes with the error that uid of 23213530 could not be found. The uid
> of 23213530 is mine and is valid. A copy of the syslog output is shown
> below.
>
> Oct 8 09:39:54 wpm3 sshd[23426]: Accepted password for b321353 from 172.17.9.15 port 971 ssh2
> Oct 8 09:39:54 wpm3 sshd(pam_unix)[23439]: session opened for user b321353 by (uid=0)
> Oct 8 09:43:55 wpm3 sshd[23439]: fatal: login_get_lastlog: Cannot find account for uid 232135350
> Oct 8 09:43:55 wpm3 sshd(pam_unix)[23439]: session closed for user b321353
>
> I confirmed that ldap was working by running ldapsearch - see below
>
> HVS2_[root at wpm3 root]# ldapsearch -D "cn=proxyagent,ou=profile,ou=msg,dc=AAA,dc=telstra,dc=com" -W -h ssino04.msg.in.telstra.com.au -x -b "ou=people,ou=msg,dc=AAA,dc=telstra,dc=com" "uid=b321353"
> Enter LDAP Password:
> version: 2
>
> #
> # filter: uid=b321353
> # requesting: ALL
> #
>
> # b321353, People, msg, AAA, telstra, com
> dn: uid=b321353,ou=People,ou=msg,dc=AAA,dc=telstra,dc=com
> userPassword:: e1NTSEF9SytrejFDNDlVYXJFQmJXYW9aY0FsNFYwdnZ0WWRHcEp4REtaR1E9PQ==
> homeDirectory: /export/home/msggrp3
> givenName: Ross
> sn: Clemens
> loginShell: /bin/bash
> gidNumber: 1000
> uidNumber: 232135350
> mail: Ross.W.Clemens at team.telstra.com
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> uid: b321353
> gecos: Ross Clemens (02) 8255 2555
> cn: b321353
> employeeNumber: 23213535
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> I searched the internet to find more details re the error message: fatal:
> login_get_lastlog: Cannot find account for uid 232135350
> I came to the conclusion, from looking at openssh code that this error
> is generated if getpwuid() returns a null
>
> I wrote a simple program that prints the output from getpwuid and
> compiled it on a development host.
> I ran it on the host in question and
> it produced a valid output - i.e not null
>
> HVS2_[root at wpm3 msggrp3]# ./getuid.out 232135350
> Login Name: b321353 User ID: 232135350 Group ID: 1000
>
> Help Required
> I've exhausted all my leads although there was some talk that the length
> (9-digits) of the uid may cause this error. If you are unable to assist
> can we raise a case with Red Hat to investigate?
>
>
> Regards,
> Ross
> Tel: (02) 8255 2555
>

From mnemonic.fx at gmail.com Thu Oct 9 20:01:14 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Thu, 9 Oct 2008 16:01:14 +0700
Subject: Issues on sshd host keys
Message-ID: <45d629ef0810090201q4658ffe2t5610cc0959007ad5@mail.gmail.com>

Hello openssh-unix-dev list members,

This is related to my previous post, but I need to ask specific questions.

I'm building openssh with iPhone Toolchain
(http://wikee.iphwn.org/howto:toolchain_on_leopard_aspen) for iPhone 2.1
firmware. This is not an iPhone mailing list, but probably anyone with
deep knowledge of openssh could give a hint.

So this is what I do:

1. I patch the files using Saurik's patches from
   http://svn.telesphoreo.org/trunk/data/openssh
2. I added the appropriate CFLAGS and LDFLAGS for arm-apple-darwin.
3. I changed the path on configure.ac to point to my own build of
   libcrypto.a (using http://svn.telesphoreo.org/trunk/data/openssl,
   with the same methods).
4. I did autoconf
5. configure --prefix=/path/to/ssh --host=arm-apple-darwin
6. make
7. Since there are some things that have to be done on iPhone in the
   makefile script, I did make install on iPhone.
8. When it got to the point of:

root# /path/to/ssh/sshd -t -f /path/to/ssh/etc/sshd_config
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0140 for '(null)' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key
Could not load host key: /path/to/ssh/etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0136 for '(null)' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/ssh/etc/ssh_host_dsa_key
Could not load host key: /path/to/ssh/etc/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

I'm confused as to why it's pointing to a NULL file?

Jesse Armand
----------------------------------------
(http://jessearm.blogspot.com)

From mnemonic.fx at gmail.com Wed Oct 8 12:34:45 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Wed, 8 Oct 2008 08:34:45 +0700
Subject: Problem with sshd host key checking, for my own build with custom prefix
In-Reply-To: <45d629ef0810071830l41191d3bx3c770e0be07b9025@mail.gmail.com>
References: <45d629ef0810071830l41191d3bx3c770e0be07b9025@mail.gmail.com>
Message-ID: <45d629ef0810071834h24961b1dt6049d08ecfb08ca8@mail.gmail.com>

Additional info:

I was building openssh on Mac OS X 10.5 for arm-apple-darwin host.
But I didn't change anything in the code, I only did some adjustments on
configure.ac and Makefile.in, with appropriate LDFLAGS, and CFLAGS, and
I also used openssl-0.9.8g built for arm-apple-darwin host.
Jesse Armand
----------------------------------------
(http://jessearm.blogspot.com)

On Wed, Oct 8, 2008 at 8:30 AM, Jesse Armand wrote:
> Hello openssh developers,
>
> I was building openssh-4.7p, and it builds successfully with my own
> prefix (--prefix=/path/to/sshd).
> The problem is when I execute sshd, it warns about permissions being too open:
>
> hostname:/path root# /path/to/sshd -t -f /path/to/sshd_config
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0534 for '(null)' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> bad permissions: ignore key: /path/to/ssh_host_key
> Could not load host key: /path/to/ssh_host_key
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0536 for '(null)' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> bad permissions: ignore key: /path/to/ssh_host_rsa_key
> Could not load host key: /path/to/ssh_host_rsa_key
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> Permissions 0532 for '(null)' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> bad permissions: ignore key: /path/to/ssh_host_dsa_key
> Could not load host key: /path/to/ssh_host_dsa_key
> Disabling protocol version 1. Could not load host key
> sshd: no hostkeys available -- exiting.
>
> This is the host keys file permissions:
> -rw-------  1 root  wheel   672 Oct  7 10:11 ssh_host_dsa_key
> -rw-r--r--  1 root  wheel   609 Oct  7 10:11 ssh_host_dsa_key.pub
> -rw-------  1 root  wheel   982 Oct  7 10:11 ssh_host_key
> -rw-r--r--  1 root  wheel   646 Oct  7 10:11 ssh_host_key.pub
> -rw-------  1 root  wheel  1675 Oct  7 10:11 ssh_host_rsa_key
> -rw-r--r--  1 root  wheel   401 Oct  7 10:11 ssh_host_rsa_key.pub
>
> Does anybody know what went wrong?
>
> Other than that, why does sshd check for host keys in
> /path/to/ssh, instead of /path/to/ssh/etc, which is the given
> sysconfdir?
> So I have to manually copy everything to the parent directory.
>
>
> Jesse Armand
> ----------------------------------------
> (http://jessearm.blogspot.com)
>

From mnemonic.fx at gmail.com Fri Oct 10 00:51:51 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Thu, 9 Oct 2008 20:51:51 +0700
Subject: Issues on sshd host keys
In-Reply-To: <48EDEEE7.4060609@siemens.com>
References: <45d629ef0810090201q4658ffe2t5610cc0959007ad5@mail.gmail.com>
	<48EDEEE7.4060609@siemens.com>
Message-ID: <45d629ef0810090651u3ab58082n54d364d5859daf2f@mail.gmail.com>

Thanks Chris,

I already did that, I think the problem is with the filename parameter in:

Key *
key_load_private(const char *filename, const char *passphrase,
    char **commentp)
{
	....
}

This function returns NULL.

I'm not sure why it's pointing to a null filename, as I don't change
anything in the code.

I only add a prefix to configure, even though I did this on iPhone, do
you think this problem is related to platform differences?
Jesse Armand
----------------------------------------
(http://jessearm.blogspot.com)

On Thu, Oct 9, 2008 at 6:45 PM, Christian Pfaffel-Janser wrote:
> Jesse Armand wrote:
> Hi Jesse,
>
> Make sure that You do something like
>
> chmod 0600 /path/to/ssh/etc/ssh_host_rsa_key
> chmod 0600 /path/to/ssh/etc/ssh_host_dsa_key
>
> ( I do not have an iphone, it's just a guess)
>
> Regards,
> Christian Pfaffel-Janser
>

From christian.pfaffel-janser at siemens.com Fri Oct 10 19:03:20 2008
From: christian.pfaffel-janser at siemens.com (Christian Pfaffel-Janser)
Date: Fri, 10 Oct 2008 10:03:20 +0200
Subject: Issues on sshd host keys
In-Reply-To: <45d629ef0810090651u3ab58082n54d364d5859daf2f@mail.gmail.com>
References: <45d629ef0810090201q4658ffe2t5610cc0959007ad5@mail.gmail.com>
	<48EDEEE7.4060609@siemens.com>
	<45d629ef0810090651u3ab58082n54d364d5859daf2f@mail.gmail.com>
Message-ID: <48EF0C48.2020604@siemens.com>

Jesse Armand wrote:
> Thanks Chris,
>
> I already did that, I think the problem is with the filename parameter in:
>
> Key *
> key_load_private(const char *filename, const char *passphrase,
>     char **commentp)
> {
> 	....
> }
>
> This function returns NULL.
>
> I'm not sure why it's pointing to a null filename, as I don't change
> anything in the code.
>
> I only add a prefix to configure, even though I did this on iPhone, do
> you think this problem is related to platform differences?
>
The filename is set prior to being passed to key_load_private(), or You
would not get the following error message:

Permissions 0140 for '(null)' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key

Is it possible that You tried to compile ssh, applied the patch and then
tried to recompile ssh without doing a make distclean?

Christian
--
Firma: Siemens Aktiengesellschaft Österreich
Rechtsform: Aktiengesellschaft
Firmensitz: Wien, Firmenbuchnummer: FN 60562 m
Firmenbuchgericht: Handelsgericht Wien, DVR: 0001708

From mnemonic.fx at gmail.com Fri Oct 10 20:18:20 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Fri, 10 Oct 2008 16:18:20 +0700
Subject: Issues on sshd host keys
In-Reply-To: <48EF0C48.2020604@siemens.com>
References: <45d629ef0810090201q4658ffe2t5610cc0959007ad5@mail.gmail.com>
	<48EDEEE7.4060609@siemens.com>
	<45d629ef0810090651u3ab58082n54d364d5859daf2f@mail.gmail.com>
	<48EF0C48.2020604@siemens.com>
Message-ID: <45d629ef0810100218p6f335d84t6f42f88829cc440d@mail.gmail.com>

>
> The filename is set prior to being passed to key_load_private(), or You
> would not get the following error message:
>
> Permissions 0140 for '(null)' are too open.
> It is recommended that your private key files are NOT accessible by others.
> This private key will be ignored.
> bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key
>

What do you mean, by the "filename is set"?

I didn't set any permissions on the files, if there's something to be
set before that, it must be something that was done by the standard
Makefile.

> Is it possible that You tried to compile ssh, applied the patch and then
> tried to recompile ssh without doing a make distclean?
>

Not exactly, I applied the patch, reautoconf, configure, and make; every
time I tried to reautoconf / configure, I did make clean, though not
make distclean.

Even though, if I patch the function, by making it consider the keys
don't have bad permissions, the sshd is still not runnable.

This could be a platform difference or specific situation that only
happens on certain platforms, in this case is arm-apple-darwin, am I
right? Though I'm not sure what may cause that, in openssh code. Or a
problem with my build of openssl with libcrypto?
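The permission test behind the warning quoted in this thread, re-created here as an added example rather than OpenSSH's own source: in OpenSSH 4.7's authfile.c, key_perm_ok() refuses a private key owned by the calling user when any group/other bit (077) is set, and the warning prints st_mode masked to 0777. That is what makes the quoted values telling: a file listed as -rw------- can only ever print 0600, and '(null)' is what printf emits for a NULL filename pointer, which fits Christian's suspicion that the running binary does not see the function arguments the way the source does. The temporary key files created under /tmp are constructed fixtures.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Same decision as OpenSSH 4.7's key_perm_ok(): a private key owned by the
 * calling user must have no group/other bits set. Returns 1 if the key may
 * be loaded, 0 if it must be ignored. If 'shown' is non-NULL it receives
 * the value the warning would print (st_mode & 0777), or -1 on stat error.
 */
int key_perm_ok(const char *filename, int *shown)
{
    struct stat st;

    if (shown != NULL)
        *shown = -1;
    if (filename == NULL || stat(filename, &st) < 0)
        return 0;
    if (shown != NULL)
        *shown = (int)(st.st_mode & 0777);
    /* A key owned by someone else is not checked; that matches sshd. */
    if (st.st_uid == getuid() && (st.st_mode & 077) != 0) {
        fprintf(stderr, "Permissions 0%3.3o for '%s' are too open.\n",
                (unsigned)st.st_mode & 0777, filename);
        return 0;
    }
    return 1;
}

/*
 * Constructed fixture: create an empty "host key" under /tmp with the given
 * mode. Writes the path into 'out'; returns 0 on success, -1 on failure.
 */
int make_key_file(mode_t mode, char *out, size_t outlen)
{
    char tmpl[] = "/tmp/hostkey_XXXXXX";
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return -1;
    /* fchmod is not subject to umask, so the requested mode is applied exactly. */
    if (fchmod(fd, mode) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(out, outlen, "%s", tmpl);
    return 0;
}

int main(void)
{
    const mode_t modes[] = { 0600, 0644, 0660 };
    char path[64];
    int shown;

    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        if (make_key_file(modes[i], path, sizeof path) < 0)
            return 1;
        int ok = key_perm_ok(path, &shown);
        printf("mode %04o -> %s (warning would show 0%03o)\n",
               (unsigned)modes[i], ok ? "accepted" : "ignored", (unsigned)shown);
        unlink(path);
    }
    return 0;
}
```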
From christian.pfaffel-janser at siemens.com Tue Oct 14 00:32:14 2008
From: christian.pfaffel-janser at siemens.com (Christian Pfaffel-Janser)
Date: Mon, 13 Oct 2008 15:32:14 +0200
Subject: Issues on sshd host keys
In-Reply-To: <45d629ef0810100218p6f335d84t6f42f88829cc440d@mail.gmail.com>
References: <45d629ef0810090201q4658ffe2t5610cc0959007ad5@mail.gmail.com>
	<48EDEEE7.4060609@siemens.com>
	<45d629ef0810090651u3ab58082n54d364d5859daf2f@mail.gmail.com>
	<48EF0C48.2020604@siemens.com>
	<45d629ef0810100218p6f335d84t6f42f88829cc440d@mail.gmail.com>
Message-ID: <48F34DDE.5060500@siemens.com>

Jesse Armand wrote:
>> The filename is set prior to being passed to key_load_private(), or You
>> would not get the following error message:
>>
>> Permissions 0140 for '(null)' are too open.
>> It is recommended that your private key files are NOT accessible by others.
>> This private key will be ignored.
>> bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key
>>
>
> What do you mean, by the "filename is set"?
>
> I didn't set any permissions on the files, if there's something to be
> set before that, it must be something that was done by the standard
> Makefile.
>
What I meant was that the code calling key_load_private() is using the
value of filename to print the error message. But in key_load_private()
the value of filename is not the same, i.e. NULL. Therefore I think that
the addresses of the function's parameters are incorrect, which can
happen if You compile sources, patch them and do not recompile all files
that depend on the touched files. Something similar happened to me in
the past.

Regards,
Christian
--

From mnemonic.fx at gmail.com Mon Oct 13 21:59:07 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Mon, 13 Oct 2008 17:59:07 +0700
Subject: errors on getaddrinfo(): nodename nor servname provided, or not known
In-Reply-To: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>
References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>
Message-ID: <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com>

Corrections, it's running and listening if I invoked sshd directly.

I may need to find out the proper way of integration of sshd into launchd.

On Mon, Oct 13, 2008 at 4:28 PM, Jesse Armand wrote:
> Hello openssh developers,
>
> I had built openssh-4.7p1 on arm-apple-darwin9 platform, but
> I get this error when I load sshd using launchd:
>
> root# launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist
> errors on getaddrinfo(): nodename nor servname provided, or not known
>
> When I execute sshd directly, I don't get any warnings or error
> messages, but the sshd is not listening on the intended port, and it's
> not running.
>
> I didn't change anything significant on the code, except disabling the
> use of utmp.h and util.h.
>
> Can anyone pinpoint me on what's wrong?
>

From petesea at bigfoot.com Tue Oct 14 11:41:23 2008
From: petesea at bigfoot.com (petesea at bigfoot.com)
Date: Mon, 13 Oct 2008 17:41:23 -0700 (PDT)
Subject: GSSAPI Key Exchange on multi-homed host

From a security standpoint, if the default keytab (/etc/krb5.keytab)
contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
is set to "yes" or "no"?

My company uses an internally built OpenSSH package that includes the
GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to
use a "standard" sshd_config file that works for the majority of hosts.
Unfortunately, the current "standard" sshd_config does not set the
GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
does not work correctly on the multi-homed hosts.

I'd like to change our standard sshd_config so GSSAPIStrictAcceptorCheck
defaults to "no", but before doing so, I want to better understand the
implications.

As I understand the GSSAPIStrictAcceptorCheck flag, setting it to "no"
simply enables matches against more than the 1st principal in
/etc/krb5.keytab. So... if there's only one principal in the keytab, it
seems like it wouldn't matter if GSSAPIStrictAcceptorCheck is set to yes
or no. Is that correct?

From djm at mindrot.org Tue Oct 14 14:45:58 2008
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Oct 2008 13:45:58 +1000 (EST)
Subject: GSSAPI Key Exchange on multi-homed host

On Mon, 13 Oct 2008, petesea at bigfoot.com wrote:

> From a security standpoint, if the default keytab (/etc/krb5.keytab)
> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
> is set to "yes" or "no"?
>
> My company uses an internally built OpenSSH package that includes the
> GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use
> a "standard" sshd_config file that works for the majority of hosts.
> Unfortunately, the current "standard" sshd_config does not set the
> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
> does not work correctly on the multi-homed hosts.

OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a
patch in our bugzilla to add it, and I'd like to review and merge it
soon but it has never been in any version that we have released.

-d

From mnemonic.fx at gmail.com Mon Oct 13 20:28:57 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Mon, 13 Oct 2008 16:28:57 +0700
Subject: errors on getaddrinfo(): nodename nor servname provided, or not known
Message-ID: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>

Hello openssh developers,

I had built openssh-4.7p1 on arm-apple-darwin9 platform, but
I get this error when I load sshd using launchd:

root# launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist
errors on getaddrinfo(): nodename nor servname provided, or not known

When I execute sshd directly, I don't get any warnings or error
messages, but the sshd is not listening on the intended port, and it's
not running.

I didn't change anything significant on the code, except disabling the
use of utmp.h and util.h.

Can anyone pinpoint me on what's wrong?

Jesse Armand
----------------------------------------
(http://jessearm.blogspot.com)

From djm at mindrot.org Tue Oct 14 15:53:43 2008
From: djm at mindrot.org (Damien Miller)
Date: Tue, 14 Oct 2008 14:53:43 +1000 (EST)
Subject: errors on getaddrinfo(): nodename nor servname provided, or not known
In-Reply-To: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>
References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>

On Mon, 13 Oct 2008, Jesse Armand wrote:

> Hello openssh developers,
>
> I had built openssh-4.7p1 on arm-apple-darwin9 platform, but
> I get this error when I load sshd using launchd:
>
> root# launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist
> errors on getaddrinfo(): nodename nor servname provided, or not known
>
> When I execute sshd directly, I don't get any warnings or error
> messages, but the sshd is not listening on the intended port, and it's
> not running.
>
> I didn't change anything significant on the code, except disabling the
> use of utmp.h and util.h.
>
> Can anyone pinpoint me on what's wrong?

Can you post a normal debug output?
("sshd -ddd")

I have no idea how much munging is done between launchctl and sshd, but
"errors on getaddrinfo()" is not a sshd error message AFAIK.

-d

From petesea at bigfoot.com Wed Oct 15 03:12:49 2008
From: petesea at bigfoot.com (petesea at bigfoot.com)
Date: Tue, 14 Oct 2008 09:12:49 -0700 (PDT)
Subject: GSSAPI Key Exchange on multi-homed host

On Tue, 14 Oct 2008, Damien Miller wrote:

> On Mon, 13 Oct 2008, petesea at bigfoot.com wrote:
>
>> From a security standpoint, if the default keytab (/etc/krb5.keytab)
>> contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck
>> is set to "yes" or "no"?
>>
>> My company uses an internally built OpenSSH package that includes the
>> GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to
>> use a "standard" sshd_config file that works for the majority of hosts.
>> Unfortunately, the current "standard" sshd_config does not set the
>> GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore
>> does not work correctly on the multi-homed hosts.
>
> OpenSSH doesn't support a GSSAPIStrictAcceptorCheck at all. There is a
> patch in our bugzilla to add it, and I'd like to review and merge is
> soon but it has never been in any version that we have released.

The GSSAPIStrictAcceptorCheck keyword is included as part of Simon
Wilkinson's GSSAPI Key Exchange patch, which we use. Sorry if that
wasn't clearer in my first message.

From peter at stuge.se Wed Oct 15 20:35:53 2008
From: peter at stuge.se (Peter Stuge)
Date: Wed, 15 Oct 2008 11:35:53 +0200
Subject: errors on getaddrinfo(): nodename nor servname provided, or not known
In-Reply-To: <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com>
References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>
	<45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com>
Message-ID: <20081015093553.25361.qmail@stuge.se>

Jesse Armand wrote:
> I may need to find out the proper way of integration of sshd into
> launchd.

Is ktrace/kdump available? Try comparing manual startup with launchd
startup.


//Peter

From mnemonic.fx at gmail.com Thu Oct 16 05:31:33 2008
From: mnemonic.fx at gmail.com (Jesse Armand)
Date: Thu, 16 Oct 2008 01:31:33 +0700
Subject: errors on getaddrinfo(): nodename nor servname provided, or not known
In-Reply-To: <20081015093553.25361.qmail@stuge.se>
References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com>
	<45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com>
	<20081015093553.25361.qmail@stuge.se>
Message-ID: <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com>

Manual startup works fine.

I did add -i and -ddd and -e arguments into com.openssh.sshd.plist.
But there's no further debugging output on launchctl start com.openssh.sshd

My original purpose is just to target openssh-4.7p1 with my own path on
arm-apple-darwin9 platform, which listens on specific port (besides 22),
and it's only using SSH protocol version 2.

And no, there's no ktrace / kdump.

It seems the only way to debug is by not detaching sshd into a daemon
(-D) option.

On Wed, Oct 15, 2008 at 4:35 PM, Peter Stuge wrote:
> Jesse Armand wrote:
>> I may need to find out the proper way of integration of sshd into
>> launchd.
>
> Is ktrace/kdump available? Try comparing manual startup with launchd
> startup.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From lists at spuddy.org Fri Oct 17 06:43:30 2008
From: lists at spuddy.org (Stephen Harris)
Date: Thu, 16 Oct 2008 15:43:30 -0400
Subject: 5.1p on RHEL 3 and password expiration
Message-ID: <20081016194330.GA13132@mercury.spuddy.org>

[ Sorry for the length of this; I felt it better to provide potentially
  too much info, rather than not enough. I've probably missed something
  that's important, though! ]

I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
"UsePrivilegeSeparation no" is set.

The code detects that the user password is aged (according to shadow)
but then fails to let me change the password:

% ssh -p 2222 fred at localhost
fred at localhost's password:
You are required to change your password immediately (password aged)
Last login: Thu Oct 16 14:28:14 2008 from localhost.localdomain
Connection to localhost closed.

If I run the server in -ddd mode,

% ssh fred at localhost -p 2222
fred at localhost's password:
You are required to change your password immediately (password aged)
Last login: Thu Oct 16 14:56:04 2008 from localhost.localdomain
debug1: PAM: changing password
PAM: pam_chauthtok(): Authentication token manipulation error
debug1: do_cleanup
Connection to localhost closed.

On the server side, I see

Failed publickey for fred from 127.0.0.1 port 32786 ssh2
debug1: userauth-request for user fred service ssh-connection method password
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method password
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for fred
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.)
debug3: sshpam_password_change_required 1
Accepted password for fred from 127.0.0.1 port 32786 ssh2
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug1: Entering interactive session for SSH2.
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 256
debug3: tty_parse_modes: ospeed 38400
debug3: tty_parse_modes: ispeed 38400
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: rfd 8 isatty
debug2: fd 8 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 6942 debug1: session_exit_message: session 0 channel 0 pid 6942 debug2: channel 0: request exit-status confirm 0 debug1: session_exit_message: release channel 0 [channel closing debug messages] debug1: channel 0: free: server-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) debug3: channel 0: close_fds r -1 w -1 e -1 c -1 Connection closed by 127.0.0.1 debug1: do_cleanup debug1: PAM: cleanup debug1: PAM: deleting credentials debug1: PAM: closing session debug3: PAM: sshpam_thread_cleanup entering Transferred: sent 2240, received 2512 bytes Closing connection to 127.0.0.1 port 32786 If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password change process works... WARNING: Your password has expired. You must change your password now and login again! Changing password for user fred. Changing password for fred (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. Connection to localhost closed. (that logout and login again process is annoying) The error message received looks very similar to a problem Darren had with LinuxPAM back in 2004 about setting the conversation, but I can't find if this was ever resolved http://osdir.com/ml/pam/2004-06/msg00028.html Of course the RedHat provided OpenSSH3.6 package (with their gazillion patches) works just fine; allows the password to be changed and doesn't force a logout/login again. Any ideas? I'm trying to standardise on a single version of OpenSSH over all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking at me pretty funny when my replacement package can't perform as well as the OS provided one! (Of course it works fine on RHEL2.1, RHEL4 and Solaris, but we have a large RHEL3 footprint) sshd_config contents... 
#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/myssh/ssh/ssh_host_key
#HostKey /etc/myssh/ssh/ssh_host_rsa_key
#HostKey /etc/myssh/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
LoginGraceTime 1m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/myssh/ssh/auth_keys/%u

#RhostsRSAAuthentication no
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
#IgnoreRhosts yes

PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
# Banner /etc/issue

# override default of no subsystems
Subsystem sftp /opt/myssh/libexec/sftp-server

Server:
RedHat Enterprise Linux 3
Linux 2.4.21-47.0.1.EL
pam-0.75-72
OpenSSH_5.1p1, OpenSSL 0.9.7k 05 Sep 2006

Thanks for your time!
-- rgds Stephen From dan at nf15.lightwave.net.ru Fri Oct 17 07:29:59 2008 From: dan at nf15.lightwave.net.ru (Dan Yefimov) Date: Fri, 17 Oct 2008 00:29:59 +0400 Subject: 5.1p on RHEL 3 and password expiration In-Reply-To: <20081016194330.GA13132@mercury.spuddy.org> References: <20081016194330.GA13132@mercury.spuddy.org> Message-ID: <48F7A447.3020000@nf15.lightwave.net.ru> On 16.10.2008 23:43, Stephen Harris wrote: > [ Sorry for the length of this; I felt it better to provide potentially > too much info, rather than not enough. I've probably missed something > that's important, though! ] > > I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and > "UsePrivilegeSeparation no" is set. The code detects that the user > password is aged (according to shadow) but then fails to let me change > the password: > > % ssh -p 2222 fred at localhost > fred at localhost's password: > You are required to change your password immediately (password aged) > Last login: Thu Oct 16 14:28:14 2008 from localhost.localdomain > Connection to localhost closed. > > If I run the server in -ddd mode, > % ssh fred at localhost -p 2222 > fred at localhost's password: > You are required to change your password immediately (password aged) > Last login: Thu Oct 16 14:56:04 2008 from localhost.localdomain > debug1: PAM: changing password > PAM: pam_chauthtok(): Authentication token manipulation error > debug1: do_cleanup > Connection to localhost closed. 
> > On the server side, I see > > Failed publickey for fred from 127.0.0.1 port 32786 ssh2 > debug1: userauth-request for user fred service ssh-connection method password > debug1: attempt 3 failures 2 > debug2: input_userauth_request: try method password > debug3: PAM: sshpam_passwd_conv called with 1 messages > debug1: PAM: password authentication accepted for fred > debug1: do_pam_account: called > debug3: PAM: sshpam_passwd_conv called with 1 messages > debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.) > debug3: sshpam_password_change_required 1 > Accepted password for fred from 127.0.0.1 port 32786 ssh2 > debug1: PAM: establishing credentials > debug3: PAM: opening session > debug1: Entering interactive session for SSH2. > debug2: fd 4 setting O_NONBLOCK > debug2: fd 5 setting O_NONBLOCK > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug2: session_new: allocate (allocated 0 max 10) > debug3: session_unused: session id 0 unused > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 > debug1: server_input_channel_req: channel 0 request pty-req reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. 
> debug1: session_pty_req: session 0 alloc /dev/pts/2 > debug3: tty_parse_modes: SSH2 n_bytes 256 > debug3: tty_parse_modes: ospeed 38400 > debug3: tty_parse_modes: ispeed 38400 > debug1: server_input_channel_req: channel 0 request shell reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > debug1: Setting controlling tty using TIOCSCTTY. > debug2: fd 3 setting TCP_NODELAY > debug2: channel 0: rfd 8 isatty > debug2: fd 8 setting O_NONBLOCK > debug3: fd 6 is O_NONBLOCK > debug1: Received SIGCHLD. > debug1: session_by_pid: pid 6942 > debug1: session_exit_message: session 0 channel 0 pid 6942 > debug2: channel 0: request exit-status confirm 0 > debug1: session_exit_message: release channel 0 > > [channel closing debug messages] > > debug1: channel 0: free: server-session, nchannels 1 > debug3: channel 0: status: The following connections are open: > #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) > > debug3: channel 0: close_fds r -1 w -1 e -1 c -1 > Connection closed by 127.0.0.1 > debug1: do_cleanup > debug1: PAM: cleanup > debug1: PAM: deleting credentials > debug1: PAM: closing session > debug3: PAM: sshpam_thread_cleanup entering > Transferred: sent 2240, received 2512 bytes > Closing connection to 127.0.0.1 port 32786 > > If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password > change process works... > WARNING: Your password has expired. > You must change your password now and login again! > Changing password for user fred. > Changing password for fred > (current) UNIX password: > New UNIX password: > Retype new UNIX password: > passwd: all authentication tokens updated successfully. > Connection to localhost closed. 
> > (that logout and login again process is annoying) > > The error message received looks very similar to a problem Darren had > with LinuxPAM back in 2004 about setting the conversation, but I can't > find if this was ever resolved > http://osdir.com/ml/pam/2004-06/msg00028.html > > Of course the RedHat provided OpenSSH3.6 package (with their gazillion > patches) works just fine; allows the password to be changed and doesn't > force a logout/login again. > > Any ideas? I'm trying to standardise on a single version of OpenSSH over > all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking > at me pretty funny when my replacement package can't perform as well as > the OS provided one! (Of course it works fine on RHEL2.1, RHEL4 and > Solaris, but we have a large RHEL3 footprint) > > sshd_config contents... > > #Port 22 > #Protocol 2,1 > #AddressFamily any > #ListenAddress 0.0.0.0 > #ListenAddress :: > #HostKey /etc/myssh/ssh/ssh_host_key > #HostKey /etc/myssh/ssh/ssh_host_rsa_key > #HostKey /etc/myssh/ssh/ssh_host_dsa_key > # Lifetime and size of ephemeral version 1 server key > #KeyRegenerationInterval 1h > #ServerKeyBits 768 > # Logging > #obsoletes QuietMode and FascistLogging > #SyslogFacility AUTH > #LogLevel INFO > # Authentication: > LoginGraceTime 1m > PermitRootLogin yes > #StrictModes yes > #MaxAuthTries 6 > RSAAuthentication yes > PubkeyAuthentication yes > AuthorizedKeysFile /etc/myssh/ssh/auth_keys/%u > #RhostsRSAAuthentication no > #HostbasedAuthentication no > #IgnoreUserKnownHosts no > #IgnoreRhosts yes > PasswordAuthentication yes > PermitEmptyPasswords no > ChallengeResponseAuthentication no > #KerberosAuthentication no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > #KerberosGetAFSToken no > #GSSAPIAuthentication no > #GSSAPICleanupCredentials yes > UsePAM yes > #AllowTcpForwarding yes > #GatewayPorts no > X11Forwarding yes > #X11DisplayOffset 10 > #X11UseLocalhost yes > #PrintMotd yes > #PrintLastLog yes > #TCPKeepAlive 
yes > #UseLogin no > UsePrivilegeSeparation no > #PermitUserEnvironment no > Compression yes > #ClientAliveInterval 0 > #ClientAliveCountMax 3 > #UseDNS yes > #PidFile /var/run/sshd.pid > #MaxStartups 10 > # no default banner path > # Banner /etc/issue > # override default of no subsystems > Subsystem sftp /opt/myssh/libexec/sftp-server > > Server: > RedHat Enterprise Linux 3 > Linux 2.4.21-47.0.1.EL > pam-0.75-72 > OpenSSH_5.1p1, OpenSSL 0.9.7k 05 Sep 2006 > The only thing I can suggest to you is upgrading PAM too. The latest stable PAM version is 1.0.2. Best of all get the latest PAM source package from Fedora Core development branch, replace the main tarball with 1.0.2 one, modify patches to fit that version, and build. That approach is time consuming, but reliable. -- Sincerely Your, Dan. From chris at qwirx.com Fri Oct 17 08:54:29 2008 From: chris at qwirx.com (Chris Wilson) Date: Thu, 16 Oct 2008 22:54:29 +0100 (BST) Subject: errors on getaddrinfo(): nodename nor servname provided, or not known In-Reply-To: <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com> <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com> <20081015093553.25361.qmail@stuge.se> <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> Message-ID: On Thu, 16 Oct 2008, Jesse Armand wrote: > Manual startup works fine. > > I did add -i and -ddd and -e arguments into com.openssh.sshd.plist. > > But there's no further debugging output on launchctl start com.openssh.sshd > > My original purpose is just to target openssh-4.7p1 with my own path > on arm-apple-darwin9 platform, which listens on specific port (besides > 22), and it's only using SSH protocol version 2. > > And no, there's no ktrace / kdump. > > It seems the only way to debug is by not detaching sshd into a daemon > (-D) option. I've seen this problem on Darwin but not on MacOS X. 
If I remember correctly, launchd is listening on the port and handing over the connected socket to sshd, much like inetd. sshd tries to get the remote address of the socket, but it can't, because it's being proxied by launchd, so it generates an infinite stream of error messages in the system logs/console and spins at 100% CPU. With my limited knowledge of launchd, I was not able to make it run sshd as a real daemon which handles port listening and incoming connections itself. Perhaps copying a configuration from MacOS X might help? Cheers, Chris. -- _____ __ _ \ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK | / (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer | \ _/_/_/_//_/___/ | We are GNU : free your mind & your software | From dtucker at zip.com.au Fri Oct 17 11:35:35 2008 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 17 Oct 2008 11:35:35 +1100 Subject: 5.1p on RHEL 3 and password expiration In-Reply-To: <20081016194330.GA13132@mercury.spuddy.org> References: <20081016194330.GA13132@mercury.spuddy.org> Message-ID: <48F7DDD7.8030303@zip.com.au> Stephen Harris wrote: > [ Sorry for the length of this; I felt it better to provide potentially > too much info, rather than not enough. I've probably missed something > that's important, though! ] > > I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and > "UsePrivilegeSeparation no" is set. The code detects that the user > password is aged (according to shadow) but then fails to let me change > the password: > [...] > If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password > change process works... This works because the password change is done by invoking /usr/bin/passwd, rather than by calling pam_chauthtok (the latter won't work in this case because when UsePrivilegeSeparation=yes, we have long since given up root privs). [...] 
> The error message received looks very similar to a problem Darren had > with LinuxPAM back in 2004 about setting the conversation, but I can't > find if this was ever resolved > http://osdir.com/ml/pam/2004-06/msg00028.html I think this was fixed in later versions of LinuxPAM but I also suspect the fix was never backported. You can check with the testcase I posted back then (which passes on my fedora 8 box): http://www.zip.com.au/~dtucker/openssh/wrong-conv-function.c > Of course the RedHat provided OpenSSH3.6 package (with their gazillion > patches) works just fine; allows the password to be changed and doesn't > force a logout/login again. > > Any ideas? You could disable PasswordAuthentication and require Protocol 2 with keyboard-interactive authentication, which will probably work since it does both authentication and password change through the same conversation function). > I'm trying to standardise on a single version of OpenSSH over > all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking > at me pretty funny when my replacement package can't perform as well as > the OS provided one! (Of course it works fine on RHEL2.1, RHEL4 and > Solaris, but we have a large RHEL3 footprint) It would be possible to hack around in sshd, however I don't think it's worth the effort since it's demonstrably a (since fixed) LinuxPAM bug. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. 
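The sshd_config combination Darren describes above is easy to spot mechanically before a user hits it. What follows is an added example, not code from this thread or from OpenSSH: a small Python parser for the global section of an sshd_config, plus an audit that reports the UsePAM / UsePrivilegeSeparation no / PasswordAuthentication combination from Stephen's report and the keyboard-interactive workaround Darren suggests. The sample configs are constructed from the directives quoted in this thread, and the values assumed for directives the file does not set are the sshd_config(5) defaults of portable OpenSSH 5.1 (UsePAM no, UsePrivilegeSeparation yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes); the finding codes are my own naming.

```python
"""Audit the global section of an sshd_config for the expired-password
handling combination discussed in this thread (added example, not OpenSSH code)."""

# Assumed defaults for directives the file does not set: the sshd_config(5)
# defaults for portable OpenSSH 5.1.
DEFAULTS = {
    "usepam": "no",
    "useprivilegeseparation": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Finding codes (my own names) and what each one means.
FINDINGS = {
    "privsep-off": "UsePrivilegeSeparation no: the post-authentication sshd "
                   "keeps root privileges; the default (yes) is the safer setting.",
    "pam-chauthtok-in-process": "UsePAM yes + UsePrivilegeSeparation no + "
                   "PasswordAuthentication yes: an expired password is changed "
                   "in-process via pam_chauthtok, which failed against RHEL3's "
                   "LinuxPAM in this thread.",
    "use-keyboard-interactive": "Workaround: PasswordAuthentication no and "
                   "ChallengeResponseAuthentication yes, so keyboard-interactive "
                   "runs authentication and the password change through one "
                   "PAM conversation.",
}


def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section.

    Keywords are case-insensitive and the first occurrence wins (as in sshd);
    comments and blank lines are skipped; 'Keyword value' and 'Keyword=value'
    spellings are both accepted; parsing stops at the first Match block,
    whose directives apply only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        if "=" in key:                     # Keyword=value
            key, _, rest = key.partition("=")
            value = (rest + " " + value).strip()
        elif value.startswith("="):        # Keyword = value
            value = value[1:].strip()
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def effective(settings, key):
    # Value in force for a directive, falling back to the assumed default.
    return settings.get(key, DEFAULTS[key]).lower()


def audit(settings):
    """Return the finding codes that apply to a parsed config, in order."""
    usepam = effective(settings, "usepam") == "yes"
    privsep = effective(settings, "useprivilegeseparation") == "yes"
    passwd_auth = effective(settings, "passwordauthentication") == "yes"
    chal_resp = effective(settings, "challengeresponseauthentication") == "yes"

    codes = []
    if not privsep:
        codes.append("privsep-off")
    if usepam and not privsep and passwd_auth:
        codes.append("pam-chauthtok-in-process")
        if not chal_resp:
            codes.append("use-keyboard-interactive")
    return codes


def audit_text(text):
    return audit(parse_sshd_config(text))


# Constructed sample: the relevant non-comment directives from Stephen's file.
STEPHEN_CONFIG = """\
# Authentication:
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
UsePrivilegeSeparation no
Subsystem sftp /opt/myssh/libexec/sftp-server
"""

# Constructed sample: the same file after the keyboard-interactive workaround.
WORKAROUND_CONFIG = STEPHEN_CONFIG.replace(
    "PasswordAuthentication yes", "PasswordAuthentication no").replace(
    "ChallengeResponseAuthentication no", "ChallengeResponseAuthentication yes")

if __name__ == "__main__":
    for name, cfg in (("original", STEPHEN_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(name)
        for code in audit_text(cfg):
            print("  " + code + ": " + FINDINGS[code])
```

Run it against a real file with `audit_text(open("/etc/ssh/sshd_config").read())`; the original sample yields all three codes, the workaround only "privsep-off", which is the remaining point to fix since the thread shows the change also works with privilege separation left at its default.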
From jmknoble at pobox.com Fri Oct 17 10:49:27 2008 From: jmknoble at pobox.com (Jim Knoble) Date: Thu, 16 Oct 2008 19:49:27 -0400 Subject: errors on getaddrinfo(): nodename nor servname provided, or not known In-Reply-To: <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com> <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com> <20081015093553.25361.qmail@stuge.se> <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> Message-ID: <20081016234927.GE175@crawfish.ais.com> Circa 2008-10-15 14:31 dixit Jesse Armand: [About running sshd via Apple's launchd] : Manual startup works fine. : : I did add -i and -ddd and -e arguments into com.openssh.sshd.plist. : : But there's no further debugging output on launchctl start com.openssh.sshd : : My original purpose is just to target openssh-4.7p1 with my own path : on arm-apple-darwin9 platform, which listens on specific port (besides : 22), and it's only using SSH protocol version 2. : : And no, there's no ktrace / kdump. : : It seems the only way to debug is by not detaching sshd into a daemon : (-D) option. According to Apple, you *must* tell sshd not to detach. From : Jobs run from launchd should not duplicate launchd functionality; for instance, they should not use chroot(2). Furthermore, they should not do the things normally required of daemon processes, such as detaching from the terminal they are initially attached to. The only things that are strictly prohibited, however, are fork()/exit() combinations (including indirect methods, such as the daemon(3) library call). A server which attempts to run itself as a daemon in this way will seem to have finished running, potentially leading to launchd respawning it, or disabling the service. launchd also seems to have a flag which turns on its own debugging, confusingly called '-D'. From : OPTIONS -D Debug. 
Prints syslog messages to stderr and adjusts logging via syslog(3) to LOG_DEBUG. That may prove helpful. -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ ) (GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA) +----------------------------------------------------------------------+ |[L]iberty, as we all know, cannot flourish in a country that is perma-| | nently on a war footing, or even a near-war footing. --Aldous Huxley| +----------------------------------------------------------------------+ From peter at stuge.se Fri Oct 17 12:31:29 2008 From: peter at stuge.se (Peter Stuge) Date: Fri, 17 Oct 2008 03:31:29 +0200 Subject: errors on getaddrinfo(): nodename nor servname provided, or not known In-Reply-To: <20081016234927.GE175@crawfish.ais.com> <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> References: <20081016234927.GE175@crawfish.ais.com> <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com> <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com> <20081015093553.25361.qmail@stuge.se> <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com> <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com> <20081015093553.25361.qmail@stuge.se> <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> Message-ID: <20081017013129.28044.qmail@stuge.se> Jesse Armand wrote: > It seems the only way to debug is by not detaching sshd into a > daemon (-D) option. What does your plist look like? Chris Wilson wrote: > If I remember correctly, launchd is listening on the port and > handing over the connected socket to sshd, much like inetd. It can, if it's told to do so. But that will not work for sshd. Jim Knoble wrote: > According to Apple, you *must* tell sshd not to detach. Right, just like with supervise. No big deal, use -D. > From : Helpful page! 
Jesse, note that there must be no Sockets key in your plist. Maybe this is
all you need:

Label             com.openssh.sshd
ProgramArguments  /usr/local/sbin/sshd -D
RunAtLoad

//Peter

From medsalim.bouhlel at enis.rnu.tn Fri Oct 17 19:50:40 2008
From: medsalim.bouhlel at enis.rnu.tn (MedSalim BOUHLEL)
Date: Fri, 17 Oct 2008 10:50:40 +0200
Subject: Extended Deadline Submission (SETIT'09)
Message-ID: <20081017.397380,451855277777778@enis.rnu.tn>

Dear Colleagues

Apologies for any cross-postings

At the request of a number of potential contributors, we have decided to
extend the deadline for receipt of papers to be presented to The 5th
International Conference: Sciences of Electronics, Technologies of
Information and Telecommunications SETIT 2009. This deadline is extended to
November 1st, 2008.

This conference will be held in Tunisia, 22-26 March 2009. It is supported
by IEEE.

Papers are solicited in the following areas:

Information Processing
Signal Processing
Image and Video
Multimedia
Telecommunications and Networks
Electronic

Your proposals are welcome (they can be made either in English or in
French). The paper submission is on-line at:
http://www.setit.rnu.tn/?pg=submission

We look forward to seeing you at SETIT 2009.

NB: In order to receive information about activities and events of this
conference (4 to 6 times per year), please provide your contact information
to our mailing list
http://www.setit.rnu.tn/?pg=nletter&mail=openssh-unix-dev at mindrot.org
All contact information you provide will be used strictly for SETIT 09
related events only and will not be disclosed in any other way. You can
unsubscribe yourself from our mailing list at any time by sending an email
to unsubscribe.setit at gmail.com with subject Unsubscribe

==================================================================
This email is sent out to all those on the SETIT 2009 database.
If you want to be removed from this database, please send an email to unsubscribe.setit at gmail.com ================================================================== Mohamed Salim BOUHLEL General Co-Chair, SETIT 2009 Director of Sfax High Institute of Electronics and Communication Head of Research Unit:Sciences & Technologies of Image and Telecommunications ( Sfax University ) GSM +216 20 200005 Skype Name : UR-SETIT From mnemonic.fx at gmail.com Fri Oct 17 21:27:41 2008 From: mnemonic.fx at gmail.com (Jesse Armand) Date: Fri, 17 Oct 2008 17:27:41 +0700 Subject: errors on getaddrinfo(): nodename nor servname provided, or not known In-Reply-To: <20081017013129.28044.qmail@stuge.se> References: <45d629ef0810130228kd811c85h9bcb06d0117a89c8@mail.gmail.com> <45d629ef0810130359y6efcf863r879f7036b14976df@mail.gmail.com> <20081015093553.25361.qmail@stuge.se> <20081016234927.GE175@crawfish.ais.com> <45d629ef0810151131i2650d532w8a39817a9ffdceb8@mail.gmail.com> <20081017013129.28044.qmail@stuge.se> Message-ID: <45d629ef0810170327y6a490c8dibca52867377a5ead@mail.gmail.com> Thanks a lot for the info, and guidance on the right direction. On Fri, Oct 17, 2008 at 8:31 AM, Peter Stuge wrote: > > What does your plist look like? 
> >

This is my plist. This plist is working on iPhone OS 2.1 with openssh from
telesphoreo.org packages. I have my own usage of ssh, and I can't disclose
it, but basically I use the similar configuration, building, and installing:

Label                com.openssh.sshd
Program              /path/to/ssh/libexec/sshd-keygen-wrapper
ProgramArguments     /path/to/ssh/sbin/sshd -i -e -ddd
SessionCreate
Sockets
  Listeners
    Bonjour          ssh
    SockServiceName  ssh
StandardErrorPath    /dev/null
inetdCompatibility
  Wait

Note: /path/to/ssh is my prefix for ssh installation

From santanu at india.tejasnetworks.com Sat Oct 18 02:07:33 2008
From: santanu at india.tejasnetworks.com (Santanu Sen)
Date: Fri, 17 Oct 2008 20:37:33 +0530
Subject: Specifying SSHD PAM service name in the configuration file
Message-ID: <1224256053.7234.10.camel@sephia>

The attached patch enables specifying the PAM service name in the
sshd_config file. It requires an entry similar to the following to be added
to the configuration file:

PAMServiceName MyFavoriteServiceName

If this option is not specified, the default scheme of picking up the
service name from the application name will be in effect.

Thanks,
Santanu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh_pam_service_name.diff Type: text/x-patch Size: 4019 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20081017/416424a7/attachment.bin From lists at spuddy.org Sat Oct 18 06:21:41 2008 From: lists at spuddy.org (Stephen Harris) Date: Fri, 17 Oct 2008 15:21:41 -0400 Subject: 5.1p on RHEL 3 and password expiration In-Reply-To: <48F7DDD7.8030303@zip.com.au> References: <20081016194330.GA13132@mercury.spuddy.org> <48F7DDD7.8030303@zip.com.au> Message-ID: <20081017192141.GA25164@mercury.spuddy.org> On Fri, Oct 17, 2008 at 11:35:35AM +1100, Darren Tucker wrote: > You could disable PasswordAuthentication and require Protocol 2 with > keyboard-interactive authentication, which will probably work since it > does both authentication and password change through the same > conversation function). That seemed to work just fine; < PasswordAuthentication yes --- > PasswordAuthentication no 62c62 < ChallengeResponseAuthentication no --- > ChallengeResponseAuthentication yes And now... $ ssh fred at localhost Password: You are required to change your password immediately (password aged) Changing password for fred (current) UNIX password: New UNIX password: Retype new UNIX password: Last login: Fri Oct 17 15:15:18 2008 from localhost.localdomain > It would be possible to hack around in sshd, however I don't think it's > worth the effort since it's demonstrably a (since fixed) LinuxPAM bug. And the ChallengeResponseAuthentication acts as a sufficient workaround for the older systems. Thank you very much! -- rgds Stephen From Dominik.Epple at gmx.de Sat Oct 18 01:33:34 2008 From: Dominik.Epple at gmx.de (Dominik Epple) Date: Fri, 17 Oct 2008 16:33:34 +0200 Subject: Hostbased login based on SSHFP DNS records? Message-ID: <20081017143334.250280@gmx.net> Hi, is it possible to use SSHFP DNS records to enable password-free host-based login? What I already got working is to use SSHFP DNS records to verify the server host keys. 
debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

But hostbased login does not work and I still need to supply a password to
log in. (Or to configure a known_hosts file on the server where my host key
can be checked. But it is exactly this file that I want to get rid of,
because keeping this file up to date on a large cluster is a pain.)

Or is this impossible by design because only fingerprints are stored in
SSHFP records, and not the public keys themselves?

Regards,
Dominik
--
GMX Free games: Just play online and have fun with Pastry Passion!
http://games.entertainment.gmx.net/de/entertainment/games/free/puzzle/6169196

From djm at mindrot.org Sat Oct 18 14:18:09 2008
From: djm at mindrot.org (Damien Miller)
Date: Sat, 18 Oct 2008 13:18:09 +1000 (EST)
Subject: Hostbased login based on SSHFP DNS records?
In-Reply-To: <20081017143334.250280@gmx.net>
References: <20081017143334.250280@gmx.net>
Message-ID:

On Fri, 17 Oct 2008, Dominik Epple wrote:

> Hi,
>
> is it possible to use SSHFP DNS records to enable password-free
> host-based login?

No - SSHFP is currently only used to publicise the server's key to the
client and can't be used to identify the client to the server.

It might be possible to adapt it for use by hostbased authentication, but
I don't think there is much sense in extending it until DNSSEC is deployed
more extensively.

-d

From tpikonen at gmail.com Fri Oct 24 01:08:44 2008
From: tpikonen at gmail.com (Teemu Ikonen)
Date: Thu, 23 Oct 2008 16:08:44 +0200
Subject: ChrootDirectory on a per key basis
Message-ID: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com>

Hello,

I'm trying to set up an sftp (sshfs) service accessible to users with a
normal account on a server, but which would be restricted to a subset of
the directory hierarchy normally accessible to the users in question, in
practice a single directory.
The idea would be to allow file access to this directory with a passwordless public key, but keep rest of the users file accessible only with another, supposedly more secure key. I found a way to do this by running a separate sshd on a different port with 'ChrootDirectory /some-dir' and 'ForceCommand internal-sftp' configuration variables, but running two sshds is rather inelegent. Is there a way to force this kind of configuration to only some keys? If not, could the Match keyword be extended to match only certain keys, or even better, could a 'chrootdir' option be added to the Authorized keys format? Teemu From peter at stuge.se Fri Oct 24 13:36:19 2008 From: peter at stuge.se (Peter Stuge) Date: Fri, 24 Oct 2008 04:36:19 +0200 Subject: ChrootDirectory on a per key basis In-Reply-To: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> Message-ID: <20081024023619.22882.qmail@stuge.se> Teemu Ikonen wrote: > Is there a way to force this kind of configuration to only some > keys? No. > If not, could the Match keyword be extended to match only certain > keys, Yes. > or even better, could a 'chrootdir' option be added to the > Authorized keys format? Yes. I think this will be the easiest to implement. Give it a shot. Infrastructure is in place also for passing a value from options in authorized_keys. //Peter From gaowenk at 163.com Fri Oct 24 16:06:38 2008 From: gaowenk at 163.com (kk) Date: Fri, 24 Oct 2008 13:06:38 +0800 (CST) Subject: two pieces of ethernet card,ssh very slowly. 
In-Reply-To: <20081024023619.22882.qmail@stuge.se>
References: <20081024023619.22882.qmail@stuge.se> <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com>
Message-ID: <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com>

fedora8/server
eth0:
  ip: 192.168.1.2
  netmask: 255.255.255.0
  gateway: 192.168.1.1

eth1:
  ip: 192.168.2.2
  netmask: 255.255.255.0
  gateway: 192.168.2.1

fedora8/pc
eth0:
  ip: 192.168.1.9
  netmask: 255.255.255.0
  gateway: 192.168.1.9

I log in to the server, then run "ssh 192.168.1.9", which is very slow. Why?

If I change eth1 to "192.168.1.x, gateway 192.168.1.1", it works very well.

I also find that when I execute "route", the last line
("default 192.168.2.1 0.0.0.0 UG 0 0 0 eth1") appears after 17 seconds;
very slow too.

From peter at stuge.se Fri Oct 24 19:38:55 2008
From: peter at stuge.se (Peter Stuge)
Date: Fri, 24 Oct 2008 10:38:55 +0200
Subject: two pieces of ethernet card,ssh very slowly.
In-Reply-To: <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com>
References: <20081024023619.22882.qmail@stuge.se> <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com>
Message-ID: <20081024083855.6419.qmail@stuge.se>

kk wrote:
> I log in to the server, then run "ssh 192.168.1.9", which is very slow. Why?
>
> I also find that when I execute "route",
> the last line (
> "default 192.168.2.1 0.0.0.0 UG 0 0 0 eth1"
> ) appears after 17 seconds; very slow too.

Your system is probably trying to look up host names in DNS.
Investigate the UseDNS setting in sshd_config on the server to
control this in sshd.

For route, try route -n

Also it does not make sense to have default router set to the local
IP address. If a system should not have a default route, it is best
to not set one.
//Peter From djm at mindrot.org Fri Oct 24 20:52:07 2008 From: djm at mindrot.org (Damien Miller) Date: Fri, 24 Oct 2008 19:52:07 +1000 (EST) Subject: ChrootDirectory on a per key basis In-Reply-To: <20081024023619.22882.qmail@stuge.se> References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se> Message-ID: On Fri, 24 Oct 2008, Peter Stuge wrote: > Teemu Ikonen wrote: > > > or even better, could a 'chrootdir' option be added to the > > Authorized keys format? > > Yes. I think this will be the easiest to implement. Give it a shot. > Infrastructure is in place also for passing a value from options in > authorized_keys. No, letting users chroot to arbitrary directories introduces serious security problems. Think about hard-linking /bin/su into a chroot on the same filesystem where an attacker has filled in a friendly /etc/passwd. -d From djm at mindrot.org Fri Oct 24 20:53:13 2008 From: djm at mindrot.org (Damien Miller) Date: Fri, 24 Oct 2008 19:53:13 +1000 (EST) Subject: two pieces of ethernet card,ssh very slowly. In-Reply-To: <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com> References: <20081024023619.22882.qmail@stuge.se> <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com> Message-ID: On Fri, 24 Oct 2008, kk wrote: > fedora8/server > eth0: > ip: 192.168.1.2 > netmask:255.255.255.0 > gateway:192.168.1.1 > > eth1: > ip: 192.168.2.2 > netmask:255.255.255.0 > gateway:192.168.2.1 > > fedroa8/pc > eth0: > ip: 192.168.1.9 > netmask:255.255.255.0 > gateway:192.168.1.9 > > I login the server,then "ssh 192.168.1.9",is very slowly.why? > > If i change eth1 to "192.168.1.x,gateway 192.168.1.1",will be very good. > > > I also find execute "route", > the last line("default 192.168.2.1 0.0.0.0 UG 0 0 0 eth1" ) appears after 17 seconds;very slowly too. You might have a broken network, or broken DNS. 
Either way, if the layers under ssh aren't working right then ssh isn't
going to work right either.

-d

From gaowenk at 163.com Fri Oct 24 22:10:15 2008
From: gaowenk at 163.com (kk)
Date: Fri, 24 Oct 2008 19:10:15 +0800 (CST)
Subject: two pieces of ethernet card,ssh very slowly.
In-Reply-To: <20081024083855.6419.qmail@stuge.se>
References: <20081024083855.6419.qmail@stuge.se> <20081024023619.22882.qmail@stuge.se> <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com>
Message-ID: <24413431.884651224846615103.JavaMail.coremail@bj163app29.163.com>

I have set UseDNS to no.

Before setting UseDNS to no, my PC connecting to the server was slow too.

Another server is configured the same as this server, and both are IBM x3250. But that one runs very well.

I can log in to this server with ssh, but if I log in to any other sshd from this server, including the server itself, it is very slow, or "Connection closed by UNKNOWN".

Is something wrong with "ssh"?

On 2008-10-24, "Peter Stuge" wrote:
>kk wrote:
>> I log in to the server, then "ssh 192.168.1.9" is very slow. Why?
>>
>> I also find that when I execute "route",
>> the last line (
>> "default 192.168.2.1 0.0.0.0 UG 0 0 0 eth1"
>> ) appears after 17 seconds; very slow too.
>
>Your system is probably trying to look up host names in DNS.
>Investigate the UseDNS setting in sshd_config on the server to
>control this in sshd.
>
>For route, try route -n
>
>Also it does not make sense to have default router set to the local
>IP address. If a system should not have a default route, it is best
>to not set one.
>
>
>//Peter

From Jefferson.Ogata at noaa.gov Sat Oct 25 02:20:33 2008
From: Jefferson.Ogata at noaa.gov (Jefferson Ogata)
Date: Fri, 24 Oct 2008 15:20:33 +0000
Subject: ChrootDirectory on a per key basis
In-Reply-To: <20081024023619.22882.qmail@stuge.se>
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se>
Message-ID: <4901E7C1.6070408@noaa.gov>

On 2008-10-24 02:36, Peter Stuge wrote:
> Teemu Ikonen wrote:
>> or even better, could a 'chrootdir' option be added to the
>> Authorized keys format?
>
> Yes. I think this will be the easiest to implement. Give it a shot.
> Infrastructure is in place also for passing a value from options in
> authorized_keys.

Uh, wouldn't that be a Very Bad Idea? Adding Match support is one
thing. Letting users specify their own chroot location is something
else entirely.

-- 
Jefferson Ogata
NOAA Computer Incident Response Team (N-CIRT)
"Never try to retrieve anything from a bear."--National Park Service

From chris at qwirx.com Sat Oct 25 08:18:55 2008
From: chris at qwirx.com (Chris Wilson)
Date: Fri, 24 Oct 2008 22:18:55 +0100 (BST)
Subject: ChrootDirectory on a per key basis
In-Reply-To:
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se>
Message-ID:

Hi Damien,

On Fri, 24 Oct 2008, Damien Miller wrote:

> On Fri, 24 Oct 2008, Peter Stuge wrote:
> > Teemu Ikonen wrote:
> >
> > > or even better, could a 'chrootdir' option be added to the
> > > Authorized keys format?
> >
> > Yes. I think this will be the easiest to implement. Give it a shot.
> > Infrastructure is in place also for passing a value from options in
> > authorized_keys.
>
> No, letting users chroot to arbitrary directories introduces
> serious security problems. Think about hard-linking /bin/su into
> a chroot on the same filesystem where an attacker has filled in
> a friendly /etc/passwd.
I thought that the suid bit was a property of the directory entry, not the
inode? On what platforms is the suid bit a property of the inode, which
would make this exploit possible?

Cheers, Chris.
-- 
_____ __ _ \ __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \           | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\ _/_/_/_//_/___/           | Stop nuclear war http://www.nuclearrisk.org |

From Jefferson.Ogata at noaa.gov Sat Oct 25 08:55:14 2008
From: Jefferson.Ogata at noaa.gov (Jefferson Ogata)
Date: Fri, 24 Oct 2008 21:55:14 +0000
Subject: ChrootDirectory on a per key basis
In-Reply-To:
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se>
Message-ID: <49024442.1060408@noaa.gov>

On 2008-10-24 21:18, Chris Wilson wrote:
> On Fri, 24 Oct 2008, Damien Miller wrote:
>> No, letting users chroot to arbitrary directories introduces
>> serious security problems. Think about hard-linking /bin/su into
>> a chroot on the same filesystem where an attacker has filled in
>> a friendly /etc/passwd.
>
> I thought that the suid bit was a property of the directory entry, not the
> inode? On what platforms is the suid bit a property of the inode, which
> would make this exploit possible?

All of them. The only properties in a directory entry are a name, entry
type (regular file, directory, block device, etc.), and an inode number.
-- 
Jefferson Ogata
NOAA Computer Incident Response Team (N-CIRT)
"Never try to retrieve anything from a bear."--National Park Service

From scott_n at xypro.com Sat Oct 25 09:07:46 2008
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 24 Oct 2008 15:07:46 -0700
Subject: ChrootDirectory on a per key basis
In-Reply-To: <49024442.1060408@noaa.gov>
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se> <49024442.1060408@noaa.gov>
Message-ID: <78DD71C304F38B41885A242996B96F73019F45F0@xyservd.XYPRO-23.LOCAL>

> The only properties in a directory entry are a name, entry type
> (regular
> file, directory, block device, etc.), and an inode number.
>

No, the only properties in a directory entry are the name and inode
number.

The rest of the information comes from the inode (that's what stat(2) is
for).

From Jefferson.Ogata at noaa.gov Sat Oct 25 09:21:28 2008
From: Jefferson.Ogata at noaa.gov (Jefferson Ogata)
Date: Fri, 24 Oct 2008 22:21:28 +0000
Subject: ChrootDirectory on a per key basis
In-Reply-To: <78DD71C304F38B41885A242996B96F73019F45F0@xyservd.XYPRO-23.LOCAL>
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se> <49024442.1060408@noaa.gov> <78DD71C304F38B41885A242996B96F73019F45F0@xyservd.XYPRO-23.LOCAL>
Message-ID: <49024A68.9080306@noaa.gov>

On 2008-10-24 22:07, Scott Neugroschl wrote:
> Jefferson Ogata wrote [attribution restored]:
>> The only properties in a directory entry are a name, entry type
>> (regular
>> file, directory, block device, etc.), and an inode number.
>
> No, the only properties in a directory entry are the name and inode
> number.
>
> The rest of the information comes from the inode (that's what stat(2) is
> for).

Of course the type comes originally from the inode. But on some systems
there is a copy of it in struct dirent (see on Linux). The on-disk
format depends on the filesystem.
-- 
Jefferson Ogata
NOAA Computer Incident Response Team (N-CIRT)
"Never try to retrieve anything from a bear."--National Park Service

From peter at stuge.se Sat Oct 25 12:41:41 2008
From: peter at stuge.se (Peter Stuge)
Date: Sat, 25 Oct 2008 03:41:41 +0200
Subject: ChrootDirectory on a per key basis
In-Reply-To:
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se>
Message-ID: <20081025014141.14237.qmail@stuge.se>

Damien Miller wrote:
> > > or even better, could a 'chrootdir' option be added to the
> > > Authorized keys format?
> >
> > Yes. I think this will be the easiest to implement. Give it a shot.
> > Infrastructure is in place also for passing a value from options in
> > authorized_keys.
>
> No, letting users chroot to arbitrary directories introduces
> serious security problems.

Thanks - this is an important point! I was thinking about (and hope the
OP did too) a case where authorized_keys is not user writable, but
always controlled by the administrator.

//Peter

From gert at greenie.muc.de Sat Oct 25 23:52:50 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 25 Oct 2008 14:52:50 +0200
Subject: ChrootDirectory on a per key basis
In-Reply-To:
References: <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20081024023619.22882.qmail@stuge.se>
Message-ID: <20081025125250.GI8535@greenie.muc.de>

Hi,

On Fri, Oct 24, 2008 at 10:18:55PM +0100, Chris Wilson wrote:
> I thought that the suid bit was a property of the directory entry, not the
> inode?

No.

> On what platforms is the suid bit a property of the inode, which
> would make this exploit possible?

On all platforms with "unix file system semantics" (read: inodes), the
directory entry only contains "name->inode", and all details, including
all permission bits, are stored in the inode.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gaowenk at 163.com Sun Oct 26 21:30:54 2008
From: gaowenk at 163.com (kk)
Date: Sun, 26 Oct 2008 18:30:54 +0800 (CST)
Subject: two pieces of ethernet card,ssh very slowly.
In-Reply-To: <24413431.884651224846615103.JavaMail.coremail@bj163app29.163.com>
References: <24413431.884651224846615103.JavaMail.coremail@bj163app29.163.com> <20081024083855.6419.qmail@stuge.se> <20081024023619.22882.qmail@stuge.se> <97fdf2d70810230708h68179c27w104bb31883511fc1@mail.gmail.com> <20774880.692061224824798584.JavaMail.coremail@bj163app29.163.com>
Message-ID: <18075475.214451225017054722.JavaMail.coremail@bj163app119.163.com>

first:

[root at Fedora8 etc]# cat hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 Fedora8 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

second: empty /etc/resolv.conf, then it is OK. But if I empty resolv.conf, I can't ping www.google.com or browse any website.

How can I ssh to this server from this server, and ping www.google.com and other sites?

On 2008-10-24, kk wrote:
>I have set UseDNS to no.
>
>Before setting UseDNS to no, my PC connecting to the server was slow too.
>
>Another server is configured the same as this server, and both are IBM x3250. But that one runs very well.
>
>I can log in to this server with ssh, but if I log in to any other sshd from this server, including the server itself, it is very slow, or "Connection closed by UNKNOWN".
>
>Is something wrong with "ssh"?
>
>On 2008-10-24, "Peter Stuge"

From tpikonen at gmail.com Mon Oct 27 03:06:45 2008
From: tpikonen at gmail.com (Teemu Ikonen)
Date: Sun, 26 Oct 2008 17:06:45 +0100
Subject: ChrootDirectory on a per key basis
Message-ID: <49049595.9060404@gmail.com>

Damien Miller wrote:
> No, letting users chroot to arbitrary directories introduces
> serious security problems.
> Think about hard-linking /bin/su into
> a chroot on the same filesystem where an attacker has filled in
> a friendly /etc/passwd.

OK, so adding chrootdir option to authorized keys is a bad idea.

Another way to achieve my objective, which is additional sftp file
access restrictions to connections authorized with certain keys, would
be to modify sftp-server to accept a directory parameter. The
authorized_keys could then have 'command="sftp-server -d /home/user/stuff"'
option to restrict access to /home/user/stuff.

Could this be made secure so that if an attacker has a copy of the
(passwordless) private key, he would not be able to access files outside
the given directory?

Teemu

From Dominik.Epple at gmx.de Mon Oct 27 23:07:51 2008
From: Dominik.Epple at gmx.de (Dominik Epple)
Date: Mon, 27 Oct 2008 13:07:51 +0100
Subject: Hostbased authentication without known_hosts file?
Message-ID: <20081027120751.108640@gmx.net>

Hi,

is there any way to use hostbased authentication without the need to
have the SSH host keys stored in a known_hosts file?

We run a large cluster where we need to have passwordless remote login
available. We currently do that with hostbased SSH authentication. But
it is error-prone and a lot of work to keep the known_hosts file up to
date on all hosts. (This is the same situation as DNS vs /etc/hosts
and LDAP vs /etc/passwd, and so on.)

We know of the possibility to store SSH fingerprints in SSHFP records
in DNS. But this currently does not allow hostbased authentication,
it only allows the client to verify the server's host key.

Is there any other possibility?

Thanks in advance,
Dominik

-- 
Psssst! Heard about the new GMX MultiMessenger yet? It can do it all: http://www.gmx.net/de/go/multimessenger

From djm at mindrot.org Mon Oct 27 23:43:42 2008
From: djm at mindrot.org (Damien Miller)
Date: Mon, 27 Oct 2008 23:43:42 +1100 (EST)
Subject: Hostbased authentication without known_hosts file?
In-Reply-To: <20081027120751.108640@gmx.net>
References: <20081027120751.108640@gmx.net>
Message-ID:

On Mon, 27 Oct 2008, Dominik Epple wrote:

> Hi,
>
> is there any way to use hostbased authentication without the need to
> have the SSH host keys stored in a known_hosts file?
>
> We run a large cluster where we need to have passwordless remote login
> available. We currently do that with hostbased SSH authentication. But
> it is error-prone and a lot of work to keep the known_hosts file up to
> date on all hosts. (This is the same situation as DNS vs /etc/hosts
> and LDAP vs /etc/passwd, and so on.)
>
> We know of the possibility to store SSH fingerprints in SSHFP records
> in DNS. But this currently does not allow hostbased authentication,
> it only allows the client to verify the server's host key.
>
> Is there any other possibility?

Kerberos or push out hostkey lists with rdist.

-d

From Dominik.Epple at gmx.de Tue Oct 28 00:33:35 2008
From: Dominik.Epple at gmx.de (Dominik Epple)
Date: Mon, 27 Oct 2008 14:33:35 +0100
Subject: Hostbased authentication without known_hosts file?
In-Reply-To:
References: <20081027120751.108640@gmx.net>
Message-ID: <20081027133335.108610@gmx.net>

Hi,

On Mon, 27 Oct 2008, Damien Miller wrote:
> Kerberos

This requires the users to obtain a ticket, I guess? Or is there a
way to do password-less, ticket-less hostbased authentication which
just uses kerberos host keys instead of ssh host keys to validate
the remote host?

> or push out hostkey lists with rdist.

Our cluster is too large for this. This does not work well and we
want to get rid of it.

>
> -d

Thanks for your reply.

Regards,
Dominik

-- 
"Feel free" - 5 GB mailbox, 50 free SMS/month ... Try GMX ProMail now: http://www.gmx.net/de/go/promail

From deengert at anl.gov Tue Oct 28 03:11:26 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 27 Oct 2008 11:11:26 -0500
Subject: Hostbased authentication without known_hosts file?
In-Reply-To: <20081027133335.108610@gmx.net>
References: <20081027120751.108640@gmx.net> <20081027133335.108610@gmx.net>
Message-ID: <4905E82E.1030109@anl.gov>

Dominik Epple wrote:
> Hi,
>
> On Mon, 27 Oct 2008, Damien Miller wrote:
>> Kerberos
>
> This requires the users to obtain a ticket, I guess?

Yes. You would need a Kerberos realm setup with user principals, and host
principals. Each host has to have a keytab file. One way to use this
is the user gets a ticket on the client, then you use the GSSAPI
options of ssh. There are Windows ssh clients like SecureCRT and some versions
of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
have tickets.

> Or is there a
> way to do password-less, ticket-less hostbased authentication which
> just uses kerberos host keys instead of ssh host keys to validate
> the remote host?
>
>> or push out hostkey lists with rdist.
>
> Our cluster is too large for this. This does not work well and we
> want to get rid of it.
>
>> -d
>
> Thanks for your reply.
>
> Regards,
> Dominik
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From dkg at fifthhorseman.net Wed Oct 29 15:19:35 2008
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 29 Oct 2008 00:19:35 -0400
Subject: ssh disregarding umask for creation of known_hosts (and other files?)
Message-ID: <878ws8m3s8.fsf@squeak.fifthhorseman.net>

Hey folks--

When ssh creates a known_hosts file for a user, it disregards the
currently-set umask, and can actually turn on mode bits that the user
has explicitly masked.

While i'm happy to have ssh make files *more* secure than my umask (in
situations where that's reasonable, like the creation of new ssh keys,
etc), i'm not sure that i see the point in ssh making the files more
open than i've explicitly requested.

I found this at ssh.c:256:

	/*
	 * Set our umask to something reasonable, as some files are created
	 * with the default umask.
	 * This will make them world-readable but
	 * writable only by the owner, which is ok for all files for which we
	 * don't set the modes explicitly.
	 */
	umask(022);

Why not simply OR the dangerous writable bits with the current umask
instead:

	umask(022 | umask(0));

This would make sure that we're not creating group- or other-writable
files while still honoring the user's expectations that setting a bit
in the umask will actually mask off that bit.

Regards,

	--dkg

PS Some tests that i ran that demonstrate this surprising behavior:

Here's ssh setting g+r,o+r (explicitly disregarding my umask of 077)
when it creates known_hosts for me (tested with OpenSSH 4.8 on OpenBSD
4.3 and OpenSSH 5.1 on Debian testing):

$ uname -a
OpenBSD openbsdtest.squeak.fifthhorseman.net 4.3 GENERIC#698 i386
$ umask
077
$ ls -l ~/.ssh/known_hosts
ls: /home/dkg/.ssh/known_hosts: No such file or directory
$ ssh monkeysphere.info
The authenticity of host 'monkeysphere.info (204.13.164.191)' can't be established.
RSA key fingerprint is e8:7e:5b:7d:bc:6f:08:22:80:00:bb:0a:83:ef:bd:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'monkeysphere.info,204.13.164.191' (RSA) to the list of known hosts.
Permission denied (publickey).
$ ls -l ~/.ssh/known_hosts
-rw-r--r--  1 dkg  dkg  414 Oct 29 00:03 /home/dkg/.ssh/known_hosts
$ umask
077
$

wt215 at squeak:~$ uname -a
Linux squeak 2.6.26-1-686 #1 SMP Sat Oct 18 16:22:25 UTC 2008 i686 GNU/Linux
wt215 at squeak:~$ umask
077
wt215 at squeak:~$ ls -l ~/.ssh/known_hosts
ls: cannot access /home/wt215/.ssh/known_hosts: No such file or directory
wt215 at squeak:~$ ssh monkeysphere.info
The authenticity of host 'monkeysphere.info (204.13.164.191)' can't be established.
RSA key fingerprint is e8:7e:5b:7d:bc:6f:08:22:80:00:bb:0a:83:ef:bd:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'monkeysphere.info,204.13.164.191' (RSA) to the list of known hosts.
Permission denied (publickey).
wt215 at squeak:~$ ls -l ~/.ssh/known_hosts
-rw-r--r-- 1 wt215 wt215 884 2008-10-28 23:51 /home/wt215/.ssh/known_hosts
wt215 at squeak:~$ umask
0077
wt215 at squeak:~$

From Sergio.Gelato at astro.su.se Wed Oct 29 19:05:57 2008
From: Sergio.Gelato at astro.su.se (Sergio Gelato)
Date: Wed, 29 Oct 2008 09:05:57 +0100
Subject: Hostbased authentication without known_hosts file?
In-Reply-To: <4905E82E.1030109@anl.gov>
References: <20081027120751.108640@gmx.net> <20081027133335.108610@gmx.net> <4905E82E.1030109@anl.gov>
Message-ID: <20081029080557.GA8016@hanuman.astro.su.se>

* Douglas E. Engert [2008-10-27 11:11:26 -0500]:
>
>
> Dominik Epple wrote:
>> Hi,
>>
>> On Mon, 27 Oct 2008, Damien Miller wrote:
>>> Kerberos
>>
>> This requires the users to obtain a ticket, I guess?
>
> Yes. You would need a Kerberos realm setup with user principals, and host
> principals. Each host has to have a keytab file. One way to use this
> is the user gets a ticket on the client, then you use the GSSAPI
> options of ssh. There are Windows ssh clients like SecureCRT and some versions
> of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
> have tickets.

Don't you also need Simon Wilkinson's GSSAPI key exchange patch for
OpenSSH to bypass the known_hosts-based host key checks? It's a minor caveat
since many distributors already apply that patch, but as far as I know
the feature isn't included in vanilla OpenSSH yet.

>> Or is there a
>> way to do password-less, ticket-less hostbased authentication which
>> just uses kerberos host keys instead of ssh host keys to validate
>> the remote host?
In principle that ought to be feasible with a helper program similar to
ssh-keysign that accesses a keytab and uses its contents to initiate the
GSS exchange, but I don't think anyone has implemented it yet.
(I don't find it a particularly desirable feature: I'd rather
authenticate the user than the client host.)

Another solution might be for you to use rsh over IPsec (and either a
public-key infrastructure or Kerberos to establish the security associations;
PKI is more widely supported).

From deengert at anl.gov Thu Oct 30 02:16:06 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 29 Oct 2008 10:16:06 -0500
Subject: Hostbased authentication without known_hosts file?
In-Reply-To: <20081029080557.GA8016@hanuman.astro.su.se>
References: <20081027120751.108640@gmx.net> <20081027133335.108610@gmx.net> <4905E82E.1030109@anl.gov> <20081029080557.GA8016@hanuman.astro.su.se>
Message-ID: <49087E36.4080403@anl.gov>

Sergio Gelato wrote:
> * Douglas E. Engert [2008-10-27 11:11:26 -0500]:
>>
>> Dominik Epple wrote:
>>> Hi,
>>>
>>> On Mon, 27 Oct 2008, Damien Miller wrote:
>>>> Kerberos
>>> This requires the users to obtain a ticket, I guess?
>> Yes. You would need a Kerberos realm setup with user principals, and host
>> principals. Each host has to have a keytab file. One way to use this
>> is the user gets a ticket on the client, then you use the GSSAPI
>> options of ssh. There are Windows ssh clients like SecureCRT and some versions
>> of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
>> have tickets.
>
> Don't you also need Simon Wilkinson's GSSAPI key exchange patch for
> OpenSSH to bypass the known_hosts-based host key checks? It's a minor caveat
> since many distributors already apply that patch, but as far as I know
> the feature isn't included in vanilla OpenSSH yet.

That would help a lot and I wish OpenSSH would include Simon's mods,
as all the vendors we use in our environment have it.
We had tested something like this in a user's .ssh/config on the client side:

	#test to not use the known host keys
	StrictHostKeyChecking no
	UserKnownHostsFile /.ssh/dont.save.keys

where this file has no keys and has -r------- permissions only, so sshd
cannot save a new key, and the next time a user goes to the host there is
no old key for sshd to check.

You should be able to put this under a Host section in the .ssh/config
file to limit to only selected hosts where you are using GSSAPI. But I
would check the man pages on this and the StrictHostKeyChecking. Since in
the environment in which I work we use GSSAPI exclusively and don't rely
on host keys.

>
>>> Or is there a
>>> way to do password-less, ticket-less hostbased authentication which
>>> just uses kerberos host keys instead of ssh host keys to validate
>>> the remote host?
>
> In principle that ought to be feasible with a helper program similar to
> ssh-keysign that accesses a keytab and uses its contents to initiate the
> GSS exchange, but I don't think anyone has implemented it yet.
> (I don't find it a particularly desirable feature: I'd rather
> authenticate the user than the client host.)
>
> Another solution might be for you to use rsh over IPsec (and either a
> public-key infrastructure or Kerberos to establish the security associations;
> PKI is more widely supported).
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From shubin_evgeniy at mail.ru Fri Oct 31 05:18:04 2008
From: shubin_evgeniy at mail.ru (Евгений)
Date: Thu, 30 Oct 2008 21:18:04 +0300
Subject: Can not debug sshd in gdb
Message-ID: <200810302118.04315.shubin_evgeniy@mail.ru>

I can not debug sshd in gdb.
If I set a breakpoint in the main function gdb can step, but I want to set
a breakpoint on the function packet_read_poll2 in file packet.c and the
program does not stop on it.

Before installing I ran configure with the --disable-strip option, which
adds -g to CFLAGS. I also removed the optimization flag.

I run sshd with options -ddd -e.

I use OpenSSH portable v5.1.

Please tell me what I do wrong.
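Returning to the ChrootDirectory thread above: this added example (mine, not code from the list or from OpenSSH) demonstrates the two facts behind Damien Miller's objection, namely that a hard link is only a second name for the same inode and so carries its mode bits, setuid included, and that a chroot path is only acceptable when every component is root-owned and not group/other-writable, which is the rule sshd_config(5) states for ChrootDirectory. The function names and scratch files are my own constructions.

```python
"""Added example (not from the thread): why sshd refuses a ChrootDirectory
unless every path component is root-owned and not group/other-writable.

Part 1 shows the point Jefferson Ogata and Gert Doering make: a directory
entry is only name -> inode, so a hard link made by an unprivileged user
carries the original inode's mode bits, setuid included.
Part 2 is a path check in the spirit of sshd's ChrootDirectory validation
(sshd_config(5): all components must be root-owned directories that are
not writable by any other user or group). Names are mine, not OpenSSH's."""
import os
import stat
import tempfile


def hardlink_shares_mode(workdir: str) -> dict:
    """Create a file, set its setuid bit, hard-link it under a second name
    and compare what stat(2) reports for the two names."""
    original = os.path.join(workdir, "original")
    alias = os.path.join(workdir, "alias")
    with open(original, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")  # constructed stand-in for /bin/su
    # An owner may set S_ISUID on a file they own; the bit lives in the inode.
    os.chmod(original, stat.S_ISUID | 0o750)
    # Second name, same inode. Note: Linux fs.protected_hardlinks=1 stops
    # unprivileged users from linking files they do not own, which is the
    # mitigation for the trick described in the thread; we link our own file.
    os.link(original, alias)
    st_o, st_a = os.stat(original), os.stat(alias)
    return {
        "same_inode": st_o.st_ino == st_a.st_ino,
        "same_mode": st_o.st_mode == st_a.st_mode,
        "original_suid": bool(st_o.st_mode & stat.S_ISUID),
        "alias_suid": bool(st_a.st_mode & stat.S_ISUID),
        "nlink": st_a.st_nlink,
    }


def chroot_path_problems(path: str) -> list:
    """Walk every component of `path` (symlinks resolved) and return
    (component, reason) pairs for each one that breaks the rule."""
    problems = []
    current = os.sep
    components = [current]
    for part in os.path.realpath(path).split(os.sep):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    for comp in components:
        try:
            st = os.lstat(comp)
        except FileNotFoundError:
            problems.append((comp, "does not exist"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "not owned by root (uid %d)" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems


def demo() -> dict:
    """Run both parts in a scratch directory and return their results."""
    with tempfile.TemporaryDirectory() as workdir:
        link_result = hardlink_shares_mode(workdir)
        # A world-writable directory: anyone could populate etc/passwd in it
        # and hard-link a setuid binary alongside, so it must be rejected.
        loose = os.path.join(workdir, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        loose_real = os.path.realpath(loose)
        loose_problems = chroot_path_problems(loose)
    return {"link": link_result, "loose_dir": loose_real,
            "loose_problems": loose_problems}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```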
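On the known_hosts umask thread above: this added example (mine, not from ssh.c) creates files under a user umask such as 077 with the existing umask(022) policy and with the proposed umask(022 | umask(0)), so the 0644 versus 0600 difference seen in the test sessions can be reproduced. The policy function names are my own.

```python
"""Added example (not from the thread): the two umask policies compared
in the known_hosts discussion, applied to real file creation. The policy
names are mine; they model ssh.c's umask(022) and the proposed
umask(022 | umask(0))."""
import os
import stat
import tempfile


def policy_fixed() -> int:
    """What ssh.c:256 does: replace whatever umask the user set with 022."""
    return os.umask(0o022)


def policy_merged() -> int:
    """The proposal: keep the user's mask and additionally clear g+w/o+w.
    umask(0) returns the previous mask, which is then OR'ed with 022."""
    return os.umask(0o022 | os.umask(0))


def mode_after(user_umask: int, policy, directory: str, name: str) -> int:
    """Pretend the process inherited `user_umask` from its shell, apply
    `policy` as ssh does at startup, then create a file the way fopen(3)
    with "a" does (requested mode 0666). Returns the resulting permission
    bits. The process umask is restored afterwards."""
    saved = os.umask(user_umask)
    try:
        policy()
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(saved)


def compare(user_umask: int) -> dict:
    """Resulting file modes under both policies for one starting umask."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "fixed": mode_after(user_umask, policy_fixed, d, "fixed"),
            "merged": mode_after(user_umask, policy_merged, d, "merged"),
        }


if __name__ == "__main__":
    for um in (0o022, 0o027, 0o077):
        r = compare(um)
        print("umask %04o: fixed -> %04o, merged -> %04o"
              % (um, r["fixed"], r["merged"]))
```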