From luciano at debian.org Wed Apr 1 03:10:33 2009
From: luciano at debian.org (Luciano Bello)
Date: Tue, 31 Mar 2009 13:10:33 -0300
Subject: About multiple hosts with same hostname
In-Reply-To: <49D20DA9.9040404@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk>
Message-ID: <200903311310.33525.luciano@debian.org>

On Tue 31 Mar 2009, Christian Iversen wrote:
> Isn't there some way to make OpenSSH save the host key using the FQDN
> instead of just the local part? That would solve this problem.

Permitting that is permitting MitM when there is a DNS spoofing situation.

luciano

From chrivers at iversen-net.dk Wed Apr 1 05:01:45 2009
From: chrivers at iversen-net.dk (Christian Iversen)
Date: Tue, 31 Mar 2009 20:01:45 +0200
Subject: About multiple hosts with same hostname
In-Reply-To: <200903311310.33525.luciano@debian.org>
References: <49D20DA9.9040404@iversen-net.dk> <200903311310.33525.luciano@debian.org>
Message-ID: <49D25A89.9080301@iversen-net.dk>

Luciano Bello wrote:
> On Tue 31 Mar 2009, Christian Iversen wrote:
>> Isn't there some way to make OpenSSH save the host key using the FQDN
>> instead of just the local part? That would solve this problem.
>
> Permitting that is permitting MitM when there is a DNS spoofing situation.

You are entirely right. I realized that moments after I had sent the
message :-)

Of course, the domain parameter cannot be determined with any certainty.

However, maybe there is a way to accept multiple keys for the same hostname?
I understand that using FQDNs is a way to go, but they can be pretty long to
input (custom zsh tab completion could be a way to go here).

I mean, having (say) 5 different host keys for "fw0" shouldn't really be a
problem, since whichever one is presented can be verified. It's still
impossible for an attacker to replace fw0 with another machine without
knowing the private keys, and you're still not going to hit another machine
by accident.

Am I really the only person with this problem? :-)

-- 
Kind regards
Christian Iversen

From chrivers at iversen-net.dk Wed Apr 1 05:04:13 2009
From: chrivers at iversen-net.dk (Christian Iversen)
Date: Tue, 31 Mar 2009 20:04:13 +0200
Subject: About multiple hosts with same hostname
In-Reply-To: <49D2509B.2070105@hp.com>
References: <49D20DA9.9040404@iversen-net.dk> <49D2509B.2070105@hp.com>
Message-ID: <49D25B1D.6050003@iversen-net.dk>

Rick Jones wrote:
> Christian Iversen wrote:
>> Hello all
>>
>> I have a somewhat annoying problem with OpenSSH. Now, granted, it's
>> certainly not a bug. I'm just wondering what the best course of action
>> is.
>>
>> At work, we have multiple customers with machines named "fw0", "fs0",
>> etc. This is all good, since it conforms to a standard naming scheme,
>> so it's easier to administrate.
>>
>> However, when we go to our customers' sites, we often issue commands
>> like "ssh user@fw0", which of course gives out endless warnings about
>> MITM attacks, and essentially makes host keys worthless on the
>> internal customer networks.
>>
>> It seems somewhat wrong to me. Isn't there some way to make OpenSSH
>> save the host key using the FQDN instead of just the local part? That
>> would solve this problem. Is there some other commonly accepted way of
>> dealing with this that doesn't involve making all our host names unique?
>
> FQDNs _are_ unique host names. Or at least they are supposed to be.

Oh, of course they are. But as I said, the problem is that we often use
only the local part. Our FQDNs are always globally unique, otherwise a ton
of things would break.

> So, it would seem that simply saying ssh user@FQDN is going to be the
> way to go. It has been my experience that if one uses the FQDN that is
> what will go into the file.

Mine too. I might just set up some zsh completion and perhaps some aliases
to work around the extra typing involved.

>> Bonus question: We have 2 storage servers (let's call them storage0
>> and storage1), and between them they run a floating IP address with a
>> heartbeat-monitored NFS daemon (let's call that nfs0).
>>
>> Now, obviously the host key changes whenever there's been a failover,
>> and so again we get this same kind of problem. What to do in this
>> case? Any ideas?
>
> Always ssh to the unique rather than shared name?

Well, since they mount a shared disk which is only available on the active
nfs host, we need to actually ssh to the nfs server in maintenance and
backup scripts. Any ideas?

-- 
Kind regards
Christian Iversen

From rick.jones2 at hp.com Wed Apr 1 04:19:23 2009
From: rick.jones2 at hp.com (Rick Jones)
Date: Tue, 31 Mar 2009 10:19:23 -0700
Subject: About multiple hosts with same hostname
In-Reply-To: <49D20DA9.9040404@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk>
Message-ID: <49D2509B.2070105@hp.com>

Christian Iversen wrote:
> Hello all
>
> I have a somewhat annoying problem with OpenSSH. Now, granted, it's
> certainly not a bug. I'm just wondering what the best course of action is.
>
> At work, we have multiple customers with machines named "fw0", "fs0",
> etc. This is all good, since it conforms to a standard naming scheme, so
> it's easier to administrate.
>
> However, when we go to our customers' sites, we often issue commands
> like "ssh user@fw0", which of course gives out endless warnings about
> MITM attacks, and essentially makes host keys worthless on the internal
> customer networks.
>
> It seems somewhat wrong to me. Isn't there some way to make OpenSSH save
> the host key using the FQDN instead of just the local part? That would
> solve this problem. Is there some other commonly accepted way of dealing
> with this that doesn't involve making all our host names unique?

FQDNs _are_ unique host names. Or at least they are supposed to be.

So, it would seem that simply saying ssh user@FQDN is going to be the way
to go. It has been my experience that if one uses the FQDN that is what
will go into the file.

> Bonus question: We have 2 storage servers (let's call them storage0 and
> storage1), and between them they run a floating IP address with a
> heartbeat-monitored NFS daemon (let's call that nfs0).
>
> Now, obviously the host key changes whenever there's been a failover,
> and so again we get this same kind of problem. What to do in this case?
> Any ideas?

Always ssh to the unique rather than shared name?

rick jones

From miguel.sanders at arcelormittal.com Wed Apr 1 05:33:50 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Tue, 31 Mar 2009 20:33:50 +0200
Subject: Memory leak in do_ssh2_kex()
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF3EE6@GEN-MXB-V04.msad.arcelor.net>

Hi guys

Apparently, there is a small memory leak in the do_ssh2_kex() routine in
sshd.c. Line 2195 in sshd.c states:

    myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();

where list_hostkey_types() returns a pointer allocated by the xstrdup call
(line 735). This pointer should be freed in the calling routine
do_ssh2_kex().

Should I make a patch for this?

Also, since my previous patch was not according to your standards, how many
lines of context do you normally want in a patch file?

Thanks!

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

****
This message and any attachment are confidential, intended solely for the
use of the individual or entity to whom it is addressed and may be protected
by professional secrecy or intellectual property rights.
If you have received it by mistake, or are not the named recipient(s),
please immediately notify the sender and delete the message. You are hereby
notified that any unauthorized use, copying or dissemination of any or all
information contained in this message is prohibited.
Arcelormittal shall not be liable for the message if altered, falsified, or
in case of error in the recipient.
This message does not constitute any right or commitment for ArcelorMittal
except when expressly agreed otherwise in writing in a separate agreement.
****

From bob at proulx.com Wed Apr 1 05:46:53 2009
From: bob at proulx.com (Bob Proulx)
Date: Tue, 31 Mar 2009 12:46:53 -0600
Subject: About multiple hosts with same hostname
In-Reply-To: <49D25B1D.6050003@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk> <49D2509B.2070105@hp.com> <49D25B1D.6050003@iversen-net.dk>
Message-ID: <20090331184653.GA20453@dementia.proulx.com>

Christian Iversen wrote:
> Rick Jones wrote:
> > So, it would seem that simply saying ssh user@FQDN is going to be the
> > way to go. It has been my experience that if one uses the FQDN that is
> > what will go into the file.
>
> Mine too. I might just set up some zsh completion and perhaps some
> aliases to work around the extra typing involved.

Isn't that already the default? You may be falling victim to
HashKnownHosts=yes preventing this from working by default.

> >> Bonus question: We have 2 storage servers (let's call them storage0
> >> and storage1), and between them they run a floating IP address with a
> >> heartbeat-monitored NFS daemon (let's call that nfs0).
> >>
> >> Now, obviously the host key changes whenever there's been a failover,
> >> and so again we get this same kind of problem. What to do in this
> >> case? Any ideas?

IMNHO if two machines are hot failover spares for each other and you
control both of them completely then it is best to ensure that they both
have the same host key. Together as a set they are effectively one machine.
Similar to a set of mirrored disks. Effectively you have mirrored servers.
This is what I do to solve this problem for my environment.

Bob

From peter at stuge.se Wed Apr 1 05:49:22 2009
From: peter at stuge.se (Peter Stuge)
Date: Tue, 31 Mar 2009 20:49:22 +0200
Subject: Memory leak in do_ssh2_kex()
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206AF3EE6@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206AF3EE6@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <20090331184922.13313.qmail@stuge.se>

miguel.sanders at arcelormittal.com wrote:
> Should I make a patch for this?

I think that sounds good.

> Also, since my previous patch was not according to your
> standards, how many lines of context do you normally want in a
> patch file?

It's not so much about the amount of context. The point is that diff
defaults to "context diff" which is more difficult for most to read than
"unified diff" which requires diff to be run with -u or e.g. -U 2.

I think I mixed up u and U in the email, sorry for that confusion. :\

//Peter

From miguel.sanders at arcelormittal.com Wed Apr 1 06:18:59 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Tue, 31 Mar 2009 21:18:59 +0200
Subject: Memory leak in do_ssh2_kex()
In-Reply-To: <20090331184922.13313.qmail@stuge.se>
References: <7DF29B50FFF41848BB2281EC2E71A206AF3EE6@GEN-MXB-V04.msad.arcelor.net> <20090331184922.13313.qmail@stuge.se>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF3EEB@GEN-MXB-V04.msad.arcelor.net>

No problem :)
I added the patch as an attachment. Hopefully it passes this time...

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: openssh-unix-dev-bounces+miguel.sanders=arcelormittal.com at mindrot.org [mailto:openssh-unix-dev-bounces+miguel.sanders=arcelormittal.com at mindrot.org] On Behalf Of Peter Stuge
Sent: Tuesday, 31 March 2009 20:49
To: openssh-unix-dev at mindrot.org
Subject: Re: Memory leak in do_ssh2_kex()

miguel.sanders at arcelormittal.com wrote:
> Should I make a patch for this?

I think that sounds good.

> Also, since my previous patch was not according to your standards,
> how many lines of context do you normally want in a patch file?

It's not so much about the amount of context. The point is that diff
defaults to "context diff" which is more difficult for most to read than
"unified diff" which requires diff to be run with -u or e.g. -U 2.

I think I mixed up u and U in the email, sorry for that confusion. :\

//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From miguel.sanders at arcelormittal.com Wed Apr 1 06:22:38 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Tue, 31 Mar 2009 21:22:38 +0200
Subject: Memory leak in do_ssh2_kex()
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206AF3EEB@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206AF3EE6@GEN-MXB-V04.msad.arcelor.net> <20090331184922.13313.qmail@stuge.se> <7DF29B50FFF41848BB2281EC2E71A206AF3EEB@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF3EEC@GEN-MXB-V04.msad.arcelor.net>

It didn't work. You can find the patch (memleak.patch) here as well:
ftp://6tvLa11g:ZB0b073qxZ at 193.121.250.205

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

-----Original Message-----
From: openssh-unix-dev-bounces+miguel.sanders=arcelormittal.com at mindrot.org [mailto:openssh-unix-dev-bounces+miguel.sanders=arcelormittal.com at mindrot.org] On Behalf Of miguel.sanders at arcelormittal.com
Sent: Tuesday, 31 March 2009 21:19
To: openssh-unix-dev at mindrot.org
Subject: RE: Memory leak in do_ssh2_kex()

No problem :)
I added the patch as an attachment. Hopefully it passes this time...

From rick.jones2 at hp.com Wed Apr 1 05:22:14 2009
From: rick.jones2 at hp.com (Rick Jones)
Date: Tue, 31 Mar 2009 11:22:14 -0700
Subject: About multiple hosts with same hostname
In-Reply-To: <49D25B1D.6050003@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk> <49D2509B.2070105@hp.com> <49D25B1D.6050003@iversen-net.dk>
Message-ID: <49D25F56.5050103@hp.com>

Christian Iversen wrote:
> Rick Jones wrote:
>> Christian Iversen wrote:
>>> Hello all
>>>
>>> I have a somewhat annoying problem with OpenSSH. Now, granted, it's
>>> certainly not a bug. I'm just wondering what the best course of action
>>> is.
>>>
>>> At work, we have multiple customers with machines named "fw0", "fs0",
>>> etc. This is all good, since it conforms to a standard naming scheme,
>>> so it's easier to administrate.
>>>
>>> However, when we go to our customers' sites, we often issue commands
>>> like "ssh user@fw0", which of course gives out endless warnings about
>>> MITM attacks, and essentially makes host keys worthless on the
>>> internal customer networks.
>>>
>>> It seems somewhat wrong to me. Isn't there some way to make OpenSSH
>>> save the host key using the FQDN instead of just the local part? That
>>> would solve this problem. Is there some other commonly accepted way of
>>> dealing with this that doesn't involve making all our host names unique?
>>
>> FQDNs _are_ unique host names. Or at least they are supposed to be.
>
> Oh, of course they are. But as I said, the problem is that we often use
> only the local part.

Then it seems the fault lies not in your stars/software :)

> Our FQDNs are always globally unique, otherwise a ton of things would break.
>
>> So, it would seem that simply saying ssh user@FQDN is going to be the
>> way to go. It has been my experience that if one uses the FQDN that is
>> what will go into the file.
>
> Mine too. I might just set up some zsh completion and perhaps some
> aliases to work around the extra typing involved.

Even without zsh completion, you might "get by" with what I will call
"PQDN" - Partially Qualified Domain Name. If your sites only differ by the
first sub-domain then you can go:

    ssh user@foo.bar
    ssh user@foo.baz
    ssh user@foo.bing

rather than:

    ssh user@foo.bar.com.
    ssh user@foo.baz.fred.com.
    ssh user@foo.bing.ethel.org.

(being picky and putting the "root dot" to have the software really know it
is an FQDN and saving some DNS queries :)

>>> Bonus question: We have 2 storage servers (let's call them storage0
>>> and storage1), and between them they run a floating IP address with a
>>> heartbeat-monitored NFS daemon (let's call that nfs0).
>>>
>>> Now, obviously the host key changes whenever there's been a failover,
>>> and so again we get this same kind of problem. What to do in this
>>> case? Any ideas?
>>
>> Always ssh to the unique rather than shared name?
>
> Well, since they mount a shared disk which is only available on the
> active nfs host, we need to actually ssh to the nfs server in
> maintenance and backup scripts. Any ideas?

Have the standby cross-mount the shared disc filesystem(s) from the active
NFS? server?

rick jones

From tim at multitalents.net Wed Apr 1 06:41:57 2009
From: tim at multitalents.net (Tim Rice)
Date: Tue, 31 Mar 2009 12:41:57 -0700 (PDT)
Subject: About multiple hosts with same hostname
In-Reply-To: <49D25B1D.6050003@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk> <49D2509B.2070105@hp.com> <49D25B1D.6050003@iversen-net.dk>
Message-ID:

On Tue, 31 Mar 2009, Christian Iversen wrote:

> >> Bonus question: We have 2 storage servers (let's call them storage0
> >> and storage1), and between them they run a floating IP address with a
> >> heartbeat-monitored NFS daemon (let's call that nfs0).
> >>
> >> Now, obviously the host key changes whenever there's been a failover,
> >> and so again we get this same kind of problem. What to do in this
> >> case? Any ideas?
> >
> > Always ssh to the unique rather than shared name?
>
> Well, since they mount a shared disk which is only available on the
> active nfs host, we need to actually ssh to the nfs server in
> maintenance and backup scripts. Any ideas?

Set up a separate sshd with its own host keys listening on the nfs0 IP only
and use the same keys on both machines.

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From flavien-ssh at lebarbe.net Wed Apr 1 07:47:47 2009
From: flavien-ssh at lebarbe.net (Flavien)
Date: Tue, 31 Mar 2009 22:47:47 +0200
Subject: About multiple hosts with same hostname
In-Reply-To: <49D20DA9.9040404@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk>
Message-ID: <20090331204747.GB31909@flavien.org>

Hi,

Christian Iversen wrote:
> However, when we go to our customers' sites, we often issue commands
> like "ssh user@fw0", which of course gives out endless warnings about
> MITM attacks, and essentially makes host keys worthless on the internal
> customer networks.
>
> It seems somewhat wrong to me. Isn't there some way to make OpenSSH save
> the host key using the FQDN instead of just the local part?

What about a trick like :

    $ tail -2 .ssh/config
    Host fw0
    Hostname fw0.client3.toto.org#CLIENTDOMAIN
    $ switch-ssh client2.org
    $ tail -2 .ssh/config
    Host fw0
    Hostname fw0.client2.org#CLIENTDOMAIN

"switch-ssh" can be a script or even an alias in your shell, that does :

    sed -i \
        "s/^Hostname *\([^.]*\).*#CLIENTDOMAIN/Hostname \1.$1#CLIENTDOMAIN/" \
        .ssh/config

Hope this helps,

Flavien.

From chrivers at iversen-net.dk Wed Apr 1 07:57:57 2009
From: chrivers at iversen-net.dk (Christian Iversen)
Date: Tue, 31 Mar 2009 22:57:57 +0200
Subject: About multiple hosts with same hostname
In-Reply-To: <20090331204747.GB31909@flavien.org>
References: <49D20DA9.9040404@iversen-net.dk> <20090331204747.GB31909@flavien.org>
Message-ID: <49D283D5.40906@iversen-net.dk>

Flavien wrote:
> Hi,
>
> Christian Iversen wrote:
>> However, when we go to our customers' sites, we often issue commands
>> like "ssh user@fw0", which of course gives out endless warnings about
>> MITM attacks, and essentially makes host keys worthless on the internal
>> customer networks.
>>
>> It seems somewhat wrong to me. Isn't there some way to make OpenSSH save
>> the host key using the FQDN instead of just the local part?
>
> What about a trick like :
>
>     $ tail -2 .ssh/config
>     Host fw0
>     Hostname fw0.client3.toto.org#CLIENTDOMAIN
>     $ switch-ssh client2.org
>     $ tail -2 .ssh/config
>     Host fw0
>     Hostname fw0.client2.org#CLIENTDOMAIN
>
> "switch-ssh" can be a script or even an alias in your shell, that
> does :
>
>     sed -i \
>         "s/^Hostname *\([^.]*\).*#CLIENTDOMAIN/Hostname \1.$1#CLIENTDOMAIN/" \
>         .ssh/config

Hmm, that does seem like quite the hack. I think a better solution would be
to use "ssh -o UserKnownHostsFile=~/.ssh/customers/SITE" to provide a
specific hosts file for the customer.

An even better solution, now that I think of it, could be to define a shell
function named "ssh" that resolves the host part into a FQDN, based on the
search domain for the host, checked against a whitelist of valid customer
site names.

That way, only FQDNs would ever be stored. These are unique by definition,
so that should solve it pretty cleanly.

Does anyone have any comments about this idea?

-- 
Kind regards
Christian Iversen

From bob at proulx.com Wed Apr 1 08:15:15 2009
From: bob at proulx.com (Bob Proulx)
Date: Tue, 31 Mar 2009 15:15:15 -0600
Subject: About multiple hosts with same hostname
In-Reply-To: <49D283D5.40906@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk> <20090331204747.GB31909@flavien.org> <49D283D5.40906@iversen-net.dk>
Message-ID: <20090331211515.GA29616@dementia.proulx.com>

Christian Iversen wrote:
> An even better solution, now that I think of it, could be to define a
> shell function named "ssh" that resolves the host part into a FQDN,
> based on the search domain for the host, checked against a whitelist of
> valid customer site names.

Don't forget that ssh is used by other commands such as scp and rsync and
others. If your shell function is purely for the shell then they won't get
the same behavior and will surprise people by not working the same.

Bob

From aphexer at mailhaven.com Wed Apr 1 07:56:30 2009
From: aphexer at mailhaven.com (Alexander Prinsier)
Date: Tue, 31 Mar 2009 22:56:30 +0200
Subject: ChrootDirectory security
In-Reply-To: <49CE78CE.5030203@mailhaven.com>
References: <49CE78CE.5030203@mailhaven.com>
Message-ID: <49D2837E.8040300@mailhaven.com>

Alexander Prinsier wrote:
> I've tried many places, finally ending up here to ask my question: why
> is it so vital that the directory used with the ChrootDirectory
> directive is root-owned?

Thanks everyone for your valuable replies (and the off-list discussions).

And to make the archive complete: you can just comment a block of code in
safely_chroot() in session.c to remove the root-ownership check. I hope
this will be configurable some day. The introduction of internal-sftp was
one big step in the good direction, this option would make it complete.

Alexander

From jmknoble at pobox.com Wed Apr 1 10:45:53 2009
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 31 Mar 2009 18:45:53 -0500
Subject: About multiple hosts with same hostname
In-Reply-To: <49D283D5.40906@iversen-net.dk>
References: <49D20DA9.9040404@iversen-net.dk> <20090331204747.GB31909@flavien.org> <49D283D5.40906@iversen-net.dk>
Message-ID: <20090331234552.GP29122@crawfish.ais.com>

On 2009-03-31 15:57, Christian Iversen wrote:

: An even better solution, now that I think of it, could be to define a
: shell function named "ssh" that resolves the host part into a FQDN,
: based on the search domain for the host, checked against a whitelist of
: valid customer site names.
:
: That way, only FQDNs would ever be stored. These are unique by
: definition, so that should solve it pretty cleanly.

Writing wrapper functions or scripts for ssh(1) (and scp(1), etc.) is
somewhat difficult, unless the wrapper script reproduces the same getopt()
syntax that ssh(1) uses. Even so, options or arguments that contain
whitespace or shell metacharacters often don't work so well.

An alternative approach would be to pre-build a ~/.ssh/config file that
contains usable hostname aliases for each customer's "fw0" host. For
example:

    Host fw0.customer1.example.net fw0.cust1 cust1-fw0
        HostName fw0.customer1.example.net
    Host fw0.customer2.example.net fw0.cust2 cust2-fw0
        HostName fw0.customer2.example.net
    # [and so on...]

Thus, both 'ssh cust1-fw0' and 'ssh fw0.cust1' get to the same fw0 host in
customer1's domain.

This could be done by a script, optionally assembling ~/.ssh/config from a
top portion, a repeated template filled in for each customer, and a bottom
portion. If you wanted to get fancy, you could either generate ~/.ssh/config
on a daily basis or when the list of customer domains changes.

This doesn't require any wrapper function or shell script, it still uses DNS
to resolve the hostname, and it works for ssh(1), scp(1), sftp(1), rsync(1),
etc.

Judicious use of bash or zsh completion could probably be used along with
this to make it even easier, if cust1, cust2, etc. are sufficiently
different.

Good luck to the original poster.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

From miguel.sanders at arcelormittal.com Thu Apr 2 05:12:53 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Wed, 1 Apr 2009 20:12:53 +0200
Subject: bzero() before free()
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net>

Hi guys

I've been browsing the code and at many places I found the following odd
sequence:

    char * string=malloc(somesize);
    ...
    bzero(string,strlen(string));
    free(string);

I really don't see why you would zero a string and free the memory
immediately afterwards?
Any idea why this is done?

Thanks!

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

From edsiper at gmail.com Thu Apr 2 05:15:54 2009
From: edsiper at gmail.com (Eduardo Silva) Date: Wed, 1 Apr 2009 14:15:54 -0400 Subject: bzero() before free() In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net> References: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net> Message-ID: <5aff0db90904011115k5de2a254o5f8941207f00bf22@mail.gmail.com> I had to do that long time ago, that was the only way to avoid a problem generated by the compiler, I'm not talking about ssh, it was another project... maybe it was done for the same reason ? On Wed, Apr 1, 2009 at 2:12 PM, wrote: > Hi guys > > I've been browsing the code and at many places I found the following odd > sequence: > > char * string=malloc(somesize); > ? > bzero(string,strlen(string)); > free(string); > > I really don't see why you would zero a string and free the memory > immediately afterwards? > Any idea why this is done? > > Thanks! > > > Met vriendelijke groet > Best regards > Bien ? vous > > Miguel SANDERS > ArcelorMittal Gent > > UNIX Systems & Storage > IT Supply Western Europe | John Kennedylaan 51 > B-9042 Gent > > T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 > E miguel.sanders at arcelormittal.com > www.arcelormittal.com/gent > > > **** > This message and any attachment are confidential, intended solely for the > use of the individual or entity to whom it is addressed and may be protected > by professional secrecy or intellectual property rights. > If you have received it by mistake, or are not the named recipient(s), > please immediately notify the sender and delete the message. You are hereby > notified that any unauthorized use, copying or dissemination of any or all > information contained in this message is prohibited. > Arcelormittal shall not be liable for the message if altered, falsified, or > in case of error in the recipient. > This message does not constitute any right or commitment for ArcelorMittal > except when expressly agreed otherwise in writing in a separate agreement. 
> ****
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Eduardo Silva
http://edsiper.linuxchile.cl

From peter at stuge.se Thu Apr 2 05:22:58 2009
From: peter at stuge.se (Peter Stuge)
Date: Wed, 1 Apr 2009 20:22:58 +0200
Subject: bzero() before free()
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <20090401182258.31378.qmail@stuge.se>

miguel.sanders at arcelormittal.com wrote:
> I really don't see why you would zero a string and free the memory
> immediately afterwards?
> Any idea why this is done?

To decrease the risk of sensitive data stored in that memory leaking into another program in the system. Now that the memory area is unused (or used by someone else) it might also be marked for paging, and end up being stored to swap on a hard disk.

Decrypted keys or parts of keys, as an example, can be identified even in a large data stream, so it's really bad to let them get away. Passwords would also be bad to leak.

//Peter

From miguel.sanders at arcelormittal.com Thu Apr 2 05:25:31 2009
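The idiom Peter describes, as an added example that is not code from this thread or from OpenSSH: a wipe the optimizer cannot drop, plus a demonstration of why the size to wipe must be the allocation size rather than strlen(), since strlen() stops at the first NUL and leaves everything after it in memory. secure_zero, secure_free and the sample secret are constructed for this example; the volatile-pointer loop is one portable way to keep the stores, which is the same concern the -fno-builtin-memset flag in the configure output later in this thread addresses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero n bytes in a way the optimizer cannot drop as a dead store:
 * every write goes through a volatile pointer, so it must be emitted.
 * A plain memset() immediately before free() may legally be removed. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Wipe the whole allocation, then release it. The caller passes the
 * size it allocated, never strlen(): a key or password buffer may hold
 * an embedded NUL, and everything past it must be wiped as well. */
void secure_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    secure_zero(p, n);
    free(p);
}

/* Count the non-zero bytes in [p, p+n). */
size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t i, c = 0;
    for (i = 0; i < n; i++)
        if (p[i] != 0)
            c++;
    return c;
}

/* Fill a buffer with a pattern, wipe it, and report whether it is clean.
 * Returns 1 when every byte is zero afterwards. */
int demo_secure_zero(void)
{
    unsigned char buf[32];
    memset(buf, 0xAA, sizeof buf);
    secure_zero(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf) == 0;
}

/* Simulate the thread's bzero(string, strlen(string)) on a secret that
 * contains an embedded NUL, and return how many secret bytes that
 * strlen()-sized wipe leaves behind inside the allocation. */
size_t bytes_missed_by_strlen_wipe(const unsigned char *secret, size_t n)
{
    unsigned char *buf = malloc(n);
    size_t wiped, missed;

    if (buf == NULL)
        return 0;
    memcpy(buf, secret, n);

    /* strlen() stops at the first NUL, so only that prefix is cleared. */
    for (wiped = 0; wiped < n && buf[wiped] != 0; wiped++)
        ;
    secure_zero(buf, wiped);

    missed = count_nonzero(buf, n);

    /* Proper cleanup: wipe the full allocation before free(). */
    secure_free(buf, n);
    return missed;
}

int main(void)
{
    /* Constructed sample secret: "key", a NUL, then "pass" (8 bytes). */
    static const unsigned char secret[8] = { 'k', 'e', 'y', 0, 'p', 'a', 's', 's' };

    printf("secure_zero left buffer clean: %d\n", demo_secure_zero());
    printf("bytes a strlen()-sized wipe leaves behind: %zu\n",
           bytes_missed_by_strlen_wipe(secret, sizeof secret));
    return 0;
}
```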
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Wed, 1 Apr 2009 20:25:31 +0200
Subject: bzero() before free()
In-Reply-To: <5aff0db90904011115k5de2a254o5f8941207f00bf22@mail.gmail.com>
References: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net> <5aff0db90904011115k5de2a254o5f8941207f00bf22@mail.gmail.com>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF40EC@GEN-MXB-V04.msad.arcelor.net>

Good point, I also thought of that, but it isn't done all the time (sometimes they do, sometimes they don't...)

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

From miguel.sanders at arcelormittal.com Thu Apr 2 05:34:36 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Wed, 1 Apr 2009 20:34:36 +0200
Subject: bzero() before free()
In-Reply-To: <20090401182258.31378.qmail@stuge.se>
References: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net> <20090401182258.31378.qmail@stuge.se>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF40ED@GEN-MXB-V04.msad.arcelor.net>

Hi Peter,

Thanks for the clarification! Makes sense :)

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

From miguelsanders at telenet.be Thu Apr 2 05:40:53 2009
From: miguelsanders at telenet.be (miguelsanders at telenet.be)
Date: Wed, 01 Apr 2009 18:40:53 +0000
Subject: Memory leak in do_ssh2_kex()
Message-ID:

Trying to send this via home address... That FTP server isn't a stable solution :)

Grtz
Miguel

From miguel.sanders at arcelormittal.com Thu Apr 2 05:47:38 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Wed, 1 Apr 2009 20:47:38 +0200
Subject: Memory leak in do_ssh2_kex()
In-Reply-To:
References:
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF40EE@GEN-MXB-V04.msad.arcelor.net>

Hmm, why can't I deliver a patch via mail?
Isn't this allowed?

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

From dkg at fifthhorseman.net Thu Apr 2 06:03:28 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 01 Apr 2009 15:03:28 -0400
Subject: Memory leak in do_ssh2_kex()
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206AF40EE@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206AF40EE@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <49D3BA80.3080600@fifthhorseman.net>

On 04/01/2009 02:47 PM, miguel.sanders at arcelormittal.com wrote:
> Hmm, why can't I deliver a patch via mail?
> Isn't this allowed?

I've successfully attached patches to mail to this list before. I'm not sure why you're having difficulty.

But regardless, a better idea is to submit a bug at https://bugzilla.mindrot.org/ and attach the patch there. That will make it more likely to be folded into a future release, and provide a stable referent for the issue.

Regards,

--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090401/51f60f5c/attachment.bin

From miguel.sanders at arcelormittal.com Thu Apr 2 06:07:06 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Wed, 1 Apr 2009 21:07:06 +0200
Subject: Memory leak in do_ssh2_kex()
In-Reply-To: <49D3BA80.3080600@fifthhorseman.net>
References: <7DF29B50FFF41848BB2281EC2E71A206AF40EE@GEN-MXB-V04.msad.arcelor.net> <49D3BA80.3080600@fifthhorseman.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF40EF@GEN-MXB-V04.msad.arcelor.net>

Thanks!

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent

From meheranandk at gmail.com Thu Apr 2 06:15:00 2009
From: meheranandk at gmail.com (Meher Anand)
Date: Thu, 2 Apr 2009 00:45:00 +0530
Subject: Improving Testing Infrastructure using an abstraction driven Framework - GSOC
Message-ID:

Hi.

The following is my idea for Improving Testing Infrastructure for the Google Summer of Code Program. Please do let me know if anything is vague or anything needs to be improved.

A framework which provides abstractions for the different protocols that an application uses is always helpful in a testing process, since a Test Engineer need not bother about the implementation of the Protocol. Such a framework can be useful for fuzzy testing, since the program for generating the test cases will be greatly simplified. An additional library, which may be included during testing time only, can be useful to deal with the code coverage issue.

Thanks and regards.
Meher Anand

From peter at stuge.se Thu Apr 2 06:59:09 2009
From: peter at stuge.se (Peter Stuge)
Date: Wed, 1 Apr 2009 21:59:09 +0200
Subject: Improving Testing Infrastructure using an abstraction driven Framework - GSOC
In-Reply-To:
References:
Message-ID: <20090401195909.32088.qmail@stuge.se>

Hi Meher,

Meher Anand wrote:
> The following is my idea for Improving Testing Infrastructure for
> the Google Summer of Code Program. Please do let me know if
> anything is vague or anything needs to be improved.

You write "a framework" and "an additional library" but nothing really concrete?

How would it work? What testing problems would it solve? How would it relate to the existing testing infrastructure? Would it replace it? If so, how could the existing work be reused, if at all? If it would run in parallel, could there still be some reuse? Etc etc.

//Peter

From djm at mindrot.org Thu Apr 2 08:44:58 2009
From: djm at mindrot.org (Damien Miller)
Date: Thu, 2 Apr 2009 07:44:58 +1000 (EST)
Subject: bzero() before free()
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206AF40EC@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206AF40EB@GEN-MXB-V04.msad.arcelor.net> <5aff0db90904011115k5de2a254o5f8941207f00bf22@mail.gmail.com> <7DF29B50FFF41848BB2281EC2E71A206AF40EC@GEN-MXB-V04.msad.arcelor.net>
Message-ID:

On Wed, 1 Apr 2009, miguel.sanders at arcelormittal.com wrote:
> Good point, I also thought of that, but it isn't done all the time
> (sometimes they do, sometimes they don't...)

If you find a place where some sensitive data is not zeroed before a free() please file a bug.

-d

From meheranandk at gmail.com Fri Apr 3 01:25:53 2009
From: meheranandk at gmail.com (Meher Anand)
Date: Thu, 2 Apr 2009 19:55:53 +0530
Subject: Improving Testing Infrastructure using an abstraction driven Framework - GSOC
In-Reply-To: <20090401195909.32088.qmail@stuge.se>
References: <20090401195909.32088.qmail@stuge.se>
Message-ID:

Hi.

I will be writing concrete code that will be using the libraries that I intend to develop. The intention of using words like framework and library is to emphasize their re-usability.

I haven't yet completely thought out how I would relate it to the existing testing framework, but mostly it is going to run in parallel.

The library for testing code coverage will be an additional header file include that the tester would need to add to the existing code, along with a few lines of code in the main() function that will call the functions in the library. This library would monitor the coverage of the code, like the function being called, the condition being executed etc. One way to implement this would be to monitor the stack for all function calls and conditions executed. The tester would have to create an array of all the functions and if conditions in each file. I couldn't think of a better method as of now.

And the framework that I mentioned will be doing protocol level testing. For example, to test the SSL protocol, there will be a few calls to the SSL library of OpenSSH. This set of calls will be passing a few parameters to my functions and test its output, to see if it is returning the exact values. This library, to test the SSL protocol, will be a part of the framework along with libraries for testing the other protocols. Each library in this framework will be independent of the other libraries in the framework. When one needs to test one particular protocol, he will include only those headers that are relevant to it. Thus, a protocol level testing procedure is possible. Each of these libraries can be modified or extended depending on the needs.

The operations in the above library will be called by functions which have code for random string generation to generate random test inputs. This will take care of the fuzzy testing part.

Please let me know if I need to detail any of the points.

Thanks and regards.
Meher Anand

From bburnell at cisco.com Fri Apr 3 03:21:12 2009
From: bburnell at cisco.com (Brenda Burnell (bburnell))
Date: Thu, 2 Apr 2009 09:21:12 -0700
Subject: Method to permit ssh while denying sftp
Message-ID:

Is there a way to permit ssh sessions while denying sftp with openssh 3.8?

In openssh 4.4+ this is possible using the Match directive with Force Command but I don't know how to configure this in older versions.

Thanks in advance for any guidance.

Brenda

From jmknoble at pobox.com Fri Apr 3 08:42:25 2009
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 2 Apr 2009 16:42:25 -0500
Subject: Method to permit ssh while denying sftp
In-Reply-To:
References:
Message-ID: <20090402214224.GS29122@crawfish.ais.com>

On 2009-04-02 11:21, Brenda Burnell (bburnell) wrote:
: Is there a way to permit ssh sessions while denying sftp with openssh
: 3.8?
:
: In openssh 4.4+ this is possible using the Match directive with Force
: Command but I don't know how to configure this in older versions.
:
: Thanks in advance for any guidance.

Are you sure you asked the question you intended to ask? Permitting ssh while denying sftp makes no sense. If a user has ssh access, she can transmit files using any of the following methods:

- Using 'scp' instead of 'sftp'
- Executing 'sftp-server' manually
- Executing another file transfer program, such as 'tar' or 'cat'

Perhaps you could explain in more detail what you're intending to allow and prevent.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

From imorgan at nas.nasa.gov Fri Apr 3 09:51:14 2009
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 2 Apr 2009 15:51:14 -0700
Subject: Method to permit ssh while denying sftp
In-Reply-To:
References:
Message-ID: <20090402225114.GA19483@linux55.nas.nasa.gov>

On Thu, Apr 02, 2009 at 11:21:12 -0500, Brenda Burnell (bburnell) wrote:
> Is there a way to permit ssh sessions while denying sftp with openssh
> 3.8?
>
> In openssh 4.4+ this is possible using the Match directive with Force
> Command but I don't know how to configure this in older versions.
>
> Thanks in advance for any guidance.
>
> Brenda

If you really want to disable sftp support, you could start by not defining the sftp subsystem in the sshd_config. However, users could always use the -s option to specify the path to the sftp-server executable. So you'd have to remove or chmod the executable as well. But users could still get around that by installing a copy of the executable in their home directories, assuming that filesystem is not mounted with the noexec flag.

-- 
Iain Morgan

From djm at mindrot.org Fri Apr 3 09:55:45 2009
From: djm at mindrot.org (Damien Miller)
Date: Fri, 3 Apr 2009 08:55:45 +1000 (EST)
Subject: Method to permit ssh while denying sftp
In-Reply-To: <20090402225114.GA19483@linux55.nas.nasa.gov>
References: <20090402225114.GA19483@linux55.nas.nasa.gov>
Message-ID:

On Thu, 2 Apr 2009, Iain Morgan wrote:
> If you really want to disable sftp support, you could start by not
> defining the sftp subsystem in the sshd_config. However, users could
> always use the -s option to specify the path to the sftp-server
> executable. So you'd have to remove or chmod the executable as well.
> But users could still get around that by installing a copy of the
> executable in their home directories, assuming that filesystem is not
> mounted with the noexec flag.

... and even then they will still be able to transfer files using cat, dd, tar and other standard tools, probably ones that are built into the shell too. You can't really allow shell access and deny file transfer access.

-d

From tcreedon at easystreet.net Fri Apr 3 14:02:34 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 2 Apr 2009 20:02:34 -0700
Subject: make test fails on 5.3.p1
Message-ID:

make tests fails:

run test login-timeout.sh ...
ssh: connect to host 127.0.0.1 port 4242: Connection refused
ssh connect after login grace timeout failed without privsep
failed connect after login grace timeout
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/data/openssh-5.2p1.works/regress'
make: *** [tests] Error 2

any clues?

thanks
tedc

From tcreedon at easystreet.net Sat Apr 4 09:55:50 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Fri, 3 Apr 2009 15:55:50 -0700
Subject: gssapi not enabled
Message-ID:

I'm trying to get gssapi-with-mic to work but the enabled field in the method struct is disabled, i.e. the gssapi-with-mic enable field is not enabled in the *method struct; it fails at:

if (authmethod_is_enabled(method))

in the authmethod_is_enabled(method) function call

using ddd, OpenSSH 5.2.p1, Linux 2.6.22.5-31 (SuSE 10.2)

Question - what enables gssapi-with-mic?

Thanks
tedc

From tcreedon at easystreet.net Sat Apr 4 10:29:35 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Fri, 3 Apr 2009 16:29:35 -0700
Subject: gssapi not enabled
In-Reply-To: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk>
References: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk>
Message-ID:

sshd_conf and ssh_conf

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

ssh -vvvv -o PreferredAuthentications=gssapi-with-mic localhost

debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-with-mic
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred:
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).

when I troubleshoot using DDD I find that the gssapi-with-mic enable field is off when the client checks up on it.. I'm trying to find where it's set..

On Fri, Apr 3, 2009 at 4:05 PM, Simon Wilkinson wrote:
>
> On 3 Apr 2009, at 23:55, Ted Creedon wrote:
>
>> Question - what enables gssapi-with-mic?
>
> The GSSAPIAuthentication configuration directive. See the ssh_config man
> page.
>
> S.

From tcreedon at easystreet.net Sat Apr 4 11:15:53 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Fri, 3 Apr 2009 17:15:53 -0700
Subject: gssapi not enabled
In-Reply-To:
References:
Message-ID:

It looks like it's all there..

./configure --with-ldflags="-L/usr/lib64" --with-cflags="-ggdb3" --prefix=/ --exec-prefix=/usr --libdir=/usr/lib64 --datadir=/usr --sysconfdir=/etc/ \
--with-ssl-engine --with-pam --with-rand-helper --with-kerberos5 --with-md5-passwords --with-libedit=/usr/lib64 --with-tcp-wrappers \
--disable-strip

checking for gss_init_sec_context in -lgssapi_krb5... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... no
checking gssapi_krb5.h presence... no
checking for gssapi_krb5.h... no
checking for gssapi.h... (cached) yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for gssapi_krb5.h... (cached) no
checking gssapi/gssapi_krb5.h usability... yes
checking gssapi/gssapi_krb5.h presence... yes
checking for gssapi/gssapi_krb5.h... yes
checking gssapi_generic.h usability... no
checking gssapi_generic.h presence... no
checking for gssapi_generic.h... no
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes

OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/
Askpass program: /usr/libexec/ssh-askpass
Manual pages: //share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: yes
SELinux support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: yes
libedit support: yes
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: ssh-rand-helper
ssh-rand-helper collects from: Command hashing (timeout 200)

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99 -ggdb3
Preprocessor flags: -I/usr/lib64/include -I/usr/local/include
Linker flags: -L/usr/lib64/lib -fstack-protector-all -L/usr/lib64 -L/usr/local/lib
Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv -lresolv -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
+for sshd: -lwrap -lpam -ldl

On Fri, Apr 3, 2009 at 4:57 PM, wrote:
> Perhaps you are missing the '--with-kerberos5= lib>' compile time option?
>
> Jason Burns
> Information Security Technology
> Cryptography Services -> Secure Communications and Data Encryption
> UnixSecure Lead Engineer

From sxw at inf.ed.ac.uk Sat Apr 4 10:05:57 2009
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Sat, 4 Apr 2009 00:05:57 +0100
Subject: gssapi not enabled
In-Reply-To:
References:
Message-ID: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk>

On 3 Apr 2009, at 23:55, Ted Creedon wrote:
>
> Question - what enables gssapi-with-mic?

The GSSAPIAuthentication configuration directive. See the ssh_config man page.

S.

From tcreedon at easystreet.net Sat Apr 4 11:40:25 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Fri, 3 Apr 2009 17:40:25 -0700
Subject: gssapi not enabled
In-Reply-To: <03D62A7C-9201-42FD-885A-C58EAC800F22@inf.ed.ac.uk>
References: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk> <03D62A7C-9201-42FD-885A-C58EAC800F22@inf.ed.ac.uk>
Message-ID:

It's not getting that far.. It's not trying to contact the krb5kdc, it bombs out on the enabled switch

I think the problem may be in the compilation - I'm adding some includes but I can't get it to find krb5-config

checking for krb5-config... no
checking whether we are using Heimdal... no
checking for library containing dn_expand... (cached) no
checking for gss_init_sec_context in -lgssapi_krb5... yes
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking gssapi_krb5.h usability... yes
checking gssapi_krb5.h presence... no
configure: WARNING: gssapi_krb5.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: gssapi_krb5.h: proceeding with the compiler's result
checking for gssapi_krb5.h... yes
checking for gssapi.h... (cached) yes
checking gssapi/gssapi.h usability... yes
checking gssapi/gssapi.h presence... yes
checking for gssapi/gssapi.h... yes
checking for gssapi_krb5.h... (cached) yes
checking gssapi/gssapi_krb5.h usability... yes
checking gssapi/gssapi_krb5.h presence... yes
checking for gssapi/gssapi_krb5.h... yes
checking gssapi_generic.h usability... yes
checking gssapi_generic.h presence... no
configure: WARNING: gssapi_generic.h: accepted by the compiler, rejected by the preprocessor!
configure: WARNING: gssapi_generic.h: proceeding with the compiler's result
checking for gssapi_generic.h... yes
checking gssapi/gssapi_generic.h usability... yes
checking gssapi/gssapi_generic.h presence... yes
checking for gssapi/gssapi_generic.h... yes

On Fri, Apr 3, 2009 at 5:26 PM, Simon Wilkinson wrote:
>
> On 4 Apr 2009, at 00:29, Ted Creedon wrote:
>
>> sshd_conf and ssh_conf
>>
>> # GSSAPI options
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> ssh -vvvv -o PreferredAuthentications=gssapi-with-mic localhost
>
> Do you have a key in your KDC for host/localhost (I suspect not, and you
> don't want one either)
>
> Kerberos has to be done against real addresses, which resolve to hostnames
> for which entries have been created in your KDC, and populated in your
> server's keytab.
>
> Cheers,
>
> Simon.

From Jason.C.Burns at wellsfargo.com Sat Apr 4 11:45:47 2009
From: Jason.C.Burns at wellsfargo.com (Jason.C.Burns at wellsfargo.com)
Date: Fri, 3 Apr 2009 19:45:47 -0500
Subject: gssapi not enabled
References: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk> <03D62A7C-9201-42FD-885A-C58EAC800F22@inf.ed.ac.uk>
Message-ID:

> I think the problem may be in the compilation - I'm adding some
> includes but
> I can't get it to find krb5-config

Wherever you set --with-kerberos5 as, it looks at /bin/ for krb5-config which it then uses to configure where to find libs, etc...

J

From Jason.C.Burns at wellsfargo.com Sat Apr 4 10:57:29 2009
From: Jason.C.Burns at wellsfargo.com (Jason.C.Burns at wellsfargo.com)
Date: Fri, 3 Apr 2009 18:57:29 -0500
Subject: gssapi not enabled
References:
Message-ID:

Perhaps you are missing the '--with-kerberos5=' compile time option?

Jason Burns
Information Security Technology
Cryptography Services -> Secure Communications and Data Encryption
UnixSecure Lead Engineer

From tcreedon at easystreet.net Sat Apr 4 12:42:02 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Fri, 3 Apr 2009 18:42:02 -0700
Subject: gssapi not enabled
In-Reply-To: 
References: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk> <03D62A7C-9201-42FD-885A-C58EAC800F22@inf.ed.ac.uk>
Message-ID: 

Progress! Now getting auth failures! krb5-config is now found!

I'm using Russ Allbery's PAM modules pam_krb5 and pam_afs_session.

Not quite sure what to do next... Looks like the problem is in the PAM stack.

<<<<<<<<<>>>>>>>>>>>
auth     required /lib64/security/pam_unix.so shadow nodelay
auth     required /lib64/security/pam_nologin.so
account  required /lib64/security/pam_unix.so
password required /lib64/security/pam_cracklib.so
password required /lib64/security/pam_unix.so shadow nullok use_authtok
session  required /lib64/security/pam_unix.so
session  required /lib64/security/pam_limits.so
session  optional /usr/local/lib/security/pam_krb5.so
session  optional /usr/local/lib64/security/pam_afs_session.so
<<<<<<<<<<<<<<<>>>>>>>>>>>>>

Apr  3 18:25:44 geronimo sshd[13595]: debug3: monitor_read: checking request 3
Apr  3 18:25:44 geronimo sshd[13595]: debug3: mm_answer_authserv: service=ssh-connection, style=
Apr  3 18:25:44 geronimo sshd[13595]: debug2: monitor_read: 3 used once, disabling now
Apr  3 18:25:44 geronimo sshd[13595]: debug3: mm_request_receive entering
Apr  3 18:25:44 geronimo sshd[13595]: debug3: monitor_read: checking request 10
Apr  3 18:25:44 geronimo sshd[13595]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Apr  3 18:25:44 geronimo krb5kdc[9241]: AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 71.236.188.74: ISSUE: authtime 1238808344, etypes {rep=16 tkt=1 ses=16}, me_user at SERVER.COM for krbtgt/SERVER.COM at SERVER.COM
Apr  3 18:25:44 geronimo syslog-ng[2290]: last message repeated 2 times
Apr  3 18:25:44 geronimo sshd[13595]: debug1: restore_uid: 0/0
Apr  3 18:25:44 geronimo sshd[13595]: debug1: Kerberos password authentication failed: Input/output error
Apr  3 18:25:44 geronimo sshd[13595]: debug1: krb5_cleanup_proc called
Apr  3 18:25:45 geronimo sshd[13595]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Apr  3 18:25:45 geronimo sshd[13595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.xx.xx4 user=me_user
Apr  3 18:25:45 geronimo sshd[13595]: debug1: PAM: password authentication failed for me_user: Authentication failure
Apr  3 18:25:45 geronimo sshd[13595]: debug3: mm_answer_authpassword: sending result 0
Apr  3 18:25:45 geronimo sshd[13595]: debug3: mm_request_send entering: type 11
Apr  3 18:25:45 geronimo sshd[13595]: Failed none for me_user from 71.236.188.74 port 60039 ssh2
Apr  3 18:25:45 geronimo sshd[13595]: debug3: mm_request_receive entering
Apr  3 18:25:45 geronimo sshd[13595]: debug1: do_cleanup
Apr  3 18:25:45 geronimo sshd[13595]: debug1: PAM: cleanup
Apr  3 18:25:45 geronimo sshd[13595]: debug3: PAM: sshpam_thread_cleanup entering

From sxw at inf.ed.ac.uk Sat Apr 4 11:26:00 2009
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Sat, 4 Apr 2009 01:26:00 +0100
Subject: gssapi not enabled
In-Reply-To: 
References: <7CBDD5DD-61C1-4F6D-AB7A-24F6B5125373@inf.ed.ac.uk>
Message-ID: <03D62A7C-9201-42FD-885A-C58EAC800F22@inf.ed.ac.uk>

On 4 Apr 2009, at 00:29, Ted Creedon wrote:
> sshd_conf and ssh_conf
>
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> ssh -vvvv -o PreferredAuthentications=gssapi-with-mic localhost

Do you have a key in your KDC for host/localhost (I suspect not, and you don't want one either)

Kerberos has to be done against real addresses, which resolve to hostnames for which entries have been created in your KDC, and populated in your server's keytab.

Cheers,

Simon.

From gsocsftp at v6shell.org Sat Apr 4 14:18:54 2009
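Simon's reply comes down to one check that neither Ted's configure output nor his log settles: the keytab sshd reads must contain the service principal for the canonical name the client actually resolves, and a loopback or unqualified name such as localhost will never have one. The script below is an added example written for this thread, not code from OpenSSH, MIT Kerberos or the PAM modules mentioned. The realm SERVER.COM and the host name geronimo come from the log above; the FQDN geronimo.server.com, the keytab listing embedded as sample input, and the convention that sshd's principal is host/<fqdn>@REALM are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): confirm that the
# keytab sshd uses holds the service principal GSSAPI will ask for.
# Realm SERVER.COM and host "geronimo" are from the thread's log; the
# FQDN geronimo.server.com and the keytab listing below are assumptions.

# host_principal NAME REALM
# Prints host/NAME@REALM, or fails if NAME is a name no KDC should carry
# an entry for: loopback names, or a name that is not fully qualified.
host_principal() {
    name=$1; realm=$2
    case "$name" in
        localhost|localhost.*|127.*|::1|*.localdomain)
            echo "refusing to build a principal for loopback name '$name'" >&2
            return 1 ;;
        *.*) ;;
        *)  echo "'$name' is not fully qualified; use the canonical FQDN" >&2
            return 1 ;;
    esac
    # Principals are case sensitive, DNS names are not: lower-case the host.
    printf 'host/%s@%s\n' "$(printf '%s\n' "$name" | tr 'A-Z' 'a-z')" "$realm"
}

# keytab_has PRINCIPAL LISTING
# LISTING is the text of `klist -k`; succeeds if PRINCIPAL is listed.
# Entry lines look like "   3 host/geronimo.server.com@SERVER.COM".
keytab_has() {
    want=$1
    printf '%s\n' "$2" | awk -v want="$want" '
        /^ *[0-9]+ +/ { if ($2 == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_gssapi_host FQDN REALM LISTING
# Returns 0 if LISTING contains host/FQDN@REALM, 1 otherwise.
check_gssapi_host() {
    princ=$(host_principal "$1" "$2") || return 1
    if keytab_has "$princ" "$3"; then
        echo "ok: $princ present in keytab"
    else
        echo "missing: $princ (add it in the KDC and export it to the server keytab)" >&2
        return 1
    fi
}

# Constructed sample of `klist -k` output in MIT Kerberos format.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/geronimo.server.com@SERVER.COM
   3 host/geronimo.server.com@SERVER.COM'

# Against a live system (as root): check_gssapi_host "$(hostname -f)" SERVER.COM "$(klist -k)"
check_gssapi_host geronimo.server.com SERVER.COM "$SAMPLE_KEYTAB"
```

Run against the real machine, the name to pass is the one the client ends up with after resolution, which is what hostname -f reports only if DNS and /etc/hosts agree; if the client reaches the server through a CNAME or an alias, check that name instead, because that is the principal the client will request a ticket for.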
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sat, 04 Apr 2009 03:18:54 +0000
Subject: OpenSSH sftp(1) renovation project for GSoC 2009
Message-ID: <49d6d19e.grsAX/XQvXPZU45p%gsocsftp@v6shell.org>

Hello,

Please pardon me if this is off topic, but I thought I ought to introduce myself.

I submitted an application (aka student proposal) to OpenSSH via GSoC on Thursday (2009-04-02 19:39:21Z). Of course, I cannot know if it will be accepted, but in any case, here is the abstract for anybody on the list who may be interested in offering feedback:

The objective of the OpenSSH sftp(1) renovation project is to improve the current sftp(1) client to allow its use as a drop-in replacement for scp(1). This requires implementing both recursive uploads/downloads and an scp(1)-compatible command-line interface. The scp(1) command has an `-r' flag for recursive transmission, but sftp(1) does not currently support this except by manual user intervention in interactive mode. Additionally, sftp(1) interactive-mode tab completion will be integrated.

...

I searched for sftp-related bugs in Bugzilla and found several related to my project plan in one way or another. Beside the issues mentioned in the above abstract (which are in the bug list), there are a few others which could/should/would likely be addressed in my plan as well.

Cheers,
Jeff
-- 
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From plambrechtsen at gmail.com Sat Apr 4 15:09:01 2009
From: plambrechtsen at gmail.com (Peter Lambrechtsen)
Date: Sat, 4 Apr 2009 17:09:01 +1300
Subject: OpenSSH sftp(1) renovation project for GSoC 2009
In-Reply-To: <49d6d19e.grsAX/XQvXPZU45p%gsocsftp@v6shell.org>
References: <49d6d19e.grsAX/XQvXPZU45p%gsocsftp@v6shell.org>
Message-ID: <822C1797-446E-49E9-9645-E24CC291FF72@gmail.com>

On 4/04/2009, at 4:18 PM, "J.A. Neitzel" wrote:
> Hello,
>
> Please pardon me if this is off topic, but I thought I ought to introduce myself.
>
> I submitted an application (aka student proposal) to OpenSSH via GSoC on Thursday (2009-04-02 19:39:21Z). Of course, I cannot know if it will be accepted, but in any case, here is the abstract for anybody on the list who may be interested in offering feedback:
>
> The objective of the OpenSSH sftp(1) renovation project is to improve the current sftp(1) client to allow its use as a drop-in replacement for scp(1). This requires implementing both recursive uploads/downloads and an scp(1)-compatible command-line interface. The scp(1) command has an `-r' flag for recursive transmission, but sftp(1) does not currently support this except by manual user intervention in interactive mode. Additionally, sftp(1) interactive-mode tab completion will be integrated.
>
> ...
> I searched for sftp-related bugs in Bugzilla and found several related to my project plan in one way or another. Beside the issues mentioned in the above abstract (which are in the bug list), there are a few others which could/should/would likely be addressed in my plan as well.

Maybe if your proposal is accepted you write up a new bug in Bugzilla with all your thoughts. Plus link to any of the existing bugs so we can all refer back to a single place that has captured everyone's ideas and had all the suggestions prioritized, so you know which are the must-haves vs the nice-to-haves.

> Cheers,
> Jeff
> -- 
> J.A. Neitzel
> V6 Thompson Shell Port - http://v6shell.org/
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From gsocsftp at v6shell.org Sat Apr 4 15:36:25 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sat, 04 Apr 2009 04:36:25 +0000
Subject: OpenSSH sftp(1) renovation project for GSoC 2009
In-Reply-To: <822C1797-446E-49E9-9645-E24CC291FF72@gmail.com>
References: <49d6d19e.grsAX/XQvXPZU45p%gsocsftp@v6shell.org> <822C1797-446E-49E9-9645-E24CC291FF72@gmail.com>
Message-ID: <49d6e3c9.a2qYAdEEuf07E6KH%gsocsftp@v6shell.org>

Peter Lambrechtsen wrote:
> On 4/04/2009, at 4:18 PM, "J.A. Neitzel" wrote:
> > Hello,
> >
> > Please pardon me if this is off topic, but I thought I ought to introduce myself.
> >
> > I submitted an application (aka student proposal) to OpenSSH via GSoC on Thursday (2009-04-02 19:39:21Z). Of course, I cannot know if it will be accepted, but in any case, here is the abstract for anybody on the list who may be interested in offering feedback:
> >
> > The objective of the OpenSSH sftp(1) renovation project is to improve the current sftp(1) client to allow its use as a drop-in replacement for scp(1). This requires implementing both recursive uploads/downloads and an scp(1)-compatible command-line interface. The scp(1) command has an `-r' flag for recursive transmission, but sftp(1) does not currently support this except by manual user intervention in interactive mode. Additionally, sftp(1) interactive-mode tab completion will be integrated.
> >
> > ...
> > I searched for sftp-related bugs in Bugzilla and found several related to my project plan in one way or another. Beside the issues mentioned in the above abstract (which are in the bug list), there are a few others which could/should/would likely be addressed in my plan as well.
>
> Maybe if your proposal is accepted you write up a new bug in Bugzilla with all your thoughts. Plus link to any of the existing bugs so we can all refer back to a single place that has captured everyone's ideas and had all the suggestions prioritized, so you know which are the must-haves vs the nice-to-haves.

Ah yes, that sounds like an excellent suggestion to me. Thanks for that.

Jeff
-- 
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From tcreedon at easystreet.net Sun Apr 5 10:30:55 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Sat, 4 Apr 2009 17:30:55 -0700
Subject: libedit
Message-ID: 

Moving a successful compile of 5.2p1 from a Suse 10.3 x86-64 box to a Suse 11.1 x86-box created a build problem:

./configure --with-libedit=/usr/lib64
checking for el_init in -ledit... no
configure: error: libedit not found

however libedit (and el_init) certainly exists:

ookpik:/data/openssh-5.2p1.test # l /usr/lib64/libedit*
lrwxrwxrwx 1 root root     17 Apr  4 17:11 /usr/lib64/libedit.so -> libedit.so.0.0.27*
lrwxrwxrwx 1 root root     17 Apr  4 17:10 /usr/lib64/libedit.so.0 -> libedit.so.0.0.27*
-rwxr-xr-x 1 root root 180568 Dec  3 02:50 /usr/lib64/libedit.so.0.0.27*

any clues?

Thanks
Tedc

From gsocsftp at v6shell.org Sun Apr 5 13:42:24 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sun, 05 Apr 2009 03:42:24 +0000
Subject: libedit
In-Reply-To: 
References: 
Message-ID: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org>

Ted Creedon wrote:
> Moving a successful compile of 5.2p1 from a Suse 10.3 x86-64 box to a Suse 11.1 x86-box created a build problem

I wonder what the result is if you build OpenSSH in 32-bit mode? The reason I wonder is because "x86-box" == "32-bit" in my world. Does your system run in 32-bit or 64-bit mode?

> ./configure --with-libedit=/usr/lib64
> checking for el_init in -ledit... no
> configure: error: libedit not found

So, what happens if you do a `./configure --with-libedit=/usr/lib' or a `./configure --with-libedit=/usr/lib32'? I am rather guessing on the path since I do not know anything about Suse Linux. Also, is LD_LIBRARY_PATH unset? If not, what is it set to?

> however libedit (and el_init) certainly exists:
>
> ookpik:/data/openssh-5.2p1.test # l /usr/lib64/libedit*
> lrwxrwxrwx 1 root root     17 Apr  4 17:11 /usr/lib64/libedit.so -> libedit.so.0.0.27*
> lrwxrwxrwx 1 root root     17 Apr  4 17:10 /usr/lib64/libedit.so.0 -> libedit.so.0.0.27*
> -rwxr-xr-x 1 root root 180568 Dec  3 02:50 /usr/lib64/libedit.so.0.0.27*
>
> any clues?

I dare not guess any more, as I may be stepping out of bounds. Hopefully, some of the preceding hints may prove useful.

Jeff
-- 
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From tcreedon at easystreet.net Sun Apr 5 23:37:55 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Sun, 5 Apr 2009 06:37:55 -0700
Subject: libedit
In-Reply-To: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org>
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org>
Message-ID: 

Adding set -x to ./configure reveals that --with-libedit=/usr/lib64 makes it look for //usr/lib64/lib, which is why it can't find el_init...

As a general note, it looks like configure needs to be rewritten to use pkg-config...

It's difficult to get a working ssh because configure doesn't clearly report errors..

On Sat, Apr 4, 2009 at 8:42 PM, J.A. Neitzel wrote:
> Ted Creedon wrote:
> > Moving a successful compile of 5.2p1 from a Suse 10.3 x86-64 box to a Suse 11.1 x86-box created a build problem
>
> I wonder what the result is if you build OpenSSH in 32-bit mode? The reason I wonder is because "x86-box" == "32-bit" in my world. Does your system run in 32-bit or 64-bit mode?
>
> > ./configure --with-libedit=/usr/lib64
> > checking for el_init in -ledit... no
> > configure: error: libedit not found
>
> So, what happens if you do a `./configure --with-libedit=/usr/lib' or a `./configure --with-libedit=/usr/lib32'? I am rather guessing on the path since I do not know anything about Suse Linux. Also, is LD_LIBRARY_PATH unset? If not, what is it set to?
>
> > however libedit (and el_init) certainly exists:
> >
> > ookpik:/data/openssh-5.2p1.test # l /usr/lib64/libedit*
> > lrwxrwxrwx 1 root root     17 Apr  4 17:11 /usr/lib64/libedit.so -> libedit.so.0.0.27*
> > lrwxrwxrwx 1 root root     17 Apr  4 17:10 /usr/lib64/libedit.so.0 -> libedit.so.0.0.27*
> > -rwxr-xr-x 1 root root 180568 Dec  3 02:50 /usr/lib64/libedit.so.0.0.27*
> >
> > any clues?
>
> I dare not guess any more, as I may be stepping out of bounds. Hopefully, some of the preceding hints may prove useful.
>
> Jeff
> -- 
> J.A. Neitzel
> V6 Thompson Shell Port - http://v6shell.org/

From jg at jguk.org Mon Apr 6 03:55:02 2009
From: jg at jguk.org (Jon Grant)
Date: Sun, 5 Apr 2009 18:55:02 +0100
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
Message-ID: <19ac3f7a0904051055s10eaa030qdce7408f01f7ab98@mail.gmail.com>

I'll be happy to donate 40 Euros to the project if both of these messages could be simplified as I suggest.

Best regards,
Jon

From gsocsftp at v6shell.org Mon Apr 6 04:01:04 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sun, 05 Apr 2009 18:01:04 +0000
Subject: libedit
In-Reply-To: 
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org>
Message-ID: <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org>

Ted Creedon wrote:
> Adding set -x to ./configure reveals that --with-libedit=/usr/lib64 makes it look for //usr/lib64/lib, which is why it can't find el_init...
>
> As a general note, it looks like configure needs to be rewritten to use pkg-config...
>
> It's difficult to get a working ssh because configure doesn't clearly report errors..

Oh, I see... This seems a strange problem since //usr/lib64/lib is a valid UNIX pathname. Except for checking config.log when I need to, I have not done anything with the GNU Autotools since at least 2004. So, this problem is rather out of my territory.

I do not run the portable version on OpenBSD, but I do run it on NetBSD 4.0.1_PATCH amd64 and Mac OS X 10.5.x Intel. In both cases, building with libedit support behaves as expected by doing a `./configure --with-libedit=/usr/lib'. For me, ./configure looks for /usr/lib, not //usr/lib. This is reflected both in configure output and in config.log. So, could the problem you experience be a Suse Linux problem and not a configure problem? Did you look at your config.log?

Also, I am guessing that you are trying to build with a clean OpenSSH source tree (i.e., newly extracted or `make distclean').

> On Sat, Apr 4, 2009 at 8:42 PM, J.A. Neitzel wrote:
> > Ted Creedon wrote:
> > > Moving a successful compile of 5.2p1 from a Suse 10.3 x86-64 box to a Suse 11.1 x86-box created a build problem
> >
> > I wonder what the result is if you build OpenSSH in 32-bit mode? The reason I wonder is because "x86-box" == "32-bit" in my world. Does your system run in 32-bit or 64-bit mode?
> >
> > > ./configure --with-libedit=/usr/lib64
> > > checking for el_init in -ledit... no
> > > configure: error: libedit not found
> >
> > So, what happens if you do a `./configure --with-libedit=/usr/lib' or a `./configure --with-libedit=/usr/lib32'? I am rather guessing on the path since I do not know anything about Suse Linux. Also, is LD_LIBRARY_PATH unset? If not, what is it set to?
> >
> > > however libedit (and el_init) certainly exists:
> > >
> > > ookpik:/data/openssh-5.2p1.test # l /usr/lib64/libedit*
> > > lrwxrwxrwx 1 root root     17 Apr  4 17:11 /usr/lib64/libedit.so -> libedit.so.0.0.27*
> > > lrwxrwxrwx 1 root root     17 Apr  4 17:10 /usr/lib64/libedit.so.0 -> libedit.so.0.0.27*
> > > -rwxr-xr-x 1 root root 180568 Dec  3 02:50 /usr/lib64/libedit.so.0.0.27*
> > >
> > > any clues?
> >
> > I dare not guess any more, as I may be stepping out of bounds. Hopefully, some of the preceding hints may prove useful.
> >
> > Jeff

-- 
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From peter at stuge.se Mon Apr 6 05:02:21 2009
From: peter at stuge.se (Peter Stuge)
Date: Sun, 5 Apr 2009 21:02:21 +0200
Subject: libedit
In-Reply-To: <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org>
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org> <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org>
Message-ID: <20090405190221.18525.qmail@stuge.se>

J.A. Neitzel wrote:
> Oh, I see... This seems a strange problem since //usr/lib64/lib
> is a valid UNIX pathname.

The problem isn't // but rather that configure always appends the lib directory, when in a multilib system lib64 is the final directory component in the path.

//Peter

From peter at stuge.se Mon Apr 6 05:04:11 2009
From: peter at stuge.se (Peter Stuge)
Date: Sun, 5 Apr 2009 21:04:11 +0200
Subject: libedit
In-Reply-To: <20090405190221.18525.qmail@stuge.se>
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org> <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org> <20090405190221.18525.qmail@stuge.se>
Message-ID: <20090405190411.19142.qmail@stuge.se>

Peter Stuge wrote:
> The problem isn't // but rather that configure always appends the
> lib directory, when in a multilib system lib64 is the final
> directory component in the path.

And to be more constructive, I've seen two solutions to this:

1. Separate --with-libedit-includes= and --with-libedit-libs= flags.
2. LIBEDIT_CFLAGS= and LIBEDIT_LDFLAGS= environment variables.

//Peter

From gsocsftp at v6shell.org Mon Apr 6 05:42:27 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sun, 05 Apr 2009 19:42:27 +0000
Subject: libedit
In-Reply-To: <20090405190411.19142.qmail@stuge.se>
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org> <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org> <20090405190221.18525.qmail@stuge.se> <20090405190411.19142.qmail@stuge.se>
Message-ID: <49d909a3.O30RlysGtIhJl+Bd%gsocsftp@v6shell.org>

Peter Stuge wrote:
> Peter Stuge wrote:
> > The problem isn't // but rather that configure always appends the
> > lib directory, when in a multilib system lib64 is the final
> > directory component in the path.
>
> And to be more constructive, I've seen two solutions to this:
>
> 1. Separate --with-libedit-includes= and --with-libedit-libs= flags.
> 2. LIBEDIT_CFLAGS= and LIBEDIT_LDFLAGS= environment variables.

Ah yes, I understand. Thanks a lot for pointing that out.

Jeff
-- 
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From jg at jguk.org Mon Apr 6 03:53:45 2009
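Peter's two alternatives above both exist so that the caller can name the library directory directly instead of configure appending lib to whatever --with-libedit= is given, which is what turned /usr/lib64 into //usr/lib64/lib in Ted's trace. The script below is an added example for this libedit thread, not OpenSSH's configure nor a patch to it: it resolves such a path the way a multilib-aware probe would, accepting either an install prefix or a library directory, and derives the LIBEDIT_CFLAGS/LIBEDIT_LDFLAGS pair from the result. The file names it looks for (libedit.so, libedit.a, and an include/ beside the prefix) are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the libedit thread; not code from OpenSSH's configure.
# Resolves a --with-libedit= value on a multilib system: accept either an
# install prefix (try lib64/ then lib/ beneath it) or a library directory
# itself, and never build the path with a doubled slash. The library and
# header locations checked for are assumptions made for this example.

# join DIR NAME: DIR/NAME with exactly one slash between them. Trailing
# slashes on DIR are dropped, so "/usr/lib64/" + "lib" gives
# "/usr/lib64/lib", never "//usr/lib64/lib".
join() {
    dir=$(printf '%s\n' "$1" | sed 's|/*$||')
    case "$dir" in
        '') printf '/%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$dir" "$2" ;;
    esac
}

# libedit_libdir PATH: print the directory that holds libedit, where PATH
# is either that directory or a prefix above lib64/ or lib/. Fails if the
# library is in none of those places.
libedit_libdir() {
    for cand in "$1" "$(join "$1" lib64)" "$(join "$1" lib)"; do
        if [ -e "$(join "$cand" libedit.so)" ] || [ -e "$(join "$cand" libedit.a)" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "libedit not found under '$1' (tried it, its lib64/ and its lib/)" >&2
    return 1
}

# libedit_flags PATH: print the LIBEDIT_CFLAGS= and LIBEDIT_LDFLAGS=
# assignments Peter Stuge suggests, derived from PATH. Headers are assumed
# to live in <prefix>/include; if PATH is a libdir, the prefix is its parent.
libedit_flags() {
    libdir=$(libedit_libdir "$1") || return 1
    case "$libdir" in
        */lib64|*/lib) prefix=${libdir%/*} ;;
        *)             prefix=$libdir ;;
    esac
    printf 'LIBEDIT_CFLAGS=-I%s\n' "$(join "$prefix" include)"
    printf 'LIBEDIT_LDFLAGS=-L%s -ledit\n' "$libdir"
}

# Usage: sh libedit-probe.sh /usr/lib64   (or a prefix such as /usr)
if [ $# -gt 0 ]; then
    libedit_flags "$1"
fi
```

The point of trying the given path first is that a user who already knows the exact library directory, as Ted did, is believed; the lib64/ and lib/ fallbacks only apply when the path turns out to be a prefix, so the probe never silently redirects /usr/lib64 to /usr/lib64/lib.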
From: jg at jguk.org (Jon Grant)
Date: Sun, 5 Apr 2009 18:53:45 +0100
Subject: sftp Couldn't read packet: Connection reset by peer
Message-ID: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>

Hello

I saw this error below. My feeling is that the second line is not needed. Would a patch be accepted to change it? If it's easy enough to do I could probably track down the bit of code generating it.

The ssh error is also not quite as good as it could be. My feeling is that it doesn't need to tag "Name or service not known" on to the end of the line when it has already said it Could not resolve the hostname!

Please include my email address in any replies as I am not on this mailing list.

Regards, Jon

j at laptop:~$ sftp oops at unknown-web-qbcdef.com
Connecting to unknown-web-qbcdef.com...
ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
Couldn't read packet: Connection reset by peer
j at laptop:~$

j at laptop:~$ ssh unknown-web-qbcdef.com
ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
j at laptop:~$

From william at 25thandClement.com Mon Apr 6 06:13:40 2009
From: william at 25thandClement.com (William Ahern)
Date: Sun, 5 Apr 2009 13:13:40 -0700
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
Message-ID: <20090405201340.GA7268@wilbur.25thandClement.com>

On Sun, Apr 05, 2009 at 06:53:45PM +0100, Jon Grant wrote:
> Hello
>
> I saw this error below. My feeling is that the second line is not needed. Would a patch be accepted to change it? If it's easy enough to do I could probably track down the bit of code generating it.
>
> The ssh error is also not quite as good as it could be. My feeling is that it doesn't need to tag "Name or service not known" on to the end of the line when it has already said it Could not resolve the hostname!

That's what strerror(errno) gives, and you only think it's not needed because you probably already knew what the problem was. If the system error was "Network unreachable", but it was never printed, you might be ripping your hair out.

From gsocsftp at v6shell.org Mon Apr 6 06:57:54 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sun, 05 Apr 2009 20:57:54 +0000
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <20090405201340.GA7268@wilbur.25thandClement.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <20090405201340.GA7268@wilbur.25thandClement.com>
Message-ID: <49d91b52.EfZ1mikzie0kT+Rs%gsocsftp@v6shell.org>

William Ahern wrote:
> On Sun, Apr 05, 2009 at 06:53:45PM +0100, Jon Grant wrote:
> > Hello
> >
> > I saw this error below. My feeling is that the second line is not needed. Would a patch be accepted to change it? If it's easy enough to do I could probably track down the bit of code generating it.
> >
> > The ssh error is also not quite as good as it could be. My feeling is that it doesn't need to tag "Name or service not known" on to the end of the line when it has already said it Could not resolve the hostname!
>
> That's what strerror(errno) gives, and you only think it's not needed because you probably already knew what the problem was. If the system error was "Network unreachable", but it was never printed, you might be ripping your hair out.

And by the same token, removing the diagnostic message:

	fatal("Couldn't read packet: %s", strerror(errno));

... from sftp-client.c would be equally unkind to the user since knowing that a packet cannot be read, and why, is too useful to remove. Removing it could provoke users to generate a local patch to add the diagnostic back in when it should not be necessary for them to do so.

In short, proper diagnostics are critical for users to understand why an operation fails.

Jeff

From djm at mindrot.org Mon Apr 6 08:46:15 2009
From: djm at mindrot.org (Damien Miller)
Date: Mon, 6 Apr 2009 08:46:15 +1000 (EST)
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
Message-ID: 

Please file a bug at https://bugzilla.mindrot.org/ so it doesn't get lost.

-d

On Sun, 5 Apr 2009, Jon Grant wrote:
> Hello
>
> I saw this error below. My feeling is that the second line is not needed. Would a patch be accepted to change it? If it's easy enough to do I could probably track down the bit of code generating it.
>
> The ssh error is also not quite as good as it could be. My feeling is that it doesn't need to tag "Name or service not known" on to the end of the line when it has already said it Could not resolve the hostname!
>
> Please include my email address in any replies as I am not on this mailing list.
>
> Regards, Jon
>
> j at laptop:~$ sftp oops at unknown-web-qbcdef.com
> Connecting to unknown-web-qbcdef.com...
> ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
> Couldn't read packet: Connection reset by peer
> j at laptop:~$
>
> j at laptop:~$ ssh unknown-web-qbcdef.com
> ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
> j at laptop:~$
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From gsocsftp at v6shell.org Mon Apr 6 09:40:37 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sun, 05 Apr 2009 23:40:37 +0000
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: 
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com>
Message-ID: <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org>

Jon,

Sorry, I must have misunderstood your "second line is not needed" statement in my other reply. Just to clarify if I may... Did you mean the:

	"Connecting to unknown-web-qbcdef.com..."

or the:

	"Couldn't read packet: Connection reset by peer"

... line is not needed?

Jeff

Damien Miller wrote:
> Please file a bug at https://bugzilla.mindrot.org/ so it doesn't get lost.
>
> -d
>
> On Sun, 5 Apr 2009, Jon Grant wrote:
> > Hello
> >
> > I saw this error below. My feeling is that the second line is not needed. Would a patch be accepted to change it? If it's easy enough to do I could probably track down the bit of code generating it.
> >
> > The ssh error is also not quite as good as it could be. My feeling is that it doesn't need to tag "Name or service not known" on to the end of the line when it has already said it Could not resolve the hostname!
> >
> > Please include my email address in any replies as I am not on this mailing list.
> >
> > Regards, Jon
> >
> > j at laptop:~$ sftp oops at unknown-web-qbcdef.com
> > Connecting to unknown-web-qbcdef.com...
> > ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
> > Couldn't read packet: Connection reset by peer
> > j at laptop:~$
> >
> > j at laptop:~$ ssh unknown-web-qbcdef.com
> > ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
> > j at laptop:~$

From njahnke at gmail.com Mon Apr 6 08:32:52 2009
From: njahnke at gmail.com (Nathan Jahnke)
Date: Sun, 5 Apr 2009 17:32:52 -0500
Subject: select() hangs in sftp_server_main()
Message-ID: <89e8c360904051532x6e564822q8457e184ecd63cfa@mail.gmail.com>

First off, a disclaimer: this is not a problem with openssh per se, as it is also occurring with other software on my server, but I was hoping someone reading this might know more about the problem than I do. Thank you very much in advance for your help.

Problem: connecting to the server via sftp results in a hang here:

	if (select(max+1, rset, wset, NULL, NULL) < 0) {

which is line 1428 from 5.2p1's sftp-server.c (main loop of sftp_server_main()). The same hang occurs when opening a data connection over e.g. vanilla FTP. I am sometimes able to get through after a number of seconds or minutes, but sometimes the connection times out on the client side before the server is able to respond. When the server does respond and I am connected, then if I issue e.g. 'ls' it will hang again at the select() for some time.

ssh is OK; can connect with no delay and issue commands, etc.

I don't think it's socket death:

root at dl:~# cat /proc/net/sockstat
sockets: used 304
TCP: inuse 444 orphan 302 tw 152 alloc 451 mem 5280
UDP: inuse 4
RAW: inuse 0
FRAG: inuse 0 memory 0

root at dl:~# netstat -tan | awk '{print $6}' | sort | uniq -c
      2 CLOSE_WAIT
    121 CLOSING
      1 established)
    109 ESTABLISHED
     17 FIN_WAIT1
      9 FIN_WAIT2
      1 Foreign
    300 LAST_ACK
     20 LISTEN
      2 SYN_RECV
    433 TIME_WAIT

It also doesn't seem to be out of file descriptors, but I'm not 100% sure on that. And even if it were, wouldn't that produce an error, not hang?

It does seem to be somewhat related to the number of connections lighttpd is serving. I can shut down lighttpd and the problem goes away. Having said this, lighttpd and apache are able to coexist in this state with no problem (apache never hangs). People can also connect to an IRC server on the same machine with no problem during these "episodes".

So maybe it is limited to select()? What resource is lighttpd using that is not sockets/file descriptors that is causing select() to hang?

I am pulling my hair out over this. I've tried all of the usual network tuning stuff (the various settings through sysctl, reducing the timeouts), all with no effect. The problem must be elsewhere.

Linux dl 2.6.18-6-486 #1 Sat Dec 27 08:57:46 UTC 2008 i686 GNU/Linux

It's running Debian Etch.

What might cause select() to hang checking some sockets?

Thanks,
Nathan

From peter at stuge.se Mon Apr 6 11:35:08 2009
From: peter at stuge.se (Peter Stuge)
Date: Mon, 6 Apr 2009 03:35:08 +0200
Subject: select() hangs in sftp_server_main()
In-Reply-To: <89e8c360904051532x6e564822q8457e184ecd63cfa@mail.gmail.com>
References: <89e8c360904051532x6e564822q8457e184ecd63cfa@mail.gmail.com>
Message-ID: <20090406013508.2757.qmail@stuge.se>

Nathan Jahnke wrote:
> What resource is lighttpd using that is not sockets/file
> descriptors that is causing select() to hang?

How is memory pressure? If you're completely out of RAM Linux will just stop processing packets.

//Peter

From vinschen at redhat.com Mon Apr 6 18:48:29 2009
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 6 Apr 2009 10:48:29 +0200
Subject: libedit
In-Reply-To: <20090405190221.18525.qmail@stuge.se>
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org> <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org> <20090405190221.18525.qmail@stuge.se>
Message-ID: <20090406084829.GP852@calimero.vinschen.de>

On Apr 5 21:02, Peter Stuge wrote:
> J.A. Neitzel wrote:
> > Oh, I see... This seems a strange problem since //usr/lib64/lib
> > is a valid UNIX pathname.
>
> The problem isn't // but rather that configure always appends the lib
> directory, when in a multilib system lib64 is the final directory
> component in the path.

Whatever the exact problem is, I have to chime in here because, while //usr/lib64/lib is a valid UNIX path, it's *NOT* necessarily the same as /usr/lib64/lib, and the difference is quite important at least for Cygwin.

Here's the relevant snippet from POSIX-1.2008:

    4.12 Pathname Resolution
    [...]
    A pathname consisting of a single <slash> shall resolve to the root
    directory of the process.
    [...]
    A pathname that begins with two successive <slash> characters may be
    interpreted in an implementation-defined manner, although more than
    two leading <slash> characters shall be treated as a single <slash>
    character.

The identical definition was already part of POSIX-1.2001.

A path starting with two leading slashes may be interpreted in an implementation-defined manner. That's the case for Cygwin, which interprets these paths as a UNC path pointing to a shared directory of a remote server: //server/share/... according to the Win32 syntax for UNC paths.

Since that's backed by POSIX, it would be nice if such paths are not lazily generated in scripts or, even worse, in executables. In the above case that means Cygwin would try to access the directory "lib" on a share "lib64" on the remote machine called "usr". I hope you can see how this is a bad idea.
Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat

From jg at jguk.org Mon Apr 6 21:33:06 2009
From: jg at jguk.org (Jon Grant)
Date: Mon, 6 Apr 2009 13:33:06 +0200
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <20090405201340.GA7268@wilbur.25thandClement.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <20090405201340.GA7268@wilbur.25thandClement.com>
Message-ID: <19ac3f7a0904060433v1a20f778jdc5a3a09bbff74b0@mail.gmail.com>

2009/4/5 William Ahern :
> On Sun, Apr 05, 2009 at 06:53:45PM +0100, Jon Grant wrote:
>> Hello
>>
>> I saw this error below. My feeling is that the second line is not
>> needed. Would a patch be accepted to change it? If it's easy enough to
>> do I could probably track down the bit of code generating it.
>>
>> The ssh error is also not quite as good as it could be. My feeling is
>> that it doesn't need to tag "Name or service not known" on to the end
>> of the line when it has already said it Could not resolve the
>> hostname!
>
> That's what strerror(errno) gives, and you only think it's not needed
> because you probably already knew what the problem was. If the system error
> was "Network unreachable", but it was never printed, you might be ripping
> your hair out.

Hmm, I thought the "Could not resolve hostname" was sufficient myself. Where is that determined from? If you think it needs to remain as it is, then I'll withdraw my idea.

Please include my email address in any replies.

Regards, Jon

From jg at jguk.org Mon Apr 6 21:34:50 2009
From: jg at jguk.org (Jon Grant)
Date: Mon, 6 Apr 2009 13:34:50 +0200
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org>
Message-ID: <19ac3f7a0904060434o55f8e87eq89e111e33112144d@mail.gmail.com>

Hi Jeff,

2009/4/6 J.A. Neitzel :
> Jon,
>
> Sorry, I must have misunderstood your "second line is not needed"
> statement in my other reply. Just to clarify if I may...
>
> Did you mean the:
>         "Connecting to unknown-web-qbcdef.com..."
> or the:
>         "Couldn't read packet: Connection reset by peer"

Yes, I meant this one.

SSH does not include that output, so does SFTP need to?

Please include my email address in any replies.

Regards, Jon

From tcreedon at easystreet.net Tue Apr 7 01:09:17 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Mon, 6 Apr 2009 08:09:17 -0700
Subject: libedit
In-Reply-To: <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org>
References: <49d828a0.CC0duTR8AVZybrbB%gsocsftp@v6shell.org> <49d8f1e0.SDB/g7Y3lbKsCB/U%gsocsftp@v6shell.org>
Message-ID:

configure works fine on a Suse 10.3 64 bit system but - strangely - not on the latest 11.1 64 bit.

As a note, pkg-config would solve both the include and lib flags problem - but from what I can tell a new (and simpler) configure.ac would be required...

/usr/lib64/lib is a valid path - it just doesn't exist...

more later today

On Sun, Apr 5, 2009 at 11:01 AM, J.A. Neitzel wrote:
> Ted Creedon wrote:
>
> > adding set -x to .configure reveals that --with-libedit=/usr/lib64 makes it
> > look for //usr/lib64/lib which is why it can't find el_init...
> >
> > As a general note it looks like configure needs to be rewritten to use
> > pkg-config...
> >
> > It's difficult to get a working ssh because configure doesn't clearly report
> > errors..
>
> Oh, I see... This seems a strange problem since //usr/lib64/lib
> is a valid UNIX pathname. Except for checking config.log when I
> need to, I have not done anything with the GNU Autotools since at
> least 2004. So, this problem is rather out of my territory.
>
> I do not run the portable version on OpenBSD, but I do run it on
> NetBSD 4.0.1_PATCH amd64 and Mac OS X 10.5.x Intel. In both cases,
> building with libedit support behaves as expected by doing a
> `./configure --with-libedit=/usr/lib'.
>
> For me, ./configure looks for /usr/lib, not //usr/lib . This is
> reflected both in configure output and in config.log .
>
> So, could the problem you experience be a Suse Linux problem and
> not a configure problem? Did you look at your config.log ? Also,
> I am guessing that you are trying to build with a clean OpenSSH
> source tree (i.e., newly extracted or `make distclean').
>
> > On Sat, Apr 4, 2009 at 8:42 PM, J.A. Neitzel wrote:
> >
> > > Ted Creedon wrote:
> > >
> > > > Moving a successful compile of 5.2.p1 from a Suse 10.3 x86-64 box to a Suse
> > > > 11.1 x86-box created a build problem
> > >
> > > I wonder what the result is if you build OpenSSH in 32-bit mode?
> > > The reason I wonder is because "x86-box" == "32-bit" in my world.
> > > Does your system run in 32-bit or 64-bit mode?
> > >
> > > > ./configure --with-libedit=/usr/lib64
> > > > checking for el_init in -ledit... no
> > > > configure: error: libedit not found
> > >
> > > So, what happens if you do a `./configure --with-libedit=/usr/lib'
> > > or a `./configure --with-libedit=/usr/lib32'? I am rather guessing
> > > on the path since I do not know anything about Suse Linux. Also,
> > > is LD_LIBRARY_PATH unset? If not, what is it set to?
> > >
> > > > however libedit (and el_init) certainly exist:
> > > >
> > > > ookpik:/data/openssh-5.2p1.test # l /usr/lib64/libedit*
> > > > lrwxrwxrwx 1 root root     17 Apr  4 17:11 /usr/lib64/libedit.so -> libedit.so.0.0.27*
> > > > lrwxrwxrwx 1 root root     17 Apr  4 17:10 /usr/lib64/libedit.so.0 -> libedit.so.0.0.27*
> > > > -rwxr-xr-x 1 root root 180568 Dec  3 02:50 /usr/lib64/libedit.so.0.0.27*
> > > >
> > > > any clues?
> > >
> > > I dare not guess any more, as I may be stepping out of bounds.
> > > Hopefully, some of the preceding hints may prove useful.
> > >
> > > Jeff
>
> --
> J.A. Neitzel
> V6 Thompson Shell Port - http://v6shell.org/
>
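Corinna's POSIX point and the //usr/lib64/lib symptom in this thread, worked through as an added example (my own shell code, not from the thread or from OpenSSH's configure; all function names are mine): classify a path by its leading slashes, and join a prefix with a component without manufacturing a leading "//".

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH's configure.
# Classifies a pathname by its leading slashes per POSIX.1-2008 4.12 and
# joins a directory prefix with a component without ever producing a
# leading "//" (the //usr/lib64/lib case discussed above).

# posix_path_class PATH -> prints relative | absolute | implementation-defined
#   "//x" (exactly two leading slashes) is implementation-defined: Cygwin
#   reads it as UNC //server/share.  "///x" and longer runs are a single "/".
posix_path_class() {
    case "$1" in
        //)      echo implementation-defined ;;
        //[!/]*) echo implementation-defined ;;
        /*)      echo absolute ;;
        *)       echo relative ;;
    esac
}

# safe_join PREFIX COMPONENT -> prints PREFIX/COMPONENT with a clean seam.
#   A deliberate leading "//" in PREFIX is preserved (the caller asked for a
#   UNC-style path); three or more leading slashes collapse to one, as POSIX
#   says they must; trailing slashes on PREFIX and leading slashes on
#   COMPONENT are dropped so no "//" is manufactured in the middle.
safe_join() {
    prefix=$1
    comp=$2
    case "$prefix" in
        ///*)
            while :; do
                case "$prefix" in //*) prefix=${prefix#/} ;; *) break ;; esac
            done ;;
    esac
    while :; do
        case "$prefix" in
            /|//) break ;;            # keep a bare root or a bare "//"
            */)   prefix=${prefix%/} ;;
            *)    break ;;
        esac
    done
    while :; do
        case "$comp" in
            /*) comp=${comp#/} ;;
            *)  break ;;
        esac
    done
    case "$prefix" in
        */) printf '%s%s\n' "$prefix" "$comp" ;;
        *)  printf '%s/%s\n' "$prefix" "$comp" ;;
    esac
}

# lib_dir_for_flag WITHVAL -> the -L directory a configure check would use,
#   refusing an implementation-defined "//" path instead of passing it on.
lib_dir_for_flag() {
    dir=$(safe_join "$1" lib)
    case "$(posix_path_class "$dir")" in
        implementation-defined)
            echo "refusing $dir: leading // is implementation-defined" >&2
            return 1 ;;
    esac
    printf '%s\n' "$dir"
}

# The flag from the thread: --with-libedit=/usr/lib64
lib_dir_for_flag /usr/lib64          # prints /usr/lib64/lib
```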
From gsocsftp at v6shell.org Tue Apr 7 12:47:42 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Tue, 07 Apr 2009 02:47:42 +0000
Subject: Portable OpenSSH CVS install error
Message-ID: <49dabece.MoCJPfLKoi34WifP%gsocsftp@v6shell.org>

Hi,

I did a CVS checkout this morning to patch sftp.c for Jon Grant's recent sftp request, but there seems to be an install problem on Mac OS X 10.5.6, possibly caused by recent changes to configure.ac. For example (most output pruned):

    % ident configure.ac
    configure.ac:
         $Id: configure.ac,v 1.419 2009/03/18 18:25:02 tim Exp $
         $Revision: 1.419 $
    % autoreconf
    % ./configure
    % make
    gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lcrypto -lz
    % sudo make install
    Password:
    if test ! -z ""; then \
            /opt/local/bin/perl5 ./fixprogs ssh_prng_cmds ; \
    fi
    (cd openbsd-compat && make)
    make[1]: Nothing to be done for `all'.
    (cd scard && make DESTDIR= install)
    make[1]: *** No rule to make target `Ssh.bin', needed by `install'.  Stop.
    make: *** [scard-install] Error 2
    ...

This strikes me as odd since I did not ask for scard stuff.

Installing the official openssh-5.2p1 release with a patched sftp.c works as expected.

Any ideas for an install error fix?

Thanks,
Jeff

--
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From gsocsftp at v6shell.org Tue Apr 7 12:58:53 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Tue, 07 Apr 2009 02:58:53 +0000
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <19ac3f7a0904060434o55f8e87eq89e111e33112144d@mail.gmail.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org> <19ac3f7a0904060434o55f8e87eq89e111e33112144d@mail.gmail.com>
Message-ID: <49dac16d.twOlbj/uQ1DtZB7i%gsocsftp@v6shell.org>

Jon Grant wrote:
> Hi Jeff,
>
> 2009/4/6 J.A. Neitzel :
> > Jon,
> >
> > Sorry, I must have misunderstood your "second line is not needed"
> > statement in my other reply. Just to clarify if I may...
> >
> > Did you mean the:
> >         "Connecting to unknown-web-qbcdef.com..."
> > or the:
> >         "Couldn't read packet: Connection reset by peer"
>
> yes, I meant this one.
>
> SSH does not include that output, so does SFTP need to?

No, I think the "Connecting to ..." message is not needed. I patched sftp.c to remove the message this morning but ran into an unrelated problem. I can add the patch to Bugzilla if you want.

--
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From gsocsftp at v6shell.org Tue Apr 7 14:10:16 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Tue, 07 Apr 2009 04:10:16 +0000
Subject: Portable OpenSSH CVS install error
In-Reply-To: <49DAC7B2.9070500@zip.com.au>
References: <49dabece.MoCJPfLKoi34WifP%gsocsftp@v6shell.org> <49DAC7B2.9070500@zip.com.au>
Message-ID: <49dad228.v6amzo5Oy/8B7Yaa%gsocsftp@v6shell.org>

Darren Tucker wrote:
> J.A. Neitzel wrote:
> > Hi,
> >
> > I did a CVS checkout this morning to patch sftp.c for Jon Grant's
> > recent sftp request, but there seems to be an install problem on
> > Mac OS X 10.5.6 possibly caused by recent changes to configure.ac.
> [...]
> > make[1]: *** No rule to make target `Ssh.bin', needed by `install'.  Stop.
> > make: *** [scard-install] Error 2
> >
> > ...
> > This strikes me as odd since I did not ask for scard stuff.
>
> It's part of the package (as a uuencoded file).
>
> > Installing the official openssh-5.2p1 release with a patched sftp.c
> > works as expected.
> >
> > Any ideas for an install error fix?
>
> make -f Makefile.in distprep

Thanks, that did the trick.

--
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From dtucker at zip.com.au Tue Apr 7 13:25:38 2009
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 07 Apr 2009 13:25:38 +1000
Subject: Portable OpenSSH CVS install error
In-Reply-To: <49dabece.MoCJPfLKoi34WifP%gsocsftp@v6shell.org>
References: <49dabece.MoCJPfLKoi34WifP%gsocsftp@v6shell.org>
Message-ID: <49DAC7B2.9070500@zip.com.au>

J.A. Neitzel wrote:
> Hi,
>
> I did a CVS checkout this morning to patch sftp.c for Jon Grant's
> recent sftp request, but there seems to be an install problem on
> Mac OS X 10.5.6 possibly caused by recent changes to configure.ac.
[...]
> make[1]: *** No rule to make target `Ssh.bin', needed by `install'.  Stop.
> make: *** [scard-install] Error 2
>
> ...
> This strikes me as odd since I did not ask for scard stuff.

It's part of the package (as a uuencoded file).

> Installing the official openssh-5.2p1 release with a patched sftp.c
> works as expected.
>
> Any ideas for an install error fix?

make -f Makefile.in distprep

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From gsocsftp at v6shell.org Tue Apr 7 15:17:33 2009
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Tue, 07 Apr 2009 05:17:33 +0000
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <49dac16d.twOlbj/uQ1DtZB7i%gsocsftp@v6shell.org>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org> <19ac3f7a0904060434o55f8e87eq89e111e33112144d@mail.gmail.com> <49dac16d.twOlbj/uQ1DtZB7i%gsocsftp@v6shell.org>
Message-ID: <49dae1ed.nxSnXybdMM82g2DP%gsocsftp@v6shell.org>

"J.A. Neitzel" wrote:
> Jon Grant wrote:
>
> > Hi Jeff,
> >
> > 2009/4/6 J.A. Neitzel :
> > > Jon,
> > >
> > > Sorry, I must have misunderstood your "second line is not needed"
> > > statement in my other reply. Just to clarify if I may...
> > >
> > > Did you mean the:
> > >         "Connecting to unknown-web-qbcdef.com..."
> > > or the:
> > >         "Couldn't read packet: Connection reset by peer"
> >
> > yes, I meant this one.
> >
> > SSH does not include that output, so does SFTP need to?
>
> No, I think the "Connecting to ..." message is not needed.
> I patched sftp.c to remove the message this morning but ran into
> an unrelated problem. I can add the patch to Bugzilla if you want.

Bug added to Bugzilla.
See https://bugzilla.mindrot.org/show_bug.cgi?id=1588 for details.

--
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From jg at jguk.org Tue Apr 7 21:49:24 2009
From: jg at jguk.org (Jon Grant)
Date: Tue, 7 Apr 2009 13:49:24 +0200
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <49dae1ed.nxSnXybdMM82g2DP%gsocsftp@v6shell.org>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org> <19ac3f7a0904060434o55f8e87eq89e111e33112144d@mail.gmail.com> <49dac16d.twOlbj/uQ1DtZB7i%gsocsftp@v6shell.org> <49dae1ed.nxSnXybdMM82g2DP%gsocsftp@v6shell.org>
Message-ID: <19ac3f7a0904070449v3cc8e05ehbb822286950166a7@mail.gmail.com>

Hello

2009/4/7 J.A. Neitzel :
[..]
> Bug added to Bugzilla.
> See https://bugzilla.mindrot.org/show_bug.cgi?id=1588 for details.

Thank you for adding the patch to bugzilla.

Re the output text, my understanding is it would now look like this, with numbers added:

    1) j at laptop:~$ sftp oops at unknown-web-qbcdef.com
    2) ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or service not known
    3) Couldn't read packet: Connection reset by peer

So just to confirm, are lines (2) and (3) both needed? If it were me, and it "could not resolve the host name", I would not try and read a packet after that.

Also for the English, "Couldn't" is different from "Could not" on the line above. Normally the short form is only used colloquially, so I would suggest changing (3) to "Could not" if it is being retained.

Regards, Jon

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Wed Apr 8 07:09:44 2009
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Tue, 07 Apr 2009 17:09:44 -0400
Subject: passing X11 authentication and authenticated home directories
Message-ID:

There are situations in which access to one's home directory depends on prior authentication. Here are several:

- AFS (requires Kerberos-based tokens)
- NFSv4+GSSAPI (requires a Kerberos TGT)
- encrypted home directories (requires a token/password to decrypt)

As it stands right now, OpenSSH X11 authentication forwarding breaks in these scenarios. This is because, unlike the approach OpenSSH takes with GSSAPI credential delegation (creating a temporary file and setting environment variables to point to it), OpenSSH attempts to store the forwarded X11 authentication credentials into ~/.Xauthority. Obviously, attempting to store the credentials in this manner will fail if the user authenticates via a mechanism that neither acquired nor passed credentials (e.g., public-key authentication).

For (e.g.) NFSv4+GSSAPI, one can attempt to work around this with ~/.ssh/rc, as follows:

    #! /bin/sh
    exec 1>&2
    if [ "x${KRB5CCNAME}" = x ]; then
        echo "No Kerberos credentials found; please authenticate."
        # $UID is a bash variable, not a POSIX one; id -u works in any sh
        export KRB5CCNAME=$(mktemp /ccache/krb5cc_$(id -u)_XXXXXX)
        /usr/kerberos/bin/kinit
    fi
    # call xauth here

However, the problem is that ~/.ssh/rc has no way to pass the KRB5CCNAME value to the user's shell. So, the user's shell must acquire credentials (that is, prompt the user to run kinit) *again*. This is highly undesirable.

One way to avoid the issues with public key authentication is to disable it entirely, and permit only gssapi-with-mic and password/keyboard-interactive authentication. But not all clients can perform gssapi-with-mic authentication, and password/k-i authentication permits dictionary attacks (in contrast to public key auth, which does not).
An intermediate-term fix would be to have OpenSSH handle forwarded X11 authentication information the same way it handles forwarded GSSAPI credentials: create a new Xauthority file in a temporary directory, write the credentials to that file, and then set XAUTHORITY to point to the file. (This is actually the way OpenSSH handled forwarded X11 credentials years ago.)

Longer-term, though, a better solution would be to provide more flexibility in how authentication mechanisms are required/specified. For example, I would like to be able to say:

    gssapi-with-mic || ( publickey && (keyboard-interactive || password))

In English: to authenticate, gssapi-with-mic auth is sufficient. Otherwise, publickey auth *AND* one of either (keyboard-interactive, password) auth is sufficient.

I am not certain whether the SSH v2 protocol can support such flexibility, however. :(

If OpenSSH publickey authentication could be put into a PAM module, since PAM allows modules to be stacked arbitrarily, one could create PAM rules to implement the above authentication conditions. Again, though, I don't know if it's possible to do that with the SSH v2 protocol.

But at any rate, right now, I'm thinking the simplest short-term thing to do is to write a patch to make OpenSSH create temporary Xauthority files instead of writing them into ~/.Xauthority. However, I'm reluctant to do that if the OpenSSH developers are completely opposed to that idea and/or have a better suggestion.

Thoughts?

From dkg at fifthhorseman.net Wed Apr 8 09:25:50 2009
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 07 Apr 2009 19:25:50 -0400
Subject: passing X11 authentication and authenticated home directories
In-Reply-To:
References:
Message-ID: <49DBE0FE.6070309@fifthhorseman.net>

On 04/07/2009 05:09 PM, James Ralston wrote:
> Longer-term, though, a better solution would be provide more
> flexibility in how authentication mechanisms are required/specified.
> For example, I would like to be able to say:
>
> gssapi-with-mic || ( publickey && (keyboard-interactive || password))
>
> In English: to authenticate, gssapi-with-mic auth is sufficient.
> Otherwise, publickey auth *AND* one of either (keyboard-interactive,
> password) auth is sufficient.

You might be interested in the commentary and patches associated with bug 983, tracking the idea of required authentication steps:

https://bugzilla.mindrot.org/show_bug.cgi?id=983

Regards,

--dkg

From gsocsftp at v6shell.org Wed Apr 8 11:46:16 2009
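James's expression and the required-authentication-steps idea dkg points to in bug 983 both come down to an OR of ANDs. As an added example (my own code, not from the thread or from OpenSSH), here is a small evaluator for a policy written in that form; the line syntax, space-separated alternatives each made of comma-separated required methods, is the one OpenSSH later adopted for sshd_config's AuthenticationMethods option, but the evaluator itself is independent of sshd and all function names are mine.

```shell
#!/bin/sh
# Added example, not part of the thread. James's requirement
#   gssapi-with-mic || ( publickey && (keyboard-interactive || password) )
# is a disjunction of conjunctions; flattened, it is one line:
#   gssapi-with-mic publickey,password publickey,keyboard-interactive
# where each space-separated alternative is a comma-separated AND-list.
# The evaluator below is my own, not sshd's.

# has_method LIST METHOD: true if METHOD is in the comma-separated LIST
has_method() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# alternative_satisfied ANDLIST COMPLETED
#   true if every method in the comma-separated ANDLIST appears in COMPLETED
alternative_satisfied() {
    rest=$1
    completed=$2
    while [ -n "$rest" ]; do
        case "$rest" in
            *,*) m=${rest%%,*}; rest=${rest#*,} ;;
            *)   m=$rest; rest= ;;
        esac
        has_method "$completed" "$m" || return 1
    done
    return 0
}

# policy_satisfied POLICY COMPLETED
#   POLICY:    space-separated alternatives, each a comma-separated AND-list
#   COMPLETED: comma-separated methods that have already succeeded this session
#   exit 0 = accept the login, 1 = more (or different) authentication required
policy_satisfied() {
    policy=$1
    completed=$2
    for alt in $policy; do
        if alternative_satisfied "$alt" "$completed"; then
            return 0
        fi
    done
    return 1
}

# next_required POLICY COMPLETED
#   prints, one line per alternative that is still open, the methods left to
#   do; this is what a server would offer after a "partial success"
next_required() {
    policy=$1
    completed=$2
    for alt in $policy; do
        missing=
        rest=$alt
        while [ -n "$rest" ]; do
            case "$rest" in
                *,*) m=${rest%%,*}; rest=${rest#*,} ;;
                *)   m=$rest; rest= ;;
            esac
            has_method "$completed" "$m" || missing="${missing:+$missing,}$m"
        done
        [ -n "$missing" ] && echo "$missing"
    done
    return 0
}

# James's policy in the flattened syntax
POLICY='gssapi-with-mic publickey,password publickey,keyboard-interactive'

# A client that has only done publickey is not in yet; show what is left.
if policy_satisfied "$POLICY" publickey; then
    echo "accepted"
else
    echo "partial success, still required (per alternative):"
    next_required "$POLICY" publickey
fi
```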
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Wed, 08 Apr 2009 01:46:16 +0000
Subject: sftp Couldn't read packet: Connection reset by peer
In-Reply-To: <19ac3f7a0904070449v3cc8e05ehbb822286950166a7@mail.gmail.com>
References: <19ac3f7a0904051053l320dde5bka1f133c09ff5d2c6@mail.gmail.com> <49d94175.G3bCCB7QzzZHu0bR%gsocsftp@v6shell.org> <19ac3f7a0904060434o55f8e87eq89e111e33112144d@mail.gmail.com> <49dac16d.twOlbj/uQ1DtZB7i%gsocsftp@v6shell.org> <49dae1ed.nxSnXybdMM82g2DP%gsocsftp@v6shell.org> <19ac3f7a0904070449v3cc8e05ehbb822286950166a7@mail.gmail.com>
Message-ID: <49dc01e8.S2WVBH6Znrr/vn93%gsocsftp@v6shell.org>

Hello Jon,

Jon Grant wrote:
> Hello
>
> 2009/4/7 J.A. Neitzel :
> [..]
> > Bug added to Bugzilla.
> > See https://bugzilla.mindrot.org/show_bug.cgi?id=1588 for details.
>
> thank you for adding the patch to bugzilla.

I am glad to help, but getting the patched code committed to the source trees is something that is beyond my control. I do not have commit access, and there is a related issue that could probably be addressed in the same set of patches. See, there is also a message, "Attaching to %s...", that could be turned into a debug message instead.

> Re the output text, my understanding is it would now look like with
> numbers added:
>
> 1) j at laptop:~$ sftp oops at unknown-web-qbcdef.com
> 2) ssh: Could not resolve hostname unknown-web-qbcdef.com: Name or
> service not known
> 3) Couldn't read packet: Connection reset by peer

Yes.

> So just to confirm, are (2) and (3) lines both needed? If it is me,
> and it "could not resolve the host name" I would not try and read a
> packet after that.

Yes, in essence, they are both needed. The fact that sftp calls ssh to connect to the server on the user's behalf is why you see two error messages, one from ssh and one from sftp. I could be wrong, but the cost vs. the benefit of turning the two messages into one might not be worth it.
Someone else could probably do a better job of explaining this than I can, since I am not yet completely familiar with the sftp-related source code.

> Also for the English, "Couldn't" is different from "Could not" on the
> line above. Normally the short form is only used colloquially, so I
> would suggest to change (3) to be "Could not" if it is being retained.

Since "...n't" is a pattern used throughout the OpenSSH source tree, I suspect that someone in charge would need to make such a decision.

Cheers,
Jeff

--
J.A. Neitzel
V6 Thompson Shell Port - http://v6shell.org/

From vargalexb at yahoo.com Wed Apr 8 18:58:52 2009
From: vargalexb at yahoo.com (Alexander Varga)
Date: Wed, 8 Apr 2009 01:58:52 -0700 (PDT)
Subject: sftp-server "audit" logging
Message-ID: <934864.27420.qm@web52203.mail.re2.yahoo.com>

Hello

I would like to ask you for any assistance regarding sftp-server logging.

Till now I used openssh-4.4p1.sftplogging-v1.5.patch + openssh-4.4p1, which was later replaced by the sftpfilecontrol patch. With openssh-4.4p1.sftplogging-v1.5.patch I could specify SFTP server logging in sshd_config like this:

    LogSftp yes
    SftpLogFacility LOCAL7
    SftpLogLevel INFO

That did sftp logging like the following:

    Oct 10 11:57:20 vision sftp-server[23768]: opendir /home/reeusda/www
    Oct 10 11:58:25 vision sftp-server[23768]: realpath /home/reeusda/www/1700
    Oct 10 11:58:25 vision sftp-server[23768]: opendir /home/reeusda/www/1700
    Oct 10 11:58:29 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew
    Oct 10 11:58:29 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew
    Oct 10 11:58:32 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03
    Oct 10 11:58:32 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew/03
    Oct 10 11:58:38 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03
    Oct 10 11:58:38 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2
    Oct 10 11:58:38 vision sftp-server[23768]: open /home/reeusda/www/1700/whatnew/03/administrative_officers_mt.htm
    Oct 10 11:58:38 vision sftp-server[23768]: open /u/mikem/temp/somefile.file
    Oct 10 11:58:38 vision sftp-server[23768]: writing 32768 bytes to file

The sftpfilecontrol patch doesn't have the described functionality, because as stated: "Openssh versions 4.4p1 and up provide sftp logging, so this has been taken out of the patch." .... but also after setting LogLevel to DEBUG3, I cannot see the file logging info.
Log looks like this:

    Mar 30 10:12:59 sftp2 sshd[18519]: [ID 800047 local7.info] Connection from 212.200.223.201 port 14170
    Mar 30 10:13:00 sftp2 sshd[18519]: [ID 800047 local7.info] Failed none for ftp_op from 212.200.223.201 port 14170 ssh2
    Mar 30 10:13:00 sftp2 sshd[18519]: [ID 800047 local7.info] Accepted keyboard-interactive/pam for ftp_op from 212.200.223.201 port 14170 ssh2
    Mar 30 10:13:00 sftp2 sshd[18519]: [ID 800047 local7.info] User child is on pid 18522
    Mar 30 10:13:00 sftp2 sshd[18522]: [ID 800047 local7.info] subsystem request for sftp
    Mar 30 10:24:23 sftp2 sshd[18522]: [ID 800047 local7.info] Connection closed by 212.200.223.201
    Mar 30 10:24:23 sftp2 sshd[18522]: [ID 800047 local7.info] Transferred: sent 14952, received 2608 bytes
    Mar 30 10:24:23 sftp2 sshd[18522]: [ID 800047 local7.info] Closing connection to 212.200.223.201 port 14170

...no info about chdir, fileopen, write, filedelete ...

I need to log file access, creation and deletion ... (audit reasons)
This is needed for my service audit purposes. Any RTFM hint if the logging granularity listed above is possible?

Thank you in advance
Alex

From peter at stuge.se Wed Apr 8 20:29:34 2009
From: peter at stuge.se (Peter Stuge)
Date: Wed, 8 Apr 2009 12:29:34 +0200
Subject: sftp-server "audit" logging
In-Reply-To: <934864.27420.qm@web52203.mail.re2.yahoo.com>
References: <934864.27420.qm@web52203.mail.re2.yahoo.com>
Message-ID: <20090408102934.25887.qmail@stuge.se>

Alexander Varga wrote:
> Any RTFM hint if the logging granularity listed above is possible?

I would try to RTFS, usually that's much more reliable than FMs. :)

//Peter

From djm at mindrot.org Wed Apr 8 21:34:19 2009
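The granularity Alex asks for is available without the old patch: the stock sftp-server takes -l log_level and -f log_facility (see sftp-server(8)). As an added example, not from the thread or from OpenSSH, here is the Subsystem line that enables it and a filter that reduces the resulting syslog lines to one audit record per file operation; the message formats are my recollection of sftp-server.c's log calls, an assumption, and the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH.
# The stock sftp-server (no logging patch) takes -l log_level and -f
# log_facility, so the equivalent of Alex's patched setup is a Subsystem
# line in sshd_config such as:
#     Subsystem sftp /usr/libexec/sftp-server -l INFO -f LOCAL7
# Its INFO lines look different from the patch's, so the filter below turns
# them into one audit record per file operation: "<user> <op> <path>".
# The message formats are my recollection of sftp-server.c's logit() calls
# (an assumption) and the sample lines are constructed, not captured.

# sample_log: constructed syslog lines in that format (192.0.2.10 is a
# documentation address)
sample_log() {
    cat <<'EOF'
Apr  8 10:13:00 sftp2 sftp-server[18522]: session opened for local user ftp_op from [192.0.2.10]
Apr  8 10:13:05 sftp2 sftp-server[18522]: opendir "/home/ftp_op/www"
Apr  8 10:13:09 sftp2 sftp-server[18522]: open "/home/ftp_op/www/index.htm" flags WRITE,CREATE,TRUNCATE mode 0644
Apr  8 10:13:12 sftp2 sftp-server[18522]: open "/home/ftp_op/www/old.htm" flags READ mode 0666
Apr  8 10:13:15 sftp2 sftp-server[18522]: rename old "/home/ftp_op/www/old.htm" new "/home/ftp_op/www/archive/old.htm"
Apr  8 10:13:20 sftp2 sftp-server[18522]: remove name "/home/ftp_op/www/tmp.txt"
Apr  8 10:13:25 sftp2 sftp-server[18522]: session closed for local user ftp_op from [192.0.2.10]
Apr  8 10:14:00 sftp2 sshd[18519]: Connection closed by 192.0.2.10
EOF
}

# sftp_audit: syslog lines on stdin -> audit records on stdout.
#   The user comes from the "session opened" line and is remembered per
#   pid, because the file-operation lines themselves do not carry it.
sftp_audit() {
    awk '
    $5 ~ /^sftp-server\[[0-9]+]:$/ {
        pid = $5
        sub(/^sftp-server\[/, "", pid); sub(/]:$/, "", pid)
        msg = substr($0, index($0, $5) + length($5) + 1)
        if (msg ~ /^session opened for local user /) {
            split(msg, f, " "); user[pid] = f[6]
            next
        }
        if (msg ~ /^session closed /) { delete user[pid]; next }
        u = (pid in user) ? user[pid] : "?"
        split(msg, f, "\"")              # quoted paths land in f[2], f[4]
        if (msg ~ /^open "/) {
            kind = (msg ~ /flags [A-Z,]*(WRITE|CREATE|TRUNCATE)/) ? "write" : "read"
            print u, kind, f[2]
        } else if (msg ~ /^opendir "/) {
            print u, "list", f[2]
        } else if (msg ~ /^remove name "/) {
            print u, "delete", f[2]
        } else if (msg ~ /^mkdir name "/) {
            print u, "mkdir", f[2]
        } else if (msg ~ /^rmdir name "/) {
            print u, "rmdir", f[2]
        } else if (msg ~ /^rename old "/) {
            print u, "rename", f[2], "->", f[4]
        }
    }'
}

# audit_count: number of audit records produced for the sample
audit_count() {
    sample_log | sftp_audit | awk 'END { print NR }'
}

sample_log | sftp_audit
```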
From: djm at mindrot.org (Damien Miller)
Date: Wed, 8 Apr 2009 21:34:19 +1000 (EST)
Subject: sftp-server "audit" logging
In-Reply-To: <934864.27420.qm@web52203.mail.re2.yahoo.com>
References: <934864.27420.qm@web52203.mail.re2.yahoo.com>
Message-ID:

On Wed, 8 Apr 2009, Alexander Varga wrote:
> I need to log file access, creation and deletion ... (audit reasons)
> This is needed for my service audit purposes. Any RTFM hint if the
> logging granularity listed above is possible?

man sftp-server

From jari.aalto at cante.net Thu Apr 9 03:16:31 2009
From: jari.aalto at cante.net (Jari Aalto)
Date: Wed, 08 Apr 2009 20:16:31 +0300
Subject: sshd: ssh_config default setting - PermitRootLogin yes
Message-ID: <878wmbnk0g.fsf@jondo.cante.net>

[Please keep CC, I'm not in this list]

The default setting for PermitRootLogin appears to be 'yes'. An increasing number of attacks target the ssh port 22 and root logins directly[1] through the Internet.

Would it be possible to tighten the initial installation by defaulting PermitRootLogin to 'no' (or even in *.c) in forthcoming releases and have administrators relax it if they see fit? The configuration file could have an example to encourage the use of more strict security settings. Something like:

    PermitRootLogin no

    # To enable root logins inside trusted network, like local LAN
    # uncomment and adjust following. The 'without-password' allows only
    # private key authentications, whereas 'yes' would allow password
    # authentication.
    #
    # Match Address 192.168.1.0/24
    #     PermitRootLogin without-password

Jari

[1] Admins warned of brute-force SSH attacks
    http://www.securityfocus.com/news/11518

From tcreedon at easystreet.net Thu Apr 9 05:25:33 2009
From: tcreedon at easystreet.net (Ted Creedon)
Date: Wed, 8 Apr 2009 12:25:33 -0700
Subject: libedit not found on SUse 11.1
Message-ID:

Included below is a diff between the output from configure on a 64 bit SUse 11.1 (doesn't find libedit) and a 64 bit Suse 10.3 (does find libedit) for otherwise identical setups.

1. How can I get the output set up to look at conftest.c?

2. I added a set -x to configure above LIBEDIT_MSG=no

3. ./configure --with-ldflags="-L/usr/lib64" --with-cflags="-ggdb3 -I/usr/include/gssapi" --prefix=/ --exec-prefix=/usr --libdir=/usr/lib64 --datadir=/usr --sysconfdir=/etc/ \
   --with-ssl-engine --with-pam --with-rand-helper --with-kerberos5=/usr/lib/mit --with-md5-passwords --with-libedit=/usr/lib64 --with-tcp-wrappers \
   --disable-strip

a simpler ./configure -with-libedit=/usr/lib64 produces the same error..

[side-by-side `set -x` trace of the two configure runs (Suse 11.1 on the left, Suse 10.3 on the right) omitted: the columns were interleaved beyond recovery in the archive]
From: peter at stuge.se (Peter Stuge)
Date: Wed, 8 Apr 2009 23:12:43 +0200
Subject: libedit not found on SUse 11.1
In-Reply-To:
References:
Message-ID: <20090408211243.22258.qmail@stuge.se>

Ted Creedon wrote:
> Included below is a diff

Sorry, it's not very legible to me.


> between the output from configure on a 64 bit SUse 11.1 (doesn't
> find libedit) and a 64 bit Suse 10.3 (does find libedit) for
> otherwise identical setups.

Does 10.3 also use /usr/lib64 ?


//Peter

From: tcreedon at easystreet.net (Ted Creedon)
Date: Wed, 8 Apr 2009 14:46:41 -0700
Subject: configure.ac libedit problem solved
Message-ID:

Turns out that Suse 11.1 needs a soft link:

ln -s /lib64/libncurses.so.5.6 /lib64/libcurses.so

This is pretty poor error reporting....

I wonder how many carps are due to building not properly reporting
errors...

Thanks
tedc

From: peter at stuge.se (Peter Stuge)
Date: Wed, 8 Apr 2009 23:49:52 +0200
Subject: configure.ac libedit problem solved
In-Reply-To:
References:
Message-ID: <20090408214952.304.qmail@stuge.se>

Ted Creedon wrote:
> Turns out that Suse 11.1 needs a soft link:
>
> ln -s /lib64/libncurses.so.5.6 /lib64/libcurses.so
>
>
> This is pretty poor error reporting....

Was there a useful error message in config.log?


//Peter
From: tcreedon at easystreet.net (Ted Creedon)
Date: Wed, 8 Apr 2009 15:03:52 -0700
Subject: configure.ac libedit problem solved
In-Reply-To: <20090408214952.304.qmail@stuge.se>
References: <20090408214952.304.qmail@stuge.se>
Message-ID:

Absolutely, positively, guaranteed not.

Just a "can't find libedit" - about as misleading as possible.

Had to hack configure to figure out what was missing - took 2 days..

Had the same type of problem with kerberos/gssapi... innocuous errors in
a program that linked. Had to use DDD to figure that one out..

pkg-config was also misleading; it reports:

pkg-config --libs --cflags libedit
-I/usr/include/editline -ledit -lcurses

but libcurses doesn't exist, it's libncurses (has been for years).

Back to getting the pam stack working with gssapi..

Thanks
Tedc

On Wed, Apr 8, 2009 at 2:49 PM, Peter Stuge wrote:

> Ted Creedon wrote:
> > Turns out that Suse 11.1 needs a soft link:
> >
> > ln -s /lib64/libncurses.so.5.6 /lib64/libcurses.so
> >
> >
> > This is pretty poor error reporting....
>
> Was there a useful error message in config.log?
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From: tim at multitalents.net (Tim Rice)
Date: Wed, 8 Apr 2009 16:36:13 -0700 (PDT)
Subject: configure.ac libedit problem solved
In-Reply-To:
References:
Message-ID:

On Wed, 8 Apr 2009, Ted Creedon wrote:

> Turns out that Suse 11.1 needs a soft link:
>
> ln -s /lib64/libncurses.so.5.6 /lib64/libcurses.so

If /lib64/libcurses.so is missing, you are either missing the libcurses
development package or there is a bug in the libcurses development
package.

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net
From: peter at stuge.se (Peter Stuge)
Date: Thu, 9 Apr 2009 03:05:50 +0200
Subject: configure.ac libedit problem solved
In-Reply-To:
References: <20090408214952.304.qmail@stuge.se>
Message-ID: <20090409010550.20545.qmail@stuge.se>

Ted Creedon wrote:
> Absolutely, positively, guaranteed not.

Did you look around where it tries to compile the failing test?

When something fails during configure I find it appends hundreds of
lines after the actual error, variables and such.

Could you send the log? If it's too big for the list just send to me.


//Peter

From: tcreedon at easystreet.net (Ted Creedon)
Date: Wed, 8 Apr 2009 20:05:22 -0700
Subject: configure.ac libedit problem solved
In-Reply-To: <20090409010550.20545.qmail@stuge.se>
References: <20090408214952.304.qmail@stuge.se> <20090409010550.20545.qmail@stuge.se>
Message-ID:

Since I linked curses to ncurses, well, it now compiles. The log was
useless for troubleshooting; that's why I turned set -x on in configure.

On Wed, Apr 8, 2009 at 6:05 PM, Peter Stuge wrote:

> Ted Creedon wrote:
> > Absolutely, positively, guaranteed not.
>
> Did you look around where it tries to compile the failing test?
>
> When something fails during configure I find it appends hundreds of
> lines after the actual error, variables and such.
>
> Could you send the log? If it's too big for the list just send to me.
>
>
> //Peter
>
From: djm at mindrot.org (Damien Miller)
Date: Thu, 9 Apr 2009 13:29:35 +1000 (EST)
Subject: configure.ac libedit problem solved
In-Reply-To:
References: <20090408214952.304.qmail@stuge.se> <20090409010550.20545.qmail@stuge.se>
Message-ID:

That is a first: I have always found config.log to contain everything I
needed, except when configure.ac had syntactic errors.

Could you please post your log somewhere so we can see what has gone
wrong?

On Wed, 8 Apr 2009, Ted Creedon wrote:

> since I linked curses to ncurses well it now compiles, the log was useless
> for troubleshooting, that's why I turned set -x on in configure
>
>
>
> On Wed, Apr 8, 2009 at 6:05 PM, Peter Stuge wrote:
>
> > Ted Creedon wrote:
> > > Absolutely, positively, guaranteed not.
> >
> > Did you look around where it tries to compile the failing test?
> >
> > When something fails during configure I find it appends hundreds of
> > lines after the actual error, variables and such.
> >
> > Could you send the log? If it's too big for the list just send to me.
> >
> >
> > //Peter
> >
>
From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 9 Apr 2009 06:26:58 -0700
Subject: libedit not found on SUse 11.1
In-Reply-To: <20090408211243.22258.qmail@stuge.se>
References: <20090408211243.22258.qmail@stuge.se>
Message-ID:

Yes

The configure line is included in a previous e-mail.

On Wed, Apr 8, 2009 at 2:12 PM, Peter Stuge wrote:

> Ted Creedon wrote:
> > Included below is a diff
>
> Sorry, it's not very legible to me.
>
>
> > between the output from configure on a 64 bit SUse 11.1 (doesn't
> > find libedit) and a 64 bit Suse 10.3 (does find libedit) for
> > otherwise identical setups.
>
> Does 10.3 also use /usr/lib64 ?
>
>
> //Peter
>
From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 9 Apr 2009 09:23:02 -0700
Subject: libedit not found on SUse 11.1
In-Reply-To:
References: <20090408211243.22258.qmail@stuge.se>
Message-ID:

Forgot - the configure line.. same for all cases

Debug (ddd ssh) was used to troubleshoot the gssapi problem previously
described in the e-mails

thanks
ted

On Thu, Apr 9, 2009 at 9:20 AM, Ted Creedon wrote:

> included are a works and doesn't work config.log from SuSe 11.1
>
> config.sh is included also.
>
> The difference between the two is a soft link:
>
> ln -s /lib64/libncurses.so.5.6 /lib64/libcurses.so
>
> If you want I can send a capture with set -x turned on at
> LIBEDIT_MSG="no" in the configure script
>
> As you can see the log files don't pinpoint the correct missing library it
> points to libedit when it should point to libcurses
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.sh
Type: application/x-sh
Size: 338 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090409/dad7a5c9/attachment.sh
From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 9 Apr 2009 12:02:18 -0700
Subject: if ssh port is not port 22
Message-ID:

If Port is set to 422 in /etc/ssh/ssh_config, ssh client still tries to use
port 22. ssh -p 422 localhost does work however because Port is set to 422
in sshd_config

geronimo:/data/openssh-5.2p1 # ssh -vvv localhost
OpenSSH_5.2p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc//ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: connect to address 127.0.0.1 port 22: Connection refused
debug1: Connecting to localhost [::1] port 22.
debug1: connect to address ::1 port 22: Connection refused
ssh: connect to host localhost port 22: Connection refused
geronimo:/data/openssh-5.2p1 #
From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 09 Apr 2009 15:17:09 -0400
Subject: if ssh port is not port 22
In-Reply-To:
References:
Message-ID: <49DE49B5.7020105@kickflop.net>

Ted Creedon wrote:
> If Port is set to 422 in /etc/ssh/ssh_config, ssh client still tries to use
> port 22. ssh -p 422 localhost does work however because Port is set to 422
> in sshd_config
>
> geronimo:/data/openssh-5.2p1 # ssh -vvv localhost
> OpenSSH_5.2p1, OpenSSL 0.9.8e 23 Feb 2007
> debug1: Reading configuration data /etc//ssh_config
                                     ^^^^^^^^^ Error
> debug3: RNG is ready, skipping seeding
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to localhost [127.0.0.1] port 22.
> debug1: connect to address 127.0.0.1 port 22: Connection refused
> debug1: Connecting to localhost [::1] port 22.
> debug1: connect to address ::1 port 22: Connection refused
> ssh: connect to host localhost port 22: Connection refused
> geronimo:/data/openssh-5.2p1 #
>

From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 9 Apr 2009 12:46:32 -0700
Subject: if ssh port is not port 22
In-Reply-To: <49DE49B5.7020105@kickflop.net>
References: <49DE49B5.7020105@kickflop.net>
Message-ID:

Sorry, I had 2 ssh_config files, one in /etc/ and one in /etc/ssh

Just poking along trying to get NX up and running. It depends on ssh...

Thanks
tedc
From: mra at malloc.org (Matt Anderson)
Date: Thu, 09 Apr 2009 15:51:33 -0400
Subject: if ssh port is not port 22
In-Reply-To:
References:
Message-ID: <49DE51C5.40405@malloc.org>

Ted Creedon wrote:
> If Port is set to 422 in /etc/ssh/ssh_config, ssh client still tries to use
> port 22. ssh -p 422 localhost does work however because Port is set to 422
> in sshd_config

Sounds like what you want is /etc/ssh/config or ~/.ssh/config to include
something like:

localhost:
    Port 422

-matt

From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 9 Apr 2009 13:09:36 -0700
Subject: if ssh port is not port 22
In-Reply-To: <49DE51C5.40405@malloc.org>
References: <49DE51C5.40405@malloc.org>
Message-ID:

I screwed it up - had 2 ssh_conf files... Works fine

Busy getting my pam stack set up

thanks
ted

On Thu, Apr 9, 2009 at 12:51 PM, Matt Anderson wrote:

> Ted Creedon wrote:
> > If Port is set to 422 in /etc/ssh/ssh_config, ssh client still tries to
> > use port 22. ssh -p 422 localhost does work however because Port is set
> > to 422 in sshd_config
>
> Sounds like what you want is /etc/ssh/config or ~/.ssh/config to include
> something like:
> localhost:
>     Port 422
>
> -matt
>
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Apr 2009 07:39:47 +1000 (EST)
Subject: libedit not found on SUse 11.1
In-Reply-To:
References: <20090408211243.22258.qmail@stuge.se>
Message-ID:

I think you are not understanding: configure leaves a file config.log
that includes detailed debugging output. The brief messages written on
standard output by configure are not what we are after.

On Thu, 9 Apr 2009, Ted Creedon wrote:

> Yes
>
> The configure line is included in a previous e-mail.
>
> On Wed, Apr 8, 2009 at 2:12 PM, Peter Stuge wrote:
>
> > Ted Creedon wrote:
> > > Included below is a diff
> >
> > Sorry, it's not very legible to me.
> >
> >
> > > between the output from configure on a 64 bit SUse 11.1 (doesn't
> > > find libedit) and a 64 bit Suse 10.3 (does find libedit) for
> > > otherwise identical setups.
> >
> > Does 10.3 also use /usr/lib64 ?
> >
> >
> > //Peter
> >
>
From: peter at stuge.se (Peter Stuge)
Date: Thu, 9 Apr 2009 23:45:33 +0200
Subject: libedit not found on SUse 11.1
In-Reply-To:
References: <20090408211243.22258.qmail@stuge.se>
Message-ID: <20090409214533.9443.qmail@stuge.se>

Ted Creedon wrote:
> included are a works and doesn't work config.log from SuSe 11.1

Thanks!


> As you can see the log files don't pinpoint the correct missing
> library

I think it does. Look at the following snippet:

--8<-- config.log.doesnt.work.with.no.curses.link
configure:12735: checking for libwrap
configure:12764: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99 -ggdb3 -I/usr/include/gssapi -fstack-protector-all -L/usr/lib64 conftest.c -lwrap -lutil -lz -lnsl >&5
configure:12771: $? = 0
configure:12780: result: yes
configure:12826: checking for el_init in -ledit
configure:12862: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99 -ggdb3 -I/usr/include/gssapi -I/usr/lib64/include -L/usr/lib64/lib -fstack-protector-all -L/usr/lib64 conftest.c -ledit -lcurses -lutil -lz -lnsl >&5
/usr/lib64/gcc/x86_64-suse-linux/4.3/../../../../x86_64-suse-linux/bin/ld: cannot find -lcurses
collect2: ld returned 1 exit status
configure:12869: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "OpenSSH"
| #define PACKAGE_TARNAME "openssh"
| #define PACKAGE_VERSION "Portable"
| #define PACKAGE_STRING "OpenSSH Portable"
| #define PACKAGE_BUGREPORT "openssh-unix-dev at mindrot.org"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define LOGIN_PROGRAM_FALLBACK "/bin/login"
| #define _PATH_PASSWD_PROG "/usr/bin/passwd"
| #define HAVE_ATTRIBUTE__NONNULL__ 1
| #define HAVE_CRYPT_H 1
| #define HAVE_DIRENT_H 1
| #define HAVE_ENDIAN_H 1
| #define HAVE_FEATURES_H 1
| #define HAVE_FCNTL_H 1
| #define HAVE_GETOPT_H 1
| #define HAVE_GLOB_H 1
| #define HAVE_LIMITS_H 1
| #define HAVE_NETDB_H 1
| #define HAVE_PATHS_H 1
| #define HAVE_POLL_H 1
| #define HAVE_PTY_H 1
| #define HAVE_RPC_TYPES_H 1
| #define HAVE_SECURITY_PAM_APPL_H 1
| #define HAVE_SHADOW_H 1
| #define HAVE_STDDEF_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_STRING_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_SYS_BITYPES_H 1
| #define HAVE_SYS_CDEFS_H 1
| #define HAVE_SYS_DIR_H 1
| #define HAVE_SYS_MMAN_H 1
| #define HAVE_SYS_MOUNT_H 1
| #define HAVE_SYS_POLL_H 1
| #define HAVE_SYS_PRCTL_H 1
| #define HAVE_SYS_SELECT_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_SYS_STROPTS_H 1
| #define HAVE_SYS_STATVFS_H 1
| #define HAVE_SYS_SYSMACROS_H 1
| #define HAVE_SYS_TIME_H 1
| #define HAVE_SYS_UN_H 1
| #define HAVE_TIME_H 1
| #define HAVE_TTYENT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_UTIME_H 1
| #define HAVE_UTMP_H 1
| #define HAVE_UTMPX_H 1
| #define HAVE_LASTLOG_H 1
| #define PAM_TTY_KLUDGE 1
| #define LOCKED_PASSWD_PREFIX "!"
| #define SPT_TYPE SPT_REUSEARGV
| #define LINK_OPNOTSUPP_ERRNO EPERM
| #define _PATH_BTMP "/var/log/btmp"
| #define USE_BTMP 1
| #define HAVE_LINUX_IF_TUN_H 1
| #define SSH_TUN_LINUX 1
| #define SSH_TUN_COMPAT_AF 1
| #define SSH_TUN_PREPEND_AF 1
| #define HAVE_LIBNSL 1
| #define HAVE_DIRNAME 1
| #define HAVE_LIBGEN_H 1
| #define HAVE_BASENAME 1
| #define HAVE_LIBZ 1
| #define HAVE_UTIMES 1
| #define HAVE_LOGIN 1
| #define HAVE_LOGOUT 1
| #define HAVE_UPDWTMP 1
| #define HAVE_LOGWTMP 1
| #define HAVE_STRFTIME 1
| #define GLOB_HAS_ALTDIRFUNC 1
| #define HAVE_DECL_GLOB_NOMATCH 1
| #define HAVE_PROC_PID 1
| #define LIBWRAP 1
| /* end confdefs.h. */
|
| /* Override any GCC internal prototype to avoid an error.
|    Use char because int might match the return type of a GCC
|    builtin and then its argument prototype would still apply. */
| #ifdef __cplusplus
| extern "C"
| #endif
| char el_init ();
| int
| main ()
| {
| return el_init ();
|   ;
|   return 0;
| }
configure:12890: result: no
configure:12903: error: libedit not found
-->8--

After this, config.log has a dump of lots of internal autoconf state.
But this line is key:

--8<--
/usr/lib64/gcc/x86_64-suse-linux/4.3/../../../../x86_64-suse-linux/bin/ld: cannot find -lcurses
-->8--

It shows the actual error message, which was encountered during the
libedit probing.


//Peter
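Peter's point, that the toolchain's own message sits between a probe's logged command line and its "$? =" line, can be turned into a small config.log reader. This is an added example, not code from the thread or from the OpenSSH build; the regular expressions assume the autoconf layout visible in the snippet above, and the sample log is constructed from the lines quoted there.

```python
"""Pull the real diagnostic out of an autoconf config.log.

Added example, not code from the thread or from the OpenSSH build.  It
assumes the autoconf layout shown in the quoted snippet: a probe starts
with "configure:NNNN: checking ...", each toolchain command is logged
as "configure:NNNN: gcc ...", the toolchain's own stderr follows that
line, then "configure:NNNN: $? = N" and "configure:NNNN: result: ...".
"""
import re

CHECK_RE = re.compile(r"^configure:\d+: checking (?:for )?(.+)$")
STATUS_RE = re.compile(r"^configure:\d+: \$\? = (\d+)$")
RESULT_RE = re.compile(r"^configure:\d+: result: (.+)$")
ERROR_RE = re.compile(r"^configure:\d+: error: (.+)$")
COMMAND_RE = re.compile(r"^configure:\d+: ")      # any other configure line
FAILED_PROGRAM = "configure: failed program was:"


def parse_checks(log_text):
    """One record per probe: name, result, exit statuses and the lines the
    compiler or linker printed while the probe ran."""
    checks, current, in_command = [], None, False
    for line in log_text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            current = {"name": m.group(1).strip(), "result": None,
                       "error": None, "statuses": [], "diagnostics": []}
            checks.append(current)
            in_command = False
            continue
        if current is None:
            continue
        if line == FAILED_PROGRAM:
            in_command = False            # the "| ..." listing follows
            continue
        m = STATUS_RE.match(line)
        if m:
            current["statuses"].append(int(m.group(1)))
            in_command = False
            continue
        m = RESULT_RE.match(line)
        if m:
            current["result"] = m.group(1).strip()
            in_command = False
            continue
        m = ERROR_RE.match(line)
        if m:
            current["error"] = m.group(1).strip()
            in_command = False            # cache/variable dump follows
            continue
        if COMMAND_RE.match(line):
            in_command = True             # a logged compiler/linker command
            continue
        if line.endswith(">&5"):
            continue                      # wrapped tail of that command
        if in_command and line and not line.startswith("|"):
            current["diagnostics"].append(line)
    return checks


def failed_checks(log_text):
    """Probes that did not answer 'yes', with whatever the toolchain said.
    An empty diagnostics list means the probe failed silently, so the
    'failed program was:' listing is the next place to look."""
    return [c for c in parse_checks(log_text)
            if c["result"] != "yes" and (c["diagnostics"] or c["error"])]


def explain(log_text):
    """One line per failed probe: probe name and the underlying cause."""
    lines = []
    for c in failed_checks(log_text):
        cause = c["diagnostics"][0] if c["diagnostics"] else c["error"]
        lines.append(f"{c['name']}: {cause}")
    return lines


# Constructed sample, cut down from the config.log lines quoted in the
# thread (the real log has one command per line; the wrapped -lutil line
# mimics how the mail client broke it).
SAMPLE_LOG = """\
configure:12735: checking for libwrap
configure:12764: gcc -o conftest -g -O2 -L/usr/lib64 conftest.c -lwrap -lutil -lz -lnsl >&5
configure:12771: $? = 0
configure:12780: result: yes
configure:12826: checking for el_init in -ledit
configure:12862: gcc -o conftest -g -O2 -L/usr/lib64 conftest.c -ledit -lcurses
-lutil -lz -lnsl >&5
/usr/lib64/gcc/x86_64-suse-linux/4.3/../../../../x86_64-suse-linux/bin/ld: cannot find -lcurses
collect2: ld returned 1 exit status
configure:12869: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| #define PACKAGE_NAME "OpenSSH"
| char el_init ();
| int
| main ()
| {
| return el_init ();
|   ;
|   return 0;
| }
configure:12890: result: no
configure:12903: error: libedit not found

## ---------------- ##
## Cache variables. ##
## ---------------- ##
ac_cv_lib_edit_el_init=no
"""

if __name__ == "__main__":
    for line in explain(SAMPLE_LOG):
        print(line)
```

Run against a real config.log, the report names the probe that failed ("el_init in -ledit") together with the linker's "cannot find -lcurses", which is the line the thread spent two days looking for.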
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Fri, 10 Apr 2009 00:54:57 +0300
Subject: libedit not found on SUse 11.1
In-Reply-To: <20090409214533.9443.qmail@stuge.se>
References: <20090408211243.22258.qmail@stuge.se> <20090409214533.9443.qmail@stuge.se>
Message-ID: <49DE6EB1.1060209@roumenpetrov.info>

Peter Stuge wrote:
> Ted Creedon wrote:
>> included are a works and doesn't work config.log from SuSe 11.1
[SNIP]
> configure:12826: checking for el_init in -ledit
> configure:12862: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99 -ggdb3 -I/usr/include/gssapi -I/usr/lib64/include -L/usr/lib64/lib -fstack-protector-all -L/usr/lib64 conftest.c -ledit -lcurses
> -lutil -lz -lnsl >&5
> /usr/lib64/gcc/x86_64-suse-linux/4.3/../../../../x86_64-suse-linux/bin/ld: cannot find -lcurses
[SNIP]

I think configure has to try to link libedit without the curses library
first, and next with one of the libraries ncursesw, ncurses, curses or
termcap.

Roumen
From: tcreedon at easystreet.net (Ted Creedon)
Date: Thu, 9 Apr 2009 14:56:59 -0700
Subject: libedit not found on SUse 11.1
In-Reply-To:
References: <20090408211243.22258.qmail@stuge.se>
Message-ID:

The 2 attached files are config.log(s) one that configures and one that
does not

On Thu, Apr 9, 2009 at 2:39 PM, Damien Miller wrote:

> I think you are not understanding: configure leaves a file config.log
> that includes detailed debugging output. The brief messages written on
> standard output by configure are not what we are after.
>
> On Thu, 9 Apr 2009, Ted Creedon wrote:
>
> > Yes
> >
> > The configure line is included in a previous e-mail.
> >
> > On Wed, Apr 8, 2009 at 2:12 PM, Peter Stuge wrote:
> >
> > > Ted Creedon wrote:
> > > > Included below is a diff
> > >
> > > Sorry, it's not very legible to me.
> > >
> > >
> > > > between the output from configure on a 64 bit SUse 11.1 (doesn't
> > > > find libedit) and a 64 bit Suse 10.3 (does find libedit) for
> > > > otherwise identical setups.
> > >
> > > Does 10.3 also use /usr/lib64 ?
> > >
> > >
> > > //Peter
> > >
> >
>
From: cjk32 at cam.ac.uk (Christopher Key)
Date: Fri, 10 Apr 2009 20:26:22 +0100
Subject: '#' in usernames with scp
Message-ID: <49DF9D5E.3040603@cam.ac.uk>

Hello,

Some hosting companies insist on having usernames of the form
user#account(@example.com). The ssh client is quite happy with such
usernames, but scp fails with 'invalid user name'. Looking at the source
code, scp rejects ' " ` # and ' ', whereas ssh apparently enforces no such
restriction.

My question is twofold:

Firstly, why do ssh and scp behave differently? If the restricted
characters are either dangerous or outside spec, why does ssh permit
them? If not, why is scp rejecting them?

Secondly, is there any chance of getting this changed to be consistent?
I'd obviously prefer that scp accepted '#' characters so that the
standard source works for me, although if there's a good reason for
rejecting some characters, should ssh not be updated to reject them too?

Christopher Key

From: peter at stuge.se (Peter Stuge)
Date: Sat, 11 Apr 2009 01:16:48 +0200
Subject: '#' in usernames with scp
In-Reply-To: <49DF9D5E.3040603@cam.ac.uk>
References: <49DF9D5E.3040603@cam.ac.uk>
Message-ID: <20090410231648.19926.qmail@stuge.se>

Christopher Key wrote:
> Firstly, why do ssh and scp behave differently?

This is a guess, but because scp must execute a shell on the server I
can see that it has to have some limitations. Also, the SCP protocol
(really RCP protocol) is very old.

It could also be a bug because of how scp executes ssh. What happens
if you exhaust all methods available for specifying usernames?


//Peter
From: tcreedon at easystreet.net (Ted Creedon)
Date: Sat, 11 Apr 2009 14:23:11 -0700
Subject: gssapi patches
Message-ID:

are these patches in 5.2p1?

Kerberos/GSSAPI Support in OpenSSH
http://www.sxw.org.uk/computing/patches/openssh.html

* Key exchange
* Cascading Credentials

Thanks,
Tedc

From: tcreedon at easystreet.net (Ted Creedon)
Date: Sat, 11 Apr 2009 18:09:20 -0700
Subject: ssh_gssapi_check_mechanism fails
Message-ID:

Gssapi is failing at the following statement in sshconnect2.c, ok never
gets set to 1: ssh_gssapi_check_mechanism fails

	/* Check to see if the mechanism is usable before we offer it */
	while (mech < gss_supported->count && !ok) {
		/* My DER encoding requires length<128 */
		if (gss_supported->elements[mech].length < 128 &&
		    ssh_gssapi_check_mechanism(&gssctxt,
		    &gss_supported->elements[mech], authctxt->host)) {
			ok = 1; /* Mechanism works */
		} else {
			mech++;
		}
	}

The debug errors are:

debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code

debug1: Unspecified GSS failure.  Minor code may provide more information
From: gsocsftp at v6shell.org (J.A. Neitzel)
Date: Sun, 12 Apr 2009 19:31:46 +0000
Subject: OpenSSH sftp(1) renovation project for GSoC 2009
In-Reply-To: <49d6e3c9.a2qYAdEEuf07E6KH%gsocsftp@v6shell.org>
References: <49d6d19e.grsAX/XQvXPZU45p%gsocsftp@v6shell.org> <822C1797-446E-49E9-9645-E24CC291FF72@gmail.com> <49d6e3c9.a2qYAdEEuf07E6KH%gsocsftp@v6shell.org>
Message-ID: <49e241a2.+sDsRioyXzoGnefs%gsocsftp@v6shell.org>

"J.A. Neitzel" wrote:
> Peter Lambrechtsen wrote:
>
> > On 4/04/2009, at 4:18 PM, "J.A. Neitzel" wrote:
> >
> > > Hello,
> > >
> > > Please pardon me if this is off topic, but I thought I ought to
> > > introduce myself.
> > >
> > > I submitted an application (aka student proposal) to OpenSSH via
> > > GSoC on Thursday (2009-04-02 19:39:21Z). Of course, I cannot know
> > > if it will be accepted, but in any case, here is the abstract for
> > > anybody on the list who may be interested in offering feedback:
> > >
> > > The objective of the OpenSSH sftp(1) renovation project is to improve
> > > the current sftp(1) client to allow its use as a drop-in replacement
> > > for scp(1). This requires implementing both recursive uploads/downloads
> > > and an scp(1)-compatible command-line interface. The scp(1) command
> > > has an `-r' flag for recursive transmission, but sftp(1) does not
> > > currently support this except by manual user intervention in
> > > interactive mode. Additionally, sftp(1) interactive-mode tab
> > > completion will be integrated.
> > >
> > > ...
> > > I searched for sftp-related bugs in Bugzilla and found several
> > > related to my project plan in one way or another. Beside the issues
> > > mentioned in the above abstract (which are in the bug list), there
> > > are a few others which should could/should/would likely be addressed
> > > in my plan as well.
> >
> > Maybe if your proposal is accepted you write up a new bug in bugzilla
> > with all your thoughts. Plus link to any of the existing bugs so we
> > can all refer back to a single place that has captured everyone's ideas
> > and had all the suggestions prioritized so you know which are the must
> > haves vs the nice to haves.
>
> Ah yes, that sounds like an excellent suggestion to me.
> Thanks for that.

Added to Bugzilla as:

	https://bugzilla.mindrot.org/show_bug.cgi?id=1589 .

Jeff

--
J.A. Neitzel
GSoC OpenSSH sftp(1) renovation project - http://gsocsftp.v6shell.org/

From: ganesh.k at servion.com (Ganesh K.)
Date: Wed, 15 Apr 2009 12:58:40 +0530
Subject: OpenSSH for Windows2003
References: <195F87456A640A40B0FE493E37D945F1B99F40@sgslwgex2k3.sgsl.int>
Message-ID: <195F87456A640A40B0FE493E37D945F1B99F43@sgslwgex2k3.sgsl.int>

Hi,

We are trying to connect SFTP server from Windows2003 server.

Steps carried out:

a) Installed OpenSSH client in Windows Server.
b) Generated Public key and the same has been uploaded in SFTP Server.
c) When we run the SFTP.exe in command prompt we are getting an error, PFA
d) I have changed compatibility mode to Windows2000, but still same error
   is coming.

Kindly help us to resolve the issue.

Thanks & Regards
K.Ganesh
________________________________
Serviont Global Solutions
Mobile : +91-9920839338
www.servion.com
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Thu, 16 Apr 2009 14:13:00 -0500
Subject: OpenSSH for Windows2003
In-Reply-To: <195F87456A640A40B0FE493E37D945F1B99F43@sgslwgex2k3.sgsl.int>
References: <195F87456A640A40B0FE493E37D945F1B99F40@sgslwgex2k3.sgsl.int> <195F87456A640A40B0FE493E37D945F1B99F43@sgslwgex2k3.sgsl.int>
Message-ID:

On Apr 15, 2009, at 2:28 AM, Ganesh K. wrote:

> Hi,
>
> We are trying to connect SFTP server from Windows2003 server.
>
> Steps carried out:
>
> a) Installed OpenSSH client in Windows Server.
> b) Generated Public key and the same has been uploaded in SFTP Server.
> c) When we run the SFTP.exe in command prompt we are getting an
> error, PFA
> d) I have changed compatibility mode to Windows2000, but still same
> error is coming.

It isn't clear what your problem is. I don't know of any "PFA" error on
any OpenSSH platform. If you can clarify what your issues are then maybe
folks will respond.

- Ben

From: jg at jguk.org (Jon Grant)
Date: Thu, 16 Apr 2009 22:06:27 +0100
Subject: ^C +C not working with sftp
Message-ID: <19ac3f7a0904161406o9e284faxf7caf0008f67ff68@mail.gmail.com>

Hello

I sftp'd to the wrong machine, and noticed there was no way to get out
of it, ^C and ^D didn't do anything, they just submitted as a wrong
password.

d at -laptop:~/Documents/$ sftp mydomains.com
Connecting to mydomains.com...
d at mydomains.com's password:
^CPermission denied, please try again.

ssh on the other hand does accept ^C. could the same be added to sftp?

I'm not on this mailing list, so please include my email address in any
replies.

Best regards, Jon
From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Apr 2009 11:16:20 +1000 (EST)
Subject: ^C +C not working with sftp
In-Reply-To: <19ac3f7a0904161406o9e284faxf7caf0008f67ff68@mail.gmail.com>
References: <19ac3f7a0904161406o9e284faxf7caf0008f67ff68@mail.gmail.com>
Message-ID:

Please file a bug at http://bugzilla.mindrot.org/ so this doesn't get
lost.

-d

On Thu, 16 Apr 2009, Jon Grant wrote:

> Hello
>
> I sftp'd to the wrong machine, and noticed there was no way to get out
> of it, ^C and ^D didn't do anything, they just submitted as a wrong
> password.
>
> d at -laptop:~/Documents/$ sftp mydomains.com
> Connecting to mydomains.com...
> d at mydomains.com's password:
> ^CPermission denied, please try again.
>
> ssh on the other hand does accept ^C. could the same be added to sftp?
>
> I'm not on this mailing list, so please include my email address in any replies.
> Best regards, Jon
>

From: jg at jguk.org (Jon Grant)
Date: Fri, 17 Apr 2009 13:50:07 +0200
Subject: ^C +C not working with sftp
In-Reply-To:
References: <19ac3f7a0904161406o9e284faxf7caf0008f67ff68@mail.gmail.com>
Message-ID: <19ac3f7a0904170450y1cc3852ei8f8d25f89dd8c6db@mail.gmail.com>

2009/4/17 Damien Miller :
> Please file a bug at http://bugzilla.mindrot.org/ so this doesn't get
> lost.

Ok. Filed as https://bugzilla.mindrot.org/show_bug.cgi?id=1590

Would be great if someone has time to look into adding ctrl+C support
to sftp.

I'm not on this mailing list so please include my email address in any
replies.

Regards, Jon
From: dave at boostpro.com (David Abrahams)
Date: Fri, 17 Apr 2009 10:17:40 -0400
Subject: MacOS ssh implementations slow
Message-ID: 

It appears that scp transfers to a Linux machine (even a VM running on the Mac) are about twice the speed of scp's to the Mac. This is true of both openssh 5.1p1 (supplied by Apple) and 5.2p1 (built from macports). Note that I'm not talking about anything having to do with DNS lookup; these measurements are dominated by raw transfer rate.

$ time /usr/bin/scp -r user at IP:directory /tmp

MacOS:
real 1m54.649s
user 0m1.879s
sys 0m1.680s

Linux:
real 1m8.447s
user 0m0.400s
sys 0m0.856s

Is this a known issue? Is there any way around it? Slow SSH is really intolerable, since I use it for everything.

Thanks in advance,
-- 
Dave Abrahams
BoostPro Computing
http://www.boostpro.com

From bbelnap at gmail.com Sat Apr 18 02:04:34 2009
From: bbelnap at gmail.com (Bob Belnap)
Date: Fri, 17 Apr 2009 10:04:34 -0600
Subject: Issues with ssh-agent connecting to a large number of hosts at once
Message-ID: <3be13d470904170904n45859c8fq78432cf096089a8@mail.gmail.com>

Hi,

I'm having problems with ssh-agent when I am connecting to a large number (several hundred) of hosts at once. I'm using kanif (http://taktuk.gforge.inria.fr/kanif/), which is a very nice package that distributes ssh connections across the hosts you are connecting to (a fan-out sort of approach, so all connections are not coming from one host). However, all hosts have to authenticate, so all the hosts have to wind their way back to the ssh-agent. This problem isn't isolated to just kanif, however. I see it when using other utilities that rely on many concurrent connections to the ssh-agent.

Running strace on the ssh-agent, things start out ok, then go sour and it starts spitting out:

read(160, 0xbf8f300a, 1024) = -1 EAGAIN (Resource temporarily unavailable)
read(160, 0xbf8f300a, 1024) = -1 EAGAIN (Resource temporarily unavailable)
read(160, 0xbf8f300a, 1024) = -1 EAGAIN (Resource temporarily unavailable)

while pegging the CPU.

Tracking the number of connections to the agent once every second (while true; do netstat -x | grep -c ; sleep 1) looks like:

5
5
5
35
98
154
155
200
287
287

At that point I kill the agent, but it will stick at that value if I don't. It's not always 287, but varies. I've seen it as high as 447 connections at once, but it's usually in the 200 range.

I've tried different ssh-agents on different kernels and machines, and haven't found a combination that works. However, it seems like most FreeBSD machines I've tried did not have the problem. Also, using Pageant on Windows does not have any issues (*gasp*).

It seems to me that I'm hitting some kind of kernel limit (open file limit perhaps?), but I've fiddled with every sysctl value I can find, and haven't found the right magic.

Anyone run into this or can offer further debugging suggestions? (btw, ssh -V shows: OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g)

Thanks.
--Bob

From 1.41421 at gmail.com Sat Apr 18 09:48:16 2009
From: 1.41421 at gmail.com (JCA)
Date: Fri, 17 Apr 2009 17:48:16 -0600
Subject: SCP client prints out "lost connection" error message occasionally
Message-ID: 

I am using the OpenSSH client (version 5.2p1) in a Linux box L to interact with an embedded SSH server S. When carrying out a recursive transfer from S to L by means of the scp command issued in L (S does not support sftp), the client occasionally prints out a "lost connection" error message at the very end of the transfer.

After some debugging I found out that the error message (as printed out from lostconn() in scp.c) occurs because the ssh process in L, spawned by the scp command, has already terminated, but the scp command still wants to write something to the pipe it uses to communicate with this ssh process.

I have observed a few things of interest here.

First, the traces for the SSH server in S reveal that, in all cases (i.e. whether or not the "lost connection" error is printed out by the client) the exchange gets successfully completed. All the files that have to be transferred are transferred all right, with no data missing in the transferred files. More to the point: the traces show that the server started the closing phase by sending an exit-status SSH_MSG_CHANNEL_REQUEST message followed by an SSH_MSG_CHANNEL_EOF message and an SSH_MSG_CHANNEL_CLOSE message, to which the OpenSSH client at L replies with an SSH_MSG_CHANNEL_CLOSE message of its own: the session is closed correctly, as far as the server in S is concerned.

Second, if I modify ssh.c in the OpenSSH code so that before exiting main() the program sleeps for one second, the "lost connection" error message never appears.

Third, the ssh process always exits with a 0 return value.

I can see this "lost connection" issue only when L and S are connected via a fast network. By this I mean that I don't see it with a 100Mbps or a 10Mbps network, but I do with a 1Gbps network.

Any ideas on how to characterize this further?

From bob at proulx.com Sat Apr 18 11:48:21 2009
From: bob at proulx.com (Bob Proulx)
Date: Fri, 17 Apr 2009 20:48:21 -0500
Subject: Issues with ssh-agent connecting to a large number of hosts at once
In-Reply-To: <3be13d470904170904n45859c8fq78432cf096089a8@mail.gmail.com>
References: <3be13d470904170904n45859c8fq78432cf096089a8@mail.gmail.com>
Message-ID: <20090418014821.GA6095@discord.proulx.com>

Bob Belnap wrote:
> It seems to me that I'm hitting some kind of kernel limit (open file limit
> perhaps?) But I've fiddled with every sysctl value I can find, and haven't
> found the right magic. Anyone run into this or can offer further debugging
> suggestions? (btw, ssh-v shows: OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL
> 0.9.8g)

I don't have a perfect understanding of this, but not seeing anyone else say anything I will jump in and make some suggestions, imperfect though they will be.

Different types of kernels will handle this differently, which will account for why different systems behave differently. But most have a limited amount of memory available for network resources. Quickly opening and closing network connections can cause memory to be consumed at a high rate. Once the available memory is exceeded, system calls fail for being out of resources until more resources are available. This is what you are seeing.

Why do resources become consumed? Look at RFC793 and you will find the TCP state diagram. Look particularly at the TIME_WAIT state. You are probably creating many connections hanging around in the TIME_WAIT state after they are closed and until the timeout. Each of those consumes network memory. You can see these connections by looking at the state reported by netstat (e.g. 'netstat | grep TIME_WAIT'). If you see many connections in the TIME_WAIT state then this is what you are running into. In many kernels with a limited amount of network resources this limits the rate at which connections may be created and closed.

I am not familiar with TakTuk but it appears to try to avoid this problem by spreading the load around. That is good. But perhaps you are still exceeding the system limits. It appears to me that you are.

This isn't really particular to ssh but is generic to anything that creates TCP connections. Since ssh uses TCP it has the same limitation as any other program that uses TCP and leaves connections in the TIME_WAIT state until they timeout and their resources are reclaimed.

Hope that helps.

Bob

From tcreedon at easystreet.net Mon Apr 20 03:29:02 2009
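The two checks this thread relies on, the once-a-second connection count from the first message and the 'netstat | grep TIME_WAIT' test suggested above, packaged as small shell functions. This is an added example, not code from the thread, from kanif or from OpenSSH. Both samples are constructed to look like Linux net-tools netstat output (the 'netstat -tan' TCP layout and the 'netstat -x' UNIX-socket layout); nothing here was captured from the poster's machines, and the agent socket path is a made-up placeholder. States are matched as whole tokens, so the functions work on both layouts even though the state sits in a different column in each.

```shell
#!/bin/sh
# Added example, not code from the thread. Tally socket states from netstat
# style output so that "how many connections are stuck in TIME_WAIT" and
# "how many clients are attached to the agent socket" become one pipeline.

# Constructed sample in the layout of 'netstat -tan' (TCP, numeric, all).
SAMPLE_TCP='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:51234          10.0.0.21:22            ESTABLISHED
tcp        0      0 10.0.0.5:51235          10.0.0.22:22            ESTABLISHED
tcp        0      0 10.0.0.5:51101          10.0.0.23:22            TIME_WAIT
tcp        0      0 10.0.0.5:51102          10.0.0.24:22            TIME_WAIT
tcp        0      0 10.0.0.5:51103          10.0.0.25:22            TIME_WAIT
tcp        0      0 10.0.0.5:51300          10.0.0.26:22            SYN_SENT'

# Constructed sample in the layout of 'netstat -x' (UNIX domain sockets), the
# view that matters for clients queued on an ssh-agent socket. The socket path
# is a placeholder, not a real agent socket.
SAMPLE_UNIX='Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         STREAM     CONNECTED     123456   /tmp/ssh-example/agent.4242
unix  3      [ ]         STREAM     CONNECTED     123457   /tmp/ssh-example/agent.4242
unix  2      [ ]         STREAM     CONNECTING    123458   /tmp/ssh-example/agent.4242'

# Socket states netstat reports, TCP (RFC 793 names) and UNIX-domain alike.
KNOWN_STATES='LISTEN ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT CLOSE_WAIT LAST_ACK CLOSING CLOSE CONNECTED CONNECTING LISTENING DISCONNECTING'

# count_state STATE: read netstat output on stdin and print how many rows are
# in STATE. The state is matched as a whole token, so the column position does
# not matter and the "State" header word never counts.
count_state() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++) if ($i == want) { n++; break } }
        END { print n + 0 }'
}

# state_histogram: read netstat output on stdin and print "COUNT STATE" for
# every state seen, most frequent first (ties broken by state name).
state_histogram() {
    awk -v list="$KNOWN_STATES" '
        BEGIN { split(list, k, " "); for (i in k) known[k[i]] = 1 }
        { for (i = 1; i <= NF; i++) if ($i in known) { c[$i]++; break } }
        END { for (s in c) print c[s], s }' | sort -k1,1nr -k2,2
}

# count_for_path PATH: rows whose last field is PATH, e.g. an agent socket,
# in any state. This is the number the first message sampled once a second.
count_for_path() {
    awk -v path="$1" '$NF == path { n++ } END { print n + 0 }'
}

# Usage against the constructed samples. On a live host replace the printf
# with 'netstat -tan' or 'netstat -x' (assumption: Linux net-tools netstat).
printf '%s\n' "$SAMPLE_TCP" | state_histogram
printf 'TIME_WAIT: %s\n' "$(printf '%s\n' "$SAMPLE_TCP" | count_state TIME_WAIT)"
printf 'agent clients: %s\n' "$(printf '%s\n' "$SAMPLE_UNIX" | count_for_path /tmp/ssh-example/agent.4242)"
```

To reproduce the poster's sampling loop, wrap the last line in 'while true; do ...; sleep 1; done' and watch whether the count climbs and then sticks. Note that 'ss -tan' on newer systems prints abbreviated names such as ESTAB and TIME-WAIT, so KNOWN_STATES would need those spellings added before the histogram sees them.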
From: tcreedon at easystreet.net (Ted Creedon) Date: Sun, 19 Apr 2009 10:29:02 -0700 Subject: ssh_gssapi_check_mechanism fails In-Reply-To: <20090417205801.GB19971@astro.su.se> References: <20090417205801.GB19971@astro.su.se> Message-ID: 4 servers all running various versions of OpenSuse and all have openssh5.2.p1 I have complete control on the configurations, including kerberos. RIght now I'd like to get gssapi working consistently and then move to implementing Russ Alberry's pam_krb5 module. For debugging I'l looking at krb5kdc.log on the krb5 server as well as strace of both openssh clients and servers. There needs to be better error messaging from openssh for sure. Should I upgrade all the servers to the same version of gssapi? server ookpik openSUSE 11.1 (x86_64) VERSION = 11.1 /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/sasl2/libgssapiv2.so /usr/lib64/sasl2/libgssapiv2.so.2 /usr/lib64/sasl2/libgssapiv2.so.2.0.22 server nuiqsut openSUSE 11.1 (i586) VERSION = 11.1 /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib/sasl2/libgssapiv2.so /usr/lib/sasl2/libgssapiv2.so.2 /usr/lib/sasl2/libgssapiv2.so.2.0.22 server redcloud SUSE LINUX 10.1 (X86-64) VERSION = 10.1 /lib/modules/2.6.16.27-0.9-default/kernel/net/sunrpc/auth_gss/rpcsec_gss_krb5.ko /lib/modules/2.6.16.27-0.9-xen/kernel/net/sunrpc/auth_gss/rpcsec_gss_krb5.ko /lib/security/pam_krb5.so /lib/security/pam_krb5afs.so /lib64/security/pam_krb5 /lib64/security/pam_krb5.so /lib64/security/pam_krb5/pam_krb5_storetmp /lib64/security/pam_krb5afs.so /usr/lib/baselibs-32bit/bin/krb5-config /usr/lib/freeradius/rlm_krb5-1.1.0.so /usr/lib/freeradius/rlm_krb5.so /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib/libkrb5.so /usr/lib/libkrb5.so.3 /usr/lib/libkrb5.so.3.2 
/usr/lib/libkrb5support.so /usr/lib/libkrb5support.so.0 /usr/lib/libkrb5support.so.0.0 /usr/lib/mit/bin/krb5-config /usr/lib/mit/bin/krb524init /usr/lib/mit/sbin/krb5-send-pr /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/libkrb5.so /usr/lib64/libkrb5.so.3 /usr/lib64/libkrb5.so.3.2 /usr/lib64/libkrb5support.so /usr/lib64/libkrb5support.so.0 /usr/lib64/libkrb5support.so.0.0 /usr/lib64/postgresql/backup/libkrb5.so.17 server geronimo openSUSE 10.3 (X86-64) VERSION = 10.3 /usr/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so.2.2 /usr/lib64/libgssapi.a /usr/lib64/libgssapi.la /usr/lib64/libgssapi.so /usr/lib64/libgssapi.so.2 /usr/lib64/libgssapi.so.2.0.0 /usr/lib64/libgssapi_krb5.so /usr/lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so.2.2 /usr/lib64/pkgconfig/libgssapi.pc /usr/lib64/sasl2/libgssapiv2.so /usr/lib64/sasl2/libgssapiv2.so.2 /usr/lib64/sasl2/libgssapiv2.so.2.0.22 From tcreedon at easystreet.net Mon Apr 20 04:05:22 2009 
From: tcreedon at easystreet.net (Ted Creedon) Date: Sun, 19 Apr 2009 11:05:22 -0700 Subject: Stack trace dor gssapi-with-mic Message-ID: I think I had better update akk the kerberos and gssapi to the latest? Please advise. Thanks Tedc ssh -vvv admin at geronimo.creedon.biz <<<<<<<>>>>>>>> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/identity ((nil)) debug2: key: /root/.ssh/id_rsa (0x568da0) debug2: key: /root/.ssh/id_dsa (0x568dc0) debug1: Authentications that can continue: gssapi-with-mic debug3: start over, passed a different list gssapi-with-mic debug3: preferred gssapi-with-mic debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic *** glibc detected *** ssh: double free or corruption (!prev): 0x0000000000574a20 *** ======= Backtrace: ========= /lib64/libc.so.6[0x2b044f62537e] /lib64/libc.so.6(__libc_free+0x6c)[0x2b044f62699c] /usr/lib64/libkrb5.so.3(krb5_free_cred_contents+0x6d)[0x2b044f1620cd] /usr/lib64/libkrb5.so.3(krb5_free_creds+0x9)[0x2b044f162139] /usr/lib64/libkrb5.so.3(krb5_free_tgt_creds+0x1d)[0x2b044f16216d] /usr/lib64/libkrb5.so.3(krb5_get_credentials+0x209)[0x2b044f15d299] /usr/lib64/libgssapi_krb5.so.2(krb5_gss_init_sec_context+0x998)[0x2b044f00ed68] ssh[0x433b09] ssh[0x433d3b] ssh[0x412c83] ssh[0x412e86] ssh[0x42d2ca] ssh[0x4139a8] ssh[0x40e407] ssh[0x4071ee] /lib64/libc.so.6(__libc_start_main+0xf4)[0x2b044f5d7154] ssh[0x405d69] ======= Memory map: ======== 00400000-0044f000 r-xp 00000000 08:05 571523 /usr/bin/ssh 0054f000-00551000 rw-p 0004f000 08:05 571523 /usr/bin/ssh 00551000-00596000 rw-p 00551000 00:00 0 [heap] 2b044e6c7000-2b044e6e2000 r-xp 00000000 08:05 33837 /lib64/ld-2.4.so 2b044e6e2000-2b044e6e4000 rw-p 2b044e6e2000 00:00 0 2b044e7e2000-2b044e7e4000 rw-p 0001b000 08:05 33837 /lib64/ld-2.4.so 2b044e7e4000-2b044e922000 r-xp 00000000 08:05 110687 
/usr/lib64/libcrypto.so.0.9.8 2b044e922000-2b044ea21000 ---p 0013e000 08:05 110687 /usr/lib64/libcrypto.so.0.9.8 2b044ea21000-2b044ea44000 rw-p 0013d000 08:05 110687 /usr/lib64/libcrypto.so.0.9.8 2b044ea44000-2b044ea47000 rw-p 2b044ea44000 00:00 0 2b044ea47000-2b044ea7c000 r--s 00000000 08:05 570425 /var/run/nscd/passwd 2b044ea86000-2b044ea88000 r-xp 00000000 08:05 33878 /lib64/libutil-2.4.so 2b044ea88000-2b044eb87000 ---p 00002000 08:05 33878 /lib64/libutil-2.4.so 2b044eb87000-2b044eb89000 rw-p 00001000 08:05 33878 /lib64/libutil-2.4.so 2b044eb89000-2b044eb9d000 r-xp 00000000 08:05 48294 /lib64/libz.so.1.2.3 2b044eb9d000-2b044ec9c000 ---p 00014000 08:05 48294 /lib64/libz.so.1.2.3 2b044ec9c000-2b044ec9d000 rw-p 00013000 08:05 48294 /lib64/libz.so.1.2.3 2b044ec9d000-2b044ecb0000 r-xp 00000000 08:05 33855 /lib64/libnsl-2.4.so 2b044ecb0000-2b044edaf000 ---p 00013000 08:05 33855 /lib64/libnsl-2.4.so 2b044edaf000-2b044edb1000 rw-p 00012000 08:05 33855 /lib64/libnsl-2.4.so 2b044edb1000-2b044edb4000 rw-p 2b044edb1000 00:00 0 2b044edb4000-2b044edbd000 r-xp 00000000 08:05 33848 /lib64/libcrypt-2.4.so 2b044edbd000-2b044eebc000 ---p 00009000 08:05 33848 /lib64/libcrypt-2.4.so 2b044eebc000-2b044eebf000 rw-p 00008000 08:05 33848 /lib64/libcrypt-2.4.so 2b044eebf000-2b044eeed000 rw-p 2b044eebf000 00:00 0 2b044eeed000-2b044eefe000 r-xp 00000000 08:05 33872 /lib64/libresolv-2.4.so 2b044eefe000-2b044effd000 ---p 00011000 08:05 33872 /lib64/libresolv-2.4.so 2b044effd000-2b044efff000 rw-p 00010000 08:05 33872 /lib64/libresolv-2.4.so 2b044efff000-2b044f001000 rw-p 2b044efff000 00:00 0 2b044f001000-2b044f018000 r-xp 00000000 08:05 79430 /usr/lib64/libgssapi_krb5.so.2.2 2b044f018000-2b044f118000 ---p 00017000 08:05 79430 /usr/lib64/libgssapi_krb5.so.2.2 2b044f118000-2b044f119000 rw-p 00017000 08:05 79430 /usr/lib64/libgssapi_krb5.so.2.2 2b044f119000-2b044f11a000 rw-p 2b044f119000 00:00 0 2b044f11a000-2b044f18e000 r-xp 00000000 08:05 79444 /usr/lib64/libkrb5.so.3.2 
2b044f18e000-2b044f28d000 ---p 00074000 08:05 79444 /usr/lib64/libkrb5.so.3.2 2b044f28d000-2b044f291000 rw-p 00073000 08:05 79444 /usr/lib64/libkrb5.so.3.2 2b044f291000-2b044f2b3000 r-xp 00000000 08:05 79434 /usr/lib64/libAborted From Sergio.Gelato at astro.su.se Mon Apr 20 06:10:17 2009 
From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Sun, 19 Apr 2009 22:10:17 +0200 Subject: Stack trace dor gssapi-with-mic In-Reply-To: References: Message-ID: <20090419201017.GA1845@astro.su.se> * Ted Creedon [2009-04-19 11:05:22 -0700]: > I think I had better update akk the kerberos and gssapi to the latest? > > Please advise. > > Thanks > > Tedc > ssh -vvv admin at geronimo.creedon.biz > <<<<<<<>>>>>>>> > debug2: service_accept: ssh-userauth > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug2: key: /root/.ssh/identity ((nil)) > debug2: key: /root/.ssh/id_rsa (0x568da0) > debug2: key: /root/.ssh/id_dsa (0x568dc0) > debug1: Authentications that can continue: gssapi-with-mic > debug3: start over, passed a different list gssapi-with-mic > debug3: preferred gssapi-with-mic > debug3: authmethod_lookup gssapi-with-mic > debug3: remaining preferred: > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > *** glibc detected *** ssh: double free or corruption (!prev): > 0x0000000000574a20 *** > ======= Backtrace: ========= > /lib64/libc.so.6[0x2b044f62537e] > /lib64/libc.so.6(__libc_free+0x6c)[0x2b044f62699c] > /usr/lib64/libkrb5.so.3(krb5_free_cred_contents+0x6d)[0x2b044f1620cd] > /usr/lib64/libkrb5.so.3(krb5_free_creds+0x9)[0x2b044f162139] > /usr/lib64/libkrb5.so.3(krb5_free_tgt_creds+0x1d)[0x2b044f16216d] > /usr/lib64/libkrb5.so.3(krb5_get_credentials+0x209)[0x2b044f15d299] > /usr/lib64/libgssapi_krb5.so.2(krb5_gss_init_sec_context+0x998)[0x2b044f00ed68] This looks like a client-side problem. Is the client also running some version of SuSE? At this point I would look at the source code for the MIT Kerberos package (the exact version installed on your client) and work out what must have been happening. Running the ssh client under valgrind may also prove instructive. Does your ccache contain a ticket for host/geronimo.creedon.biz after the error? From tcreedon at easystreet.net Mon Apr 20 07:52:45 2009 
From: tcreedon at easystreet.net (Ted Creedon) Date: Sun, 19 Apr 2009 14:52:45 -0700 Subject: Stack trace dor gssapi-with-mic In-Reply-To: <20090419201017.GA1845@astro.su.se> References: <20090419201017.GA1845@astro.su.se> Message-ID: I think there are two problems: 1. geronimo.creedon.biz reverse dnslookups as a comcast uri (its on a comcast dhcp line) - the forward dns is set up using dyndns. Look at the garbled klist below.. 2. all the servers are suse's - 10.0 thru 11.1 see the previous or I can update all to 11.1.. ted redcloud:~ # ping geronimo.creedon.biz PING geronimo.creedon.biz (71.236.188.74) 56(84) bytes of data. 64 bytes from c-71-236-188-74.hsd1.or.comcast.net (71.236.188.74): icmp_seq=1 ttl=62 time=27.4 ms kinit -f root ssh -vvv geronimo.creedon.biz debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic *** glibc detected *** ssh: double free or corruption (!prev): 0x0000000000574b60 *** ======= Backtrace: ========= /lib64/libc.so.6[0x2b790e29237e] /lib64/libc.so.6(__libc_free+0x6c)[0x2b790e29399c] /usr/lib64/libkrb5.so.3(krb5_free_cred_contents+0x6d)[0x2b790ddcf0cd] /usr/lib64/libkrb5.so.3(krb5_free_creds+0x9)[0x2b790ddcf139] /usr/lib64/libkrb5.so.3(krb5_free_tgt_creds+0x1d)[0x2b790ddcf16d] /usr/lib64/libkrb5.so.3(krb5_get_credentials+0x209)[0x2b790ddca299] /usr/lib64/libgssapi_krb5.so.2(krb5_gss_init_sec_context+0x998)[0x2b790dc7bd68] ssh[0x433b09] ssh[0x433d3b] ssh[0x412c83] ssh[0x412e86] ssh[0x42d2ca] ssh[0x4139a8] ssh[0x40e407] ssh[0x4071ee] /lib64/libc.so.6(__libc_start_main+0xf4)[0x2b790e244154] ssh[0x405d69] ======= Memory map: ======== 00400000-0044f000 r-xp 00000000 08:05 571523 /usr/bin/ssh 0054f000-00551000 rw-p 0004f000 08:05 571523 /usr/bin/ssh 00551000-00596000 rw-p 00551000 00:00 0 [heap] 2b790d334000-2b790d34f000 r-xp 00000000 08:05 33837 /lib64/ld-2.4.so 2b790d34f000-2b790d351000 rw-p 2b790d34f000 00:00 0 2b790d44f000-2b790d451000 rw-p 0001b000 08:05 33837 /lib64/ld-2.4.so 
2b790d451000-2b790d58f000 r-xp 00000000 08:05 110687 /usr/lib64/libcrypto.so.0.9.8 2b790d58f000-2b790d68e000 ---p 0013e000 08:05 110687 /usr/lib64/libcrypto.so.0.9.8 2b790d68e000-2b790d6b1000 rw-p 0013d000 08:05 110687 /usr/lib64/libcrypto.so.0.9.8 2b790d6b1000-2b790d6b4000 rw-p 2b790d6b1000 00:00 0 2b790d6b4000-2b790d6e9000 r--s 00000000 08:05 570797 /var/run/nscd/passwd 2b790d6f3000-2b790d6f5000 r-xp 00000000 08:05 33878 /lib64/libutil-2.4.so 2b790d6f5000-2b790d7f4000 ---p 00002000 08:05 33878 /lib64/libutil-2.4.so 2b790d7f4000-2b790d7f6000 rw-p 00001000 08:05 33878 /lib64/libutil-2.4.so 2b790d7f6000-2b790d80a000 r-xp 00000000 08:05 48294 /lib64/libz.so.1.2.3 2b790d80a000-2b790d909000 ---p 00014000 08:05 48294 /lib64/libz.so.1.2.3 2b790d909000-2b790d90a000 rw-p 00013000 08:05 48294 /lib64/libz.so.1.2.3 2b790d90a000-2b790d91d000 r-xp 00000000 08:05 33855 /lib64/libnsl-2.4.so 2b790d91d000-2b790da1c000 ---p 00013000 08:05 33855 /lib64/libnsl-2.4.so 2b790da1c000-2b790da1e000 rw-p 00012000 08:05 33855 /lib64/libnsl-2.4.so 2b790da1e000-2b790da21000 rw-p 2b790da1e000 00:00 0 2b790da21000-2b790da2a000 r-xp 00000000 08:05 33848 /lib64/libcrypt-2.4.so 2b790da2a000-2b790db29000 ---p 00009000 08:05 33848 /lib64/libcrypt-2.4.so 2b790db29000-2b790db2c000 rw-p 00008000 08:05 33848 /lib64/libcrypt-2.4.so 2b790db2c000-2b790db5a000 rw-p 2b790db2c000 00:00 0 2b790db5a000-2b790db6b000 r-xp 00000000 08:05 33872 /lib64/libresolv-2.4.so 2b790db6b000-2b790dc6a000 ---p 00011000 08:05 33872 /lib64/libresolv-2.4.so 2b790dc6a000-2b790dc6c000 rw-p 00010000 08:05 33872 /lib64/libresolv-2.4.so 2b790dc6c000-2b790dc6e000 rw-p 2b790dc6c000 00:00 0 2b790dc6e000-2b790dc85000 r-xp 00000000 08:05 79430 /usr/lib64/libgssapi_krb5.so.2.2 2b790dc85000-2b790dd85000 ---p 00017000 08:05 79430 /usr/lib64/libgssapi_krb5.so.2.2 2b790dd85000-2b790dd86000 rw-p 00017000 08:05 79430 /usr/lib64/libgssapi_krb5.so.2.2 2b790dd86000-2b790dd87000 rw-p 2b790dd86000 00:00 0 2b790dd87000-2b790ddfb000 r-xp 00000000 08:05 
79444 /usr/lib64/libkrb5.so.3.2 2b790ddfb000-2b790defa000 ---p 00074000 08:05 79444 /usr/lib64/libkrb5.so.3.2 2b790defa000-2b790defe000 rw-p 00073000 08:05 79444 /usr/lib64/libkrb5.so.3.2 2b790defe000-2b790df20000 r-xp 00000000 08:05 79434 /usr/lib64/libk5crypto.so.3.0 2b790df20000-2b790e01f000 ---p 00022000 08:05 79434 /usr/lib64/libk5crypto.so.3.0 2b790e01f000-2b790e021000 rw-p 00021000 08:05 79434 /usr/lib64/libk5crypto.so.3.0 2b790e021000-2b790e024000 r-xp 00000000 08:05 79446 /usr/lib64/libkrb5support.so.0.0 2b790e024000-2b790e123000 ---p 00003000 08:05 79446 /usr/lib64/libkrb5support.so.0.0 2b790e123000-2b790e124000 rw-p 00002000 08:05 79446 /usr/lib64/libkrb5support.so.0.0 2b790e124000-2b790e125000 rw-p 2b790e124000 00:00 0 2b790e125000-2b790e127000 r-Aborted redcloud:~ # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: root at CREEDON.BIZ Valid starting Expires Service principal 04/19/09 14:42:40 04/19/09 15:42:40 krbtgt/CREEDON.BIZ at CREEDON.BIZ renew until 04/19/09 15:42:40 04/19/09 14:43:00 04/19/09 15:42:40 /\@UW\0\0\0\0\0ST.NET at UW\0\0\0\0\0BIZ for client @GW\0\0\0\0\0BIZ, renew until 04/19/09 15:42:40 From dan at nf15.lightwave.net.ru Mon Apr 20 08:43:32 2009 
From: dan at nf15.lightwave.net.ru (Dan Yefimov) Date: Mon, 20 Apr 2009 02:43:32 +0400 Subject: Stack trace dor gssapi-with-mic In-Reply-To: References: <20090419201017.GA1845@astro.su.se> Message-ID: <49EBA914.10706@nf15.lightwave.net.ru> On 20.04.2009 1:52, Ted Creedon wrote: > > debug3: authmethod_is_enabled gssapi-with-mic > debug1: Next authentication method: gssapi-with-mic > *** glibc detected *** ssh: double free or corruption (!prev): > 0x0000000000574b60 *** > ======= Backtrace: ========= > /lib64/libc.so.6[0x2b790e29237e] > /lib64/libc.so.6(__libc_free+0x6c)[0x2b790e29399c] > /usr/lib64/libkrb5.so.3(krb5_free_cred_contents+0x6d)[0x2b790ddcf0cd] > /usr/lib64/libkrb5.so.3(krb5_free_creds+0x9)[0x2b790ddcf139] > /usr/lib64/libkrb5.so.3(krb5_free_tgt_creds+0x1d)[0x2b790ddcf16d] > /usr/lib64/libkrb5.so.3(krb5_get_credentials+0x209)[0x2b790ddca299] > /usr/lib64/libgssapi_krb5.so.2(krb5_gss_init_sec_context+0x998)[0x2b790dc7bd68] According to above lines, the problem is in /usr/lib64/libkrb5.so.3. So the solution should be first upgrading Kerberos up to the latest available version, and if that doesn't help, digging into Kerberos source. Most probably the problem is that krb5_free_cred_contents() doesn't reset some pointer to NULL after calling free() on it's target. -- Sincerely Your, Dan. From tcreedon at easystreet.net Mon Apr 20 09:09:38 2009 
From: tcreedon at easystreet.net (Ted Creedon) Date: Sun, 19 Apr 2009 16:09:38 -0700 Subject: Stack trace dor gssapi-with-mic In-Reply-To: <49EBA914.10706@nf15.lightwave.net.ru> References: <20090419201017.GA1845@astro.su.se> <49EBA914.10706@nf15.lightwave.net.ru> Message-ID: I'm going to update all my servers to the latest - will take a day or so.. thanks ted On Sun, Apr 19, 2009 at 3:43 PM, Dan Yefimov wrote: > On 20.04.2009 1:52, Ted Creedon wrote: > > > > debug3: authmethod_is_enabled gssapi-with-mic > > debug1: Next authentication method: gssapi-with-mic > > *** glibc detected *** ssh: double free or corruption (!prev): > > 0x0000000000574b60 *** > > ======= Backtrace: ========= > > /lib64/libc.so.6[0x2b790e29237e] > > /lib64/libc.so.6(__libc_free+0x6c)[0x2b790e29399c] > > /usr/lib64/libkrb5.so.3(krb5_free_cred_contents+0x6d)[0x2b790ddcf0cd] > > /usr/lib64/libkrb5.so.3(krb5_free_creds+0x9)[0x2b790ddcf139] > > /usr/lib64/libkrb5.so.3(krb5_free_tgt_creds+0x1d)[0x2b790ddcf16d] > > /usr/lib64/libkrb5.so.3(krb5_get_credentials+0x209)[0x2b790ddca299] > > > /usr/lib64/libgssapi_krb5.so.2(krb5_gss_init_sec_context+0x998)[0x2b790dc7bd68] > > According to above lines, the problem is in /usr/lib64/libkrb5.so.3. So the > solution should be first upgrading Kerberos up to the latest available > version, > and if that doesn't help, digging into Kerberos source. Most probably the > problem is that krb5_free_cred_contents() doesn't reset some pointer to > NULL > after calling free() on it's target. > -- > > Sincerely Your, Dan. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From Sergio.Gelato at astro.su.se Mon Apr 20 17:47:26 2009 
From: Sergio.Gelato at astro.su.se (Sergio Gelato) Date: Mon, 20 Apr 2009 09:47:26 +0200 Subject: Stack trace dor gssapi-with-mic In-Reply-To: References: <20090419201017.GA1845@astro.su.se> Message-ID: <20090420074725.GA6638@hanuman.astro.su.se> * Ted Creedon [2009-04-19 14:52:45 -0700]: > I think there are two problems: > 1. geronimo.creedon.biz reverse dnslookups as a comcast uri (its on a > comcast dhcp line) - the forward dns is set up using dyndns. Look at the > garbled klist below.. Both the stack trace and the garbled klist point to a serious problem with the installation of MIT Kerberos on redcloud. (I assume your klist is MIT Kerberos like the libraries ssh is linked against.) The DNS forward/reverse mismatch is not a sufficient explanation for that klist output; a corrupt credentials cache is more likely. (The timestamps look correct, though; only the principals for that second ticket don't make sense.) Try purging and reinstalling the Kerberos RPMs on redcloud. If this were a fundamental problem with SuSE 10.1 I'd think it would have been reported by others. Check also the contents of /etc/krb5.conf. Try testing basic Kerberos functionality independently of ssh. For example, does aklog work for you? If it does, then maybe only the GSSAPI library (which aklog doesn't use) is bad. > redcloud:~ # klist > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: root at CREEDON.BIZ > > Valid starting Expires Service principal > 04/19/09 14:42:40 04/19/09 15:42:40 krbtgt/CREEDON.BIZ at CREEDON.BIZ > renew until 04/19/09 15:42:40 > 04/19/09 14:43:00 04/19/09 15:42:40 /\@UW\0\0\0\0\0ST.NET at UW\0\0\0\0\0BIZ > for client @GW\0\0\0\0\0BIZ, renew until 04/19/09 15:42:40 > From bbelnap at gmail.com Tue Apr 21 00:21:46 2009 
From: bbelnap at gmail.com (Bob Belnap) Date: Mon, 20 Apr 2009 08:21:46 -0600 Subject: Issues with ssh-agent connecting to a large number of hosts at once In-Reply-To: <20090418014821.GA6095@discord.proulx.com> References: <3be13d470904170904n45859c8fq78432cf096089a8@mail.gmail.com> <20090418014821.GA6095@discord.proulx.com> Message-ID: <3be13d470904200721q7b51ac13vfc01163c9d879805@mail.gmail.com> Thanks Bob, for your detailed and informative response. Comments inline... On Fri, Apr 17, 2009 at 7:48 PM, Bob Proulx wrote: > I don't have a perfect understanding of this but not seeing anyone > else say anything I will jump in and make some suggestions imperfect > though they will be. Different types of kernels will handle this > differently and will account for why different systems behave > differently. But most have a limited amount of memory available for > network resources. Quickly opening and closing network connections > can cause memory to be consumed at a high right. Once the available > memory is exceeded system calls fail for being out of resources until > more resources are available. This is what you are seeing. > > Why do resources become consumed? Look at RFC793 and you will find > the TCP state diagram. Look particularly at the TIME_WAIT state. You > are probably creating many connections hanging around in the TIME_WAIT > state after they are closed and until the timeout. Each of those > consumes network memory. You can see these connections by looking at > the state reported by netstat. (e.g. 'netstat | grep TIME_WAIT') If > you see many connections in the TIME_WAIT state then this is what you > are running into. In many kernels with a limited amount of network > resources this limits the rate at which connections may be created and > closed. > Connections aren't in the TIME_WAIT state, they are either CONNECTED or CONNECTING (about evenly split) > This isn't really particular to ssh but is generic to anything that > creates TCP connections. 
Since ssh uses TCP it has the same > limitation as any other program that uses TCP and leaves connections > in the TIME_WAIT state until they timeout and their resources are > reclaimed. Yes, I realize this is not an issue with ssh in particular, but since it is triggered by ssh, I had hoped this group could more easily point out what limit is being triggered. I am continuing to research the issue.. --Bob From tcreedon at easystreet.net Tue Apr 21 01:01:14 2009 
From: tcreedon at easystreet.net (Ted Creedon) Date: Mon, 20 Apr 2009 08:01:14 -0700 Subject: Stack trace dor gssapi-with-mic In-Reply-To: <20090420074725.GA6638@hanuman.astro.su.se> References: <20090419201017.GA1845@astro.su.se> <20090420074725.GA6638@hanuman.astro.su.se> Message-ID: I'm running OpenAFS which relies on krb5 The garbled cc is a surprise to me too.. It does not explain the inconsistencies between the other 3 servers though Best bet is to get to the latest of everything..It'll take a day or so.. thanks tedc On Mon, Apr 20, 2009 at 12:47 AM, Sergio Gelato wrote: > * Ted Creedon [2009-04-19 14:52:45 -0700]: > > I think there are two problems: > > 1. geronimo.creedon.biz reverse dnslookups as a comcast uri (its on a > > comcast dhcp line) - the forward dns is set up using dyndns. Look at the > > garbled klist below.. > > Both the stack trace and the garbled klist point to a serious problem > with the installation of MIT Kerberos on redcloud. (I assume your klist is > MIT Kerberos like the libraries ssh is linked against.) The DNS > forward/reverse > mismatch is not a sufficient explanation for that klist output; a > corrupt credentials cache is more likely. (The timestamps look correct, > though; only the principals for that second ticket don't make sense.) > > Try purging and reinstalling the Kerberos RPMs on redcloud. If this > were a fundamental problem with SuSE 10.1 I'd think it would have been > reported by others. > > Check also the contents of /etc/krb5.conf. > > Try testing basic Kerberos functionality independently of ssh. > For example, does aklog work for you? If it does, then maybe only the > GSSAPI library (which aklog doesn't use) is bad. 
> > > redcloud:~ # klist > > Ticket cache: FILE:/tmp/krb5cc_0 > > Default principal: root at CREEDON.BIZ > > > > Valid starting Expires Service principal > > 04/19/09 14:42:40 04/19/09 15:42:40 krbtgt/CREEDON.BIZ at CREEDON.BIZ > > renew until 04/19/09 15:42:40 > > 04/19/09 14:43:00 04/19/09 15:42:40 /\@UW\0\0\0\0\0ST.NET > @UW\0\0\0\0\0BIZ > > for client @GW\0\0\0\0\0BIZ, renew until 04/19/09 15:42:40 > > > From djm at mindrot.org Tue Apr 21 11:52:37 2009 From: djm at mindrot.org (Damien Miller) Date: Tue, 21 Apr 2009 11:52:37 +1000 (EST) Subject: Summer of Code student for OpenSSH: Carlos Silva Message-ID: Hi, We are delighted to accept Carlos Silva's proposal to renovate sftp(1) as part of the Google Summer of Code. Many of the ~40 applications we received were of high quality and choosing the best one from the top five was particularly difficult. Unfortunately, since this is our first time through the GSoC and because we only have one "full-time" mentor (me), we are only able to host one student this year. Otherwise we would have happily taken more -- the quality of the best applications was very high. I hope that the other student applicants are not discouraged and I invite them to apply again next year or, if they are interested, to look at contributing to OpenSSH outside the GSoC - there are plenty of small bugs at https://bugzilla.mindrot.org/ that need love :) -d From mackyle at gmail.com Tue Apr 21 12:12:32 2009 
From: mackyle at gmail.com (Kyle McKay)
Date: Mon, 20 Apr 2009 19:12:32 -0700
Subject: ssh localhost yes | true
Message-ID: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com>

Referring to "CLOSED FIXED" Bug 85:

https://bugzilla.mindrot.org/show_bug.cgi?id=85

Assuming that you have your machine set up so that the following commands run without prompting:

ssh -2 localhost pwd
ssh -1 localhost pwd

Then this command:

ssh -1 localhost yes | true

always produces this output:

Write failed flushing stdout buffer.
write stdout: Broken pipe

Yet this command has varying behavior:

ssh -2 localhost yes | true

Sometimes it returns right away without producing any output at all (which begs the question why the output is so different between -1 and -2, but that's not the primary question of this email).

The no-output case happens on Ubuntu where the output of ssh -V is:

OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007

The same thing happens when running both server AND client from a MacPorts installation where the output of ssh -V is:

OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009

HOWEVER, the "ssh -2 localhost yes | true" command just hangs indefinitely on Mac OS X 10.5.6 where the output of ssh -V is:

OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006

It turns out that it's the version of sshd that seems to matter as the older ssh OpenSSL 0.9.7l client talking to a newer sshd daemon doesn't hang (and the logs at the end of this message seem to bear that out).

Now back to the "CLOSED FIXED" Bug 85. The last comment is:

---- Comment #9 From Damien Miller 2008-07-22 12:06:22 ----
Mass update RESOLVED->CLOSED after release of openssh-5.1

The problem ssh version on Mac OS X is marked "OpenSSH_5.1p1" and yet it clearly has the bug. The comment on Bug 85 leads me to believe it should have the fix but the date of the comment suggests that it might not (which turns out to be the case). And the bug doesn't mention any dependency on any configure options or on a particular version of OpenSSL for the fix.

Can anyone shed some light on how to tell based on the versions reported by ssh -V / sshd -V whether or not the hanging problem will be present?

And is there any way to see the OpenSSL version of the remote sshd via ssh from another host? (The -v option to ssh only reports "remote software version OpenSSH_5.1" and does not include the OpenSSL version.)

Thanks,
Kyle

P.S. No, I don't actually need to run "ssh localhost yes | true" however I often use Subversion with the svn+ssh protocol and the recent Subversion fix for issue 2580 creates a situation very much like "ssh localhost yes | true" where the ssh process never exits.

http://subversion.tigris.org/issues/show_bug.cgi?id=2580

P.P.S. The last part of the debug log from ssh client when it hangs:

...
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
debug2: channel 0: output open -> closed
connection hangs at this point

and sshd log looks like this:

...
debug1: server_input_channel_req: channel 0 request eow at openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
connection hangs at this point

whereas when it doesn't hang, ssh client log looks like this:

...
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
debug2: channel 0: output open -> closed
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
debug2: channel 0: rcvd eow
...

and sshd log looks like this:

...
debug1: server_input_channel_req: channel 0 request eow at openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 24887
debug1: session_exit_message: session 0 channel 0 pid 24887
debug2: channel 0: request exit-signal confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
...

From djm at mindrot.org Tue Apr 21 16:10:18 2009
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Apr 2009 16:10:18 +1000 (EST)
Subject: ssh localhost yes | true
In-Reply-To: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com>
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com>
Message-ID:

On Mon, 20 Apr 2009, Kyle McKay wrote:

> Referring to "CLOSED FIXED" Bug 85:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=85
...
> HOWEVER, the "ssh -2 localhost yes | true" command just
> hangs indefinitely on Mac OS X 10.5.6 where the output of
> ssh -V is:
>
> OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
>
> It turns out that it's the version of sshd that seems to matter
> as the older ssh OpenSSL 0.9.7l client talking to a newer sshd
> daemon doesn't hang (and the logs at the end of this message
> seem to bear that out).

This doesn't look like bug#85 based on what you sent below. It looks more like a whatever that you were running failing to notice its stdout closing.

Either way, the problem is far more likely to be due to modifications that Apple have made to the ssh/sshd they ship in their base OS rather than anything to do with OpenSSL.

> Can anyone shed some light on how to tell based on the versions
> reported by ssh -V / sshd -V whether or not the hanging problem
> will be present?

OpenSSH 5.1 has the fix. Since we had to extend the SSH protocol to fix this bug, both ends (ssh and sshd) need to be this version or greater for it to work.

> And is there any way to see the OpenSSL version of the remote
> sshd via ssh from another host? (The -v option to ssh only
> reports "remote software version OpenSSH_5.1" and does
> not include the OpenSSL version.)

No, the OpenSSL version is really not relevant since it handles crypto and not much else.

> P.S. No, I don't actually need to run "ssh localhost yes | true"
> however I often use Subversion with the svn+ssh protocol and the
> recent Subversion fix for issue 2580 creates a situation very
> much like "ssh localhost yes | true" where the ssh process never
> exits.
>
> http://subversion.tigris.org/issues/show_bug.cgi?id=2580
>
> P.P.S. The last part of the debug log from ssh client when it
> hangs:
>
> ...
> debug2: channel 0: write failed
> debug2: channel 0: close_write
> debug2: channel 0: send eow
> debug2: channel 0: output open -> closed
> connection hangs at this point

The client is doing the right thing.

> and sshd log looks like this:
>
> ...
> debug1: server_input_channel_req: channel 0 request eow at openssh.com reply 0
> debug2: channel 0: rcvd eow
> debug2: channel 0: close_read
> debug2: channel 0: input open -> closed
> connection hangs at this point

The server is doing the right thing, but the underlying process is not terminating when its output is closed.

> whereas when it doesn't hang, ssh client log looks like this:
>
> ...
> debug2: channel 0: write failed
> debug2: channel 0: close_write
> debug2: channel 0: send eow
> debug2: channel 0: output open -> closed
> debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
> debug2: channel 0: rcvd eow
> ...

Yes, the client signals that its input fd has closed, the server closed the output fd of its process and the process exited.

> and sshd log looks like this:
>
> ...
> debug1: server_input_channel_req: channel 0 request eow at openssh.com reply 0
> debug2: channel 0: rcvd eow

^^^ this is the client signalling that its input has closed

> debug2: channel 0: close_read
> debug2: channel 0: input open -> closed

^^^ server closes output of child process

> debug1: Received SIGCHLD.

^^^ child process exits

> debug1: session_by_pid: pid 24887
> debug1: session_exit_message: session 0 channel 0 pid 24887
> debug2: channel 0: request exit-signal confirm 0
> debug1: session_exit_message: release channel 0

^^^ server sends notification that it has exited.

-d

From srinivas.ramana at wipro.com Tue Apr 21 03:42:30 2009
From: srinivas.ramana at wipro.com (srinivas.ramana at wipro.com)
Date: Mon, 20 Apr 2009 23:12:30 +0530
Subject: support of openSSH + Certificates
Message-ID: <34BAE4FA891DCA498C6D46840F4F896F0E8ADB@BLR-SJP-MBX01.wipro.com>

Hi,

We want to use openSSH for one of our projects. But we need certificate exchange support. I have gone through the documentation. It says openSSH supports key management but no mention of certificates. I have seen some people outside openSSH giving patches for supporting X.509 but not sure how stable those patches are.

Is there a way that openSSH supports certificates? Your guidance will help a lot.

Thanks & Regards,
--
Srinivas R

From mackyle at gmail.com Tue Apr 21 16:39:41 2009
From: mackyle at gmail.com (Kyle McKay)
Date: Mon, 20 Apr 2009 23:39:41 -0700
Subject: ssh localhost yes | true
In-Reply-To:
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com>
Message-ID: <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com>

Thanks for your response.

On Apr 20, 2009, at 23:10, Damien Miller wrote:

> On Mon, 20 Apr 2009, Kyle McKay wrote:
>
>> Referring to "CLOSED FIXED" Bug 85:
>>
>> https://bugzilla.mindrot.org/show_bug.cgi?id=85
>
> ...
>
>> HOWEVER, the "ssh -2 localhost yes | true" command just
>> hangs indefinitely on Mac OS X 10.5.6 where the output of
>> ssh -V is:
>>
>> OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
>>
>> It turns out that it's the version of sshd that seems to matter
>> as the older ssh OpenSSL 0.9.7l client talking to a newer sshd
>> daemon doesn't hang (and the logs at the end of this message
>> seem to bear that out).
>
> This doesn't look like bug#85 based on what you sent below. It looks
> more like a whatever that you were running failing to notice its stdout
> closing.

Actually after looking at this some more, I think Apple's sshd is just missing the Bug 85 patch and I think the debug messages back this up.

>> ...
>> debug2: channel 0: write failed
>> debug2: channel 0: close_write
>> debug2: channel 0: send eow
>> debug2: channel 0: output open -> closed
>> connection hangs at this point
>
> The client is doing the right thing.
>
>> and sshd log looks like this:
>>
>> ...
>> debug1: server_input_channel_req: channel 0 request eow at openssh.com reply 0
>> debug2: channel 0: rcvd eow
>> debug2: channel 0: close_read
>> debug2: channel 0: input open -> closed
>> connection hangs at this point
>
> The server is doing the right thing, but the underlying process is not
> terminating when its output is closed.

At this point the child should have exited. However, if it's depending on a SIGPIPE to do so and sshd is using socketpair instead of pipe to communicate with it, Bug 85 comes into play and the child doesn't get a SIGPIPE as a result of input transitioning from open -> closed and so doesn't exit.

>> whereas when it doesn't hang, ssh client log looks like this:
>>
>> ...
>> debug2: channel 0: write failed
>> debug2: channel 0: close_write
>> debug2: channel 0: send eow
>> debug2: channel 0: output open -> closed
>> debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
>> debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
>> debug2: channel 0: rcvd eow
>> ...
>
> Yes, the client signals that its input fd has closed, the server closed
> the output fd of its process and the process exited.
>
>> and sshd log looks like this:
>>
>> ...
>> debug1: server_input_channel_req: channel 0 request eow at openssh.com reply 0
>> debug2: channel 0: rcvd eow
>
> ^^^ this is the client signalling that its input has closed
>
>> debug2: channel 0: close_read
>> debug2: channel 0: input open -> closed
>
> ^^^ server closes output of child process
>
>> debug1: Received SIGCHLD.
>
> ^^^ child process exits

And in this case sshd included the Bug 85 fix and so was using pipes to communicate with the child and the child therefore got a SIGPIPE on the input open -> closed transition and exited.

Kyle

From djm at mindrot.org Tue Apr 21 16:53:08 2009
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Apr 2009 16:53:08 +1000 (EST)
Subject: ssh localhost yes | true
In-Reply-To: <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com>
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com>
Message-ID:

On Mon, 20 Apr 2009, Kyle McKay wrote:

> Thanks for your response.
>
> On Apr 20, 2009, at 23:10, Damien Miller wrote:
> >
> > This doesn't look like bug#85 based on what you sent below. It looks
> > more like a whatever that you were running failing to notice its stdout
> > closing.
>
> Actually after looking at this some more, I think Apple's sshd is just
> missing the Bug 85 patch and I think the debug messages back this up.

No, Apple's sshd clearly does have the bug #85 patch:

> debug2: channel 0: rcvd eow

Would not be printed otherwise. Perhaps they have forcibly disabled USE_PIPES in session.c? It is required for the patch to correctly function.

> And in this case sshd included the Bug 85 fix and so was using pipes to
> communicate with the child and the child therefore got a SIGPIPE on the input
> open -> closed transition and exited.

No, in both cases the signalling between sshd and the child process is identical from the logs. There may be differences depending on whether Apple has modified their sshd to avoid using pipes (thwarting the half-close fix in the process), but you will need to post a full debug log from the server to tell.

-d

From mackyle at gmail.com Tue Apr 21 18:27:44 2009
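To make concrete why USE_PIPES matters for the half-close behaviour discussed in the last two messages (Kyle's point that a child waiting for SIGPIPE never gets one over a socketpair, and Damien's reply that the bug 85 fix needs USE_PIPES), here is an added C demonstration. It is not OpenSSH code: it models, inside one process, the server's side of the two descriptor layouts named later in the thread (separate pipes for stdin/stdout versus one shared socketpair) and reports what a child writing to its stdout would observe. The struct and `layout_*` function names are this example's own, and the remark that Apple's sshd left the child without a SIGPIPE is taken from the thread, not measured here.

```c
/*
 * Added example (not OpenSSH code): what a child sees when the server stops
 * reading its output, under the two descriptor layouts named in the thread.
 *
 * USE_PIPES layout: stdin and stdout are separate pipes, so the server can
 * close its read end of the stdout pipe alone; the child's next write fails
 * with EPIPE (SIGPIPE if not ignored) and a program like "yes" exits.
 *
 * !USE_PIPES layout: stdin and stdout share one socketpair. The server cannot
 * drop the child's output without touching its input: close() ends both
 * directions, and shutdown(SHUT_RD) keeps input working but whether the
 * peer's writes then fail is platform-dependent (the thread reports Apple's
 * sshd leaving the child without a SIGPIPE, hence the hang).
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct halfclose_result {
	int out_write_errno; /* errno of the child's stdout write, 0 if it succeeded */
	int in_still_open;   /* 1 if the server can still deliver stdin afterwards */
};

/* Child side: write one byte to its stdout fd and return errno (0 on success). */
static int child_write(int wfd)
{
	char c = 'y';
	signal(SIGPIPE, SIG_IGN);   /* observe EPIPE instead of dying, for the demo */
	errno = 0;
	return write(wfd, &c, 1) == 1 ? 0 : errno;
}

/* Server side: send one byte of input (if it has a fd for that), then check
 * whether the child can still read it. A read of 0 means EOF: input is gone. */
static int server_input_works(int server_wfd, int child_rfd)
{
	char c = 'i', b;
	if (server_wfd >= 0 && write(server_wfd, &c, 1) != 1)
		return 0;
	return read(child_rfd, &b, 1) == 1;
}

/* USE_PIPES: two pipes; the server closes only the stdout pipe's read end. */
struct halfclose_result layout_pipes(void)
{
	struct halfclose_result r = { -1, 0 };
	int pin[2], pout[2];
	if (pipe(pin) < 0)
		return r;
	if (pipe(pout) < 0) {
		close(pin[0]); close(pin[1]);
		return r;
	}
	close(pout[0]);                            /* server: no more output wanted */
	r.out_write_errno = child_write(pout[1]);  /* child: EPIPE */
	r.in_still_open = server_input_works(pin[1], pin[0]);
	close(pin[0]); close(pin[1]); close(pout[1]);
	return r;
}

/* !USE_PIPES, variant 1: the server close()s its end of the shared socketpair. */
struct halfclose_result layout_socketpair_close(void)
{
	struct halfclose_result r = { -1, 0 };
	int sv[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return r;
	close(sv[0]);                                    /* ends output AND input */
	r.out_write_errno = child_write(sv[1]);          /* EPIPE */
	r.in_still_open = server_input_works(-1, sv[1]); /* child's read sees EOF */
	close(sv[1]);
	return r;
}

/* !USE_PIPES, variant 2: the server shutdown(SHUT_RD)s its end; input stays up,
 * but the child's write failing is platform-dependent (EPIPE on Linux). */
struct halfclose_result layout_socketpair_shutdown(void)
{
	struct halfclose_result r = { -1, 0 };
	int sv[2];
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return r;
	shutdown(sv[0], SHUT_RD);                  /* "stop reading" only */
	r.out_write_errno = child_write(sv[1]);
	r.in_still_open = server_input_works(sv[0], sv[1]);
	close(sv[0]); close(sv[1]);
	return r;
}

int main(void)
{
	struct halfclose_result a = layout_pipes();
	struct halfclose_result b = layout_socketpair_close();
	struct halfclose_result c = layout_socketpair_shutdown();
	printf("pipes:               write errno=%d input ok=%d\n", a.out_write_errno, a.in_still_open);
	printf("socketpair close:    write errno=%d input ok=%d\n", b.out_write_errno, b.in_still_open);
	printf("socketpair shutdown: write errno=%d input ok=%d\n", c.out_write_errno, c.in_still_open);
	return 0;
}
```

Only the pipe layout gives the server both properties at once: the child's output write fails deterministically (EPIPE, equal to the `Broken pipe` the SSH-1 case prints above) while stdin stays deliverable. With the shared socketpair the server must either give up input as well or rely on shutdown semantics that differ between kernels, which is the gap the `eow` extension and USE_PIPES close together.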
From: mackyle at gmail.com (Kyle McKay)
Date: Tue, 21 Apr 2009 01:27:44 -0700
Subject: ssh localhost yes | true
In-Reply-To:
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com>
Message-ID: <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com>

Yup, you're right. Apple has disabled the USE_PIPES define in their source code.

Here's the original file:

http://www.opensource.apple.com/darwinsource/10.5.6/OpenSSH-95.1.5/openssh/session.c.orig

And the file they're using:

http://www.opensource.apple.com/darwinsource/10.5.6/OpenSSH-95.1.5/openssh/session.c

Here's the diff:

--- session.c.orig +++ session.c @@ -424,7 +424,9 @@ } } +#ifndef __APPLE__ #define USE_PIPES +#endif /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after @@ -2082,8 +2084,10 @@ n_bytes = packet_remaining(); tty_parse_modes(s->ttyfd, &n_bytes); +#ifndef __APPLE_PRIVPTY__ if (!use_privsep) pty_setowner(s->pw, s->tty); +#endif /* Set window size from the packet. */ pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s- >ypixel);
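Review bot: wrapping `#define USE_PIPES` in `#ifndef __APPLE__` (first hunk, at @@ -424) silently disables the half-close fix on Apple builds. Without USE_PIPES sshd falls back to one socketpair shared between the child's stdin and stdout, so when the client's `eow` request makes the server close the channel's read side the child never sees EPIPE/SIGPIPE and keeps writing, which is the `ssh localhost yes | true` hang this thread started with. If the define has to stay off for this platform, the hunk should carry a comment stating the reason and this consequence; otherwise keep USE_PIPES and handle the platform need elsewhere.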
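Review bot: the second hunk (@@ -2082) skips `pty_setowner(s->pw, s->tty)` whenever `__APPLE_PRIVPTY__` is defined, but nothing in the hunk shows where ownership and mode of the pty are set instead, and the macro is neither defined nor explained in the diff. A comment at the `#ifndef` naming the mechanism that takes over this job would let a reader verify the tty is not left with the wrong owner, and the same comment should point at the matching `pty_release` skip later in the file.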
@@ -2321,9 +2325,11 @@ if (s->pid != 0) record_logout(s->pid, s->tty, s->pw->pw_name); +#ifndef __APPLE_PRIVPTY__ /* Release the pseudo-tty. */ if (getuid() == 0) pty_release(s->tty); +#endif /* * Close the server side of the socket pairs. We must do this after

Thanks for your help.

Kyle

On Apr 20, 2009, at 23:53, Damien Miller wrote:

> On Mon, 20 Apr 2009, Kyle McKay wrote:
>
>> Thanks for your response.
>>
>> On Apr 20, 2009, at 23:10, Damien Miller wrote:
>>>
>>> This doesn't look like bug#85 based on what you sent below. It looks
>>> more like a whatever that you were running failing to notice its stdout
>>> closing.
>>
>> Actually after looking at this some more, I think Apple's sshd is just
>> missing the Bug 85 patch and I think the debug messages back this up.
>
> No, Apple's sshd clearly does have the bug #85 patch:
>
>> debug2: channel 0: rcvd eow
>
> Would not be printed otherwise. Perhaps they have forcibly disabled
> USE_PIPES in session.c? It is required for the patch to correctly
> function.
>
>> And in this case sshd included the Bug 85 fix and so was using pipes to
>> communicate with the child and the child therefore got a SIGPIPE on the input
>> open -> closed transition and exited.
>
> No, in both cases the signalling between sshd and the child process is
> identical from the logs. There may be differences depending on whether
> Apple has modified their sshd to avoid using pipes (thwarting the
> half-close fix in the process), but you will need to post a full debug
> log from the server to tell.
>
> -d

From miguel.sanders at arcelormittal.com Wed Apr 22 02:58:37 2009
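Review bot: the third hunk (@@ -2321) drops the root-only `pty_release(s->tty)` under `__APPLE_PRIVPTY__` with no replacement visible in the hunk, while the surviving comment `/* Release the pseudo-tty. */` now describes code that is compiled out on that platform. If release happens in another process on Apple builds, say so in the comment; if it does not, the pty keeps whatever ownership and permissions the session left it with after `record_logout`.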
From: miguel.sanders at arcelormittal.com (miguel.sanders at arcelormittal.com)
Date: Tue, 21 Apr 2009 18:58:37 +0200
Subject: GSSAPIKeyExchange and GSSAPIStrictAcceptorCheck
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B342A0@GEN-MXB-V04.msad.arcelor.net>

Hi folks

Is there any particular reason why these two great features (thanks Simon!) are not part of the OpenSSH mainstream?

Kind regards
Best regards
Yours sincerely

Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent

From peter at stuge.se Wed Apr 22 08:22:11 2009
From: peter at stuge.se (Peter Stuge)
Date: Wed, 22 Apr 2009 00:22:11 +0200
Subject: support of openSSH + Certificates
In-Reply-To: <34BAE4FA891DCA498C6D46840F4F896F0E8ADB@BLR-SJP-MBX01.wipro.com>
References: <34BAE4FA891DCA498C6D46840F4F896F0E8ADB@BLR-SJP-MBX01.wipro.com>
Message-ID: <20090421222211.14845.qmail@stuge.se>

srinivas.ramana at wipro.com wrote:
> Is there a way that openSSH supports certificates?

Not out of the box. See http://roumenpetrov.info/openssh/

//Peter

From petesea at bigfoot.com Wed Apr 22 05:27:24 2009
From: petesea at bigfoot.com (petesea at bigfoot.com)
Date: Tue, 21 Apr 2009 12:27:24 -0700 (PDT)
Subject: Env var for options/config
Message-ID:

Is there any way to define openssh options via an env var? Something like:

SSH_OPTIONS='-oBatchMode=yes ...'

or

SSH_CONFIG=/path/to/alternate/ssh_config

The reason I'd like to be able to use this is so I can override certain options without interfering with the user's normal configuration file. In the case of commands that indirectly call ssh, like cvs, there's no way to define specific options on the command line, so the only choices are to change the user's ssh config file or create a wrapper script for ssh. Setting an environment variable is (IMO) just more clean and transparent.

If there isn't currently an environment variable, is there any chance this could be added in some future release? If so, I think the "SSH_OPTIONS" env would be the most flexible, since you could always simulate the "SSH_CONFIG" approach using "SSH_OPTIONS=-F/path/to/config".

It would also provide a very easy way to help debug authentication issues with cvs, eg:

$ SSH_OPTIONS='-v' cvs checkout ...

From peter at stuge.se Wed Apr 22 16:01:25 2009
From: peter at stuge.se (Peter Stuge)
Date: Wed, 22 Apr 2009 08:01:25 +0200
Subject: Env var for options/config
In-Reply-To:
References:
Message-ID: <20090422060125.19751.qmail@stuge.se>

petesea at bigfoot.com wrote:
> Is there any way to define openssh options via an env var?

No.

> is there any chance this could be added in some future release?

I don't know.. I don't think any of the developers would like to do it. But you can always create a patch and file it in the tracker.

//Peter

From stevesk at pobox.com Thu Apr 23 08:58:04 2009
From: stevesk at pobox.com (Kevin Steves)
Date: Wed, 22 Apr 2009 15:58:04 -0700
Subject: Issues with ssh-agent connecting to a large number of hosts at once
In-Reply-To: <3be13d470904170904n45859c8fq78432cf096089a8@mail.gmail.com>
References: <3be13d470904170904n45859c8fq78432cf096089a8@mail.gmail.com>
Message-ID: <20090422225804.GA15409@steam.sbcglobal.net>

On Fri, Apr 17, 2009 at 10:04:34AM -0600, Bob Belnap wrote:
: read(160, 0xbf8f300a, 1024) = -1 EAGAIN (Resource temporarily
: unavailable)

looks like select() tells us a non-blocking fd is ready for reading but there is nothing to read and we loop forever on EAGAIN.

is it an ssh(1) that is connecting to the agent?

there is an ssh-agent -d option, you could add some debug() to troubleshoot.

From djm at mindrot.org Thu Apr 23 23:38:03 2009
From: djm at mindrot.org (Damien Miller)
Date: Thu, 23 Apr 2009 23:38:03 +1000 (EST)
Subject: ssh localhost yes | true (follow up)
In-Reply-To: <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com>
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com> <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com>
Message-ID:

On Thu, 23 Apr 2009, Kyle wrote:

> I filed bug 6810722 with Apple and sent them a patch that makes the half-close
> fix work again without causing problems with shells (like Apple's bash that
> attempt to detect when they're being run by a remote shell daemon such as sshd
> by apparently checking standard input to see if it's a socket).
>
> On Apr 21, 2009, at 01:27, Kyle McKay wrote:
> > On Apr 20, 2009, at 23:53, Damien Miller wrote:
> > > There may be differences depending on whether
> > > Apple has modified their sshd to avoid using pipes (thwarting the
> > > half-close fix in the process), but you will need to post a full debug
> > > log from the server to tell.
> > >
> > > -d
> >
> > Yup, you're right. Apple has disabled the USE_PIPES define in their source
> > code.
>
> FYI, patch is below.

I think it violates some assumptions we make in channels.c to mix socketpairs and pipes like this, but I have to check.

-d

From markus.r.friedl at arcor.de Thu Apr 23 23:43:03 2009
From: markus.r.friedl at arcor.de (Markus Friedl)
Date: Thu, 23 Apr 2009 15:43:03 +0200
Subject: ssh localhost yes | true (follow up)
In-Reply-To:
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com> <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com>
Message-ID: <20090423134303.GA22291@folly>

On Thu, Apr 23, 2009 at 11:38:03PM +1000, Damien Miller wrote:
> I think it violates some assumptions we make in channels.c to mix
> socketpairs and pipes like this, but I have to check.

yes, it violates assumptions.

From mackyle at gmail.com Thu Apr 23 23:22:08 2009
From: mackyle at gmail.com (Kyle McKay)
Date: Thu, 23 Apr 2009 06:22:08 -0700
Subject: ssh localhost yes | true (follow up)
In-Reply-To: <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com>
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com>
Message-ID: <70E8B286-3946-44A1-BF9B-C897D1D049EB@gmail.com>

I filed bug 6810722 with Apple and sent them a patch that makes the half-close fix work again without causing problems with shells (like Apple's bash that attempt to detect when they're being run by a remote shell daemon such as sshd by apparently checking standard input to see if it's a socket).

On Apr 21, 2009, at 01:27, Kyle McKay wrote:
> On Apr 20, 2009, at 23:53, Damien Miller wrote:
>> There may be differences depending on whether
>> Apple has modified their sshd to avoid using pipes (thwarting the
>> half-close fix in the process), but you will need to post a full
>> debug
>> log from the server to tell.
>>
>> -d
>
> Yup, you're right. Apple has disabled the USE_PIPES define in their
> source code.

FYI, patch is below.

Again, thanks for all your help with this.

Kyle

Patch is against the version of session.c that has all of Apple's patches already applied and can be found at:

http://www.opensource.apple.com/darwinsource/10.5.6/OpenSSH-95.1.5/openssh/session.c

--- session.c 2008-08-13 17:40:56.000000000 -0700 +++ session.c 2009-04-23 04:39:14.000000000 -0700 @@ -424,9 +424,7 @@ } } -#ifndef __APPLE__ #define USE_PIPES -#endif /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after
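Review bot: removing the `#ifndef __APPLE__` guard (first hunk, @@ -424) re-enables USE_PIPES unconditionally, which is what the half-close fix needs, but the define is still left without any comment explaining that the fix depends on the server being able to close the child's output descriptor independently of its input. One sentence next to `#define USE_PIPES` saying that would make it much less likely that the next platform port disables it again.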
@@ -440,11 +438,12 @@ #ifdef USE_PIPES int pin[2], pout[2], perr[2]; - /* Allocate pipes for communicating with the program. */ - if (pipe(pin) < 0) { - error("%s: pipe in: %.100s", __func__, strerror(errno)); + /* Allocate socketpair for communicating with the program input. */ + if (socketpair(AF_UNIX, SOCK_STREAM, 0, pin) < 0) { + error("%s: socketpair #1: %.100s", __func__, strerror(errno)); return -1; } + /* Allocate pipes for communicating with the program output. */ if (pipe(pout) < 0) { error("%s: pipe out: %.100s", __func__, strerror(errno)); close(pin[0]);

From mackyle at gmail.com Fri Apr 24 05:30:48 2009
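Review bot: the second hunk (@@ -440) makes `pin` a `socketpair(AF_UNIX, SOCK_STREAM, 0, pin)` while `pout` stays a `pipe()`, but neither the new comments nor the `#ifdef USE_PIPES` block say why stdin specifically has to be a socket (the reason given in this thread is that Apple's bash probes stdin for a socket). Record that motivation in the comment, and confirm the channel layer accepts a socket on the child's input side only: the maintainers' reply in this thread is that mixing socketpairs and pipes violates assumptions in channels.c, so the `c->sock` / `rfd == wfd` handling there needs checking against this layout. Also, the error path after `pipe(pout)` fails shows only `close(pin[0])` before the hunk's context ends; make sure `pin[1]` is closed there too, since both ends of the socketpair are now live at that point.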
From: mackyle at gmail.com (Kyle McKay)
Date: Thu, 23 Apr 2009 12:30:48 -0700
Subject: ssh localhost yes | true (follow up)
In-Reply-To: <20090423134303.GA22291@folly>
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com> <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com> <20090423134303.GA22291@folly>
Message-ID: <426232DD-0068-486F-878E-2DE7ED5E861A@gmail.com>

On Apr 23, 2009, at 06:43, Markus Friedl wrote:

> On Thu, Apr 23, 2009 at 11:38:03PM +1000, Damien Miller wrote:
>> I think it violates some assumptions we make in channels.c to mix
>> socketpairs and pipes like this, but I have to check.
>
> yes, it violates assumptions.

I'm running with the changes and haven't noticed any problems.

scp is working, X tunnels are working, port forwarding is working, bash is happy (ssh localhost printenv shows it's running ~/.bashrc), the half-close fix is working (ssh localhost yes | true doesn't hang).

channels.c clearly works with pipes or sockets, it doesn't have any tests of USE_PIPES in it, it's not calling fstat and I don't see any tests of S_IFSOCK or S_IFIFO so I'm unclear on how it would be able to tell the difference between 3 separate pairs of pipes (normal USE_PIPES case), 1 shared socket pair + 1 separate socket pair (normal !USE_PIPES case) and 1 socket pair + 2 pairs of pipes.

Of course I'm looking at the version of channels.c that Apple's using:

http://www.opensource.apple.com/darwinsource/10.5.6/OpenSSH-95.1.5/openssh/channels.c

which is "channels.c,v 1.286 2008/07/16 11:52:19 djm" plus an Apple patch, so maybe there's a newer version of channels.c that Apple's not using that is sensitive to the mixed combination?

Is there something else I should be looking at/testing?

Kyle

From djm at mindrot.org Fri Apr 24 07:54:06 2009
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Apr 2009 07:54:06 +1000 (EST)
Subject: ssh localhost yes | true (follow up)
In-Reply-To: <426232DD-0068-486F-878E-2DE7ED5E861A@gmail.com>
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com> <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com> <20090423134303.GA22291@folly> <426232DD-0068-486F-878E-2DE7ED5E861A@gmail.com>
Message-ID:

On Thu, 23 Apr 2009, Kyle McKay wrote:

> On Apr 23, 2009, at 06:43, Markus Friedl wrote:
> > On Thu, Apr 23, 2009 at 11:38:03PM +1000, Damien Miller wrote:
> >> I think it violates some assumptions we make in channels.c to mix
> >> socketpairs and pipes like this, but I have to check.
> >
> > yes, it violates assumptions.
>
> I'm running with the changes and haven't noticed any problems.
>
> scp is working, X tunnels are working, port forwarding is working,
> bash is happy (ssh localhost printenv shows it's running ~/.bashrc)
> the half-close fix is working (ssh localhost yes | true doesn't hang).
>
> channels.c clearly works with pipes or sockets, it doesn't have any
> tests of USE_PIPES in it, it's not calling fstat and I don't see any
> tests of S_IFSOCK or S_IFIFO so I'm unclear on how it would be able to
> tell the difference between 3 separate pairs of pipes (normal
> USE_PIPES case), 1 shared socket pair + 1 separate socket pair
> (normal !USE_PIPES case) and 1 socket pair + 2 pairs of pipes.

The test is in channel_register_fds(), look for c->sock.

Why not fix the bug in bash instead of putting weird hacks in ssh?

-d

From mackyle at gmail.com Fri Apr 24 09:32:38 2009
From: mackyle at gmail.com (Kyle McKay)
Date: Thu, 23 Apr 2009 16:32:38 -0700
Subject: ssh localhost yes | true (follow up)
In-Reply-To:
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com> <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com> <20090423134303.GA22291@folly> <426232DD-0068-486F-878E-2DE7ED5E861A@gmail.com>
Message-ID:

On Apr 23, 2009, at 14:54, Damien Miller wrote:

> On Thu, 23 Apr 2009, Kyle McKay wrote:
>
>> On Apr 23, 2009, at 06:43, Markus Friedl wrote:
>>> On Thu, Apr 23, 2009 at 11:38:03PM +1000, Damien Miller wrote:
>>>> I think it violates some assumptions we make in channels.c to mix
>>>> socketpairs and pipes like this, but I have to check.
>>>
>>> yes, it violates assumptions.
>>
>> I'm running with the changes and haven't noticed any problems.
>>
>> scp is working, X tunnels are working, port forwarding is working,
>> bash is happy (ssh localhost printenv shows it's running ~/.bashrc)
>> the half-close fix is working (ssh localhost yes | true doesn't
>> hang).
>>
>> channels.c clearly works with pipes or sockets, it doesn't have any
>> tests of USE_PIPES in it, it's not calling fstat and I don't see any
>> tests of S_IFSOCK or S_IFIFO so I'm unclear on how it would be able
>> to
>> tell the difference between 3 separate pairs of pipes (normal
>> USE_PIPES case), 1 shared socket pair + 1 separate socket pair
>> (normal !USE_PIPES case) and 1 socket pair + 2 pairs of pipes.
>
> The test is in channel_register_fds(), look for c->sock.

Thanks for pointing me to that.

Looks like you get some extra behavior if rfd == wfd, but you're not getting that behavior normally when USE_PIPES is always defined in session.c, so nothing obvious jumps out at me as breakage-waiting-to-happen with the patch applied.

> Why not fix the bug in bash instead of putting weird hacks in ssh?
>
> -d

Apparently bash isn't the only program to test that and sending Apple a bunch of patches for a bunch of different programs is likely to delay getting any fix accepted (be lucky if they take any fix at all and issue an official update containing the fix within the next 6 months).

In fact, Ubuntu bash gets it right, ("ssh localhost yes | true" does not hang while "ssh localhost printenv" indicates ~/.bashrc is being run) so that suggests Apple's bash sources are behind the times or also contain bug-inducing patches or there is some other Darwin-specific behavior going on that breaks things.

Why not enhance ssh to officially support a socket/pipe combination?

Kyle

From djm at mindrot.org Fri Apr 24 10:43:27 2009
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Apr 2009 10:43:27 +1000 (EST)
Subject: ssh localhost yes | true (follow up)
In-Reply-To:
References: <557361F6-9026-43BE-9AB0-0452FAA46433@gmail.com> <1E9039D8-956B-4081-9BCF-9EE522396C58@gmail.com> <3FD43A99-22AF-4CCC-A035-035D80B48AB5@gmail.com> <5CF846CA-F373-4D9A-87B3-7A10747DBAE6@gmail.com> <20090423134303.GA22291@folly> <426232DD-0068-486F-878E-2DE7ED5E861A@gmail.com>
Message-ID:

On Thu, 23 Apr 2009, Kyle McKay wrote:

> > > tests of S_IFSOCK or S_IFIFO so I'm unclear on how it would be able to
> > > tell the difference between 3 separate pairs of pipes (normal
> > > USE_PIPES case), 1 shared socket pair + 1 separate socket pair
> > > (normal !USE_PIPES case) and 1 socket pair + 2 pairs of pipes.
> >
> > The test is in channel_register_fds(), look for c->sock.
>
> Thanks for pointing me to that.
>
> Looks like you get some extra behavior if rfd == wfd, but you're not getting
> that behavior normally when USE_PIPES is always defined in session.c, so
> nothing obvious jumps out at me as breakage-waiting-to-happen with the patch
> applied.

channel code bugs rarely manifest in obvious ways, and they are difficult to debug when they do. I can't say for certain that mixing socketpairs and pipes will or won't cause problems, but I don't think it is a good path to go down if it is just papering over other problems.

> Apparently bash isn't the only program to test that and sending Apple a bunch
> of patches for a bunch of different programs is likely to delay getting any
> fix accepted (be lucky if they take any fix at all and issue an official
> update containing the fix within the next 6 months).
>
> In fact, Ubuntu bash gets it right, ("ssh localhost yes | true" does not hang
> while "ssh localhost printenv" indicates ~/.bashrc is being run) so that
> suggests Apple's bash sources are behind the times or also contain
> bug-inducing patches or there is some other Darwin-specific behavior going on
> that breaks things.
>
> Why not enhance ssh to officially support a socket/pipe combination?

I don't think it is an "enhancement" to work around a bug that will be fixed in a couple of months. It is just added complexity that we will have to maintain forever.

-d

From openssh at roumenpetrov.info Mon Apr 27 01:36:58 2009
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sun, 26 Apr 2009 18:36:58 +0300
Subject: support of openSSH + Certificates
In-Reply-To: <34BAE4FA891DCA498C6D46840F4F896F0E8ADB@BLR-SJP-MBX01.wipro.com>
References: <34BAE4FA891DCA498C6D46840F4F896F0E8ADB@BLR-SJP-MBX01.wipro.com>
Message-ID: <49F47F9A.5070002@roumenpetrov.info>

srinivas.ramana at wipro.com wrote:
> Hi,
>
> We want to use openSSH for one of our projects. But we need certificate exchange support. I have gone through the documentation. It says openSSH supports key management but makes no mention of certificates. I have seen some people outside openSSH giving patches for supporting X.509 but I am not sure how stable those patches are.

If you address issues similar to CVE-2008-5077, my patch for "X.509 certificate support in OpenSSH" is not impacted. The checks for return values from openssl functions are always performed, and this has been so from the first version.

[SNIP]

Roumen
