From lists-ssh at jay.fm Tue Sep 2 23:46:04 2008 
From: lists-ssh at jay.fm (Jay Levitt)
Date: Tue, 02 Sep 2008 09:46:04 -0400
Subject: HostName not quite working as expected?
In-Reply-To:
References: <48B70BC3.3060607@jay.fm>
Message-ID: <48BD439C.5010208@jay.fm>

Damien Miller wrote:
> On Thu, 28 Aug 2008, Jay Levitt wrote:
>
>> I would have expected that "ssh myhost" would then start a session on
>> port 23 (instead of 22). And I've seen blog/list posts that suggest the
>> same (which, of course, I can't find now), as a workaround for "Host"
>> entries not canonicalizing via DNS.
> ...
>> Is this the intended behavior? It seems like a bug to me, but it's
>> still present in the 20080829 5.1 snapshot, and nobody's ever mentioned
>> it before. Maybe it's just something that could be documented better?
>
> The behaviour is intended and documented. From ssh_config(5):

Yep, and I had read that part, but I had wrongly interpreted the HostName
documentation to mean that specifying HostName, which creates "nicknames
or abbreviations for hosts", would create nicknames or abbreviations for
"Host" entries.

I think it'd be clearer to add something like "This option modifies only
the hostname that ssh actually connects to; ssh still uses the original
hostname argument to match Host patterns."

And, perhaps, under Host:

     hostname argument given on the command line (i.e. the name is not
-    converted to a canonicalized host name before matching).
+    converted to a canonicalized host name before matching, and
+    HostName aliases are not resolved).

But if you think it's clear, cool.

Peter Stuge wrote:
> By setting up DNS you could save keystrokes in all other apps too.

Oh, I've set up DNS. But, at the moment, I have to provide all my
host-specific parameters twice; once for Host myhost, and once for
Host myhost.example.com. Otherwise, if I'm inconsistent in using
tab-completion, I'll get inconsistent results.

I'm sure I could write a script to generate ssh_config from DNS, or
something, if it bugged me enough...
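To make the rule discussed in this message concrete, here is an added example (not code from the thread and not OpenSSH's own parser) that models the ssh_config(5) behaviour Damien points at: Host patterns are tested against the host name exactly as typed on the command line, HostName only changes where ssh connects, and the first obtained value for each option wins. It assumes Python's fnmatch as a stand-in for OpenSSH's own '*'/'?' matcher with '!' negation (fnmatch's bracket syntax is not part of ssh_config), and the two configs are constructed around the names and port from the message. It also shows the answer to the duplication Jay describes: one Host line may carry several patterns, so both spellings can share one block.

```python
"""Added example: how ssh_config Host patterns are matched (not OpenSSH code)."""
import fnmatch
import re

DEFAULTS = {"port": "22"}   # the only default this toy needs


def parse_ssh_config(text):
    """Split a config into (patterns, options) blocks in file order. Options
    that appear before any Host line apply to every host. Keys are lowercased,
    since ssh_config keywords are case-insensitive."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                       # keyword without a value: ignored here
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)   # first value in a block wins
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host_arg):
    """ssh_config(5) semantics: patterns are tested against the host name as
    typed on the command line (never the HostName value or a DNS-canonical
    name); a matching '!' pattern vetoes the block, otherwise any match wins.
    Assumption: fnmatch stands in for OpenSSH's own '*'/'?' matcher."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host_arg, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host_arg, pat):
            matched = True
    return matched


def resolve(text, host_arg):
    """Effective options for 'ssh host_arg': first obtained value wins, so
    specific Host blocks must precede the general ones."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host_arg):
            for key, value in options.items():
                result.setdefault(key, value)
    result.setdefault("hostname", host_arg)
    for key, value in DEFAULTS.items():
        result.setdefault(key, value)
    return result


# Constructed configs. The first is the situation in the message: HostName
# rewrites the destination but does not make "myhost.example.com" match.
JAYS_CONFIG = """\
Host myhost
    HostName myhost.example.com
    Port 23
"""

# One Host line may carry several patterns, so both spellings share one block;
# the trailing 'Host *' default is reached only by hosts nothing above matched.
FIXED_CONFIG = """\
Host myhost myhost.example.com
    HostName myhost.example.com
    Port 23

Host *
    Port 2222
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("jay", JAYS_CONFIG), ("fixed", FIXED_CONFIG)):
        for arg in ("myhost", "myhost.example.com", "other.example.org"):
            print(cfg_name, arg, resolve(cfg, arg))
```

With JAYS_CONFIG, `ssh myhost` resolves to port 23 on myhost.example.com, while `ssh myhost.example.com` falls through to port 22 because no Host pattern matches the typed name; with FIXED_CONFIG both spellings get port 23 and unrelated hosts get the general default.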
From: lakshman.prasad at gmail.com (Lakshman Prasad)
Date: Tue, 2 Sep 2008 11:07:41 +0530
Subject: Queries on ssh_askpass
Message-ID: <8cdd7b070809012237q53fc94cch1646f40cdbbb9803@mail.gmail.com>

Hi,

I had developed a program which spawns a shell where I am trying to use
ssh commands to log into a Linux server.

There is a pop-up dialog window which is prompting me for keying in the
password.

Actually I want to get rid of this pop-up dialog box, as I don't want
this to be visible in my program/code execution.

Could you please let me know if there is any way to resolve and stop this
password dialog box nagging problem.

I have tried uninstalling the ssh-askpass-gnome package from my Linux box
and I am getting the following error.

15:46:04.221 Shell command: ssh abc at kaveri
15:46:04.224 ::com.evolving.adg.util::Shell (::NEComms::shell4)|spawned " abc at kaveri" (3243)
15:46:04.224 Exiting ::NEComms::executeShell
15:46:04.225 exiting SS8VM::connect
15:46:04.292 err channel|RCVD| "ssh_askpass: exec(/usr/libexec/openssh/gnome-ssh-askpass): No such file or directory
15:46:04.292 err channel|RCVD| "Write failed: Broken pipe

By any chance, has anybody encountered a similar issue? Are there any
answers/solutions for this problem?

-- 
Thanks and Regards,
Lakshman
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Tue, 2 Sep 2008 18:34:30 +0200
Subject: Queries on ssh_askpass
In-Reply-To: <8cdd7b070809012237q53fc94cch1646f40cdbbb9803@mail.gmail.com>
References: <8cdd7b070809012237q53fc94cch1646f40cdbbb9803@mail.gmail.com>
Message-ID: <20080902163430.6944.qmail@cdy.org>

Lakshman Prasad wrote:
> There is a pop-up dialog window which is prompting me for keying in
> the password.
>
> Actually I want to get rid of this pop-up dialog box, as I don't
> want this to be visible in my program/code execution.
>
> Could you please let me know if there is any way to resolve and stop
> this password dialog box nagging problem.

One way is to use private and public key files for authentication.


//Peter

From: Laatsch at uni-koeln.de (Rainer Laatsch)
Date: Tue, 2 Sep 2008 16:32:47 +0200 (CEST)
Subject: Standard SSH credential passing + get AFS PAG + token
Message-ID:

These scripts at location /afs/rrz.uni-koeln.de/wsadmin/contrib/ :
Init-ssh2 krb5gettoken xauthrc ssh2
enable credential (krb5 ticket) passing and get you a PAG and AFS token
on subsequent login. This should work with any ssh. NO patches.

Enjoy & send bugs/cents to: Laatsch at Uni-Koeln.DE

Best regards
Rainer Laatsch
From: jasonwright365 at gmail.com (Jason Wright)
Date: Tue, 2 Sep 2008 12:32:17 -0600
Subject: Authentication w/ key + password
Message-ID: <65ab78e30809021132l5a4ad2e7m9c70f4439d16c808@mail.gmail.com>

I have read archives about two-factor authentication on this list and
it is interesting and can open up a can of worms. I don't intend on
opening a can of worms or spurring debate.

As far as I can tell, authentication to openssh can be performed by
signing a connection request with a private client key & having the
server decrypt the key with the public key.
The other way to authenticate (of which I am interested in) is to use
a password which is verified through PAM, etc.
In both instances communication from the server is signed with the
server's private key to ensure authenticity of the server.

As far as I can tell, there is no way to authenticate with both
mechanisms (client key + password).

I have looked at the source and have some ideas, but if I could get
steered in the right direction of how to change openssh to allow both
authentication methods, I would appreciate that.

As a side note, my ideal authentication method for authenticating the
client is as follows:
  public key authentication
  password defined by password rules with required change intervals
  One-time-password / pseudo random password
  (combining static passwords with OTP / pseudo random passwords would
  be more appropriate for a RADIUS (maybe PAM) implementation)

Again I don't want to cause controversy. I understand there are
differences between smartcards, OTP, pseudo random number generators,
encryption keys. There are security measures, conveniences, etc.
needed to consider for all of these methods. I just want to modify
openssh to fit my needs. Any help would be appreciated.

Thanks,
Jason Wright
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 2 Sep 2008 14:44:46 -0400
Subject: SSH Command Line Password Support
In-Reply-To: <20080829191114.GD13711@crawfish.ais.com>
References: <87y72itrl7.fsf@squeak.fifthhorseman.net>
    <20080827185507.GD233@greenie.muc.de>
    <87iqtmkusk.fsf@squeak.fifthhorseman.net>
    <20080828083820.GC2874@apb-laptoy.apb.alt.za>
    <20080828190818.GB13711@crawfish.ais.com>
    <20080829142239.GA13113@apb-laptoy.apb.alt.za>
    <20080829191114.GD13711@crawfish.ais.com>
Message-ID: <20080902184446.GE13711@crawfish.ais.com>

Circa 2008-08-29 15:11 dixit Jim Knoble:

: (2) Always use SSH_ASKPASS, ignoring whether DISPLAY is set and whether
:     a controlling tty exists:
:
:     SSH_ASKPASS="always:/path/to/file"

[...]

: State (2) requires command-line options
: for ssh-add or ssh-agent.

That should be, "requires NO command-line options for ssh-add or
ssh-agent".

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 2 Sep 2008 14:54:13 -0400
Subject: Queries on ssh_askpass
In-Reply-To: <8cdd7b070809012237q53fc94cch1646f40cdbbb9803@mail.gmail.com>
References: <8cdd7b070809012237q53fc94cch1646f40cdbbb9803@mail.gmail.com>
Message-ID: <20080902185413.GF13711@crawfish.ais.com>

Circa 2008-09-02 01:37 dixit Lakshman Prasad:

: I had developed a program which spawns a shell where I am trying to use ssh
: commands to log into a Linux server.
:
: There is a pop-up dialog window which is prompting me for keying in the
: password.
:
: Actually I want to get rid of this pop-up dialog box, as I don't want this
: to be visible in my program/code execution.
:
: Could you please let me know if there is any way to resolve and stop this
: password dialog box nagging problem.
:
: I have tried uninstalling the ssh-askpass-gnome package from my Linux box
: and I am getting the following error.

Read the ssh(1) man page ("man ssh") and search for "SSH_ASKPASS", so
you understand how SSH_ASKPASS works.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
From: Laatsch at uni-koeln.de (Rainer Laatsch)
Date: Tue, 2 Sep 2008 21:42:13 +0200 (CEST)
Subject: Authentication w/ key + password
In-Reply-To: <65ab78e30809021132l5a4ad2e7m9c70f4439d16c808@mail.gmail.com>
References: <65ab78e30809021132l5a4ad2e7m9c70f4439d16c808@mail.gmail.com>
Message-ID:

If your home dir is on local disk or (standard) nfs (without access
control enforcement like in AFS NFS4 e.g) the ssh login with an ssh-key
enabled in your .ssh/authorized_keys should work. Alternative password
authentication is best done via PAM (not /etc/shadow). A quick lookup
with google yields:

http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap16sec132.html

Regards,
Rainer Laatsch

On Tue, 2 Sep 2008, Jason Wright wrote:

> I have read archives about two-factor authentication on this list and
> it is interesting and can open up a can of worms. I don't intend on
> opening a can of worms or spurring debate.
>
> As far as I can tell, authentication to openssh can be performed by
> signing a connection request with a private client key & having the
> server decrypt the key with the public key.
> The other way to authenticate (of which I am interested in) is to use
> a password which is verified through PAM, etc.
> In both instances communication from the server is signed with the
> server's private key to ensure authenticity of the server.
>
> As far as I can tell, there is no way to authenticate with both
> mechanisms (client key + password).
>
> I have looked at the source and have some ideas, but if I could get
> steered in the right direction of how to change openssh to allow both
> authentication methods, I would appreciate that.
>
>
> As a side note, my ideal authentication method for authenticating the
> client is as follows:
>   public key authentication
>   password defined by password rules with required change intervals
>   One-time-password / pseudo random password
>   (combining static passwords with OTP / pseudo random passwords would
>   be more appropriate for a RADIUS (maybe PAM) implementation)
>
>
> Again I don't want to cause controversy. I understand there are
> differences between smartcards, OTP, pseudo random number generators,
> encryption keys. There are security measures, conveniences, etc.
> needed to consider for all of these methods. I just want to modify
> openssh to fit my needs. Any help would be appreciated.
>
> Thanks,
> Jason Wright
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 02 Sep 2008 13:58:59 -0700
Subject: Authentication w/ key + password
In-Reply-To:
References: <65ab78e30809021132l5a4ad2e7m9c70f4439d16c808@mail.gmail.com>
Message-ID: <48BDA913.5080202@taltos.org>

Rainer Laatsch wrote:
> If your home dir is on local disk or (standard) nfs (without access
> control enforcement like in AFS NFS4 e.g) the ssh login with an ssh-key
> enabled in your .ssh/authorized_keys should work. Alternative password
> authentication is best done via PAM (not /etc/shadow). A quick lookup

Which has nothing to do with what he wants. He wants to require _both_
publickey and password auth before access is granted.

Many moons ago I created a patch to add ordered authentications, but the
openssh devs didn't like the idea. More recently, one of the openssh devs
proposed (and I think coded) support for unordered multiple
authentications. I don't know what the status of this is, hopefully one
of the devs will chime in. I'm sure google can find the thread in one of
the list archives.

-- 
Carson
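The requirement Carson restates here (publickey and password both required) later shipped in OpenSSH 6.2 as the sshd_config option AuthenticationMethods; that is a fact about later releases, not something this 2008 thread says. The following is an added example, not OpenSSH code, that models how sshd walks such a setting: each space-separated list is an alternative, each comma-separated list must be completed in order, and only the methods that come next in some still-viable list are offered to the client. The config fragment is constructed, and the evaluation is a simplified model of sshd's behaviour rather than its implementation.

```python
"""Added example: a simplified model of sshd's AuthenticationMethods logic."""

# Constructed sshd_config fragment: a key is always required first, followed
# by either a PAM password or a keyboard-interactive (e.g. OTP) exchange.
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
"""


def parse_authentication_methods(config_text):
    """Return the alternative chains from the AuthenticationMethods line, each
    chain an ordered list of method names; [] when the option is absent (then,
    as in a stock sshd, any single successful method is enough)."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "authenticationmethods":
            return [chain.split(",") for chain in parts[1:]]
    return []


def evaluate(chains, completed):
    """Given the methods that have already succeeded, in order, return
    (authenticated, set of methods that may be attempted next)."""
    if not chains:
        return (len(completed) > 0, set())
    offer = set()
    for chain in chains:
        n = len(completed)
        if chain[:n] != completed:        # completed steps do not fit this chain
            continue
        if n == len(chain):               # every step of this chain is done
            return (True, set())
        offer.add(chain[n])
    return (False, offer)


def walk(chains, attempts):
    """Simulate a client trying methods in sequence. A method that is not
    currently offered is refused and does not count as progress (model of
    sshd refusing methods outside the 'continue' list)."""
    completed = []
    for method in attempts:
        done, offer = evaluate(chains, completed)
        if done:
            break
        if method in offer:
            completed.append(method)
    return evaluate(chains, completed)


if __name__ == "__main__":
    chains = parse_authentication_methods(SSHD_CONFIG)
    print(walk(chains, ["password"]))                         # refused, key needed
    print(walk(chains, ["publickey", "password"]))            # authenticated
    print(walk(chains, ["publickey", "keyboard-interactive"]))
```

Note that with this setting a password alone is never enough: until a key has been presented the only method on offer is publickey, which is the ordered behaviour Carson's original patch aimed at.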
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 2 Sep 2008 18:34:39 -0700
Subject: Exiting ssh when MaxSessions=0
In-Reply-To:
References: <20080830003209.GA6447@linux55.nas.nasa.gov>
Message-ID: <20080903013439.GA11229@linux55.nas.nasa.gov>

On Sat, Aug 30, 2008 at 05:30:11 +1000, Damien Miller wrote:
> On Fri, 29 Aug 2008, Iain Morgan wrote:
>
> > Hi,
> >
> > I've been experimenting with MaxSessions=0 in the sshd_config and have
> > encountered one unfortunate problem. Once the client authenticates to
> > the server, it ceases to respond to keyboard input.
> >
> > At first glance, it looks like the client is in a hung state and does
> > not time out. If port forwarding was requested on the command-line and
> > the server accepts the request, that continues to work. But the tilde
> > escapes (and ^C) do not work. Apparently, you have to kill the session
> > from another terminal.
> >
> > Once the session is killed, any buffered input is handled by the shell.
> >
> > In cases where you know the server will have MaxSessions=0, this is not
> > a huge issue; you just have to remember to use the -f option. It is a
> > bit unfortunate if you forget to use -f.
> >
> > It would be nice if ~. worked in this situation. I suppose ~C would also
> > be nice in order to add port forwardings after the fact. I'm not sure if
> > it would be problematic to add such support.
>
> Yes, this is a bug. I think this patch fixes it, but I need to think
> through the consequences more:
>
> Index: channels.c
> ===================================================================
> RCS file: /var/cvs/openssh/channels.c,v
> retrieving revision 1.273
> diff -u -p -r1.273 channels.c
> --- channels.c	16 Jul 2008 12:42:06 -0000	1.273
> +++ channels.c	29 Aug 2008 19:25:04 -0000
> @@ -2311,8 +2311,8 @@ channel_input_open_failure(int type, u_i
>  		xfree(lang);
>  	}
>  	packet_check_eom();
> -	/* Free the channel. This will also close the socket. */
> -	channel_free(c);
> +	/* Schedule the channel for cleanup/deletion. */
> +	chan_mark_dead(c);
>  }
>  
>  /* ARGSUSED */
>
> The difference if you are curious, is that chan_mark_dead() will schedule
> the channel for asynchronous cleanup, via channel_garbage_collect().
> That path runs the channel->detach_user callback which is what we rely
> on to determine that our main session channel has exited.
>
> channel_free() doesn't run any callbacks, so we never noticed that the
> session channel went away.
>
> -d
>

Thanks Damien. Do you need me to submit a bug on this for tracking
purposes?

-- 
Iain Morgan

From: djm at mindrot.org (Damien Miller)
Date: Wed, 3 Sep 2008 05:58:38 +1000 (EST)
Subject: Exiting ssh when MaxSessions=0
In-Reply-To: <20080903013439.GA11229@linux55.nas.nasa.gov>
References: <20080830003209.GA6447@linux55.nas.nasa.gov>
    <20080903013439.GA11229@linux55.nas.nasa.gov>
Message-ID:

On Tue, 2 Sep 2008, Iain Morgan wrote:

> Thanks Damien. Do you need me to submit a bug on this for tracking
> purposes?

Yes, please!

-d
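Review bot: before the channel_input_open_failure() hunk goes in, check the point the removed comment makes ("This will also close the socket"): channel_free(c) released the channel and its descriptors on the spot, whereas chan_mark_dead(c) only flags the channel for channel_garbage_collect() to reap on a later pass, so confirm that the collector's cleanup closes the socket for a channel that never got past open failure, and that nothing else runs against a dead channel between this point and the next collection; if either does not hold, a refused open leaks a descriptor until collection. The deferral itself is the right fix for the reported symptom, since only the garbage-collect path runs the detach_user callback that lets the client notice its session channel is gone and exit when MaxSessions=0 refuses the session.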
From: jens.rosenboom at freenet.ag (Jens Rosenboom)
Date: Wed, 3 Sep 2008 17:54:48 +0200
Subject: Problem connecting with openssh-5.1-client to Juniper Eseries
Message-ID: <20080903155447.GB24329@bo.mcbone.net>

After upgrading to 5.1, connections to our Juniper E-Series routers fail
with:

$ ssh -v eseries
OpenSSH_5.1p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *-lns*
debug1: Applying options for *
debug1: Connecting to eseries [1.2.3.4] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version 2.0.12
debug1: match: 2.0.12 pat 2.0.11*,2.0.12*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'eseries' is known and matches the DSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:66
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentication succeeded (none).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: Received SSH2_MSG_UNIMPLEMENTED for 6
Received disconnect from 62.104.2.13: 2:
$

This seems to be in response to the "no-more-sessions" request; if I
disable the part of code that generates it, everything works fine as
usual.
By my understanding of the protocol, the server should respond with
SSH_MSG_REQUEST_FAILURE and just go on instead of terminating the
connection; can someone please confirm this?

From: djm at mindrot.org (Damien Miller)
Date: Thu, 4 Sep 2008 07:50:29 +1000 (EST)
Subject: Problem connecting with openssh-5.1-client to Juniper Eseries
In-Reply-To: <20080903155447.GB24329@bo.mcbone.net>
References: <20080903155447.GB24329@bo.mcbone.net>
Message-ID:

On Wed, 3 Sep 2008, Jens Rosenboom wrote:

> After upgrading to 5.1, connections to our Juniper E-Series routers
> fail with:
> [snip]
>
> This seems to be in response to the "no-more-sessions" request; if
> I disable the part of code that generates it, everything works fine
> as usual. By my understanding of the protocol, the server should
> respond with SSH_MSG_REQUEST_FAILURE and just go on instead of
> terminating the connection; can someone please confirm this?

Someone reported something similar for Netscreen:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2008-August/026821.html

It seems that someone at Juniper/Netscreen has been misreading the SSH
protocol spec. Could you file a bug with them so we can figure out which
versions of their products are affected? Once we know this, and their
banner strings (yours is "SSH-2.0-2.0.12") then we can add a workaround.

-d
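The exchange in this thread, as an added example that is not part of the original posts and not OpenSSH code: the client's no-more-sessions request is an SSH_MSG_GLOBAL_REQUEST (RFC 4254, section 4), and the only responses the protocol allows are SSH_MSG_REQUEST_SUCCESS, SSH_MSG_REQUEST_FAILURE, or silence when want_reply is false; SSH_MSG_UNIMPLEMENTED (RFC 4253, section 11.4) is reserved for unknown message numbers, and an unknown request name is never grounds for disconnecting. The block encodes and decodes the request, shows what a conforming server replies, and models the client-side workaround Damien describes: a comma-separated wildcard match on the remote software version, the same shape as the "match: 2.0.12 pat 2.0.11*,2.0.12*" line in the trace. The pattern list NO_MORE_SESSIONS_BROKEN is a placeholder built from the banner the poster reported, not whatever OpenSSH eventually ships; the choice to send the request without want_reply is this model's.

```python
"""Added example: SSH global requests on the wire, a conforming server's
replies, and a banner-pattern compat check (not OpenSSH code)."""
import fnmatch
import struct

# Message numbers from RFC 4253 (UNIMPLEMENTED) and RFC 4254 (global requests).
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82


def ssh_string(data):
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_global_request(name, want_reply):
    """byte SSH_MSG_GLOBAL_REQUEST, string request name, boolean want reply."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(name.encode("ascii"))
            + bytes([1 if want_reply else 0]))


def parse_global_request(payload):
    """Inverse of build_global_request; returns (name, want_reply, extra)."""
    if payload[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    (length,) = struct.unpack(">I", payload[1:5])
    name = payload[5:5 + length].decode("ascii")
    want_reply = payload[5 + length] != 0
    return name, want_reply, payload[6 + length:]


# Request names this model server implements (RFC 4254, section 7.1).
KNOWN_GLOBAL_REQUESTS = {"tcpip-forward", "cancel-tcpip-forward"}


def conforming_server_reply(payload):
    """Reply an RFC 4254 server sends for a global request: None when
    want_reply is false, REQUEST_SUCCESS for a name it implements, and
    REQUEST_FAILURE for a name it does not. Never UNIMPLEMENTED (that is for
    unknown message numbers, and 80 is known) and never a disconnect."""
    name, want_reply, _ = parse_global_request(payload)
    if not want_reply:
        return None
    if name in KNOWN_GLOBAL_REQUESTS:
        return bytes([SSH_MSG_REQUEST_SUCCESS])
    return bytes([SSH_MSG_REQUEST_FAILURE])


def software_version(banner):
    """'SSH-2.0-2.0.12' -> '2.0.12': the part after the second dash."""
    return banner.strip().split("-", 2)[2]


def version_matches(remote_version, pattern_list):
    """Comma-separated wildcard match, as in 'match: 2.0.12 pat 2.0.11*,2.0.12*'."""
    return any(fnmatch.fnmatchcase(remote_version, pat)
               for pat in pattern_list.split(","))


# Placeholder: peers that must not be sent the request. The real list is
# whatever gets added once the affected firmware versions are known.
NO_MORE_SESSIONS_BROKEN = "2.0.11*,2.0.12*"


def client_session_setup_requests(banner):
    """Global requests the model client emits after authentication; the
    no-more-sessions request is skipped for peers matching the workaround."""
    if version_matches(software_version(banner), NO_MORE_SESSIONS_BROKEN):
        return []
    return [build_global_request("no-more-sessions@openssh.com", False)]


if __name__ == "__main__":
    req = build_global_request("no-more-sessions@openssh.com", True)
    print(req.hex(), "->", conforming_server_reply(req))
    print("requests to SSH-2.0-2.0.12:", client_session_setup_requests("SSH-2.0-2.0.12"))
```

The server side is the point of Jens's question: for a request name it does not know, a server that asked for no reply sends nothing and one that was asked replies with REQUEST_FAILURE, and in both cases the connection continues.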
From: chris at noodles.org.uk (Chris Mason)
Date: Sun, 07 Sep 2008 10:15:59 +0100
Subject: "on-the-fly" SSH Port Forwarding
Message-ID: <48C39BCF.2040100@noodles.org.uk>

Hi,

I am using the following version of OpenSSH for reference:

root at proxy:/root# ssh -V
OpenSSH_4.8, OpenSSL 0.9.7j 04 May 2006

root at proxy:/root# uname -a
OpenBSD proxy.localdomain 4.3 GENERIC#698 i386

I am developing an application which uses on-the-fly SSH port forwarding
by using the "~C" escape sequence to add local port forwards when needed
(through Expect). It would appear that there is no option to remove
local port forwards and only remote port forwards:

ssh> -h
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -KR[bind_address:]port                 Cancel remote forward

I am hitting scalability issues as I am not able to cancel local
forwards and after about 251 tunnels I am unable to add any more. (I am
assuming this is platform/machine dependent as it complains about "No
buffer space").

How come there isn't an option to remove local forwards when there is to
remove remote ones? Is this by design or something that was never
implemented?

Thanks in advance,
Chris
From: djm at mindrot.org (Damien Miller)
Date: Sun, 7 Sep 2008 21:21:52 +1000 (EST)
Subject: "on-the-fly" SSH Port Forwarding
In-Reply-To: <48C39BCF.2040100@noodles.org.uk>
References: <48C39BCF.2040100@noodles.org.uk>
Message-ID:

On Sun, 7 Sep 2008, Chris Mason wrote:

> Hi,
>
> I am using the following version of OpenSSH for reference:
>
> root at proxy:/root# ssh -V
> OpenSSH_4.8, OpenSSL 0.9.7j 04 May 2006
>
> root at proxy:/root# uname -a
> OpenBSD proxy.localdomain 4.3 GENERIC#698 i386
>
> I am developing an application which uses on-the-fly SSH port forwarding
> by using the "~C" escape sequence to add local port forwards when needed
> (through Expect). It would appear that there is no option to remove
> local port forwards and only remote port forwards:
>
> ssh> -h
> Commands:
>       -L[bind_address:]port:host:hostport    Request local forward
>       -R[bind_address:]port:host:hostport    Request remote forward
>       -KR[bind_address:]port                 Cancel remote forward
>
> I am hitting scalability issues as I am not able to cancel local
> forwards and after about 251 tunnels I am unable to add any more. (I am
> assuming this is platform/machine dependent as it complains about "No
> buffer space").

Could you please send a debug trace of this happening? ("ssh -vvv")

There is IIRC a fixed limit to the number of forwards that you can
establish, but it should give at least a more friendly error message.

> How come there isn't an option to remove local forwards when there is to
> remove remote ones? Is this by design or something that was never
> implemented?

It was never implemented, but probably would be quite easy to do.

Another option, which would probably be way better for your application
is to use the dynamic/SOCKS port forwarding and possibly a small helper
application.

Still another option is to implement addition/removal of port-forwards
via the control multiplexing socket. This has been on my TODO list for
quite a while.

-d
From: kostikbel at gmail.com (Konstantin Belousov)
Date: Mon, 8 Sep 2008 13:19:21 +0300
Subject: OpenSSH 5.1p1 - trouble connecting to ILO board
Message-ID: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>

Hello,

Recently, the FreeBSD base system OpenSSH was upgraded to
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007

Before the upgrade, with
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
I had no troubles connecting to the ssh server built into the
HP Proliant G5 ILO management board, authenticating by id_dsa,
v2 protocol. On that board, the ssh server greets with the
SSH-2.0-mpSSH_0.0.1 string.

After the upgrade, I get the disconnection:
Received disconnect from 10.1.1.169: 11: Client Disconnect

Run with -vv shows
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp a9:76:16:94:32:31:37:5f:c1:10:6c:04:ab:33:d0:8f
debug1: Authentications that can continue: password,publickey
debug1: Offering public key: /usr/home/kostik/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434
debug2: input_userauth_pk_ok: fp 6d:36:3d:b8:fb:34:f8:bd:8d:51:b5:e5:b3:7c:5b:03
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 1048576 rmax 2048
Received disconnect from 10.1.1.169: 11: Client Disconnect

Does anybody have similar problems? Any idea what could be the problem?
From: mra at malloc.org (Matt Anderson)
Date: Tue, 09 Sep 2008 07:15:25 -0400
Subject: OpenSSH 5.1p1 - trouble connecting to ILO board
In-Reply-To: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
References: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
Message-ID: <48C65ACD.90500@malloc.org>

Konstantin Belousov wrote:
> Hello,
>
> Recently, the FreeBSD base system OpenSSH was upgraded to
> OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
>
> Before the upgrade, with
> OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
> I had no troubles connecting to the ssh server built into the
> HP Proliant G5 ILO management board, authenticating by id_dsa,
> v2 protocol. On that board, the ssh server greets with the
> SSH-2.0-mpSSH_0.0.1 string.
...
>
> Does anybody have similar problems? Any idea what could be the problem?

I've had similar problems for years. Looking around a while ago I found
the suggestion to `unset LANG` and also make sure agent forwarding is
disabled. Once I've done both of those things I normally can connect to
an iLO.

-matt
From: kostikbel at gmail.com (Kostik Belousov)
Date: Tue, 9 Sep 2008 17:06:59 +0300
Subject: OpenSSH 5.1p1 - trouble connecting to ILO board
In-Reply-To: <48C65ACD.90500@malloc.org>
References: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
    <48C65ACD.90500@malloc.org>
Message-ID: <20080909140659.GM39652@deviant.kiev.zoral.com.ua>

On Tue, Sep 09, 2008 at 07:15:25AM -0400, Matt Anderson wrote:
> Konstantin Belousov wrote:
> > Hello,
> >
> > Recently, the FreeBSD base system OpenSSH was upgraded to
> > OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
> >
> > Before the upgrade, with
> > OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
> > I had no troubles connecting to the ssh server built into the
> > HP Proliant G5 ILO management board, authenticating by id_dsa,
> > v2 protocol. On that board, the ssh server greets with the
> > SSH-2.0-mpSSH_0.0.1 string.
> ...
> >
> > Does anybody have similar problems? Any idea what could be the problem?
>
> I've had similar problems for years. Looking around a while ago I found
> the suggestion to `unset LANG` and also make sure agent forwarding is
> disabled. Once I've done both of those things I normally can connect to
> an iLO.

I do have agent forwarding disabled for ILO, otherwise even the old
client cannot establish the session. This seems to be a change in the
recent ssh that causes this behaviour.
From: djm at mindrot.org (Damien Miller)
Date: Wed, 10 Sep 2008 07:34:09 +1000 (EST)
Subject: OpenSSH 5.1p1 - trouble connecting to ILO board
In-Reply-To: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
References: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
Message-ID:

On Mon, 8 Sep 2008, Konstantin Belousov wrote:

> Hello,
>
> Recently, the FreeBSD base system OpenSSH was upgraded to
> OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
>
> Before the upgrade, with
> OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
> I had no troubles connecting to the ssh server built into the
> HP Proliant G5 ILO management board, authenticating by id_dsa,
> v2 protocol. On that board, the ssh server greets with the
> SSH-2.0-mpSSH_0.0.1 string.
>
> After the upgrade, I get the disconnection:
> Received disconnect from 10.1.1.169: 11: Client Disconnect
> Run with -vv shows

Please send a full trace with "ssh -vvv".

-d
From: kdeveau at cfassociate.com (Kevin Deveau)
Date: Tue, 9 Sep 2008 14:53:28 -0400
Subject: not being released
Message-ID:

I've noticed a bug with even recent OpenSSH products, where if the host
disconnects during a certain period of time, the connection becomes
frozen causing possible exploit problems.

For example

[root at portal ~] users
root
[root at portal ~] uptime -u (used to show how many users the box believes is logged on)
2 Users
[root at portal ~]

In theory this trapped connection can and has proven to be used for
exploits as if the correct packet is sent to the box, using gathered
information of course. The attacker becomes assumed by the local host
through a remote host and appears to be authenticated allowing executions
based on the level of permission the frozen login has.

The example of this is:
root being the frozen user, the attacker exploits the frozen connection
to be assumed as them, and can execute all commands
whereas

kevin being a regular client, but also frozen (the box thinks they're
still connected - but they aren't) the attacker can only execute
commands allowed by user permissions.

The solution to the problem appears to be so far, making sure there are
no frozen connections caused by SSH so you run who -a, get the pid of
the frozen connection, which removes that authenticated frozen
connection.

This bug has only been reproduced on the Linux operating system, I
haven't used any other OS to test it for them.
From: djm at mindrot.org (Damien Miller)
Date: Wed, 10 Sep 2008 09:30:23 +1000 (EST)
Subject: not being released
In-Reply-To:
References:
Message-ID:

On Tue, 9 Sep 2008, Kevin Deveau wrote:

> I've noticed a bug with even recent OpenSSH products, where if the
> host disconnects during a certain period of time, the connection
> becomes frozen causing possible exploit problems.
>
> For example
>
> [root at portal ~] users
> root
> [root at portal ~] uptime -u (used to show how many users the box believes is logged on)
> 2 Users
> [root at portal ~]
>
> In theory this trapped connection can and has proven to be used for
> exploits as if the correct packet is sent to the box, using gathered
> information of course. The attacker becomes assumed by the local host
> through a remote host and appears to be authenticated allowing executions
> based on the level of permission the frozen login has.

It looks like utmp is getting out of sync when sshd exits uncleanly.

I don't think this could be used for any real attacks, certainly not
the one that I think you are describing - there is no "frozen
connection", just a missing record in utmp to indicate that a user has
logged out.

-d

From: scott_n at xypro.com (Scott Neugroschl)
Date: Tue, 9 Sep 2008 16:43:31 -0700
Subject: not being released
In-Reply-To:
References:
Message-ID: <78DD71C304F38B41885A242996B96F73019A6A4C@xyservd.XYPRO-23.LOCAL>

> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On
> Behalf Of Kevin Deveau
> Sent: Tuesday, September 09, 2008 11:53 AM
> To: openssh-unix-dev at mindrot.org
> Subject: not being released
>
> I've noticed a bug with even recent OpenSSH products, where if the host
> disconnects during a certain period of time, the connection becomes
> frozen causing possible exploit problems.
>
> For example
>
> [root at portal ~] users
> root
> [root at portal ~] uptime -u (used to show how many users the box believes
> is logged on)
> 2 Users
> [root at portal ~]
>
> In theory this trapped connection can and has proven to be used for
> exploits as if the correct packet is sent to the box, using gathered
> information of course. the attacker becomes assumed by the local host
> through a remote host and appears to be authenticated allowing executions
> based on the level of permission the frozen login has
>
> The example of this is:
> root being the frozen user, the attacker exploits the frozen connection
> to be assumed as them, and can execute all commands
> whereas
>
> kevin being a regular client, but also frozen (the box thinks they're
> still connected - but they aren't) the attacker can only execute
> commands allowed by user permissions.
>
> The solution to the problem appears to be so far, making sure there are
> no frozen connections caused by SSH so you
> who -a, get the pid of the frozen connection, which removes that
> authenticated frozen connection.
>
> This bug has only been reproduced on the Linux operating system, I
> haven't used any other OS to test it for them.

Have you done a "ps -ef" to confirm that the child sshd process is still running?

From rick.jones2 at hp.com Wed Sep 10 09:32:35 2008
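Damien Miller's diagnosis (a missing utmp logout record, not a live connection) and Scott Neugroschl's suggestion to check whether the child sshd is still running amount to one check: compare the USER_PROCESS records in utmp against the process table. The script below is an added example, not code from this thread or from OpenSSH. It parses the glibc/x86_64 utmp record layout (384 bytes per record) with struct, runs over constructed sample records (pids, addresses and timestamps are made up), and reports USER_PROCESS entries whose pid no longer exists. The live_pids_from_proc helper is an assumption about a Linux host; other platforms lay out utmp/utmpx differently.

```python
import os
import struct
from collections import namedtuple

# struct utmp as laid out by glibc on x86_64 (utmp.h): ut_type, 2 pad bytes,
# ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec as int32), ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 bytes per record

USER_PROCESS = 7   # a logged-in user; this is what users(1)/who(1) count
DEAD_PROCESS = 8   # written on a clean logout

UtmpEntry = namedtuple("UtmpEntry", "type pid line id user host tv_sec")


def _cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """Parse raw utmp bytes (e.g. the contents of /var/run/utmp) into records."""
    if len(data) % UTMP_SIZE:
        raise ValueError("utmp data is not a whole number of records")
    entries = []
    for off in range(0, len(data), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, ut_id, user, host = fields[:6]
        tv_sec = fields[9]
        entries.append(UtmpEntry(ut_type, pid, _cstr(line), _cstr(ut_id),
                                 _cstr(user), _cstr(host), tv_sec))
    return entries


def make_record(ut_type, pid, line, ut_id, user, host, tv_sec):
    """Build one utmp record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(),
                       0, 0,            # ut_exit
                       0,               # ut_session
                       tv_sec, 0,       # ut_tv
                       0, 0, 0, 0)      # ut_addr_v6


def logged_in_users(entries):
    """What users(1) reports: one name per USER_PROCESS record."""
    return sorted(e.user for e in entries if e.type == USER_PROCESS and e.user)


def stale_sessions(entries, live_pids):
    """USER_PROCESS records whose owning process (the sshd child) is gone."""
    return [e for e in entries if e.type == USER_PROCESS and e.pid not in live_pids]


def live_pids_from_proc():
    """Live pids on a Linux host, the same set 'ps -ef' enumerates."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


# Constructed sample: a root login whose sshd child exited without writing a
# logout record, a kevin login whose sshd child is still running, and one
# cleanly closed session.  All values are made up.
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "ts/0", "root", "192.0.2.10", 1220967000),
    make_record(USER_PROCESS, 5150, "pts/1", "ts/1", "kevin", "192.0.2.11", 1220967300),
    make_record(DEAD_PROCESS, 3999, "pts/2", "ts/2", "", "", 1220966000),
])
LIVE_PIDS = {1, 5150, 6000}   # constructed process table; 4242 is absent

if __name__ == "__main__":
    entries = parse_utmp(SAMPLE_UTMP)
    print("users(1) would show:", " ".join(logged_in_users(entries)))
    for e in stale_sessions(entries, LIVE_PIDS):
        print(f"stale record: {e.user} on {e.line} from {e.host} (pid {e.pid} not running)")
```

On a real host, feed parse_utmp the bytes of /var/run/utmp and stale_sessions the result of live_pids_from_proc. A record that fails the check is what Damien describes: bookkeeping residue from an sshd child that exited without writing its logout record. It changes what users(1) and who(1) report, but there is no process behind it and therefore no session or connection to take over; the count is wrong, the authentication state is not.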
From: rick.jones2 at hp.com (Rick Jones)
Date: Tue, 09 Sep 2008 16:32:35 -0700
Subject: OpenSSH 5.1p1 - trouble connecting to ILO board
In-Reply-To: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
References: <20080908101921.GJ2038@deviant.kiev.zoral.com.ua>
Message-ID: <48C70793.9020104@hp.com>

I took the liberty of forwarding the string to some folks and the result was a suggestion that the 1.60 version of the iLO firmware may address this issue.

hth,

rick jones

From djm at mindrot.org Wed Sep 10 21:27:00 2008
From: djm at mindrot.org (Damien Miller)
Date: Wed, 10 Sep 2008 21:27:00 +1000 (EST)
Subject: test, please ignore
Message-ID:

please ignore this test message - apologies for the noise.

From des at des.no Wed Sep 10 18:17:02 2008
From: des at des.no (Dag-Erling Smørgrav)
Date: Wed, 10 Sep 2008 10:17:02 +0200
Subject: not being released
In-Reply-To: (Kevin Deveau's message of "Tue, 9 Sep 2008 14:53:28 -0400")
References:
Message-ID: <861vzsifep.fsf@ds4.des.no>

"Kevin Deveau" writes:
> In theory this trapped connection can and has proven to be used for
> expolits as if the correct packet is sent to the box, using gathered
> information of course. the attacker becomes assumed by the local host
> thru a remote host and appears to be authenticated allowing executions
> based on the level of permission the frozen login has

That's a *very* tall claim with no evidence to support it.

DES
--
Dag-Erling Smørgrav - des at des.no

From Bryan_R_Harris at raytheon.com Sat Sep 13 04:09:37 2008
From: Bryan_R_Harris at raytheon.com (Bryan R Harris)
Date: Fri, 12 Sep 2008 13:09:37 -0500
Subject: OpenSSH issue
Message-ID:

I hope I'm sending this to the right place.

We have an issue with OpenSSH (we think). Consider:

1) on host A, run: ssh hostB mycmd
2) before mycmd exits: kill

In this case, ideally ssh would detect the TERM signal, notify the remote sshd process of the shutdown, which would cause the remote sshd to terminate taking "mycmd" down with it. But it doesn't, ssh dies, and the remote "mycmd" process on hostB continues running.

Is there a way to kill "mycmd" on hostB in this case?

TIA.

- Bryan Harris

From dkg at fifthhorseman.net Mon Sep 15 15:24:47 2008
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 15 Sep 2008 01:24:47 -0400
Subject: minor documentation fixes in PROTOCOL.agent
Message-ID: <873ak2kmlc.fsf@squeak.fifthhorseman.net>

A non-text attachment was scrubbed...
Name: PROTOCOL.agent.diff
Type: text/x-diff
Size: 1976 bytes
Desc: clarifications of PROTOCOL.agent
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080915/615345d2/attachment.bin

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080915/615345d2/attachment-0001.bin

From rajeshwar.godugu at nsn.com Mon Sep 15 21:15:04 2008
From: rajeshwar.godugu at nsn.com (Godugu, Rajeshwar (NSN - IN/Bangalore))
Date: Mon, 15 Sep 2008 16:45:04 +0530
Subject: Does OpenSSH support setting PAM_AUSER
Message-ID:

Hi All,

From rajeshwar.godugu at nsn.com Mon Sep 15 22:01:56 2008
From: rajeshwar.godugu at nsn.com (Godugu, Rajeshwar (NSN - IN/Bangalore))
Date: Mon, 15 Sep 2008 17:31:56 +0530
Subject: Does OpenSSH support setting PAM_AUSER
Message-ID:

Hi All,

I have OpenSSH "OpenSSH_5.1p1, OpenSSL 0.9.7d 17 Mar 2004" installed on machines which have Solaris 10 as OS.

I have a requirement to implement RBAC (Role Based Access Control) on my system. As part of RBAC, I have to provide a remote role2role login feature (for more details:
http://bugs.opensolaris.org/view_bug.do;jsessionid=bac85b2b6bd564e843af4907bd1?bug_id=6213280
http://opensolaris.org/jive/thread.jspa?threadID=64615&tstart=45 )

By default roles don't support remote login to roles; the reason behind this is that the PAM (pluggable authentication module) module pam_roles will not allow remote users to assume roles. For more details: http://docs.sun.com/app/docs/doc/819-2252/pam-roles-5?a=view

The pam_roles man page says that this feature is possible by setting PAM_AUSER, but only the sshd-hostbased service can set this PAM_AUSER. According to the pam_roles(5) man page, after making the following change to /etc/pam.conf, remote role assumption should work:

"sshd-hostbased account requisite pam_roles.so.1 allow_remote"

1) My doubt is: in the pam_roles man page it is not clearly mentioned whether it will work with OpenSSH or SSH?

2) So can you please tell me, will this sshd-hostbased service set PAM_AUSER or not?

If the mail is not clear, please do reply without any hesitation.

Thanks in advance,

Regards,
Rajas

From dtucker at zip.com.au Mon Sep 15 22:37:58 2008
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 15 Sep 2008 22:37:58 +1000
Subject: Does OpenSSH support setting PAM_AUSER
In-Reply-To:
References:
Message-ID: <48CE5726.80702@zip.com.au>

Godugu, Rajeshwar (NSN - IN/Bangalore) wrote:
[...]
> "sshd-hostbased account requisite pam_roles.so.1 allow_remote"
>
> 1) My doubt is, In pam_roles man page it is not clearly mentioned, will
> it work with Open-ssh or SSH?
>
> 2) So can you please tell me, is this sshd-hostbased service will set
> PAM_AUSER or not?

PAM_AUSER is not part of the PAM spec (either XSSO[1] or the original Sun RFC[2]) and OpenSSH does not currently use it. The link you posted suggests that Sun have modified the sshd that ships with Solaris to use it for some auth methods, but you would need to ask Sun about that.

[1] http://www.opengroup.org/onlinepubs/008329799/
[2] http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From raphael.payen at gmail.com Mon Sep 15 04:50:46 2008
From: raphael.payen at gmail.com (Raphael Payen)
Date: Sun, 14 Sep 2008 20:50:46 +0200
Subject: Suggestion for %h in ControlPath
Message-ID: <7f0eb150809141150j41a5aef7g55dd8b7216b2fb81@mail.gmail.com>

Hi.

Just a suggestion: in the ControlPath syntax, you could add a %H that would expand to the name of the "Host" specification matched, + %h.

In my opinion, when you add a "Host" paragraph with a different name for the same target host, generally you don't want to reuse the same control socket. Of course you can write different ControlPath directives in each specification paragraph, but I would find it better to be able to avoid it. And there can be people adding specifications without even realizing that this will reuse the same ControlPath. (That has been my case recently, as you might have guessed :) ).

Best regards,
--
Raphael Payen

From dkg at fifthhorseman.net Tue Sep 16 04:28:29 2008
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 15 Sep 2008 14:28:29 -0400
Subject: Suggestion for %h in ControlPath
In-Reply-To: <7f0eb150809141150j41a5aef7g55dd8b7216b2fb81@mail.gmail.com> (Raphael Payen's message of "Sun, 14 Sep 2008 20:50:46 +0200")
References: <7f0eb150809141150j41a5aef7g55dd8b7216b2fb81@mail.gmail.com>
Message-ID: <87wshdclgy.fsf@squeak.fifthhorseman.net>

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080915/b981fe4e/attachment-0001.bin

From sshdoubts at yahoo.com Mon Sep 15 22:07:04 2008
From: sshdoubts at yahoo.com (sri veera)
Date: Mon, 15 Sep 2008 05:07:04 -0700 (PDT)
Subject: No subject
Message-ID: <403434.46637.qm@web59705.mail.ac4.yahoo.com>

hello..

I am running openssh-3.7.1p2 on Linux. It is working successfully, and the daemon is running and the client is also connecting. But the problem is with the MIPS architecture: when I connect to this server from a remote system, I got an error of buffer_get: trying to get more bytes 1 than buffer 0. And the client is not connecting from the remote system. My output is as follows on my server:

in sshd main before sh_get_programme./bcm.user in have programme after ssh_get_programme after init_rng before xmalloc after xmalloc before initiliase serveroptions in initilise sever options after initiliase serveroptions before ssleay add algorithms after ssleay add algorithms in channel set before log init after log init before seed_rng after seed_rng before read_server_config after read_server_config before fill_default_server_options after fill_default_server_options sshd version OpenSSH_3.7.1p2 before lodaing private keys after lodaing private keys after lodaing private keys options.host_key_files[i]=/etc/ssh/ssh_host_rsa_key in key_load_private before key_load_public_rsa1 in buffer_init in buffer_append_space in buffer_get leaving from buffer_get in buffer_free before key_load_private_pem returning from key_load_private after key_load_private private host key: #0 type 1 RSA options.host_key_files[i]=/etc/ssh/ssh_host_dsa_key in key_load_private before key_load_public_rsa1 in buffer_init in buffer_append_space in buffer_get leaving from buffer_get in buffer_free before key_load_private_pem returning from key_load_private after key_load_private private host key: #1 type 2 DSA before setting protcol version options.protocol=4 ...sensitive_data.have_ssh1_key=0
sensitive_data.have_ssh2_key=1 use_privsep=1 before get pwnam after get pwnam before set groups before daemon starts after daemon starts before arc4random_stir before chdir before signal after signal in else condition AF_INET=2, AF_INET6=10 listen_sock=0ai->ai_family=2,ai->ai_socktype=2,ai->ai_protocol=6 listen_sock=5 Bind to port ssh on 0.0.0.0. strport=ssh Server listening on 0.0.0.0 port ssh. AF_INET=2, AF_INET6=10 listen_sock=5ai->ai_family=2,ai->ai_socktype=2,ai->ai_protocol=6 listen_sock=6 Bind to port ssh on ::. not binding before freeaddrinfo after freeaddrinfo before SIGHUP before SIGTERM before SIGCHLD setup fd set for listen before select bash-3.00# before alarm after alarm before SIGINT after SIGINT before packet_set_connection in buffer_init in buffer_init in buffer_init in buffer_init after packet_set_connection before select after get_remote_portremote_port=57218 after get_remote_ipaddr=192.168.131.254 Connection from 192.168.131.254 port 57218 before signal before sshd_exchange_identificationsock_in=6, sock_out=6 after sshd_exchange_identificationsock_in=6, sock_out=6 after packet_set_nonblocking in buffer_init after buffer_init before use_privsep=0',use_privsep before privsep_preauth in authctxt_new in buffer_init authenticate user and start session in do_ssh2_kex compat_cipher_proposal compat_cipher_proposal in list_hostkey_types in buffer_init in buffer_len in key_ssh_name in KEY_RSA in buffer_append in buffer_append_space in buffer_len in buffer_append in buffer_append_space in key_ssh_name in KEY_DSA in buffer_append in buffer_append_space in buffer_append in buffer_append_space in buffer_ptr in buffer_free list_hostkey_types: ssh-rsa,ssh-dss in kex_setup in buffer_init in buffer_init before kex_send_kexinit in buffer_len kex_send_kexinit: kex proposal too short len=0 in buffer_ptr packet_start[20] in buffer_clear in buffer_append in buffer_append_space in buffer_ptr in buffer_len in buffer_append in
buffer_append_space in buffer_ptr in buffer_ptr in buffer_len in buffer_append_space in buffer_len in buffer_ptr in buffer_len in buffer_append_space in buffer_ptr in buffer_len in cipher_crypt cipher_crypt before evp-cipher return from cipher_crypt in buffer_clear packet_send done SSH2_MSG_KEXINIT sent before kex_reset_dispatch after kex_reset_dispatch packet_write_wait in buffer_len in buffer_ptr in buffer_consume in packet_have_data_to_write in buffer_len in buffer_len in buffer_append in buffer_append_space in buffer_len in buffer_clear in buffer_append_space in buffer_ptr in cipher_crypt cipher_crypt before evp-cipher return from cipher_crypt in buffer_ptr in buffer_consume in buffer_len in buffer_append_space in buffer_ptr in cipher_crypt cipher_crypt before evp-cipher return from cipher_crypt in buffer_consume in buffer_ptr in buffer_consume in buffer_consume_end in buffer_get leaving from buffer_get in buffer_len in buffer_ptr in buffer_append in buffer_append_space in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in
buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_len in buffer_init in buffer_ptr in buffer_len in buffer_append in buffer_append_space in buffer_get in buffer_free in buffer_free in buffer_free in buffer_free before select

Please can anyone give suggestions on this?

From sshdoubts at yahoo.com Thu Sep 18 18:08:38 2008
From: sshdoubts at yahoo.com (sri veera)
Date: Thu, 18 Sep 2008 01:08:38 -0700 (PDT)
Subject: SSHD_PROBLEM
Message-ID: <11480.42137.qm@web59714.mail.ac4.yahoo.com>

hello..

I am running openssh-3.7.1p2 on Linux. It is working successfully, and the daemon is running and the client is also connecting. But the problem is with the MIPS architecture: when I connect to this server from a remote system, I got an error of buffer_get: trying to get more bytes 1 than buffer 0. And the client is not connecting from the remote system. My output is as follows on my server:

in sshd main before sh_get_programme./bcm.user in have programme after ssh_get_programme after init_rng before xmalloc after xmalloc before initiliase serveroptions in initilise sever options after initiliase serveroptions before ssleay add algorithms after ssleay add algorithms in channel set before log init after log init before seed_rng after seed_rng before read_server_config after read_server_config before fill_default_server_options after fill_default_server_options sshd version OpenSSH_3.7.1p2 before lodaing private keys after lodaing private keys after lodaing private keys options.host_key_files[i]=/etc/ssh/ssh_host_rsa_key in key_load_private before key_load_public_rsa1 in buffer_init in buffer_append_space in buffer_get leaving from buffer_get in buffer_free before key_load_private_pem returning from key_load_private after key_load_private private host key: #0 type 1 RSA options.host_key_files[i]=/etc/ssh/ssh_host_dsa_key in key_load_private before key_load_public_rsa1 in buffer_init in buffer_append_space in buffer_get leaving from buffer_get in buffer_free before key_load_private_pem returning from key_load_private after key_load_private private host key: #1 type 2 DSA before setting protcol version options.protocol=4 ...sensitive_data.have_ssh1_key=0 sensitive_data.have_ssh2_key=1 use_privsep=1 before get pwnam after get pwnam before set groups before daemon starts after daemon starts before arc4random_stir before chdir before
signal after signal in else condition AF_INET=2, AF_INET6=10 listen_sock=0ai->ai_family=2,ai->ai_socktype=2,ai->ai_protocol=6 listen_sock=5 Bind to port ssh on 0.0.0.0. strport=ssh Server listening on 0.0.0.0 port ssh. AF_INET=2, AF_INET6=10 listen_sock=5ai->ai_family=2,ai->ai_socktype=2,ai->ai_protocol=6 listen_sock=6 Bind to port ssh on ::. not binding before freeaddrinfo after freeaddrinfo before SIGHUP before SIGTERM before SIGCHLD setup fd set for listen before select bash-3.00# before alarm after alarm before SIGINT after SIGINT before packet_set_connection in buffer_init in buffer_init in buffer_init in buffer_init after packet_set_connection before select after get_remote_portremote_port=57218 after get_remote_ipaddr=192.168.131.254 Connection from 192.168.131.254 port 57218 before signal before sshd_exchange_identificationsock_in=6, sock_out=6 after sshd_exchange_identificationsock_in=6, sock_out=6 after packet_set_nonblocking in buffer_init after buffer_init before use_privsep=0',use_privsep before privsep_preauth in authctxt_new in buffer_init authenticate user and start session in do_ssh2_kex compat_cipher_proposal compat_cipher_proposal in list_hostkey_types in buffer_init in buffer_len in key_ssh_name in KEY_RSA in buffer_append in buffer_append_space in buffer_len in buffer_append in buffer_append_space in key_ssh_name in KEY_DSA in buffer_append in buffer_append_space in buffer_append in buffer_append_space in buffer_ptr in buffer_free list_hostkey_types: ssh-rsa,ssh-dss in kex_setup in buffer_init in buffer_init before kex_send_kexinit in buffer_len kex_send_kexinit: kex proposal too short len=0 in buffer_ptr packet_start[20] in buffer_clear in buffer_append in buffer_append_space in buffer_ptr in buffer_len in buffer_append in buffer_append_space in buffer_ptr in buffer_ptr in buffer_len in buffer_append_space in buffer_len in buffer_ptr in buffer_len in buffer_append_space in buffer_ptr in buffer_len in cipher_crypt cipher_crypt before evp-cipher 
return from cipher_crypt in buffer_clear packet_send done SSH2_MSG_KEXINIT sent before kex_reset_dispatch after kex_reset_dispatch packet_write_wait in buffer_len in buffer_ptr in buffer_consume in packet_have_data_to_write in buffer_len in buffer_len in buffer_append in buffer_append_space in buffer_len in buffer_clear in buffer_append_space in buffer_ptr in cipher_crypt cipher_crypt before evp-cipher return from cipher_crypt in buffer_ptr in buffer_consume in buffer_len in buffer_append_space in buffer_ptr in cipher_crypt cipher_crypt before evp-cipher return from cipher_crypt in buffer_consume in buffer_ptr in buffer_consume in buffer_consume_end in buffer_get leaving from buffer_get in buffer_len in buffer_ptr in buffer_append in buffer_append_space in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get 
leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_get leaving from buffer_get in buffer_len in buffer_init in buffer_ptr in buffer_len in buffer_append in buffer_append_space in buffer_get in buffer_free in buffer_free in buffer_free in buffer_free before select

Please can anyone give suggestions on this?

From stuge-openssh-unix-dev at cdy.org Fri Sep 19 02:24:03 2008
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 18 Sep 2008 18:24:03 +0200
Subject: SSHD_PROBLEM
In-Reply-To: <11480.42137.qm@web59714.mail.ac4.yahoo.com>
References: <11480.42137.qm@web59714.mail.ac4.yahoo.com>
Message-ID: <20080918162403.12854.qmail@cdy.org>

sri veera wrote:
> i am running openssh-3.7.1p2.

That is a very old version of OpenSSH.

> problem is with the mips architecture when i connecting this server
> from remote syytem.
..
> Please any one give suggestions on this

Please try upgrading OpenSSH at least on the server, but ideally both on server and client to the latest version. I believe that is 5.0p1.

//Peter

From dkg at fifthhorseman.net Fri Sep 19 03:24:55 2008
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 18 Sep 2008 13:24:55 -0400
Subject: SSHD_PROBLEM
In-Reply-To: <20080918162403.12854.qmail@cdy.org> (Peter Stuge's message of "Thu, 18 Sep 2008 18:24:03 +0200")
Message-ID: <873ajx1i54.fsf@squeak.fifthhorseman.net>

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080918/76ea68e9/attachment.bin

From djm at mindrot.org Fri Sep 19 04:34:32 2008
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Sep 2008 04:34:32 +1000 (EST)
Subject: SSHD_PROBLEM
In-Reply-To: <11480.42137.qm@web59714.mail.ac4.yahoo.com>
References: <11480.42137.qm@web59714.mail.ac4.yahoo.com>
Message-ID:

On Thu, 18 Sep 2008, sri veera wrote:

> hello..
> i am running openssh-3.7.1p2. on linux.It is working
> successfully.and daemon is running &client also connecting.But the
> problem is with the mips architecture when i connecting this server
> from remote syytem. i got an error of buufer_get:trying to get more
> bytes 1 than buffer0.And client is not connecting from remote system.My
> out is as follows on my server

Hi,

Your version of OpenSSH is very old. We are up to 5.1 now - can you replicate your problem with a more recent version?

Also, we prefer debug traces from OpenSSH ("ssh -vvv", "sshd -ddd"). I'm not sure what you generated your trace with, but it is little help for us in figuring out what your problem is.

-d

From gorhas at gmail.com Sun Sep 21 04:10:17 2008
From: gorhas at gmail.com (Goran Hasse)
Date: Sat, 20 Sep 2008 20:10:17 +0200
Subject: ssh in small devices
Message-ID:

Dear Sirs,

This must have been asked before but I don't find any FAQ around dealing with the issue.

We are building small devices that connect to the Internet (www.ipio.nu). The next generation of this we want to base on AVR32 and run a small slimmed version of Linux. We have some program on this device that we want to connect to servers out on the Internet. SSL seems to be "quite heavy" for this simple task. We just want a fairly good secure channel and we are investigating if SSH could do the job. BUT what we would really like is to embed the SSH protocol *into* our applications. The devices could and should not be managed in any way! So we must prepack as much as possible.

The problem is that we found virtually no information about how to do this! We were looking for some libssh libraries on the OpenSSH site - but find no such thing.

If anybody could take on such a task, to build a libssh from stuff that is on OpenSSH and make some simple example code, please get in contact with us.

Göran Hasse
Raditex AB
gorhas at raditex.se
http://www.ipio.nu
http://www.freescada.com

--
gorhas at gmail.com
Mob: 070-5530148

From openssh at p23q.org Sun Sep 21 08:59:30 2008
From: openssh at p23q.org (David Rasmus Piegdon)
Date: Sat, 20 Sep 2008 22:59:30 +0000
Subject: ssh in small devices
In-Reply-To:
References:
Message-ID: <20080920225930.GA22023@ganymede>

you might want to take a look at OpenSSL (http://openssl.org). there is also a good O'Reilly book on OpenSSL. OpenSSL provides many cryptography and certificate functions, including establishment of secure connections via TCP/IP.

if OpenSSL is still too heavy, give google(lightweight SSL or TLS library) a try.

david

--
Hail Eris, All Hail Discordia.

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080920/c0d20216/attachment.bin

From djm at mindrot.org Sun Sep 21 15:59:32 2008
From: djm at mindrot.org (Damien Miller)
Date: Sun, 21 Sep 2008 15:59:32 +1000 (EST)
Subject: ssh in small devices
In-Reply-To:
References:
Message-ID:

On Sat, 20 Sep 2008, Goran Hasse wrote:

> Dear Sirs,
>
> This must have been asked before but I don't find and FAQ around
> dealing with the issue.
>
> We are building small devices that connects to Internet (www.ipio.nu).
> The next generation of this we want to base on AVR32 and run a small
> slimmed version of Linux. We have som program on this device that we
> want to connect to servers out on Internet. SSL seems to be "quite
> heavy" for this simple task. We just want a fairly good sequre channel
> and we are investigating if SSH could do the job. BUT wat we would
> realy like is to embedd the SSH protocol *into* our applications. The
> devices could and should not be managed in any way! So we must prepack
> as mutch as possible.

OpenSSH doesn't have any direct programmatic interface. If you need a SSH client with a programmatic interface, some options are libssh2 (C), jSSH (Java) and Twisted Conch (Python). I'm not aware of any SSH server libraries, but it is quite easy to interface arbitrary code to a SSH server as a shell or subsystem.

OpenSSH has never been optimised to run on small devices. It wouldn't be too hard to chop out bits that are non-relevant (SSH1, X11 forwarding, compression, etc.) but nobody has done the work. Also, we still depend on OpenSSL's libcrypto, which is fairly heavyweight. This would be much trickier to disentangle, though I note that the Heimdal Kerberos implementation now has a "hcrypto" library that implements a subset of libcrypto - perhaps it is enough for OpenSSH.

There is another SSH server implementation that is focused on code size: dropbear. I've never used it, but it is quite popular on small devices.

-d

From sshdoubts at yahoo.com Tue Sep 23 16:55:28 2008
From: sshdoubts at yahoo.com (sri veera)
Date: Mon, 22 Sep 2008 23:55:28 -0700 (PDT)
Subject: ERROR:buffer_get_ret
Message-ID: <34947.86275.qm@web59702.mail.ac4.yahoo.com>

hi,

I am running the OpenSSH source code for an ssh server. It is working successfully; the daemon is running, but the problem is when connecting to this server from a remote system I got the following errors:

buffer_get_ret: trying to get more bytes 1 than in buffer 0
buffer_get: buffer error

please give me suggestions on this

From djm at mindrot.org Wed Sep 24 03:02:28 2008
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Sep 2008 03:02:28 +1000 (EST)
Subject: ERROR:buffer_get_ret
In-Reply-To: <34947.86275.qm@web59702.mail.ac4.yahoo.com>
References: <34947.86275.qm@web59702.mail.ac4.yahoo.com>
Message-ID:

On Mon, 22 Sep 2008, sri veera wrote:

> hi,
> I am running openssh sourec code for ssh server.It is working
> successfully.daemon is running,but the problem is when conncting to
> this server from remote system i got the following errors.
>
> buffer_get_ret: trying to get more bytes 1 than in buffer 0
> buffer_get: buffer error
> plese give me suggestions on this

Like I said before, you need to post a complete bug report. Please include the version of the client and server software in use as well as a complete debug trace ("ssh -vvv" or "sshd -ddd"). Otherwise we simply cannot help you.

-d

From scott_n at xypro.com Wed Sep 24 02:47:04 2008
From: scott_n at xypro.com (Scott Neugroschl)
Date: Tue, 23 Sep 2008 09:47:04 -0700
Subject: Off-topic question
Message-ID: <78DD71C304F38B41885A242996B96F73019A7283@xyservd.XYPRO-23.LOCAL>

Has anyone else on this list seen an uptick in fake "delivery failure notification" spam? I'm getting them at my return address here, and this is one of the two places where that address is public.

Thanks

----
Scott Neugroschl
XYPRO Technologies
scott_n at xypro.com
805-583-2874 x133

From jbasney at ncsa.uiuc.edu Wed Sep 24 07:46:03 2008
From: jbasney at ncsa.uiuc.edu (Jim Basney)
Date: Tue, 23 Sep 2008 16:46:03 -0500
Subject: X11 forwarding fails from Mac OS 10.5.5
Message-ID: <48D9639B.5090000@ncsa.uiuc.edu>

Hello,

When I use an ssh client built from the openssh.org OpenSSH_5.1p1 sources on Mac OS 10.5.5 (Darwin Kernel Version 9.5.0: Wed Sep 3 11:29:43 PDT 2008; root:xnu-1228.7.58~1/RELEASE_I386 i386), I get the following error when trying to launch an xterm in a remote ssh session:

debug1: client_input_channel_open: ctype x11 rchan 3 win 2097152 max 16384
debug1: client_request_x11: request from 127.0.0.1 54813
/tmp/launch-LP0nSk/: unknown host. (nodename nor servname provided, or not known)
debug1: failure x11
X connection to localhost:14.0 broken (explicit kill or server shutdown).

When I use the ssh client provided by Mac OS (also OpenSSH_5.1p1), it works:

debug1: client_input_channel_open: ctype x11 rchan 3 win 2097152 max 16384
debug1: client_request_x11: request from 127.0.0.1 53387
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11

I think this is a new problem that appeared when I updated to Mac OS 10.5.5 from 10.5.4. Has anyone else seen this problem? Is there a workaround? I'd be happy to provide more details on request.

Thanks,
Jim

From openssh at yarra.no-ip.org Wed Sep 24 10:14:59 2008
From: openssh at yarra.no-ip.org (Philip Yarra)
Date: Wed, 24 Sep 2008 10:14:59 +1000
Subject: A backhanded compliment for OpenSSH
Message-ID: <200809241014.59733.openssh@yarra.no-ip.org>

We recently commissioned a new WAN. Us IT folks have been using it for months, using ssh and scp to configure systems, copy files etc. It all worked perfectly, across Linux, FreeBSD and nanoBSD systems.

We opened the WAN to our regular (Windows) application traffic, and it promptly fell into a screaming heap. Days of chaos ensued, until we found that ethernet duplex/speed mismatches with the edge routers were causing loss of millions of frames.

So here's the back-handed compliment: OpenSSH is too reliable, too robust, and too tolerant of poor networks.

Thanks, and keep up the good work.

From des at des.no Thu Sep 25 07:26:42 2008
From: des at des.no (Dag-Erling Smørgrav)
Date: Wed, 24 Sep 2008 23:26:42 +0200
Subject: utmp_len
Message-ID: <86k5d1kzfx.fsf@ds4.des.no>

In sshd.c:

/* record remote hostname or ip */
u_int utmp_len = MAXHOSTNAMELEN;

However, HOSTNAMELEN is almost certainly too long. Is there a reason not to use UT_HOSTSIZE instead, as below?

Index: sshd.c =================================================================== --- sshd.c (revision 182719) +++ sshd.c (working copy) @@ -72,6 +72,7 @@ #include #include #include +#include #include #include @@ -238,7 +239,7 @@ u_int session_id2_len = 0; /* record remote hostname or ip */ -u_int utmp_len = MAXHOSTNAMELEN; +u_int utmp_len = UT_HOSTSIZE; /* options.max_startup sized array of fd ints */ int *startup_pipes = NULL;

DES
--
Dag-Erling Smørgrav - des at des.no

From opensource at till.name Fri Sep 26 20:05:05 2008
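Review bot: the second hunk's new default, `+u_int utmp_len = UT_HOSTSIZE;`, assumes that macro is defined everywhere portable OpenSSH builds, but UT_HOSTSIZE comes from the traditional utmp.h and is absent on platforms that provide only utmpx; guard it with `#ifdef UT_HOSTSIZE` and fall back to the existing MAXHOSTNAMELEN default so the build does not break there. In the first hunk the added `+#include` has lost its header name in the archived copy, so the patch as shown does not say which header supplies UT_HOSTSIZE; restate the header in the patch description, and consider whether the include belongs in the portability layer rather than sshd.c given the platform variation above.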
From: opensource at till.name (Till Maas)
Date: Fri, 26 Sep 2008 12:05:05 +0200
Subject: RFE: DynamicForward on ~C commandline and via ControlMaster
Message-ID: <200809261205.13139.opensource@till.name>

Hiyas,

currently the commandline that can be reached via ~C cannot create new DynamicForwards. This is a feature I really miss, therefore it would be nice if it could be implemented, e.g. -D 12345 should open a new socks proxy on port 12345 on the local machine.

Also I want to ask what the status on allowing additional {Local,Remote,Dynamic}Forwards in combination with ControlMaster is. I found this message from 2005 saying that it is planned to support it, but it does not seem to work with recent openssh versions:
http://marc.info/?l=openssh-unix-dev&m=113168962920766&w=2

Probably I could create a patch for the first issue, but I am not a C expert.

Please note that I am not on this mailing list.

Regards,
Till

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20080926/9116b62e/attachment.bin