From: eric.hu at harman.com (Hu, Eric)
Date: Mon, 1 Feb 2010 13:18:08 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
Message-ID: <12FF1C857C510C43BA8B1B028B69AD52BEC9E2@HICGWSEX01.ad.harman.com>

Hello,

I sent this last week before signing up for the list, but haven't seen it in the archives, so I'm guessing it got discarded either as spam or HTML (sorry about that). In any case, the following was sent to comp.security.ssh early last week and I have gotten no response there. Can anyone here shed some light?

Thanks,

Eric

------------------------------------------

Hello,

I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH version is 5.1. cygrunsrv version is 1.34. I have the following in my sshd_config file.

    Match User user
        ForceCommand start.sh

What some users have discovered is that they can log in with arbitrarily mixed case user names. For instance, logging in as "usEr" is exactly the same as logging in with "USer" as well as the other fourteen possible combinations for a four-letter username. Further, only the all-lowercase version invokes "start.sh." I thought I might be able to solve this with the following.

    AllowUsers user

I thought this would force sshd to only let one case combination through. However, all case combinations can still log in and "start.sh" is not getting executed. In other words, there is a discrepancy between "Match User" and "AllowUsers" in this regard.

Does anyone have any idea how to get around this? I don't want to add 2^(length of user name) "Match User" entries to the sshd_config file for every user, which is the only remedy at the moment.

Thanks

From: hlein at korelogic.com (Hank Leininger)
Date: Mon, 1 Feb 2010 16:02:42 -0500
Subject: Repost: [patch] Automatically add keys to agent
Message-ID: <20100201210242.GW30476@marklar.spinoli.org>

On 2010-01-29, joshua stein wrote:
> > Imagine an attacker has access to your account on a target system.
> then all bets are off anyway.

Oh? On the _target_ system. SSH'ing into a possibly compromised system should not put your local system at risk. That's why agent and X11 forwarding default to off in the client, sftp is preferred over scp, etc.

[ It would be an interesting exercise to trap ^D / exit / logout, and present a fake originalhost$ prompt, and see what you can collect from someone. From their SSH client version, you may be able to guess their OS's default shell & prompt. But that's another matter. ]

> > The ways to avoid ever falling into this trap:
> >
> > 1) Always ssh with -v, and read the verbose messages every time, so you
> > are certain you know where the prompt originated. Not likely.
> >
> > 2) Always ssh-add your passphrases locally first, before ssh'ing
> > anywhere. For best results, set BatchMode=yes by default in
[snip]
>
> 3) don't turn the option on. nobody's proposing that it be on by
> default.

My point was that this was already a concern, and that those are the ways to avoid being victimized currently. Adding the proposed feature without recognizing this risk could easily lead people to enabling it when it can get them into trouble. I do appreciate that the proposal is to default to 'no', but am concerned that people are talking about the convenience with no regard to the consequences.

Thanks,

--
Hank Leininger
BE5D FCCA 673B D18B 98A9 3175 896E 3D4A 1B4D C5AC

From: hlein at korelogic.com (Hank Leininger)
Date: Mon, 1 Feb 2010 16:29:02 -0500
Subject: "phishing" (was: [patch] Automatically add keys to agent)
Message-ID: <20100201212902.GY30476@marklar.spinoli.org>

[ Sorry, I did not see the renamed thread until I'd already replied on the old one. Calling this a phishing attack is exactly right. ]

On 2010-01-30, Joachim Schipper wrote:
> If I understand you correctly, you argue that connecting to malicious
> hosts is currently secure, and will remain secure, but that it will
> become easier to convince people to send the passphrase for their key.

Yes. Exactly.

[ ObDisclaimer: not "is currently secure" but "is currently secure as far as we know" ;) ]

> You are right that this is a concern, but note that an attacker would
> only learn the passphrase to a key, which should be uninteresting
> without the key.

Absolutely. So it's not a complete compromise of usable credentials. ...Unless the user has reused that passphrase somewhere else, and/or used a "really good password" as also their passphrase. The attacker would have to find some other device on which you've used those credentials, or gain access to your encrypted private key file some other way. (Depending on the environment this may not be as difficult as it should be, such as internal networks using NFS'ed home directories, etc. But that is not ssh's fault.)

> More importantly, as you note, the current situation is no better. If
> you currently use keys, the attacker could send another 'Enter
> passphrase for ' message to obtain the passphrase. (And of
> course, if you currently use passwords, an attacker could obtain your
> password!)

> You are not wrong, but isn't this point applicable to a much wider
> range of cases than those covered by my patch? And do you know why it
> hasn't been addressed yet?

Agreed. Really this has always been an issue--people may debate over how large or small, but it has always been there.
I do not know that it has been discussed specifically, but it's akin to fake login prompts in computer labs / internet cafes, fake "Good signature" PGP output in the top of an email (when using a text reader like pine and pgp4pine, where there's no clear delineation between filter-added-headers and message body), etc.

So, I'm not saying the proposed patch introduces a new technical vulnerability. What it (may) do is change people's behavior / expectations, making the social / phishing vulnerability larger than it was before.

There is probably room for an entirely different discussion of: can the ssh(1) client do anything to reduce the risk of this? Such as canary'ing the prompts, in a way easy for the user to verify, but hard for a remote system to blindly guess? I don't have any good ideas that seem clean enough to not be highly annoying (or have untenable requirements like "there must be an X display that ssh can talk to, to pop the request up in"), but strong enough not to be faked out. ...If that were sufficiently addressed, then this downside to AddKeyToAgent would go away too.

Thanks,

--
Hank Leininger
BE5D FCCA 673B D18B 98A9 3175 896E 3D4A 1B4D C5AC

From: djm at mindrot.org (Damien Miller)
Date: Tue, 2 Feb 2010 11:25:44 +1100 (EST)
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <12FF1C857C510C43BA8B1B028B69AD52BEC9E2@HICGWSEX01.ad.harman.com>
References: <12FF1C857C510C43BA8B1B028B69AD52BEC9E2@HICGWSEX01.ad.harman.com>

[+Corinna Vinschen]

It looks like Windows is matching users case-insensitively. OpenSSH always performs case-sensitive matching (following Unix). If this is the case, then perhaps we should tolower() all usernames on Windows?

-d

On Mon, 1 Feb 2010, Hu, Eric wrote:

> Hello,
>
> I sent this last week before signing up for the list, but haven't seen
> it in the archives, so I'm guessing it got discarded either as spam
> or HTML (sorry about that). In any case, the following was sent to
> comp.security.ssh early last week and I have gotten no response there.
> Can anyone here shed some light?
>
> ------------------------------------------
>
> Hello,
>
> I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH
> version is 5.1. cygrunsrv version is 1.34. I have the following in my
> sshd_config file.
>
> Match User user
>     ForceCommand start.sh
>
> What some users have discovered is that they can log in with
> arbitrarily mixed case user names. For instance, logging in as "usEr"
> is exactly the same as logging in with "USer" as well as the other
> fourteen possible combinations for a four-letter username. Further,
> only the all-lowercase version invokes "start.sh." I thought I might
> be able to solve this with the following.
>
> AllowUsers user
>
> I thought this would force sshd to only let one case combination
> through. However, all case combinations can still log in and
> "start.sh" is not getting executed. In other words, there is a
> discrepancy between "Match User" and "AllowUsers" in this regard.
> Does anyone have any idea how to get around this?
> I don't want to add
> 2^(length of user name) "Match User" entries to the sshd_config file
> for every user, which is the only remedy at the moment.

From: eric.hu at harman.com (Hu, Eric)
Date: Mon, 1 Feb 2010 18:52:27 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
Message-ID: <12FF1C857C510C43BA8B1B028B69AD52BECCF7@HICGWSEX01.ad.harman.com>

Does that mean "AllowUsers" is going through Windows and "Match User" is going through the OpenSSH machinery (sorry, I've read the docs reasonably well, but haven't looked at the code at all)?

Not being very familiar with the code, it's hard for me to recommend a solution. Had I not discovered this oddity, I would've guessed the order of events is something like

1) OpenSSH gets authentication information including user name
2) OpenSSH checks Allow/Deny directives in sshd_config
3) If user passes in step 2, send info to Windows
4) If Windows says authentication passes, OpenSSH runs through Match clauses

Using tolower() at step 4 (ie, before running Match clauses) would probably work. Not knowing the broader implications, it makes more sense to me for OpenSSH to report a failure at step 2.

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Monday, February 01, 2010 4:26 PM
To: Hu, Eric
Cc: openssh-unix-dev at mindrot.org; Corinna Vinschen
Subject: Re: case sensitivity, "Match User" and "AllowUsers"

[+Corinna Vinschen]

It looks like Windows is matching users case-insensitively. OpenSSH always performs case-sensitive matching (following Unix). If this is the case, then perhaps we should tolower() all usernames on Windows?

-d

On Mon, 1 Feb 2010, Hu, Eric wrote:

> Hello,
>
> I sent this last week before signing up for the list, but haven't seen
> it in the archives, so I'm guessing it got discarded either as spam
> or HTML (sorry about that). In any case, the following was sent to
> comp.security.ssh early last week and I have gotten no response there.
> Can anyone here shed some light?
>
> ------------------------------------------
>
> Hello,
>
> I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH
> version is 5.1. cygrunsrv version is 1.34. I have the following in my
> sshd_config file.
>
> Match User user
>     ForceCommand start.sh
>
> What some users have discovered is that they can log in with
> arbitrarily mixed case user names. For instance, logging in as "usEr"
> is exactly the same as logging in with "USer" as well as the other
> fourteen possible combinations for a four-letter username. Further,
> only the all-lowercase version invokes "start.sh." I thought I might
> be able to solve this with the following.
>
> AllowUsers user
>
> I thought this would force sshd to only let one case combination
> through. However, all case combinations can still log in and
> "start.sh" is not getting executed. In other words, there is a
> discrepancy between "Match User" and "AllowUsers" in this regard.
> Does anyone have any idea how to get around this? I don't want to add
> 2^(length of user name) "Match User" entries to the sshd_config file
> for every user, which is the only remedy at the moment.

From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 2 Feb 2010 11:53:56 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
References: <12FF1C857C510C43BA8B1B028B69AD52BEC9E2@HICGWSEX01.ad.harman.com>
Message-ID: <20100202105356.GA17818@calimero.vinschen.de>

On Feb 2 11:25, Damien Miller wrote:
> [+Corinna Vinschen]

Thanks, but not necessary, I'm subscribed to this list anyway.

> It looks like Windows is matching users case-insensitively. OpenSSH
> always performs case-sensitive matching (following Unix). If this is
> the case, then perhaps we should tolower() all usernames on Windows?

That might be a good idea. I was surprised to read what Eric wrote, but it turned out that this is just a result of how getpwnam is implemented in Cygwin. Given Windows' underlying case-insensitivity in terms of user and group names, the getpwnam function checks the user name using strcasecmp. The returned struct passwd contains the name in the original case, though, and that in turn is used in match_user() to check the user name.

The simplest patch would be

Index: match.c
===================================================================
RCS file: /cvs/openssh/match.c,v
retrieving revision 1.26
diff -u -p -r1.26 match.c
--- match.c 10 Jun 2008 23:34:46 -0000 1.26
+++ match.c 2 Feb 2010 10:40:26 -0000
@@ -98,7 +98,7 @@ match_pattern(const char *s, const char return 0; /* Check if the next character of the string is acceptable. */ - if (*pattern != '?' && *pattern != *s) + if (*pattern != '?' && tolower (*pattern) != tolower (*s)) return 0; /* Move to the next character, both in string and in pattern. */

Wouldn't that be acceptable for Unix as well, given that the username is supposed not to contain capital letters anyway? This function is also used to compare hostnames, and hostnames are usually case-insensitive as well, so this would be the right thing to do to allow arbitrary host strings. Is there any advantage to doing the pattern matching case-sensitively?

Alternatively, wouldn't it make sense to add a parameter to match_pattern and match_pattern_list to control case-sensitivity when calling these functions?

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

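Review bot: in the match.c hunk above, the new condition passes *pattern and *s, both plain char, straight to tolower(), whose argument must be representable as unsigned char (or be EOF); wherever char is signed, any byte with the high bit set (as in UTF-8 or Latin-1 names) makes this undefined behaviour, so cast both operands first, e.g. "tolower((unsigned char)*pattern) != tolower((unsigned char)*s)", and add <ctype.h> to match.c if it is not already included. The hunk also changes behaviour for every caller of match_pattern(), not only the Cygwin user-name path, so Unix user names (which are case-sensitive) would start matching case-insensitively too; the per-call parameter suggested at the end of the message, or folding only in the Windows getpwnam path, would avoid that.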
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 2 Feb 2010 12:39:02 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <20100202105356.GA17818@calimero.vinschen.de>
References: <12FF1C857C510C43BA8B1B028B69AD52BEC9E2@HICGWSEX01.ad.harman.com> <20100202105356.GA17818@calimero.vinschen.de>
Message-ID: <20100202113902.GA19205@calimero.vinschen.de>

On Feb 2 11:53, Corinna Vinschen wrote:
> On Feb 2 11:25, Damien Miller wrote:
> > [+Corinna Vinschen]
>
> Thanks, but not necessary, I'm subscribed to this list anyway.
>
> > It looks like Windows is matching users case-insensitively. OpenSSH
> > always performs case-sensitive matching (following Unix). If this is
> > the case, then perhaps we should tolower() all usernames on Windows?
>
> That might be a good idea. I was surprised to read what Eric wrote, but
> it turned out that this is just a result of how getpwnam is implemented
> in Cygwin. Given Windows' underlying case-insensitivity in terms of
> user and group names, the getpwnam function checks the user name using
> strcasecmp. The returned struct passwd contain the name in the original
> case, though, and that in turn is used in match_user() to check the user
> name.
>
> The most simple patch would be
>
> Index: match.c
> ===================================================================
> RCS file: /cvs/openssh/match.c,v
> retrieving revision 1.26
> diff -u -p -r1.26 match.c
> --- match.c 10 Jun 2008 23:34:46 -0000 1.26
> +++ match.c 2 Feb 2010 10:40:26 -0000
> @@ -98,7 +98,7 @@ match_pattern(const char *s, const char > return 0; > > /* Check if the next character of the string is acceptable. */ > - if (*pattern != '?' && *pattern != *s) > + if (*pattern != '?' && tolower (*pattern) != tolower (*s)) > return 0; > > /* Move to the next character, both in string and in pattern. */
>
> Wouldn't that be acceptable for Unix as well, given that the username is
> supposed not to contain capital letters anyway? This function is also
> used to compare hostnames, and hostnames are usually case-insensitive as
> well, so this would be the right thing to do to allow arbitrary host
> strings. Is there any advantage to do the pattern matching case-sensitive?
>
> Alternatively, wouldn't it make sense to add a parameter to
> match_pattern and match_pattern_list to control case-sensitivity when
> calling these functions?

Of course, using tolower has an obvious disadvantage. It doesn't work for multibyte codesets, like UTF-8. Usernames are stored in UTF-16 in Windows and consequentially they can contain any character from the entire Unicode range. So, after all, it might be more feasible to convert the string and the pattern to wide char, call towlower on the string, and convert back to multibyte, before calling match_pattern.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

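The following is an added example, not OpenSSH code and not Corinna's patch, showing the two alternatives from her two messages together: a match_pattern() with an explicit case-sensitivity parameter, and a fold that goes through wide characters (mbstowcs/towlower/wcstombs) so multibyte names are handled, falling back to byte-wise tolower() with the unsigned char cast it needs. The matcher is a simplified re-implementation written for this example, and the names match_pattern_cs, fold_case and the ci parameter are assumptions of the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Simplified re-implementation of OpenSSH match_pattern() semantics written
 * for this example: '*' matches any run of characters (including none),
 * '?' matches exactly one, everything else must compare equal. */
static int
match_pattern_cs(const char *s, const char *pattern)
{
	for (;;) {
		if (*pattern == '\0')		/* pattern used up: s must be too */
			return *s == '\0';
		if (*pattern == '*') {
			while (*pattern == '*')	/* collapse runs of '*' */
				pattern++;
			if (*pattern == '\0')	/* trailing '*' matches the rest */
				return 1;
			for (; *s != '\0'; s++)	/* try every suffix of s */
				if (match_pattern_cs(s, pattern))
					return 1;
			return 0;
		}
		if (*s == '\0')
			return 0;
		if (*pattern != '?' && *pattern != *s)
			return 0;
		s++;
		pattern++;
	}
}

/* Lower-case a copy of s. The string is converted to wide characters and
 * folded with towlower(), so multibyte codesets such as UTF-8 work when the
 * current LC_CTYPE supports them (Corinna's suggestion). If conversion fails,
 * fall back to byte-wise tolower(), cast through unsigned char because
 * tolower() on a negative char value is undefined behaviour.
 * The caller frees the result; NULL means allocation failed. */
static char *
fold_case(const char *s)
{
	char *out = NULL;
	size_t n = mbstowcs(NULL, s, 0);

	if (n != (size_t)-1) {
		wchar_t *w = calloc(n + 1, sizeof(*w));

		if (w != NULL && mbstowcs(w, s, n + 1) != (size_t)-1) {
			size_t i, m;

			for (i = 0; i < n; i++)
				w[i] = towlower(w[i]);
			m = wcstombs(NULL, w, 0);
			if (m != (size_t)-1 && (out = malloc(m + 1)) != NULL &&
			    wcstombs(out, w, m + 1) == (size_t)-1) {
				free(out);
				out = NULL;
			}
		}
		free(w);
	}
	if (out == NULL) {
		unsigned char *p;

		if ((out = malloc(strlen(s) + 1)) == NULL)
			return NULL;
		strcpy(out, s);
		for (p = (unsigned char *)out; *p != '\0'; p++)
			*p = (unsigned char)tolower(*p);
	}
	return out;
}

/* The per-call switch Corinna proposed: ci == 0 keeps exact, Unix-style
 * matching (so "Corinna" and "corinna" stay different accounts, as Robert
 * points out); ci != 0 folds both string and pattern before matching.
 * Returns 1 on match, 0 otherwise (also 0 when folding fails). */
int
match_pattern(const char *s, const char *pattern, int ci)
{
	char *fs, *fp;
	int r;

	if (!ci)
		return match_pattern_cs(s, pattern);
	fs = fold_case(s);
	fp = fold_case(pattern);
	r = (fs != NULL && fp != NULL) ? match_pattern_cs(fs, fp) : 0;
	free(fs);
	free(fp);
	return r;
}
```

Call setlocale(LC_CTYPE, "") before using it if names may contain non-ASCII characters; in the C locale only ASCII is folded.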
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Wed, 03 Feb 2010 13:37:14 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <20100202105356.GA17818@calimero.vinschen.de>
References: <12FF1C857C510C43BA8B1B028B69AD52BEC9E2@HICGWSEX01.ad.harman.com> <20100202105356.GA17818@calimero.vinschen.de>
Message-ID: <4B696DFA.5000800@gmx.net>

Hi,

On 02.02.2010 11:53, Corinna Vinschen wrote:
> - if (*pattern != '?' && *pattern != *s)
> + if (*pattern != '?' && tolower (*pattern) != tolower (*s))

> Wouldn't that be acceptable for Unix as well, given that the username is
> supposed not to contain capital letters anyway?

I wouldn't consider this acceptable. Corinna is someone else in Unix than corinna.

Regards,
Robert

From: edk at caribbeanblue.ru (Konstantin Leonov)
Date: Thu, 4 Feb 2010 00:12:58 +0500
Subject: Hacking source: un-forward local port?

Hello!

I was looking around for a solution which would allow me to un-forward an already locally forwarded port but had no luck.

So I decided to try and add it myself.
I am not a good C coder, in fact, I've never really coded under unix before (it's just half a year since I fully moved from windowz). Here is what I made by now:
http://www.linuxquestions.org/questions/programming-9/c-coding-hacking-ssh-dynamic-local-port-forwarding-implementation-786608/
By querying ~C and "-KL" now it is possible to remove a local listener and later reuse it to forward to another destination.
I didn't test it with specifying a bind address, and I guess that will probably fail anyway since I've only one input param in the newly created function.

If this hack can be of any help and developed further, to be added in OpenSSH later: that would be great! In fact I just had nothing to do and some guy on a forum posted that question about the impossibility of removing a local port forward in openssh so I took some time and tried to hack the sources to implement that myself, just my curiosity.
Maybe if I wish, I'll get back to this later and see if I can improve it and make it not as ugly a hack as it is now :)

Anyway, can someone explain to me why such an easy thingy has not been fully implemented recently? No one ever asked? No one ever thought? Or was it me who didn't search well enough? Anyway, it is neither in stable nor in SVN releases. Dynamic un-forwarding works great in PuTTY, for instance.

Konstantin.

From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 3 Feb 2010 15:19:13 -0500
Subject: Hacking source: un-forward local port?
Message-ID: <09D63DD6-E073-4476-8F9E-4A15FBD9E2E7@doxpara.com>

I'm something of a fan of -D and socksifying client apps. Better than littering local port namespace, anyway.

On Feb 3, 2010, at 2:12 PM, Konstantin Leonov wrote:

> Hello!
>
> I was looking around for a solution which would allow me to un-forward
> already locally forwarded port but had no luck.
>
> So I decided to try and add it myself.
> I am not a good C coder, in fact, I've never really coded under unix
> before(it's just half a year since I fully moved from windowz). Here
> is what I made by now:
> http://www.linuxquestions.org/questions/programming-9/c-coding-hacking-ssh-dynamic-local-port-forwarding-implementation-786608/
> By querying ~C and "-KL" now it is possible to remove local
> listener and later, reuse it to forward to another destination.
> I didn't test it with specifying bind address, and I guess that will
> probably fail anyways since I've only one input param in newly created
> function.
>
> If this hack can be of any help and developed further, to be added in
> OpenSSH later: that would be great! In fact I just had nothing to do
> and some guy on forum posted that question about impossibility of
> removing local port forward in openssh so I took some time and tried
> to hack sources to implement that myself, just my curiosity.
> Maybe if I'll wish, I'll get back to this later and see if I can
> improve it and make it not as ugly hack as it is now :)
>
> Anyway, can someone explain me why such an easy thingy has not been
> fully implemented recently? Noone ever asked? Noone ever thought? Or
> it was me who searched not good enough? Anyways it is neither in
> stable nor in SVN releases. Dynamic un-forwarding works great in
> PuTTY, for instance.
>
> Konstantin.

From: djm at mindrot.org (Damien Miller)
Date: Thu, 4 Feb 2010 12:49:24 +1100 (EST)
Subject: Hacking source: un-forward local port?

On Thu, 4 Feb 2010, Konstantin Leonov wrote:

> Hello!
>
> I was looking around for a solution which would allow me to un-forward
> already locally forwarded port but had no luck.

I plan to add this through the ControlMaster socket, but haven't got around to it yet. Hopefully I will get it in before 5.4, but it isn't looking likely.

Until then I recommend you use -D/DynamicForward and a socks client, e.g. OpenBSD's netcat or Goto-san's connect.c[1]

-d

[1] http://www.meadowy.org/~gotoh/ssh/connect.c

From: joachim at joachimschipper.nl (Joachim Schipper)
Date: Thu, 4 Feb 2010 21:31:04 +0100
Subject: "phishing" (was: [patch] Automatically add keys to agent)
In-Reply-To: <20100201212902.GY30476@marklar.spinoli.org>
References: <20100201212902.GY30476@marklar.spinoli.org>
Message-ID: <20100204203104.GB28192@polymnia.sshunet.nl>

[Sorry for the wait; I've been/am extremely busy.]

On Mon, Feb 01, 2010 at 04:29:02PM -0500, Hank Leininger wrote:
> On 2010-01-30, Joachim Schipper wrote:
> > [Y]ou argue that connecting to malicious hosts is [and will remain]
> > secure, but that it will become easier to convince people to send
> > the passphrase for their key [once my patch to automatically add
> > keys to the agent has been applied].
>
> Yes. Exactly.
>
> [ ObDisclaimer: not "is currently secure" but "is currently secure as
> far as we know" ;) ]

> > You are not wrong, but isn't this point applicable to [the current
> > situation as much as to] my patch? And do you know why it
> > hasn't been addressed yet?
>
> Agreed. Really this has always been an issue--people may debate over
> how large or small, but it has always been there. I do not know that it
> has been discussed specifically, but it's akin to fake login prompts in
> computer labs / internet cafe's, fake "Good signature" PGP output in the
> top of an email (when using a text reader like pine and pgp4pine, where
> there's no clear delineation between filter-added-headers and message
> body), etc.
>
> So, I'm not saying the proposed patch introduces a new technical
> vulnerability. What it (may) do is change people's behavior /
> expectations, making the social / phishing vulnerability larger than it
> was before.
>
> There is probably room for an entirely different discussion of: can the
> ssh(1) client do anything to reduce the risk of this? Such as
> canary'ing the prompts, in a way easy for the user to verify, but hard
> for a remote system to blindly guess?
> I don't have any good ideas that
> seem clean enough to not be highly annoying (or have untenable
> requirements like "there must be an X display that ssh can talk to, to
> pop the request up in"), but strong enough not to be faked out. ...If
> that were sufficiently addressed, then this downside to AddKeyToAgent
> would go away too.

I've thought about this a bit. It's possible to solve the more basic attacks by cribbing telnet's messages:

(All is well, user makes a typo)

    me at myhost $ ssh goodhost
    me at goodhost's password:
    me at goodhost's password:
    >> Connected to goodhost.
    me at goodhost $ exit
    >> Connection closed by foreign host.
    me at myhost $

(Fake prompt; "Connected to..." tips off user)

    me at myhost $ ssh badhost
    me at badhost's password:
    >> Connected to badhost.
    me at badhost's password:

(Ignore exit; lack of "Connection closed..." tips off user)

    me at myhost $ ssh badhost
    me at badhost's password:
    Connected to badhost.
    me at badhost $ exit
    >> me at myhost $

I don't think it's possible to prevent this, though:

(Pretend to crash, user enters password into an unrelated program)

    me at myhost $ ssh badhost
    me at badhost's password:
    Connected to badhost.
    >> Segmentation fault (core dumped)
    >> me at myhost $ sudo -v
    >> Password:

On the other hand, ssh crashing is rare enough to make people pay attention and checking for this attack is easy (press ~), so the telnet messages may be good enough. (Note that a watcher process wouldn't help; people wouldn't know to expect a "Connection closed: ssh crashed" message.)

Can you spot any flaws? Do you have any suggestions?

Joachim

P.S. As a UI issue, "Channel closed" should be used instead of "Connection closed" when closing one channel of a multiplexed connection.

From: petesea at bigfoot.com (petesea at bigfoot.com)
Date: Thu, 04 Feb 2010 18:09:25 -0800 (PST)
Subject: Debug server prints debug messages on client

Last June I asked the following question, but didn't receive any responses:

http://marc.info/?l=openssh-unix-dev&m=124406679122871&w=2

I just did the same test using openssh-5.3p1 and the results are the same.

Is this a bug? Or intentional?

If it's a bug, I'll report it. If it's intentional, any chance it could be changed? Or a server-side way to override it?

From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Feb 2010 14:10:35 +1100
Subject: Debug server prints debug messages on client
Message-ID: <4B6B8C2B.9080009@zip.com.au>

petesea at bigfoot.com wrote:
> Last June I asked the following question, but didn't receive any responses:
>
> http://marc.info/?l=openssh-unix-dev&m=124406679122871&w=2
>
> I just did the same test using openssh-5.3p1 and the results are the same.
>
> Is this a bug? Or intentional?
>
> If it's a bug, I'll report it. If it's intentional, any chance it
> could be changed? Or a server-side way to override it?

/path/to/sshd -De -o LogLevel=debug3 used to do it (although it looks like a debug3 leaked in there recently).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: minger at gmail.com (Ming)
Date: Thu, 4 Feb 2010 23:03:06 -0500
Subject: ssh -f and pid

I'd like to second the patch -- or functionality like it -- that Folkert van Heusden proposed twelve months ago for the distribution.

Without ssh -f returning the pid to the caller, numerous daemon and script monitor packages can't manage ssh, as they can countless other daemons that properly return pid. A monitor needs to record the pids of ssh processes it has started to kill them or to know when they have died. Proper keep alive settings are no use against connections reset by peer.

> Hi,
>
> Ssh -f forks itself in the background. Very useful if you would like to e.g. tunnel munin over ssh.
> Now it's tricky to terminate one process if you have multiple running.
> It seems that ssh currently (looked at 5.1p1) has no write-pid-to-file functionality. So I implemented a patch which does so.
> Tested it a little and it seems to work.
> Hopefully it is of any use in my form or inspires the developers to implement this kind of functionality in the ssh distribution.
>
> Url: http://www.vanheusden.com/Linux/openssh-5.1p1_writepidfile.diff.gz

From: djm at mindrot.org (Damien Miller)
Date: Fri, 5 Feb 2010 15:21:25 +1100 (EST)
Subject: ssh -f and pid

On Thu, 4 Feb 2010, Ming wrote:

> I'd like to second the patch -- or functionality like it -- that
> Folkert van Heusden proposed twelve months ago for the distribution.
>
> Without ssh -f returning the pid to the caller, numerous daemon and
> script monitor packages can't manage ssh, as they can countless other
> daemons that properly return pid. A monitor needs to record the pids
> of ssh processes it has started to kill them or to know when they have
> died. Proper keep alive settings are no use against connections reset
> by peer.

It isn't necessary. You can tear down ssh connections from the control socket and learn the PID of a running SSH, see the commands listed under -O in ssh(1).

-d

From: minger at gmail.com (Ming)
Date: Thu, 4 Feb 2010 23:39:53 -0500
Subject: ssh -f and pid

On Thu, Feb 4, 2010 at 11:21 PM, Damien Miller wrote:

> On Thu, 4 Feb 2010, Ming wrote:
>
> > I'd like to second the patch -- or functionality like it -- that
> > Folkert van Heusden proposed twelve months ago for the distribution.
> >
> > Without ssh -f returning the pid to the caller, numerous daemon and
> > script monitor packages can't manage ssh, as they can countless other
> > daemons that properly return pid. A monitor needs to record the pids
> > of ssh processes it has started to kill them or to know when they have
> > died. Proper keep alive settings are no use against connections reset
> > by peer.
>
> It isn't necessary. You can tear down ssh connections from the control
> socket and learn the PID of a running SSH, see the commands listed
> under -O in ssh(1).
>
> -d
>

An individual can do a number of things with an understanding of and beyond the man page, but how do you get ssh to play nicely in an ecosystem of monitoring software?

Say the OS has a bunch of ssh processes active. How does the monitoring software know, in a standard way, which ones it created -- and thus track -- and which ones it hasn't? ControlPath has to be specified for -O and a command line query is required? How is ssh supposed to plug and play with monitoring software?

From: djm at mindrot.org (Damien Miller)
Date: Fri, 5 Feb 2010 16:49:17 +1100 (EST)
Subject: ssh -f and pid

On Thu, 4 Feb 2010, Ming wrote:

> > It isn't necessary. You can tear down ssh connections from the control
> > socket and learn the PID of a running SSH, see the commands listed
> > under -O in ssh(1).
> >
> A individual can do an number of things with a understanding of and beyond
> the man page, but how do you get ssh to play nicely in a ecosystem of
> monitoring software?

It isn't above and beyond the manpage, checking the state of a running connection is a clearly documented feature.

> Say the os has bunch of ssh processes active. How the monitoring software
> in a standard way which ones it created -- and thus track -- and which ones
> it hasn't?

It can request separate control sockets if it likes.

> ControlPath has to be specified for -O and command line query required? How
> is ssh suppose to plug and play with monitoring software?

I think the monitoring software needs to support ssh and not the other way around. There are lots of ways one might monitor ssh, and I don't think we could even be "plug and play" with all of them.

-d

From: minger at gmail.com (Ming)
Date: Fri, 5 Feb 2010 02:06:19 -0500
Subject: ssh -f and pid

On Fri, Feb 5, 2010 at 12:49 AM, Damien Miller wrote:
> On Thu, 4 Feb 2010, Ming wrote:
>
> > > It isn't necessary. You can tear down ssh connections from the control
> > > socket and learn the PID of a running SSH, see the commands listed
> > > under -O in ssh(1).
> > >
> > An individual can do a number of things with an understanding of and beyond
> > the man page, but how do you get ssh to play nicely in an ecosystem of
> > monitoring software?
>
> It isn't above and beyond the manpage, checking the state of a running
> connection is a clearly documented feature.
>
> > Say the OS has a bunch of ssh processes active. How does the monitoring software
> > know, in a standard way, which ones it created -- and thus track -- and which ones
> > it hasn't?
>
> It can request separate control sockets if it likes.
>
> > ControlPath has to be specified for -O and a command line query is required? How
> > is ssh supposed to plug and play with monitoring software?
>
> I think the monitoring software needs to support ssh and not the other
> way around. There are lots of ways one might monitor ssh, and I don't think
> we could even be "plug and play" with all of them.
>
> -d
>

The monitoring software just needs to know the pid of the command executed. That's all it needs to be plug and play. And they only kill the process by pid. Looking at all the times (via Google) you have offered the same ssh -O solution across the web to people who have asked for a pid over the years, it seems that it is *your* stance not to be "plug and play."

The few monitoring packages I experimented with all expect a pid from the daemon.

Luckily, I could find one package, autossh, that specifically -- and only -- monitors ssh. Now, I have to run two packages, one to monitor ssh specifically and one for all my other daemons and scripts.

At least it works. Would the security of openssh be so compromised by spitting out its pid?

-M

From minger at gmail.com Fri Feb 5 18:14:40 2010
From: minger at gmail.com (Ming)
Date: Fri, 5 Feb 2010 02:14:40 -0500
Subject: ssh -f and pid

Just to be clear, even with van Heusden's patch to ssh, it would not be "plug and play." At least ssh could meet the dominant paradigm of tracking pid half-way through the pid file. Half-way, part-way, is a lot better than the socket no-way.

On Fri, Feb 5, 2010 at 2:06 AM, Ming wrote:
>
> On Fri, Feb 5, 2010 at 12:49 AM, Damien Miller wrote:
>
>> On Thu, 4 Feb 2010, Ming wrote:
>>
>> > > It isn't necessary. You can tear down ssh connections from the control
>> > > socket and learn the PID of a running SSH, see the commands listed
>> > > under -O in ssh(1).
>> > >
>> > An individual can do a number of things with an understanding of and beyond
>> > the man page, but how do you get ssh to play nicely in an ecosystem of
>> > monitoring software?
>>
>> It isn't above and beyond the manpage, checking the state of a running
>> connection is a clearly documented feature.
>>
>> > Say the OS has a bunch of ssh processes active. How does the monitoring software
>> > know, in a standard way, which ones it created -- and thus track -- and which ones
>> > it hasn't?
>>
>> It can request separate control sockets if it likes.
>>
>> > ControlPath has to be specified for -O and a command line query is required? How
>> > is ssh supposed to plug and play with monitoring software?
>>
>> I think the monitoring software needs to support ssh and not the other
>> way around. There are lots of ways one might monitor ssh, and I don't think
>> we could even be "plug and play" with all of them.
>>
>> -d
>>
>
> The monitoring software just needs to know the pid of the command executed.
> That's all it needs to be plug and play. And they only kill the process by
> pid. Looking at all the times (via Google) you have offered the same ssh
> -O solution across the web to people who have asked for a pid over the years, it
> seems that it is *your* stance not to be "plug and play."
>
> The few monitoring packages I experimented with all expect a pid from the
> daemon.
>
> Luckily, I could find one package, autossh, that specifically -- and only
> -- monitors ssh. Now, I have to run two packages, one to monitor ssh
> specifically and one for all my other daemons and scripts.
>
> At least it works. Would the security of openssh be so compromised by
> spitting out its pid?
>
> -M
>

From vinay.purohit at nomura.com Fri Feb 5 18:43:14 2010
From: vinay.purohit at nomura.com (vinay.purohit at nomura.com)
Date: Fri, 5 Feb 2010 13:13:14 +0530
Subject: Segmentation Fault while compiling and installing openssh-3.9p1
Message-ID: <4360815C40D4CF48852D5253A88E84AF03BFB467@mumex3008.ASIAPAC.NOM>

I am trying to compile and install openssh-3.9p1 (with openssl-0.9.7j) on my personal dev env to have a play. I get the below mentioned segmentation fault message.

---------
Generating public/private rsa1 key pair.
/bin/sh: line 1: 10901 Segmentation fault ./ssh-keygen -t rsa1 -f /home/vinay/var/vinay_ssh/etc/ssh_host_key -N ""
Generating public/private dsa key pair.
/bin/sh: line 1: 10902 Segmentation fault ./ssh-keygen -t dsa -f /home/vinay/var/vinay_ssh/etc/ssh_host_dsa_key -N ""
Generating public/private rsa key pair.
/bin/sh: line 1: 10903 Segmentation fault ./ssh-keygen -t rsa -f /home/vinay/var/vinay_ssh/etc/ssh_host_rsa_key -N ""
make: *** [host-key] Error 139
---------

My configure and install script looks something like this:

./configure --with-libs=-ldl --includedir=$HOME/var/vinay_ssh/include --prefix=$HOME/var/vinay_ssh --exec_prefix=$HOME/var/vinay_ssh --with-ssl-dir=$HOME/var/openssl
make clean
make install

The config step shows this:

OpenSSH has been configured with the following options:
User binaries: /home/vinay/var/vinay_ssh/bin
System binaries: /home/vinay/var/vinay_ssh/sbin
Configuration files: /home/vinay/var/vinay_ssh/etc
Askpass program: /home/vinay/var/vinay_ssh/libexec/ssh-askpass
Manual pages: /home/vinay/var/vinay_ssh/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/home/vinay/var/vinay_ssh/bin
Manpage format: doc
PAM support: no
KerberosV support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/home/vinay/var/openssl/include
Linker flags: -L/home/vinay/var/openssl/lib
Libraries: -lcrypto -lutil -lz -lnsl -ldl -lcrypt -lresolv -lresolv

Can someone shed light on why the segmentation fault could be generated?

Regds
Vinay

From dtucker at zip.com.au Fri Feb 5 21:52:05 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Feb 2010 21:52:05 +1100
Subject: Segmentation Fault while compiling and installing openssh-3.9p1
In-Reply-To: <4360815C40D4CF48852D5253A88E84AF03BFB467@mumex3008.ASIAPAC.NOM>
References: <4360815C40D4CF48852D5253A88E84AF03BFB467@mumex3008.ASIAPAC.NOM>
Message-ID: <4B6BF855.6000904@zip.com.au>

vinay.purohit at nomura.com wrote:
> I am trying to compile and install openssh-3.9p1 (with openssl-0.9.7j)

That openssh version is 6 years old and the openssl version is 4 years old.

> on my personal dev env to have a play. I get the below mentioned
> segmentation fault message.
>
> ---------
> Generating public/private rsa1 key pair.
> /bin/sh: line 1: 10901 Segmentation fault ./ssh-keygen -t rsa1 -f

I'm guessing it's crashing in libcrypto, which probably means it's broken. Does openssl's self-test ("make test") pass? How about with current versions of both?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Fri Feb 5 22:23:22 2010
From: djm at mindrot.org (Damien Miller)
Date: Fri, 5 Feb 2010 22:23:22 +1100 (EST)
Subject: ssh -f and pid

On Fri, 5 Feb 2010, Ming wrote:
> The monitoring software just needs to know the pid of the command executed.
> That's all it needs to be plug and play. And they only kill the process by
> pid. Looking at all the times (via Google) you have offered the same ssh
> -O solution across the web to people who have asked for a pid over the years, it
> seems that it is *your* stance not to be "plug and play."
>
> The few monitoring packages I experimented with all expect a pid from the daemon.
>
> Luckily, I could find one package, autossh, that specifically -- and only --
> monitors ssh. Now, I have to run two packages, one to monitor ssh
> specifically and one for all my other daemons and scripts.
>
> At least it works. Would the security of openssh be so compromised by
> spitting out its pid?

It is difficult holding a conversation with someone who refuses to listen to advice, so let me make this as simple as possible:

[djm at demiurge ~]$ ssh -nNfS ~/ctl-sock-blah localhost
[djm at demiurge ~]$ ssh -S ~/ctl-sock-blah -O check localhost
Master running (pid=3517)
[djm at demiurge ~]$ ssh -S ~/ctl-sock-blah -O exit localhost
Exit request sent.

Like I said, it is easy to determine the PID via the control socket.

-d

From chris at qwirx.com Fri Feb 5 20:04:28 2010
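The transcript above, done from a C monitor rather than an interactive shell. This is an added example, not code from the thread or from OpenSSH: it runs `ssh -S <sock> -O check <host>` via fork/exec (no shell, so a hostile socket path or host name cannot inject commands), captures the status line ssh prints (ssh writes it to stderr, so both streams are captured) and parses the PID out of `Master running (pid=N)`. The socket path and host in main() are placeholders; `-O exit` is wrapped the same way for teardown.

```c
/* Added example: query an OpenSSH control master for its PID from C.
 * Assumes a master was started with "ssh -nNfS <sock> <host>" and that
 * "ssh -S <sock> -O check <host>" prints "Master running (pid=N)". */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Extract N from a line such as "Master running (pid=3517)".
 * Returns N, or -1 if no "pid=<digits>" is present (for example the
 * "Control socket connect(...): No such file or directory" error). */
long parse_master_pid(const char *line)
{
    const char *p = strstr(line, "pid=");
    char *end;
    long pid;

    if (p == NULL)
        return -1;
    p += strlen("pid=");
    errno = 0;
    pid = strtol(p, &end, 10);
    if (errno != 0 || end == p || pid <= 0)
        return -1;
    return pid;
}

/* Run "ssh -S sock -O op host" without a shell and capture everything it
 * writes to stdout and stderr into out.  Returns bytes captured or -1. */
static ssize_t run_mux_command(const char *sock, const char *op,
                               const char *host, char *out, size_t outlen)
{
    int fds[2], status;
    pid_t child;
    ssize_t n, total = 0;

    if (pipe(fds) == -1)
        return -1;
    child = fork();
    if (child == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (child == 0) {
        dup2(fds[1], STDOUT_FILENO);   /* the -O status line goes to stderr; */
        dup2(fds[1], STDERR_FILENO);   /* capture both to be safe */
        close(fds[0]);
        close(fds[1]);
        execlp("ssh", "ssh", "-S", sock, "-O", op, host, (char *)NULL);
        _exit(127);                    /* exec failed */
    }
    close(fds[1]);
    while (total < (ssize_t)outlen - 1 &&
           (n = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += n;
    out[total] = '\0';
    close(fds[0]);
    waitpid(child, &status, 0);
    return total;
}

/* PID of the master behind sock, or -1 if none is running. */
long control_master_pid(const char *sock, const char *host)
{
    char buf[256];

    if (run_mux_command(sock, "check", host, buf, sizeof buf) < 0)
        return -1;
    return parse_master_pid(buf);
}

/* Ask the master to shut down, as "ssh -S sock -O exit host" does. */
int control_master_exit(const char *sock, const char *host)
{
    char buf[256];

    return run_mux_command(sock, "exit", host, buf, sizeof buf) < 0 ? -1 : 0;
}

int main(void)
{
    /* Placeholder socket path and host; replace with the monitor's own. */
    long pid = control_master_pid("/tmp/ctl-sock-example", "localhost");

    if (pid < 0)
        printf("no control master running\n");
    else
        printf("control master pid %ld\n", pid);
    return 0;
}
```

A monitor that starts each tunnel with its own `-S` path (the "separate control sockets" Damien mentions) can then tell its own masters apart from any other ssh processes on the box, and can stop them with `-O exit` instead of sending signals to a PID it guessed.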
From: chris at qwirx.com (Chris Wilson)
Date: Fri, 5 Feb 2010 10:04:28 +0100 (CET)
Subject: Segmentation Fault while compiling and installing openssh-3.9p1
In-Reply-To: <4360815C40D4CF48852D5253A88E84AF03BFB467@mumex3008.ASIAPAC.NOM>
References: <4360815C40D4CF48852D5253A88E84AF03BFB467@mumex3008.ASIAPAC.NOM>

Hi Vinay,

On Fri, 5 Feb 2010, vinay.purohit at nomura.com wrote:
> I am trying to compile and install openssh-3.9p1 (with openssl-0.9.7j)
> on my personal dev env to have a play. I get the below mentioned
> segmentation fault message.

I'm not quite sure where you got the impression that people would give up their free time to debug a five-year-old version of OpenSSH and a three-year-old version of OpenSSL. I certainly wouldn't.

If you're reporting a bug in OpenSSH, you could at least do everyone the courtesy of trying with the latest version, to ensure that it's not a bug that's already been fixed in the last five years, and thus a complete waste of time to investigate and fix again.

Also you did not provide nearly enough information about your platform, nor a debugger backtrace of the segmentation fault.

Cheers, Chris.
--
 _ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |

From eric.hu at harman.com Sat Feb 6 11:38:25 2010
From: eric.hu at harman.com (Hu, Eric)
Date: Fri, 5 Feb 2010 18:38:25 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <20100202113902.GA19205@calimero.vinschen.de>
Message-ID: <12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com>

From the below code (lines 191-203 of auth.c in allowed_user, called from getpwnamallow), the logic for "AllowUsers" calls match_user with the passwd struct's name (line 194). This should fail if the wrong case combination is given, should it not?

	/* Return false if AllowUsers isn't empty and user isn't listed there */
	if (options.num_allow_users > 0) {
		for (i = 0; i < options.num_allow_users; i++)
			if (match_user(pw->pw_name, hostname, ipaddr,
			    options.allow_users[i]))
				break;
		/* i < options.num_allow_users iff we break for loop */
		if (i >= options.num_allow_users) {
			logit("User %.100s from %.100s not allowed because "
			    "not listed in AllowUsers", pw->pw_name, hostname);
			return 0;
		}
	}

The only thing consistent with what I originally saw and the above is if getpwnam (where pw in the above code comes from) returns the all-lowercase version of the name in the passwd struct.

I think the problem might be in auth2.c. Lines 234-236 are shown below.

	/* setup auth context */
	authctxt->pw = PRIVSEP(getpwnamallow(user));
	authctxt->user = xstrdup(user);

From this, it is possible for authctxt->user to hold a different string than authctxt->pw->pw_name. Perhaps the patch is simply changing line 236 to the following?

	authctxt->user = xstrdup(authctxt->pw->pw_name);

I'm not familiar enough with the code to track down what happens to the lines under "Match User" in the configuration file.

-----Original Message-----
From: openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org [mailto:openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org] On Behalf Of Corinna Vinschen
Sent: Tuesday, February 02, 2010 3:39 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: case sensitivity, "Match User" and "AllowUsers"

On Feb 2 11:53, Corinna Vinschen wrote:
> On Feb 2 11:25, Damien Miller wrote:
> > [+Corinna Vinschen]
>
> Thanks, but not necessary, I'm subscribed to this list anyway.
>
> > It looks like Windows is matching users case-insensitively. OpenSSH
> > always performs case-sensitive matching (following Unix). If this is
> > the case, then perhaps we should tolower() all usernames on Windows?
>
> That might be a good idea. I was surprised to read what Eric wrote, but
> it turned out that this is just a result of how getpwnam is implemented
> in Cygwin. Given Windows' underlying case-insensitivity in terms of
> user and group names, the getpwnam function checks the user name using
> strcasecmp. The returned struct passwd contains the name in the original
> case, though, and that in turn is used in match_user() to check the user
> name.
>
> The most simple patch would be
>
> Index: match.c
> ===================================================================
> RCS file: /cvs/openssh/match.c,v
> retrieving revision 1.26
> diff -u -p -r1.26 match.c
> --- match.c 10 Jun 2008 23:34:46 -0000 1.26
> +++ match.c 2 Feb 2010 10:40:26 -0000
> @@ -98,7 +98,7 @@ match_pattern(const char *s, const char
> return 0;
>
> /* Check if the next character of the string is acceptable. */
> - if (*pattern != '?' && *pattern != *s)
> + if (*pattern != '?' && tolower (*pattern) != tolower (*s))
> return 0;
>
> /* Move to the next character, both in string and in pattern. */
>
> Wouldn't that be acceptable for Unix as well, given that the username is
> supposed not to contain capital letters anyway? This function is also
> used to compare hostnames, and hostnames are usually case-insensitive as
> well, so this would be the right thing to do to allow arbitrary host
> strings. Is there any advantage to doing the pattern matching case-sensitive?
>
> Alternatively, wouldn't it make sense to add a parameter to
> match_pattern and match_pattern_list to control case-sensitivity when
> calling these functions?

Of course, using tolower has an obvious disadvantage. It doesn't work for multibyte codesets, like UTF-8. Usernames are stored in UTF-16 in Windows and consequentially they can contain any character from the entire Unicode range. So, after all, it might be more feasible to convert the string and the pattern to wide char, call towlower on the string, and convert back to multibyte, before calling match_pattern.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From mouring at eviladmin.org Sat Feb 6 15:18:19 2010
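Review bot: `tolower (*pattern)` and `tolower (*s)` in the changed line pass plain `char` values; where `char` is signed, any byte at or above 0x80 (precisely the multibyte UTF-8 bytes the paragraph after the patch worries about) arrives as a negative int, which is undefined behaviour for tolower(). Cast first: `if (*pattern != '?' && tolower((unsigned char)*pattern) != tolower((unsigned char)*s))`. Separately, match_pattern() is shared with the hostname matching mentioned just below the hunk, so folding case unconditionally here changes every caller at once; the case-sensitivity parameter on match_pattern()/match_pattern_list() suggested in the same message keeps the change scoped to the user-name check, and the hunk as written should also say which callers it intends to affect.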
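To make the disagreement Eric traces through auth.c/auth2.c and the case-folding Corinna proposes concrete, here is an added example. It is not OpenSSH code: a small '*'/'?' glob matcher in the style of match_pattern() with the case-sensitivity parameter suggested above, a constructed stand-in for Cygwin's getpwnam() (case-insensitive lookup, pw_name returned in its stored case), and a check that reproduces why "AllowUsers" (tested against pw_name) and "Match User" (tested against the typed name) can disagree, and why canonicalising the typed name to pw_name, as Eric's one-line change does, makes them agree. The account table and names are constructed for the example.

```c
/* Added example, not OpenSSH code.  Models the AllowUsers / Match User
 * case-sensitivity discrepancy described in the thread. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Compare two bytes, folding ASCII case when fold is non-zero.  The cast
 * to unsigned char keeps tolower() defined for bytes >= 0x80; it is still
 * not a correct fold for multibyte UTF-8, as the thread points out. */
static int byte_eq(char a, char b, int fold)
{
    if (!fold)
        return a == b;
    return tolower((unsigned char)a) == tolower((unsigned char)b);
}

/* Return 1 if s matches pattern: '*' matches any run of characters,
 * '?' exactly one, and every other byte must match (modulo fold).
 * Same wildcard vocabulary as OpenSSH's match_pattern(), plus the
 * fold parameter Corinna suggests adding. */
int match_pattern_ci(const char *s, const char *pattern, int fold)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            while (*pattern == '*')
                pattern++;
            if (*pattern == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (match_pattern_ci(s, pattern, fold))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*pattern != '?' && !byte_eq(*pattern, *s, fold))
            return 0;
        s++;
        pattern++;
    }
}

/* Constructed stand-in for the password database: names in the case the
 * accounts were created with. */
static const char *const accounts[] = { "user", "alice", NULL };

/* Model of Cygwin's getpwnam() as described in the thread: the lookup is
 * case-insensitive, but the pw_name handed back keeps the stored case. */
const char *lookup_pw_name(const char *typed)
{
    int i;

    for (i = 0; accounts[i] != NULL; i++)
        if (strcasecmp(accounts[i], typed) == 0)
            return accounts[i];
    return NULL;
}

/* AllowUsers is checked against pw->pw_name, Match User against the
 * string the client typed.  Returns 1 only when both checks accept the
 * login for allow_pattern.  With canonicalise set, the typed name is
 * replaced by pw_name first (Eric's proposed change to auth2.c). */
int both_checks_agree(const char *typed, const char *allow_pattern,
                      int canonicalise)
{
    const char *pw_name = lookup_pw_name(typed);
    int allow, match_block;

    if (pw_name == NULL)
        return 0;                                   /* unknown account */
    allow = match_pattern_ci(pw_name, allow_pattern, 0);
    match_block = match_pattern_ci(canonicalise ? pw_name : typed,
                                   allow_pattern, 0);
    return allow && match_block;
}

int main(void)
{
    const char *typed[] = { "user", "usEr", "USER" };
    int i;

    for (i = 0; i < 3; i++)
        printf("%-5s both checks agree: as typed=%d canonicalised=%d\n",
               typed[i], both_checks_agree(typed[i], "user", 0),
               both_checks_agree(typed[i], "user", 1));
    return 0;
}
```

Running it shows "usEr" and "USER" passing AllowUsers but not the Match block until the typed name is canonicalised. The same pair of checks run against a Unix getpwnam(), which fails the lookup for "usEr" outright, never reaches the disagreement, which is why the behaviour only surfaced on Cygwin.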
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Fri, 5 Feb 2010 22:18:19 -0600
Subject: sshd killed due to dos attack
Message-ID: <981E08F6-52DF-40D7-955F-B33F6E12D8A5@eviladmin.org>

On Jan 28, 2010, at 3:30 AM, ravindra Chavalam wrote:
> Hi Ben,
>
> Thanks a lot for the response. I gave MaxStartups 10:30:60 (these are
> defaults I suppose for our requirements). Still facing the same issue. Is
> sshd getting killed the expected behaviour? In that case how can I work
> around so that instead of killing sshd I just drop extra connections. Also
> interesting fact is drop_connections is not getting called?

If your programming is causing sshd to segfault, then you need to figure out what combination of garbage you're sending is doing that. I suspect you're triggering an edge case that isn't being handled gracefully.

The proper behavior is that sshd will continue to run and will drop all or random connections based on the MaxStartups definition.

- Ben

From lgupta1 at hotmail.com Sat Feb 6 15:42:51 2010
From: lgupta1 at hotmail.com (Lokesh Gupta)
Date: Sat, 6 Feb 2010 04:42:51 +0000
Subject: Logging all user commands

Hi!!

We are looking to implement a solution where in the background we want to capture all the commands typed by a user.

One of the ways we are thinking of achieving this is to make some changes at an appropriate place in the ssh client's program flow. Given the ssh client eventually sends the command typed by the user to the sshd, I am sure somewhere within the ssh program there is a place where the "string" typed by the user is present.

Can someone please tell?

(i) If there already is a string that carries the command that has been typed by the user? If so, do you know where it is? Which file we should be looking at in the ssh codebase?

(ii) Is this feature already implemented by someone? If so, we can perhaps just leverage that rather than doing any additional coding for this?

Business Reasons for why this is required
-----
Typically in a large public enterprise, you want to make sure that there is controlled access to your production environments. In addition, you also want to make sure that you have some sort of audit trail in place when a person has logged in to the production environment and know what commands s/he has typed - this on one side acts as a deterrent to someone who is not being a good corporate citizen, and at the same time also helps analyze what did we do wrong when say doing a post-mortem of a production issue for which someone had to login to a prod box and do some fixes.

Any help with this will be greatly appreciated.

Regards
Lokesh

From ralf.hack at gmail.com Sat Feb 6 21:24:15 2010
From: ralf.hack at gmail.com (Ralf Hack)
Date: Sat, 6 Feb 2010 10:24:15 +0000
Subject: Logging all user commands
Message-ID: <2e9b14771002060224n27fb8b4br6335163f763144e8@mail.gmail.com>

Hi,

interception of data is technically possible but I doubt you will find what you are looking for. In ssh there can be many command streams when you tunnel a connection from one server to another for example.

It would be much more suitable to audit any changes on the server side within the user environment. Suitably configured login/logout scripts can capture the command history of your chosen shell environment for example. Suitably configured restricted shells can offer restricted access to executables based on role. Or you can use products such as grsecurity (www.grsecurity.org) which appears to allow audit logging to be configured to user groups. Often, I use 'screen' myself to record an installation into a logfile for further reference. In a much more draconian move you can force access through a key logging server as the only portal for making changes to the system.

Do not fall into the temptation of 'fixing' ssh which was designed for security, networking and connectivity. These are quite opposite principles from the full audit and micro audit of the business model you are seeking.

In general I consider the overall premise to audit log all changes unfeasible. What about the changes to the configuration file that were done 6/12/18 months ago and now that the server gets restarted kick in and prevent you from starting some service. How will you be able to find the exact change? Or when looking at post mortem audit against a system in a state that is not known it becomes very tricky to track back the actual changes. Consider someone changes the /etc/group file using an interactive command (e.g. vi /etc/group 10Gcw5 u :q!) then you have a very difficult time to identify what exactly was changed. Consider someone running a script against your server; how would you know that it is your approved script and not something they typed in manually.

In my years of system administration the best tool to identify what happened was to talk to the person logged in at the time. Everything else must be covered by training, backup, redundancy in systems, more training, application self logging and access control to permit only the right sort of people.

Hope this helps.

On Sat, Feb 6, 2010 at 4:42 AM, Lokesh Gupta wrote:
>
> Hi!!
>
> We are looking to implement a solution where in the background we want to
> capture all the commands typed by a user.
>
> One of the ways we are thinking of achieving this is to make some changes
> at an appropriate place in the ssh client's program flow. Given the ssh
> client eventually sends the command typed by the user to the sshd, I am sure
> somewhere within the ssh program there is a place where the "string" typed by
> the user is present.
>
> Can someone please tell?
>
> (i) If there already is a string that carries the command that has been
> typed by the user? If so, do you know where it is? Which file we should be
> looking at in the ssh codebase?
>
> (ii) Is this feature already implemented by someone? If so, we can perhaps
> just leverage that rather than doing any additional coding for this?
>
> Business Reasons for why this is required
> -----
> Typically in a large public enterprise, you want to make sure that there is
> controlled access to your production environments. In addition, you also
> want to make sure that you have some sort of audit trail in place when a
> person has logged in to the production environment and know what commands
> s/he has typed - this on one side acts as a deterrent to someone who is not
> being a good corporate citizen, and at the same time also helps analyze what
> did we do wrong when say doing a post-mortem of a production issue for which
> someone had to login to a prod box and do some fixes.
>
> Any help with this will be greatly appreciated.
>
> Regards
>
> Lokesh
>

From ravindra1103 at gmail.com Sun Feb 7 14:46:43 2010
From: ravindra1103 at gmail.com (ravindra Chavalam)
Date: Sun, 7 Feb 2010 09:16:43 +0530
Subject: sshd killed due to dos attack
In-Reply-To: <981E08F6-52DF-40D7-955F-B33F6E12D8A5@eviladmin.org>
References: <981E08F6-52DF-40D7-955F-B33F6E12D8A5@eviladmin.org>

Actually we added our macros which masked the SIGPIPE signal handling code. That was the issue. Now I kept the line signal(SIGPIPE,SIG_IGN) which solved the issue.

Thanks a lot for the response. I learnt a lot about sshd now.

Regards,
Ravindranath

On Sat, Feb 6, 2010 at 9:48 AM, Ben Lindstrom wrote:
>
> On Jan 28, 2010, at 3:30 AM, ravindra Chavalam wrote:
>
> > Hi Ben,
> >
> > Thanks a lot for the response. I gave MaxStartups 10:30:60 (these are
> > defaults I suppose for our requirements). Still facing the same issue. Is
> > sshd getting killed the expected behaviour? In that case how can I work
> > around so that instead of killing sshd I just drop extra connections. Also
> > interesting fact is drop_connections is not getting called?
>
> If your programming is causing sshd to segfault, then you need to figure
> out what combination of garbage you're sending is doing that. I suspect
> you're triggering an edge case that isn't being handled gracefully.
>
> The proper behavior is that sshd will continue to run and will drop all or
> random connections based on the MaxStartups definition.
>
> - Ben

From sfandino at yahoo.com Sun Feb 7 21:39:28 2010
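The fix above restores `signal(SIGPIPE, SIG_IGN)`. The following added example, not code from the thread or from sshd, shows why that one line decides whether a daemon survives a client that disappears mid-write: with the default disposition, writing to a pipe or socket whose reader has gone kills the whole process with SIGPIPE (the "sshd got killed" symptom); with SIG_IGN the write fails with EPIPE and only that connection has to be dropped. The pipe here stands in for a client socket and is constructed for the example.

```c
/* Added example: the effect of ignoring SIGPIPE in a daemon.
 * The closed pipe models a peer that has reset the connection. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write to a pipe whose read end is already closed, under the given
 * SIGPIPE disposition.  Returns the errno of the failed write (EPIPE when
 * SIGPIPE is ignored) or 0 if the write unexpectedly succeeded.  With
 * SIG_DFL this function never returns: the process is terminated by
 * SIGPIPE, which is what a masked-out SIG_IGN produces in a daemon. */
int write_to_closed_pipe(void (*disposition)(int))
{
    int fds[2];
    int saved = 0;

    if (pipe(fds) == -1)
        return errno;
    signal(SIGPIPE, disposition);
    close(fds[0]);                          /* the "peer" has gone away */
    if (write(fds[1], "x", 1) == -1)
        saved = errno;
    close(fds[1]);
    return saved;
}

/* What a per-connection write path should do with the error instead of
 * letting the signal take the daemon down: EPIPE and ECONNRESET mean
 * "this client is gone", so drop only that connection (return 1) and keep
 * serving the others; anything else (return 0) is for the caller. */
int handle_write_error(int err)
{
    return (err == EPIPE || err == ECONNRESET) ? 1 : 0;
}

int main(void)
{
    int err = write_to_closed_pipe(SIG_IGN);

    printf("write failed with %s (%d); drop this connection: %d\n",
           strerror(err), err, handle_write_error(err));
    return 0;
}
```

Calling `write_to_closed_pipe(SIG_DFL)` instead reproduces the failure mode from the thread, so it is deliberately not the default in main(). The same reasoning applies to any listener that multiplexes clients: the MaxStartups logic can only drop excess connections if the process is still alive to run it.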
From: sfandino at yahoo.com (Salvador Fandiño)
Date: Sun, 07 Feb 2010 11:39:28 +0100
Subject: ssh -f and pid
Message-ID: <4B6E9860.8030707@yahoo.com>

Ming wrote:
> On Fri, Feb 5, 2010 at 12:49 AM, Damien Miller wrote:
>
>> On Thu, 4 Feb 2010, Ming wrote:
>>
>>>> It isn't necessary. You can tear down ssh connections from the control
>>>> socket and learn the PID of a running SSH, see the commands listed
>>>> under -O in ssh(1).
>>>>
>>> An individual can do a number of things with an understanding of and beyond
>>> the man page, but how do you get ssh to play nicely in an ecosystem of
>>> monitoring software?
>> It isn't above and beyond the manpage, checking the state of a running
>> connection is a clearly documented feature.
>>
>>> Say the OS has a bunch of ssh processes active. How does the monitoring software
>>> know, in a standard way, which ones it created -- and thus track -- and which ones
>>> it hasn't?
>> It can request separate control sockets if it likes.
>>
>>> ControlPath has to be specified for -O and a command line query is required? How
>>> is ssh supposed to plug and play with monitoring software?
>> I think the monitoring software needs to support ssh and not the other
>> way around. There are lots of ways one might monitor ssh, and I don't think
>> we could even be "plug and play" with all of them.
>>
>> -d
>>
>
> The monitoring software just needs to know the pid of the command executed.
> That's all it needs to be plug and play. And they only kill the process by
> pid. Looking at all the times (via Google) you have offered the same ssh
> -O solution across the web to people who have asked for a pid over the years, it
> seems that it is *your* stance not to be "plug and play."
>
> The few monitoring packages I experimented with all expect a pid from the daemon.

Just don't use -f!

The monitoring software should be able to fork itself the new ssh process and get the PID back as the result of the fork call.

Or is your monitoring software allowing the user to introduce the password or passphrase interactively?

- Salva

From jchadima at redhat.com Fri Feb 12 02:23:29 2010
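Salva's suggestion in code: an added example, not from the thread or from any monitoring package, in which the monitor forks and execs ssh itself without -f, so the PID it wants is simply fork()'s return value and waitpid() reports when and how the connection died (ssh exits 255 on a connection error, so anything but a clean exit 0 means "reconnect"). It assumes a key already loaded in an agent or BatchMode, so no interactive passphrase prompt is needed; the host and options in main() are placeholders. `run_shell()` exists so the decision logic can be exercised with an ordinary shell command.

```c
/* Added example: supervising ssh without -f.  The monitor owns the PID
 * from the moment it forks, with no pid file and no control socket. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

struct child_result {
    pid_t pid;     /* PID recorded at fork time, -1 if fork failed */
    int   exited;  /* 1 if the child called exit(), 0 if killed by a signal */
    int   code;    /* exit status, or the terminating signal number */
};

/* Start argv[0] with the given arguments and block until it finishes.
 * A real monitor would store r.pid and poll waitpid(WNOHANG) from its
 * main loop instead of blocking here. */
struct child_result run_monitored(char *const argv[])
{
    struct child_result r = { -1, 0, -1 };
    int status;

    r.pid = fork();
    if (r.pid == -1)
        return r;
    if (r.pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(r.pid, &status, 0) == -1)
        return r;
    if (WIFEXITED(status)) {
        r.exited = 1;
        r.code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        r.exited = 0;
        r.code = WTERMSIG(status);
    }
    return r;
}

/* Convenience for exercising the logic: run a command under sh -c. */
struct child_result run_shell(const char *cmd)
{
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };

    return run_monitored(argv);
}

/* Restart policy: a clean exit 0 means the tunnel was asked to stop;
 * any other exit (ssh's 255 on a reset connection) or death by signal
 * means the monitor should reconnect. */
int should_restart(struct child_result r)
{
    return !(r.exited && r.code == 0);
}

int main(void)
{
    /* Placeholder host and tunnel options; replace with the real ones. */
    char *argv[] = { "ssh", "-nN", "-o", "BatchMode=yes",
                     "-o", "ServerAliveInterval=30", "tunnel.example", NULL };
    struct child_result r = run_monitored(argv);

    printf("ssh pid %ld ended by %s %d; restart=%d\n", (long)r.pid,
           r.exited ? "exit" : "signal", r.code, should_restart(r));
    return 0;
}
```

The pid file Ming asks for is a weaker version of the same information: it can go stale after a crash, while the PID returned by fork() is guaranteed to belong to the process the monitor started until waitpid() reaps it.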
From: jchadima at redhat.com (Jan Chadima)
Date: Thu, 11 Feb 2010 10:23:29 -0500 (EST)
Subject: Allow to use agent for distribution of public keys
In-Reply-To: <2095514651.1184981265901804804.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>
Message-ID: <519649505.1185001265901809642.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com>

Discussion to the https://bugzilla.mindrot.org/show_bug.cgi?id=1663

> 1) you lose the ability to specify key restrictions. I.e. you can't
> force commands on a per-key basis, disable port-forwarding, etc.

This extension is designed to provide some non-Kerberos possibility to create domains for groups of roughly equivalent users. It distributes the authorized keys from a single point in the form of the file "authorized_keys" with all the functionality. It is possible to make more "match" sections in the sshd_config with the same or different agent specifications and with the different other options.

> 2) I think it would be better if you don't run the agent from sshd.
> Instead, you add a single directive to sshd_config to inform it of an
> agent socket path and use ssh-agent's "-a" option to make it listen on
> a single location.

The per session fork may be useful, when the executed process should be run under the authorized user privileges.

> 3) ssh-agent has not been written with robustness against deliberately
> malformed input in mind and will fatal() at the first encoding error.
> This is good behaviour for a per-user agent, but could lead to
> system-level DoS when used to manage public keys for a host.

The fork-execute at each authentication has some advantages and some disadvantages. The advantages are: better stability - killing the process does not cause the DoS. Less vulnerability for memory leaks. The process finishes with all non freed memory after each authentication. The disadvantages: more processes and more sockets used. The brute force attack may cause the DoS, but I'm not sure which resource will be short first. In the case of LDAP transfer it will surely be the LDAP server :)

--
JFCh

From Jon.Kibler at aset.com Mon Feb 15 02:59:07 2010
From: Jon.Kibler at aset.com (Jon Kibler) Date: Sun, 14 Feb 2010 10:59:07 -0500 Subject: Priv Sep SSH has / as CWD Message-ID: <4B781DCB.2000805@aset.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, This may or may not be a bug. However, it is DEFINITELY NOT how I would expect and want to see sshd work! If you run lsof against sshd on a privilege separated user, it shows that sshd's CWD is /. I would hope that the CWD would be at a minimum /var/empty/sshd and I would really have thought it would be something along the lines of /var/empty/sshd/USER. (In fact, lsof does not show any references to /var/empty... which I assume means that it is only referenced during startup??) I also noticed that the listener sshd also has / as its CWD. I would have thought that it would have had ~root or /var/run as its CWD to prevent core files from being left in / where it may be possible for someone to find and pursue those files. Tech details of this issue follow signature paragraph. TIA for at least thinking about this! Jon Kibler - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. 
Charleston, SC USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


OpenSSH_5.3p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc/ssh
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: yes
                   SELinux support: yes
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: yes
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99
Preprocessor flags:
      Linker flags: -fstack-protector-all
         Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
         +for sshd: -lwrap -lpam -ldl -lselinux

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

===============
root      3100 23936  0 14:58 ?        00:00:00 sshd: kiblerj [priv]
kiblerj   3102  3100  0 14:58 ?        00:00:00 sshd: kiblerj at pts/2
root     23936     1  0 14:31 ?        00:00:00 /usr/local/sbin/sshd
===============
> lsof -p 23936
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 23936 root cwd DIR 9,1 4096 2 /
> sshd 23936 root rtd DIR 9,1 4096 2 /
> sshd 23936 root txt REG 253,6 447744 1081352 /usr/local/sbin/sshd (deleted)
> sshd 23936 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so
> sshd 23936 root mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
> sshd 23936 root mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
> sshd 23936 root mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
> sshd 23936 root mem REG 9,1 247496 65887 /lib64/libsepol.so.1
> sshd 23936 root mem REG 9,1 95464 65888 /lib64/libselinux.so.1
> sshd 23936 root mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
> sshd 23936 root mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
> sshd 23936 root mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
> sshd 23936 root mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
> sshd 23936 root mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
> sshd 23936 root mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
> sshd 23936 root mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
> sshd 23936 root mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
> sshd 23936 root mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
> sshd 23936 root mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
> sshd 23936 root mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
> sshd 23936 root mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
> sshd 23936 root mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
> sshd 23936 root mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
> sshd 23936 root mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
> sshd 23936 root 0u CHR 1,3 1908 /dev/null
> sshd 23936 root 1u CHR 1,3 1908 /dev/null
> sshd 23936 root 2u CHR 1,3 1908 /dev/null
> sshd 23936 root 3u IPv4 3632731 TCP *:ssh (LISTEN)
===============
> lsof -p 3100
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 3100 root cwd DIR 9,1 4096 2 /
> sshd 3100 root rtd DIR 9,1 4096 2 /
> sshd 3100 root txt REG 253,6 447744 1081353 /usr/local/sbin/sshd (deleted)
> sshd 3100 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so
> sshd 3100 root mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
> sshd 3100 root mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
> sshd 3100 root mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
> sshd 3100 root mem REG 9,1 247496 65887 /lib64/libsepol.so.1
> sshd 3100 root mem REG 9,1 95464 65888 /lib64/libselinux.so.1
> sshd 3100 root mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
> sshd 3100 root mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
> sshd 3100 root mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
> sshd 3100 root mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
> sshd 3100 root mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
> sshd 3100 root mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
> sshd 3100 root mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
> sshd 3100 root mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
> sshd 3100 root mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
> sshd 3100 root mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
> sshd 3100 root mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
> sshd 3100 root mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
> sshd 3100 root mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
> sshd 3100 root mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
> sshd 3100 root mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
> sshd 3100 root DEL REG 0,9 3642343 /dev/zero
> sshd 3100 root mem REG 9,1 23736 65586 /lib64/libnss_dns-2.5.so
> sshd 3100 root mem REG 9,1 11176 65864 /lib64/security/pam_tally.so
> sshd 3100 root mem REG 9,1 11504 65760 /lib64/security/pam_env.so
> sshd 3100 root mem REG 9,1 48824 65797 /lib64/security/pam_unix.so
> sshd 3100 root mem REG 253,5 40896 1049703 /usr/lib64/libcrack.so.2.8.0
> sshd 3100 root mem REG 9,1 12272 65790 /lib64/security/pam_succeed_if.so
> sshd 3100 root mem REG 9,1 4040 65758 /lib64/security/pam_deny.so
> sshd 3100 root mem REG 9,1 5648 65778 /lib64/security/pam_nologin.so
> sshd 3100 root mem REG 9,1 4416 65779 /lib64/security/pam_permit.so
> sshd 3100 root mem REG 9,1 12928 65756 /lib64/security/pam_cracklib.so
> sshd 3100 root mem REG 9,1 15152 65786 /lib64/security/pam_selinux.so
> sshd 3100 root mem REG 9,1 6808 65768 /lib64/security/pam_keyinit.so
> sshd 3100 root mem REG 9,1 15048 65770 /lib64/security/pam_limits.so
> sshd 3100 root mem REG 9,1 6584 65773 /lib64/security/pam_loginuid.so
> sshd 3100 root mem REG 9,1 5080 65803 /lib64/security/pam_warn.so
> sshd 3100 root DEL REG 0,9 3642362 /dev/zero
> sshd 3100 root 0u CHR 1,3 1908 /dev/null
> sshd 3100 root 1u CHR 1,3 1908 /dev/null
> sshd 3100 root 2u CHR 1,3 1908 /dev/null
> sshd 3100 root 3u IPv4 3642329 TCP FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
> sshd 3100 root 4u unix 0xffff8100189aa8c0 3642382 socket
> sshd 3100 root 5u CHR 5,2 778 /dev/ptmx
> sshd 3100 root 6u unix 0xffff810034004ec0 3642390 socket
===============
> lsof -p 3102
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sshd 3102 kiblerj cwd DIR 9,1 4096 2 /
> sshd 3102 kiblerj rtd DIR 9,1 4096 2 /
> sshd 3102 kiblerj txt REG 253,6 447744 1081353 /usr/local/sbin/sshd (deleted)
> sshd 3102 kiblerj mem REG 9,1 139416 65572 /lib64/ld-2.5.so
> sshd 3102 kiblerj mem REG 9,1 1717800 65573 /lib64/libc-2.5.so
> sshd 3102 kiblerj mem REG 9,1 37368 65723 /lib64/libwrap.so.0.7.6
> sshd 3102 kiblerj mem REG 253,5 85608 1050003 /usr/lib64/libz.so.1.2.3
> sshd 3102 kiblerj mem REG 9,1 247496 65887 /lib64/libsepol.so.1
> sshd 3102 kiblerj mem REG 9,1 95464 65888 /lib64/libselinux.so.1
> sshd 3102 kiblerj mem REG 9,1 48600 65885 /lib64/libcrypt-2.5.so
> sshd 3102 kiblerj mem REG 9,1 114352 65884 /lib64/libnsl-2.5.so
> sshd 3102 kiblerj mem REG 9,1 46800 65890 /lib64/libpam.so.0.81.5
> sshd 3102 kiblerj mem REG 9,1 9472 65857 /lib64/libkeyutils-1.2.so
> sshd 3102 kiblerj mem REG 9,1 1366208 65895 /lib64/libcrypto.so.0.9.8e
> sshd 3102 kiblerj mem REG 9,1 10000 65894 /lib64/libcom_err.so.2.1
> sshd 3102 kiblerj mem REG 9,1 92736 65603 /lib64/libresolv-2.5.so
> sshd 3102 kiblerj mem REG 253,5 153624 1050086 /usr/lib64/libk5crypto.so.3.1
> sshd 3102 kiblerj mem REG 253,5 35728 1050085 /usr/lib64/libkrb5support.so.0.1
> sshd 3102 kiblerj mem REG 253,5 613896 1050087 /usr/lib64/libkrb5.so.3.3
> sshd 3102 kiblerj mem REG 253,5 190976 1050089 /usr/lib64/libgssapi_krb5.so.2.2
> sshd 3102 kiblerj mem REG 9,1 18152 65886 /lib64/libutil-2.5.so
> sshd 3102 kiblerj mem REG 9,1 23360 65880 /lib64/libdl-2.5.so
> sshd 3102 kiblerj mem REG 9,1 107112 65889 /lib64/libaudit.so.0.0.0
> sshd 3102 kiblerj mem REG 9,1 53880 65588 /lib64/libnss_files-2.5.so
> sshd 3102 kiblerj DEL REG 0,9 3642343 /dev/zero
> sshd 3102 kiblerj mem REG 9,1 23736 65586 /lib64/libnss_dns-2.5.so
> sshd 3102 kiblerj mem REG 9,1 11176 65864 /lib64/security/pam_tally.so
> sshd 3102 kiblerj mem REG 9,1 11504 65760 /lib64/security/pam_env.so
> sshd 3102 kiblerj mem REG 9,1 48824 65797 /lib64/security/pam_unix.so
> sshd 3102 kiblerj mem REG 253,5 40896 1049703 /usr/lib64/libcrack.so.2.8.0
> sshd 3102 kiblerj mem REG 9,1 12272 65790 /lib64/security/pam_succeed_if.so
> sshd 3102 kiblerj mem REG 9,1 4040 65758 /lib64/security/pam_deny.so
> sshd 3102 kiblerj mem REG 9,1 5648 65778 /lib64/security/pam_nologin.so
> sshd 3102 kiblerj mem REG 9,1 4416 65779 /lib64/security/pam_permit.so
> sshd 3102 kiblerj mem REG 9,1 12928 65756 /lib64/security/pam_cracklib.so
> sshd 3102 kiblerj mem REG 9,1 15152 65786 /lib64/security/pam_selinux.so
> sshd 3102 kiblerj mem REG 9,1 6808 65768 /lib64/security/pam_keyinit.so
> sshd 3102 kiblerj mem REG 9,1 15048 65770 /lib64/security/pam_limits.so
> sshd 3102 kiblerj mem REG 9,1 6584 65773 /lib64/security/pam_loginuid.so
> sshd 3102 kiblerj mem REG 9,1 5080 65803 /lib64/security/pam_warn.so
> sshd 3102 kiblerj DEL REG 0,9 3642362 /dev/zero
> sshd 3102 kiblerj 0u CHR 1,3 1908 /dev/null
> sshd 3102 kiblerj 1u CHR 1,3 1908 /dev/null
> sshd 3102 kiblerj 2u CHR 1,3 1908 /dev/null
> sshd 3102 kiblerj 3u IPv4 3642329 TCP FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED)
> sshd 3102 kiblerj 4u unix 0xffff8100189aa8c0 3642382 socket
> sshd 3102 kiblerj 5u unix 0xffff810034004940 3642389 socket
> sshd 3102 kiblerj 6r FIFO 0,6 3642409 pipe
> sshd 3102 kiblerj 7w FIFO 0,6 3642409 pipe
> sshd 3102 kiblerj 8u IPv4 3642410 TCP localhost.localdomain:x11-ssh-offset (LISTEN)
> sshd 3102 kiblerj 9u CHR 5,2 778 /dev/ptmx
> sshd 3102 kiblerj 11u CHR 5,2 778 /dev/ptmx
> sshd 3102 kiblerj 12u CHR 5,2 778 /dev/ptmx
===============

From dan at lightwave.net.ru Mon Feb 15 07:19:13 2010
From: dan at lightwave.net.ru (Dan Yefimov)
Date: Sun, 14 Feb 2010 23:19:13 +0300
Subject: Priv Sep SSH has / as CWD
In-Reply-To: <4B781DCB.2000805@aset.com>
References: <4B781DCB.2000805@aset.com>
Message-ID: <4B785AC1.30302@lightwave.net.ru>

On 14.02.2010 18:59, Jon Kibler wrote:
> Hi,
>
> This may or may not be a bug. However, it is DEFINITELY NOT how I would
> expect and want to see sshd work!
>
> If you run lsof against sshd on a privilege separated user, it shows
> that sshd's CWD is /. I would hope that the CWD would be at a minimum
> /var/empty/sshd and I would really have thought it would be something
> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
> any references to /var/empty... which I assume means that it is only
> referenced during startup??)
>
> I also noticed that the listener sshd also has / as its CWD. I would
> have thought that it would have had ~root or /var/run as its CWD to
> prevent core files from being left in / where it may be possible for
> someone to find and pursue those files.
>
> Tech details of this issue follow signature paragraph.
>
> TIA for at least thinking about this!
>
> Jon Kibler
>
> [snip]

OpenSSH has nothing to do with that. That is a kernel feature. If some
process does chroot() while having it as a CWD, it will be shown as "/"
by lsof just because it is the root directory for that process.
--
Sincerely Yours, Dan.

From thesource at ldb-jab.org Mon Feb 15 08:00:21 2010
From: thesource at ldb-jab.org (LDB) Date: Sun, 14 Feb 2010 16:00:21 -0500 Subject: Priv Sep SSH has / as CWD In-Reply-To: <4B785AC1.30302@lightwave.net.ru> References: <4B781DCB.2000805@aset.com> <4B785AC1.30302@lightwave.net.ru> Message-ID: <4B786465.70303@master.ldb-jab.org> On 02/14/2010 03:19 PM, Dan Yefimov wrote: > On 14.02.2010 18:59, Jon Kibler wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi, >> >> This may or may not be a bug. However, it is DEFINITELY NOT how I would >> expect and want to see sshd work! >> >> If you run lsof against sshd on a privilege separated user, it shows >> that sshd's CWD is /. I would hope that the CWD would be at a minimum >> /var/empty/sshd and I would really have thought it would be something >> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show >> any references to /var/empty... which I assume means that it is only >> referenced during startup??) >> >> I also noticed that the listener sshd also has / as its CWD. I would >> have thought that it would have had ~root or /var/run as its CWD to >> prevent core files from being left in / where it may be possible for >> someone to find and pursue those files. >> >> Tech details of this issue follow signature paragraph. >> >> TIA for at least thinking about this! >> >> Jon Kibler >> - -- >> Jon R. Kibler >> Chief Technical Officer >> Advanced Systems Engineering Technology, Inc. 
>> Charleston, SC USA >> o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224 >> e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com >> s: JonRKibler >> http://www.linkedin.com/in/jonrkibler >> >> My PGP Fingerprint is: >> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253 >> >> >> >> >> >> OpenSSH_5.3p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 >> >> OpenSSH has been configured with the following options: >> User binaries: /usr/local/bin >> System binaries: /usr/local/sbin >> Configuration files: /usr/local/etc/ssh >> Askpass program: /usr/local/libexec/ssh-askpass >> Manual pages: /usr/local/share/man/manX >> PID file: /var/run >> Privilege separation chroot path: /var/empty >> sshd default user PATH: >> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin >> Manpage format: doc >> PAM support: yes >> OSF SIA support: no >> KerberosV support: yes >> SELinux support: yes >> Smartcard support: no >> S/KEY support: no >> TCP Wrappers support: yes >> MD5 password support: yes >> libedit support: no >> Solaris process contract support: no >> IP address in $DISPLAY hack: no >> Translate v4 in v6 hack: yes >> BSD Auth support: no >> Random number source: OpenSSL internal ONLY >> >> Host: x86_64-unknown-linux-gnu >> Compiler: gcc >> Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized >> - -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset >> - -fstack-protector-all -std=gnu99 >> Preprocessor flags: >> Linker flags: -fstack-protector-all >> Libraries: -lcrypto -lutil -lz -lnsl -lcrypt -lresolv >> - -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err >> +for sshd: -lwrap -lpam -ldl -lselinux >> >> PAM is enabled. You may need to install a PAM control file >> for sshd, otherwise password authentication may fail. >> Example PAM control files can be found in the contrib/ >> subdirectory >> >> >> >> =============== >> root 3100 23936 0 14:58 ? 00:00:00 sshd: kiblerj [priv] >> kiblerj 3102 3100 0 14:58 ? 00:00:00 sshd: kiblerj at pts/2 >> root 23936 1 0 14:31 ? 
00:00:00 /usr/local/sbin/sshd >> =============== >>> lsof -p 23936 >>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME >>> sshd 23936 root cwd DIR 9,1 4096 2 / >>> sshd 23936 root rtd DIR 9,1 4096 2 / >>> sshd 23936 root txt REG 253,6 447744 1081352 >>> /usr/local/sbin/sshd (deleted) >>> sshd 23936 root mem REG 9,1 139416 65572 /lib64/ld-2.5.so >>> sshd 23936 root mem REG 9,1 1717800 65573 >>> /lib64/libc-2.5.so >>> sshd 23936 root mem REG 9,1 37368 65723 >>> /lib64/libwrap.so.0.7.6 >>> sshd 23936 root mem REG 253,5 85608 1050003 >>> /usr/lib64/libz.so.1.2.3 >>> sshd 23936 root mem REG 9,1 247496 65887 >>> /lib64/libsepol.so.1 >>> sshd 23936 root mem REG 9,1 95464 65888 >>> /lib64/libselinux.so.1 >>> sshd 23936 root mem REG 9,1 48600 65885 >>> /lib64/libcrypt-2.5.so >>> sshd 23936 root mem REG 9,1 114352 65884 >>> /lib64/libnsl-2.5.so >>> sshd 23936 root mem REG 9,1 46800 65890 >>> /lib64/libpam.so.0.81.5 >>> sshd 23936 root mem REG 9,1 9472 65857 >>> /lib64/libkeyutils-1.2.so >>> sshd 23936 root mem REG 9,1 1366208 65895 >>> /lib64/libcrypto.so.0.9.8e >>> sshd 23936 root mem REG 9,1 10000 65894 >>> /lib64/libcom_err.so.2.1 >>> sshd 23936 root mem REG 9,1 92736 65603 >>> /lib64/libresolv-2.5.so >>> sshd 23936 root mem REG 253,5 153624 1050086 >>> /usr/lib64/libk5crypto.so.3.1 >>> sshd 23936 root mem REG 253,5 35728 1050085 >>> /usr/lib64/libkrb5support.so.0.1 >>> sshd 23936 root mem REG 253,5 613896 1050087 >>> /usr/lib64/libkrb5.so.3.3 >>> sshd 23936 root mem REG 253,5 190976 1050089 >>> /usr/lib64/libgssapi_krb5.so.2.2 >>> sshd 23936 root mem REG 9,1 18152 65886 >>> /lib64/libutil-2.5.so >>> sshd 23936 root mem REG 9,1 23360 65880 >>> /lib64/libdl-2.5.so >>> sshd 23936 root mem REG 9,1 107112 65889 >>> /lib64/libaudit.so.0.0.0 >>> sshd 23936 root mem REG 9,1 53880 65588 >>> /lib64/libnss_files-2.5.so >>> sshd 23936 root 0u CHR 1,3 1908 /dev/null >>> sshd 23936 root 1u CHR 1,3 1908 /dev/null >>> sshd 23936 root 2u CHR 1,3 1908 /dev/null >>> sshd 23936 root 3u IPv4 
3632731 TCP *:ssh (LISTEN) >> =============== >>> lsof -p 3100 >>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME >>> sshd 3100 root cwd DIR 9,1 4096 2 / >>> sshd 3100 root rtd DIR 9,1 4096 2 / >>> sshd 3100 root txt REG 253,6 447744 1081353 >>> /usr/local/sbin/sshd (deleted) >>> sshd 3100 root mem REG 9,1 139416 65572 >>> /lib64/ld-2.5.so >>> sshd 3100 root mem REG 9,1 1717800 65573 >>> /lib64/libc-2.5.so >>> sshd 3100 root mem REG 9,1 37368 65723 >>> /lib64/libwrap.so.0.7.6 >>> sshd 3100 root mem REG 253,5 85608 1050003 >>> /usr/lib64/libz.so.1.2.3 >>> sshd 3100 root mem REG 9,1 247496 65887 >>> /lib64/libsepol.so.1 >>> sshd 3100 root mem REG 9,1 95464 65888 >>> /lib64/libselinux.so.1 >>> sshd 3100 root mem REG 9,1 48600 65885 >>> /lib64/libcrypt-2.5.so >>> sshd 3100 root mem REG 9,1 114352 65884 >>> /lib64/libnsl-2.5.so >>> sshd 3100 root mem REG 9,1 46800 65890 >>> /lib64/libpam.so.0.81.5 >>> sshd 3100 root mem REG 9,1 9472 65857 >>> /lib64/libkeyutils-1.2.so >>> sshd 3100 root mem REG 9,1 1366208 65895 >>> /lib64/libcrypto.so.0.9.8e >>> sshd 3100 root mem REG 9,1 10000 65894 >>> /lib64/libcom_err.so.2.1 >>> sshd 3100 root mem REG 9,1 92736 65603 >>> /lib64/libresolv-2.5.so >>> sshd 3100 root mem REG 253,5 153624 1050086 >>> /usr/lib64/libk5crypto.so.3.1 >>> sshd 3100 root mem REG 253,5 35728 1050085 >>> /usr/lib64/libkrb5support.so.0.1 >>> sshd 3100 root mem REG 253,5 613896 1050087 >>> /usr/lib64/libkrb5.so.3.3 >>> sshd 3100 root mem REG 253,5 190976 1050089 >>> /usr/lib64/libgssapi_krb5.so.2.2 >>> sshd 3100 root mem REG 9,1 18152 65886 >>> /lib64/libutil-2.5.so >>> sshd 3100 root mem REG 9,1 23360 65880 >>> /lib64/libdl-2.5.so >>> sshd 3100 root mem REG 9,1 107112 65889 >>> /lib64/libaudit.so.0.0.0 >>> sshd 3100 root mem REG 9,1 53880 65588 >>> /lib64/libnss_files-2.5.so >>> sshd 3100 root DEL REG 0,9 3642343 >>> /dev/zero >>> sshd 3100 root mem REG 9,1 23736 65586 >>> /lib64/libnss_dns-2.5.so >>> sshd 3100 root mem REG 9,1 11176 65864 >>> 
/lib64/security/pam_tally.so >>> sshd 3100 root mem REG 9,1 11504 65760 >>> /lib64/security/pam_env.so >>> sshd 3100 root mem REG 9,1 48824 65797 >>> /lib64/security/pam_unix.so >>> sshd 3100 root mem REG 253,5 40896 1049703 >>> /usr/lib64/libcrack.so.2.8.0 >>> sshd 3100 root mem REG 9,1 12272 65790 >>> /lib64/security/pam_succeed_if.so >>> sshd 3100 root mem REG 9,1 4040 65758 >>> /lib64/security/pam_deny.so >>> sshd 3100 root mem REG 9,1 5648 65778 >>> /lib64/security/pam_nologin.so >>> sshd 3100 root mem REG 9,1 4416 65779 >>> /lib64/security/pam_permit.so >>> sshd 3100 root mem REG 9,1 12928 65756 >>> /lib64/security/pam_cracklib.so >>> sshd 3100 root mem REG 9,1 15152 65786 >>> /lib64/security/pam_selinux.so >>> sshd 3100 root mem REG 9,1 6808 65768 >>> /lib64/security/pam_keyinit.so >>> sshd 3100 root mem REG 9,1 15048 65770 >>> /lib64/security/pam_limits.so >>> sshd 3100 root mem REG 9,1 6584 65773 >>> /lib64/security/pam_loginuid.so >>> sshd 3100 root mem REG 9,1 5080 65803 >>> /lib64/security/pam_warn.so >>> sshd 3100 root DEL REG 0,9 3642362 >>> /dev/zero >>> sshd 3100 root 0u CHR 1,3 1908 >>> /dev/null >>> sshd 3100 root 1u CHR 1,3 1908 >>> /dev/null >>> sshd 3100 root 2u CHR 1,3 1908 >>> /dev/null >>> sshd 3100 root 3u IPv4 3642329 TCP >>> FOO.DOM:ssh->68-26-27-159.pools.spcsdns.net:54719 (ESTABLISHED) >>> sshd 3100 root 4u unix 0xffff8100189aa8c0 3642382 socket >>> sshd 3100 root 5u CHR 5,2 778 >>> /dev/ptmx >>> sshd 3100 root 6u unix 0xffff810034004ec0 3642390 socket >> =============== >>> lsof -p 3102 >>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME >>> sshd 3102 kiblerj cwd DIR 9,1 4096 2 / >>> sshd 3102 kiblerj rtd DIR 9,1 4096 2 / >>> sshd 3102 kiblerj txt REG 253,6 447744 1081353 >>> /usr/local/sbin/sshd (deleted) >>> sshd 3102 kiblerj mem REG 9,1 139416 65572 >>> /lib64/ld-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 1717800 65573 >>> /lib64/libc-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 37368 65723 >>> /lib64/libwrap.so.0.7.6 >>> sshd 3102 kiblerj 
mem REG 253,5 85608 1050003 >>> /usr/lib64/libz.so.1.2.3 >>> sshd 3102 kiblerj mem REG 9,1 247496 65887 >>> /lib64/libsepol.so.1 >>> sshd 3102 kiblerj mem REG 9,1 95464 65888 >>> /lib64/libselinux.so.1 >>> sshd 3102 kiblerj mem REG 9,1 48600 65885 >>> /lib64/libcrypt-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 114352 65884 >>> /lib64/libnsl-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 46800 65890 >>> /lib64/libpam.so.0.81.5 >>> sshd 3102 kiblerj mem REG 9,1 9472 65857 >>> /lib64/libkeyutils-1.2.so >>> sshd 3102 kiblerj mem REG 9,1 1366208 65895 >>> /lib64/libcrypto.so.0.9.8e >>> sshd 3102 kiblerj mem REG 9,1 10000 65894 >>> /lib64/libcom_err.so.2.1 >>> sshd 3102 kiblerj mem REG 9,1 92736 65603 >>> /lib64/libresolv-2.5.so >>> sshd 3102 kiblerj mem REG 253,5 153624 1050086 >>> /usr/lib64/libk5crypto.so.3.1 >>> sshd 3102 kiblerj mem REG 253,5 35728 1050085 >>> /usr/lib64/libkrb5support.so.0.1 >>> sshd 3102 kiblerj mem REG 253,5 613896 1050087 >>> /usr/lib64/libkrb5.so.3.3 >>> sshd 3102 kiblerj mem REG 253,5 190976 1050089 >>> /usr/lib64/libgssapi_krb5.so.2.2 >>> sshd 3102 kiblerj mem REG 9,1 18152 65886 >>> /lib64/libutil-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 23360 65880 >>> /lib64/libdl-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 107112 65889 >>> /lib64/libaudit.so.0.0.0 >>> sshd 3102 kiblerj mem REG 9,1 53880 65588 >>> /lib64/libnss_files-2.5.so >>> sshd 3102 kiblerj DEL REG 0,9 3642343 >>> /dev/zero >>> sshd 3102 kiblerj mem REG 9,1 23736 65586 >>> /lib64/libnss_dns-2.5.so >>> sshd 3102 kiblerj mem REG 9,1 11176 65864 >>> /lib64/security/pam_tally.so >>> sshd 3102 kiblerj mem REG 9,1 11504 65760 >>> /lib64/security/pam_env.so >>> sshd 3102 kiblerj mem REG 9,1 48824 65797 >>> /lib64/security/pam_unix.so >>> sshd 3102 kiblerj mem REG 253,5 40896 1049703 >>> /usr/lib64/libcrack.so.2.8.0 >>> sshd 3102 kiblerj mem REG 9,1 12272 65790 >>> /lib64/security/pam_succeed_if.so >>> sshd 3102 kiblerj mem REG 9,1 4040 65758 >>> /lib64/security/pam_deny.so >>> sshd 3102 kiblerj mem REG 
>> ===============
>>
> OpenSSH has nothing to do with that. That is a kernel feature. If some
> process does chroot() while having it as a CWD, it will be shown as "/"
> by lsof just because it is root directory for that process.

In addition, if you execute "man daemon" on any newer Linux system, you
will determine that one of the core requirements for becoming a daemon is
chdir(/). I only mention "man daemon" as an example of what becoming a
daemon requires. sshd does not necessarily use this built-in function.

LDB

From djm at mindrot.org Mon Feb 15 08:10:34 2010
From: djm at mindrot.org (Damien Miller)
Date: Mon, 15 Feb 2010 08:10:34 +1100 (EST)
Subject: Priv Sep SSH has / as CWD
In-Reply-To: <4B781DCB.2000805@aset.com>
References: <4B781DCB.2000805@aset.com>
Message-ID:

On Sun, 14 Feb 2010, Jon Kibler wrote:

> Hi,
>
> This may or may not be a bug. However, it is DEFINITELY NOT how I would
> expect and want to see sshd work!
>
> If you run lsof against sshd on a privilege separated user, it shows
> that sshd's CWD is /. I would hope that the CWD would be at a minimum
> /var/empty/sshd and I would really have thought it would be something
> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
> any references to /var/empty... which I assume means that it is only
> referenced during startup??)

cwd is relative to the chroot directory. Remember what chroot does?

> I also noticed that the listener sshd also has / as its CWD. I would
> have thought that it would have had ~root or /var/run as its CWD to
> prevent core files from being left in / where it may be possible for
> someone to find and pursue those files.

chdir(/) is the normal behaviour of daemon programs. If your system writes
.core files with world-readable permissions then you have bigger problems.

-d

From Jon.Kibler at aset.com Mon Feb 15 11:04:22 2010
From: Jon.Kibler at aset.com (Jon Kibler)
Date: Sun, 14 Feb 2010 19:04:22 -0500
Subject: Priv Sep SSH has / as CWD
In-Reply-To:
References: <4B781DCB.2000805@aset.com>
Message-ID: <4B788F86.2070609@aset.com>

Hi,

Thanks for your reply.

Looking at the man pages for sshd and sshd_config, it is not 100% clear
that when privilege separation occurs the daemon is chrooted to
/var/empty (or elsewhere). However, that makes sense. Thanks for the
clarification. It would be good if that information got included in the
man pages.

Regarding the sshd listener running in "/" and world readable core
files... unfortunately, that is the way that RHEL/CentOS is configured.
In the "functions" for init (/etc/init.d/functions), one of the first
steps is to set 'umask 022'. I have tried to change this in the past
only to have stuff break. I have also tried setting permissions on "/"
to 751 and also broke stuff. Thus, for daemons that run with "/" as
their home directory, we can get core files in "/" that are world
readable. I do not like it, but that is the RHEL environment I have to
live with. :-(

This leaves me with 2 questions:
1) Can I change the init script for sshd to set umask to '077'
   without breaking stuff?
2) If I put 'cd /var/run' in the init script before sshd starts, will
   it actually run from /var/run without breaking stuff?

Thanks for your help! Good information.

Jon Kibler

On 2/14/10 4:10 PM, Damien Miller wrote:
> On Sun, 14 Feb 2010, Jon Kibler wrote:
>
>> Hi,
>>
>> This may or may not be a bug. However, it is DEFINITELY NOT how I would
>> expect and want to see sshd work!
>>
>> If you run lsof against sshd on a privilege separated user, it shows
>> that sshd's CWD is /. I would hope that the CWD would be at a minimum
>> /var/empty/sshd and I would really have thought it would be something
>> along the lines of /var/empty/sshd/USER. (In fact, lsof does not show
>> any references to /var/empty... which I assume means that it is only
>> referenced during startup??)
>
> cwd is relative to the chroot directory. Remember what chroot does?
>
>> I also noticed that the listener sshd also has / as its CWD. I would
>> have thought that it would have had ~root or /var/run as its CWD to
>> prevent core files from being left in / where it may be possible for
>> someone to find and pursue those files.
>
> chdir(/) is the normal behaviour of daemon programs. If your system writes
> .core files with world-readable permissions then you have bigger problems.
>
> -d

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler at aset.com or Jon.R.Kibler at gmail.com
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636  A392 515C 5045 CF39 4253

From djm at mindrot.org Mon Feb 15 11:32:35 2010
From: djm at mindrot.org (Damien Miller)
Date: Mon, 15 Feb 2010 11:32:35 +1100 (EST)
Subject: Priv Sep SSH has / as CWD
In-Reply-To: <4B788F86.2070609@aset.com>
References: <4B781DCB.2000805@aset.com> <4B788F86.2070609@aset.com>
Message-ID:

On Sun, 14 Feb 2010, Jon Kibler wrote:

> Hi,
>
> Thanks for your reply.
>
> Looking at the man pages for sshd and sshd_config, it is not 100% clear
> that when privilege separation occurs the daemon is chrooted to
> /var/empty (or elsewhere). However, that makes sense. Thanks for the
> clarification. It would be good if that information got included in the
> man pages.

I don't think the manual pages need to detail the internal operations of
each program. People who are interested in privilege separation would do
better to read Niels' original paper at:

http://www.citi.umich.edu/u/provos/papers/privsep.pdf

> Regarding the sshd listener running in "/" and world readable core
> files... unfortunately, that is the way that RHEL/CentOS is configured.
> In the "functions" for init (/etc/init.d/functions), one of the first
> steps is to set 'umask 022'. I have tried to change this in the past
> only to have stuff break. I have also tried setting permissions on "/"
> to 751 and also broke stuff. Thus, for daemons that run with "/" as
> their home directory, we can get core files in "/" that are world
> readable. I do not like it, but that is the RHEL environment I have to
> live with. :-(

If RHEL drops core files from privileged processes that are
world-readable then the system has a major security vulnerability
independent of sshd. Any system daemon that calls getpw* that can be
tricked into segfaulting would likely leak password hashes from
/etc/shadow (or worse).

Have you confirmed that core files are indeed world-readable?

> This leaves me with 2 questions:
> 1) Can I change the init script for sshd to set umask to '077'
>    without breaking stuff?

This shouldn't break anything in sshd.

> 2) If I put 'cd /var/run' in the init script before sshd starts, will
>    it actually run from /var/run without breaking stuff?

No, it will always chroot to /. This is done automatically by the call to
daemon(3) and is perfectly normal practice for system daemons, probably
to allow administrators to be able to unmount filesystems without having
to kill processes.

-d

From gerardo.petti at ericsson.com Tue Feb 16 04:05:46 2010
From: gerardo.petti at ericsson.com (Gerardo Petti)
Date: Mon, 15 Feb 2010 18:05:46 +0100
Subject: FIPS186-3 and NIST SP800-57 support
Message-ID:

Hello,

I saw from OpenSSH man pages that the DSA key length must be 1024 bytes
(according to the standard FIPS 186-2).

According to the FIPS186-3 and NIST SP800-57, DSA key length could be
greater than 1024 bytes (2048, 3072).

Will OpenSSH be compliant with this new standard? If yes, could you share
with me the delivery plan of the OpenSSH version implementing the
FIPS186-3/NIST SP800-57 standard?

Thanks in advance.

Best Regards

GERARDO PETTI
Software Engineer, AXE IO Area
Ericsson Italy TEI/XSD
via Madonna di Fatima, 2
Pagani, Italy
gerardo.petti at ericsson.com
www.ericsson.com

This Communication is Confidential. We only send and receive email on the
basis of the terms set out at www.ericsson.com/email_disclaimer

From dtucker at zip.com.au Tue Feb 16 18:29:46 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 16 Feb 2010 18:29:46 +1100
Subject: FIPS186-3 and NIST SP800-57 support
In-Reply-To:
References:
Message-ID: <4B7A496A.9020403@zip.com.au>

Gerardo Petti wrote:
> I saw from OpenSSH man pages that the DSA key length must be 1024 bytes
> (according to the standard FIPS 186-2).
>
> According to the FIPS186-3 and NIST SP800-57, DSA key length could be
> greater than 1024 bytes (2048, 3072).

FIPS 186-3 also specifies hashes other than SHA-1 for key lengths >1024.

> Will OpenSSH be compliant with this new standard?

As far as DSA key length goes I think it's already compliant with FIPS
186-3 as far as is possible within the SSH protocol spec. See
https://bugzilla.mindrot.org/show_bug.cgi?id=1647 for details.

If you want keys stronger than 1024 bits then use RSA.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From fgasper at freeshell.org Wed Feb 17 15:30:44 2010
From: fgasper at freeshell.org (Felipe Gasper)
Date: Tue, 16 Feb 2010 22:30:44 -0600
Subject: ssh-keygen: inconsistency with need for passphrase
Message-ID: <4B7B70F4.4070704@freeshell.org>

Hello,

I think something is inconsistent between the code that parses the -e and
-y options in ssh-keygen.

This command:

	ssh-keygen -ef key_file

...will never prompt for a passphrase; however, this one:

	ssh-keygen -yf key_file

...will prompt for it, despite that it returns basically the same
information as -e (in a slightly different format).

Or am I missing something? I didn't see anything on the man page to
indicate a rationale for this.

-F

--
Felipe M. L. Gasper
http://felipegasper.com

"Wisdom can never learn enough. Ignorance is sufficient unto itself."
	-Mechtild of Magdeburg

"Dad always thought laughter was the best medicine, which I guess is why
several of us died of tuberculosis."
	-Jack Handey

From frphoebus at yahoo.fr Thu Feb 18 23:51:41 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Thu, 18 Feb 2010 12:51:41 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
Message-ID: <166075.15103.qm@web23802.mail.ird.yahoo.com>

Hi all,

Environment:
Compiler: IBM XL C/C++ Enterprise Edition for AIX v9.0
Server: AIX 5.3 TL 10 SP1

I use configure with the following options to configure the makefile.

--------------------------------
export CC=cc
export CFLAGS="-I/opt/freeware/include/openssl/ -I/usr/local/include"
export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
                --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
                --with-tcp-wrappers=/usr/local/lib \
                --with-zlib=/opt/freeware \
                --with-ssl-dir=/opt/freeware \
                --with-xauth=/usr/bin/X11/xauth \
                --with-md5-passwords \
                --with-kerberos5 \
                --with-pam \
                --with-pid-dir=/var/run
-------------------------------

A summary of the output at the end of configure:

--------------------------------
OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc/ssh
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: man
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: yes
                   SELinux support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: yes
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: powerpc-ibm-aix5.3.0.0
          Compiler: cc -qlanglvl=extc89
    Compiler flags: -I/opt/freeware/include/openssl/ -I/usr/local/include -DBROKEN_GETADDRINFO
Preprocessor flags: -I/opt/freeware/include -I/usr/local/lib -I/opt/freeware/include  -I/usr/local/include -I/usr/local/include/gssapi
      Linker flags: -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
         Libraries: -lcrypto -lz  -lkrb5 -lk5crypto -lcom_err
         +for sshd:  -lwrap -lpam -ldl

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
-----------------------------------

The output of the make command is:

        echo
>       if test ! -z ""; then  /usr/bin/perl ./fixprogs ssh_prng_cmds ;  fi
>       (cd openbsd-compat && make)
>       cc -qlanglvl=extc89 -I/opt/freeware/include/openssl/ -I/usr/local/include -qmaxmem=-1  -I. -I.. -I. -I./.. -I/opt/freeware/include -I/usr/local/lib/libwrap.a  -DHAVE_CONFIG_H -c bsd-arc4random.c
>"../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error.
>"../openbsd-compat/port-aix.h", line 94.69: 1506-046 (S) Syntax error.
>make: 1254-004 The error code from the last command is 1.
>Stop.
>make: 1254-004 The error code from the last command is 2.
>
>Stop.

I don't understand why this error occurs. Could you help or provide some
advice?

Thanks.

Regards,
Phoebus

From frphoebus at yahoo.fr Fri Feb 19 00:25:16 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Thu, 18 Feb 2010 13:25:16 +0000 (GMT)
Subject: : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
Message-ID: <71868.58287.qm@web23807.mail.ird.yahoo.com>

Hi all,

1. Environment:
Compiler: IBM XL C/C++ Enterprise Edition for AIX v9.0
Server: AIX 5.3 TL 10 SP1

2. What I did.

I use configure with the following options to configure the makefile.

--------------------------------
export CC=cc
export CFLAGS="-I/opt/freeware/include/openssl/ -I/usr/local/include"
export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
                --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
                --with-tcp-wrappers=/usr/local/lib \
                --with-zlib=/opt/freeware \
                --with-ssl-dir=/opt/freeware \
                --with-xauth=/usr/bin/X11/xauth \
                --with-md5-passwords \
                --with-kerberos5 \
                --with-pam \
                --with-pid-dir=/var/run
-------------------------------

A summary of the output at the end of configure:

--------------------------------
OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc/ssh
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: man
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: yes
                   SELinux support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: yes
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: powerpc-ibm-aix5.3.0.0
          Compiler: cc -qlanglvl=extc89
    Compiler flags: -I/opt/freeware/include/openssl/ -I/usr/local/include -DBROKEN_GETADDRINFO
Preprocessor flags: -I/opt/freeware/include -I/usr/local/lib -I/opt/freeware/include  -I/usr/local/include -I/usr/local/include/gssapi
      Linker flags: -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
         Libraries: -lcrypto -lz  -lkrb5 -lk5crypto -lcom_err
         +for sshd:  -lwrap -lpam -ldl

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
-----------------------------------

3. The error.

The output of the make command is:

        echo
>       if test ! -z ""; then  /usr/bin/perl ./fixprogs ssh_prng_cmds ;  fi
>       (cd openbsd-compat && make)
>       cc -qlanglvl=extc89 -I/opt/freeware/include/openssl/ -I/usr/local/include -qmaxmem=-1  -I. -I.. -I. -I./.. -I/opt/freeware/include -I/usr/local/lib/libwrap.a  -DHAVE_CONFIG_H -c bsd-arc4random.c
>"../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error.
>"../openbsd-compat/port-aix.h", line 94.69: 1506-046 (S) Syntax error.
>make: 1254-004 The error code from the last command is 1.
>Stop.
>make: 1254-004 The error code from the last command is 2.
>
>Stop.

I don't understand why this error occurs. Could you help or provide some
advice?

Thanks.

Regards,
Phoebus

From tim at multitalents.net Fri Feb 19 02:56:18 2010
From: tim at multitalents.net (Tim Rice)
Date: Thu, 18 Feb 2010 07:56:18 -0800 (PST)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <166075.15103.qm@web23802.mail.ird.yahoo.com>
References: <166075.15103.qm@web23802.mail.ird.yahoo.com>
Message-ID:

On Thu, 18 Feb 2010, phoebus phoebus wrote:

> Hi all,
>
> Environment:
> Compiler: IBM XL C/C++ Enterprise Edition for AIX v9.0
> Server: AIX 5.3 TL 10 SP1
> [snip]
> >       (cd openbsd-compat && make)
> >       cc -qlanglvl=extc89 -I/opt/freeware/include/openssl/ -I/usr/local/include -qmaxmem=-1  -I. -I.. -I. -I./.. -I/opt/freeware/include -I/usr/local/lib/libwrap.a  -DHAVE_CONFIG_H -c bsd-arc4random.c
> >"../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error.
> >"../openbsd-compat/port-aix.h", line 94.69: 1506-046 (S) Syntax error.
> >make: 1254-004 The error code from the last command is 1.
> >Stop.
> >make: 1254-004 The error code from the last command is 2.
> >
> >Stop.
>
> I don't understand why this error occurs. Could you help or provide some
> advice?
> Thanks.

If we look at lines 92 & 94 we see

int sys_auth_allowed_user(struct passwd *, Buffer *);
int sys_auth_record_login(const char *, const char *, const char *, Buffer *);

So the question is why is it choking on Buffer?

Try cc -E to see what the preprocessor makes of all the headers and source.

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From vinschen at redhat.com Fri Feb 19 02:59:21 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 18 Feb 2010 16:59:21 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com>
References: <20100202113902.GA19205@calimero.vinschen.de>
	<12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com>
Message-ID: <20100218155921.GS5683@calimero.vinschen.de>

On Feb  5 18:38, Hu, Eric wrote:
> From the below code (lines 191-203 of auth.c in allowed_user, called
> from getpwnamallow), the logic for "AllowUsers" calls match_user with
> the passwd struct's name (line 194). This should fail if the wrong case
> combination is given, should it not?
>
> 	/* Return false if AllowUsers isn't empty and user isn't listed there */
> 	if (options.num_allow_users > 0) {
> 		for (i = 0; i < options.num_allow_users; i++)
> 			if (match_user(pw->pw_name, hostname, ipaddr,
> 			    options.allow_users[i]))
> 				break;
> 		/* i < options.num_allow_users iff we break for loop */
> 		if (i >= options.num_allow_users) {
> 			logit("User %.100s from %.100s not allowed because "
> 			    "not listed in AllowUsers", pw->pw_name, hostname);
> 			return 0;
> 		}
> 	}
>
> The only thing consistent with what I originally saw and the above is
> if getpwnam (where pw in the above code comes from) returns the
> all-lowercase version of the name in the passwd struct. I think the
> problem might be in auth2.c. Lines 234-236 are shown below.
>
> 	/* setup auth context */
> 	authctxt->pw = PRIVSEP(getpwnamallow(user));
> 	authctxt->user = xstrdup(user);
>
> From this, it is possible for authctxt->user to hold a different string
> than authctxt->pw->pw_name. Perhaps the patch is simply changing line
> 236 to the following?
>
> 	authctxt->user = xstrdup(authctxt->pw->pw_name);

This sounds like a good idea.
Alternatively:

Index: auth2.c
===================================================================
RCS file: /cvs/openssh/auth2.c,v
retrieving revision 1.151
diff -u -p -r1.151 auth2.c
--- auth2.c	22 Jun 2009 06:11:07 -0000	1.151
+++ auth2.c	18 Feb 2010 15:58:02 -0000
@@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32
 	/* setup auth context */
 	authctxt->pw = PRIVSEP(getpwnamallow(user));
 	authctxt->user = xstrdup(user);
-	if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
+	if (authctxt->pw && strcmp(service, "ssh-connection")==0
+	    && !strcmp (user, authctxt->pw->pw_name)) {
 		authctxt->valid = 1;
 		debug2("input_userauth_request: setting up authctxt for %s", user);
 	} else {

This would disallow any login using the username in a case which
differs from the case used in /etc/passwd. And it wouldn't hurt
any case-sensitive system either.

Damien, would that be ok?

Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat

From frphoebus at yahoo.fr Fri Feb 19 03:55:53 2010
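Review bot: the rejection introduced by the two `+` lines in the auth2.c hunk is silent about its cause: when `authctxt->pw` is non-NULL but `strcmp(user, authctxt->pw->pw_name)` is non-zero, the request falls into the existing `else` branch exactly as a request for a non-existent account would, so an administrator looking at the log cannot tell a client that sent "usEr" from one that sent an unknown name, and on Cygwin (where this will trigger routinely) that will be hard to diagnose. Consider a dedicated `debug()`/`logit()` for the mismatch case (for example "user %s does not match passwd entry %s") before falling through to the existing `else`. Minor style point: `!strcmp (user, ...)` has a space before the parenthesis while `strcmp(service, ...)` on the preceding line has none; match the existing style.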
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Thu, 18 Feb 2010 16:55:53 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To:
References: <166075.15103.qm@web23802.mail.ird.yahoo.com>
Message-ID: <660602.46584.qm@web23802.mail.ird.yahoo.com>

Tim,

I tried "cc -E" but I don't have more information in the output. To pass
the argument to the preprocessor, I used the variable CPP="cc -E".

I put the logs in attachment.

./launch.ksh  2>&1 | tee myconfig.log  (launch.ksh contains the variable
arguments for configure).
make 2>&1 | tee mymake.log

How can I find what it makes of all the headers and source?

Regards,
Phoebus

----- Original Message ----
From: Tim Rice
To: openssh-unix-dev at mindrot.org
Sent: Thu, 18 February 2010, 16:56:18
Subject: Re: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

On Thu, 18 Feb 2010, phoebus phoebus wrote:

> Hi all,
>
> Environment:
> Compiler: IBM XL C/C++ Enterprise Edition for AIX v9.0
> Server: AIX 5.3 TL 10 SP1
> [snip]
> >        (cd openbsd-compat && make)
> >        cc -qlanglvl=extc89 -I/opt/freeware/include/openssl/ -I/usr/local/include -qmaxmem=-1  -I. -I.. -I. -I./.. -I/opt/freeware/include -I/usr/local/lib/libwrap.a  -DHAVE_CONFIG_H -c bsd-arc4random.c
> >"../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error.
> >"../openbsd-compat/port-aix.h", line 94.69: 1506-046 (S) Syntax error.
> >make: 1254-004 The error code from the last command is 1.
> >Stop.
> >make: 1254-004 The error code from the last command is 2.
> >
> >Stop.
>
> I don't understand why this error occurs. Could you help or provide some
> advice?
> Thanks.

If we look at lines 92 & 94 we see

int sys_auth_allowed_user(struct passwd *, Buffer *);
int sys_auth_record_login(const char *, const char *, const char *, Buffer *);

So the question is why is it choking on Buffer?

Try cc -E to see what the preprocessor makes of all the headers and source.

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mymake.log
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: myconfig.log
URL:

From mouring at eviladmin.org Fri Feb 19 04:02:03 2010
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Thu, 18 Feb 2010 11:02:03 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <20100218155921.GS5683@calimero.vinschen.de>
References: <20100202113902.GA19205@calimero.vinschen.de>
	<12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com>
	<20100218155921.GS5683@calimero.vinschen.de>
Message-ID:

On Feb 18, 2010, at 9:59 AM, Corinna Vinschen wrote:

> [..]
> This sounds like a good idea. Alternatively:
>
> Index: auth2.c
> ===================================================================
> RCS file: /cvs/openssh/auth2.c,v
> retrieving revision 1.151
> diff -u -p -r1.151 auth2.c
> --- auth2.c	22 Jun 2009 06:11:07 -0000	1.151
> +++ auth2.c	18 Feb 2010 15:58:02 -0000
> @@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32
>  	/* setup auth context */
>  	authctxt->pw = PRIVSEP(getpwnamallow(user));
>  	authctxt->user = xstrdup(user);
> -	if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
> +	if (authctxt->pw && strcmp(service, "ssh-connection")==0
> +	    && !strcmp (user, authctxt->pw->pw_name)) {
>  		authctxt->valid = 1;
>  		debug2("input_userauth_request: setting up authctxt for %s", user);
>  	} else {
>
> This would disallow any login using the username in a case which
> differs from the case used in /etc/passwd. And it wouldn't hurt
> any case-sensitive system either.
>
> Damien, would that be ok?

I'm sorry, but this feels like a bad idea. Why are we not fixing it in
cygwin? This seems like it would be an issue for any application that
cares about comparing the username against the password entry.

- Ben

From eric.hu at harman.com Fri Feb 19 04:36:49 2010
From: eric.hu at harman.com (Hu, Eric)
Date: Thu, 18 Feb 2010 11:36:49 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To:
Message-ID: <12FF1C857C510C43BA8B1B028B69AD5208AF5A24@HICGWSEX01.ad.harman.com>

Based on what I've seen, this is an OpenSSH issue. My original post
explains why. If the config file says "AllowUsers user," why should any
user that is successfully logged in based on this not execute all
statements associated with "Match User user?" The user name used for one
is not being used for the other.

Just because we're only seeing it on Cygwin (at least thus far) doesn't
mean it's a Cygwin issue. If the problem is indeed use of mixed user
names (as I've stated before, I personally don't know the code well
enough to know for sure), I'd say it's an OpenSSH problem. If there's
some spec detailing exactly what getpwnam (and other various underlying
calls OpenSSH is relying on) is supposed to do that Cygwin is violating,
then maybe it's a Cygwin issue. Even in this case though, it still looks
to me like OpenSSH could be made more robust by not relying on such
assumptions.

-----Original Message-----
From: openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org
[mailto:openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org] On
Behalf Of Ben Lindstrom
Sent: Thursday, February 18, 2010 9:02 AM
To: openssh openssh
Subject: Re: case sensitivity, "Match User" and "AllowUsers"

On Feb 18, 2010, at 9:59 AM, Corinna Vinschen wrote:

> [..]
> This sounds like a good idea. Alternatively:
>
> Index: auth2.c
> ===================================================================
> RCS file: /cvs/openssh/auth2.c,v
> retrieving revision 1.151
> diff -u -p -r1.151 auth2.c
> --- auth2.c	22 Jun 2009 06:11:07 -0000	1.151
> +++ auth2.c	18 Feb 2010 15:58:02 -0000
> @@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32
>  	/* setup auth context */
>  	authctxt->pw = PRIVSEP(getpwnamallow(user));
>  	authctxt->user = xstrdup(user);
> -	if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
> +	if (authctxt->pw && strcmp(service, "ssh-connection")==0
> +	    && !strcmp (user, authctxt->pw->pw_name)) {
>  		authctxt->valid = 1;
>  		debug2("input_userauth_request: setting up authctxt for %s", user);
>  	} else {
>
> This would disallow any login using the username in a case which
> differs from the case used in /etc/passwd. And it wouldn't hurt
> any case-sensitive system either.
>
> Damien, would that be ok?

I'm sorry, but this feels like a bad idea. Why are we not fixing it in
cygwin? This seems like it would be an issue for any application that
cares about comparing the username against the password entry.

- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From tim at multitalents.net Fri Feb 19 04:41:24 2010
From: tim at multitalents.net (Tim Rice)
Date: Thu, 18 Feb 2010 09:41:24 -0800 (PST)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <660602.46584.qm@web23802.mail.ird.yahoo.com>
References: <166075.15103.qm@web23802.mail.ird.yahoo.com>
	<660602.46584.qm@web23802.mail.ird.yahoo.com>
Message-ID:

On Thu, 18 Feb 2010, phoebus phoebus wrote:

> Tim,
> I tried "cc -E" but I don't have more information in the output. To pass
> the argument to the preprocessor, I used the variable CPP="cc -E"
> I put the logs in attachment.
>
> How can I find what it makes of all the headers and source?

$ cd openbsd-compat
# cc -qlanglvl=extc89 -I/opt/freeware/include/openssl/ \
-I/usr/local/include -qmaxmem=-1 -I. -I.. -I. -I./.. \
-I/opt/freeware/include -I/usr/local/lib/libwrap.a -DHAVE_CONFIG_H \
-E bsd-arc4random.c > junk

Now look at junk and see where Buffer is defined.

> Regards,
> Phoebus
>
> ----- Original Message ----
> [snip]
> > >        (cd openbsd-compat && make)
> > >        cc -qlanglvl=extc89 -I/opt/freeware/include/openssl/ -I/usr/local/include -qmaxmem=-1  -I. -I.. -I. -I./.. -I/opt/freeware/include -I/usr/local/lib/libwrap.a  -DHAVE_CONFIG_H -c bsd-arc4random.c
> > >"../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error.
> > >"../openbsd-compat/port-aix.h", line 94.69: 1506-046 (S) Syntax error.
> > >make: 1254-004 The error code from the last command is 1.
> > >Stop.
> > >make: 1254-004 The error code from the last command is 2.
> > >
> > >Stop.
> >
> > I don't understand why this error occurs. Could you help or provide some
> > advice?
> > Thanks.
>
> If we look at lines 92 & 94 we see
> int sys_auth_allowed_user(struct passwd *, Buffer *);
> int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
> So the question is why is it choking on Buffer?
>
> Try cc -E to see what the preprocessor makes of all the headers and source.
>

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From mouring at eviladmin.org Fri Feb 19 05:30:35 2010
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Thu, 18 Feb 2010 12:30:35 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <12FF1C857C510C43BA8B1B028B69AD5208AF5A24@HICGWSEX01.ad.harman.com>
References: <12FF1C857C510C43BA8B1B028B69AD5208AF5A24@HICGWSEX01.ad.harman.com>
Message-ID: <8682F8A7-D87F-415D-8745-F13E2E97AA94@eviladmin.org>

On Feb 18, 2010, at 11:36 AM, Hu, Eric wrote:

> Based on what I've seen, this is an OpenSSH issue. My original post explains why. If the config file says "AllowUsers user," why should any user that is successfully logged in based on this not execute all statements associated with "Match User user?" The user name used for one is not being used for the other.
>
> Just because we're only seeing it on Cygwin (at least thus far) doesn't mean it's a Cygwin issue. If the problem is indeed use of mixed user names (as I've stated before, I personally don't know the code well enough to know for sure), I'd say it's an OpenSSH problem. If there's some spec detailing exactly what getpwnam (and other various underlying calls OpenSSH is relying on) is supposed to do that Cygwin is violating, then maybe it's a Cygwin issue. Even in this case though, it still looks to me like OpenSSH could be made more robust by not relying on such assumptions.

Think about this for a moment.. if I do

    pw = getpwnam("MoUrInG");

and I get back

    pw->pw_name = "mouring"

Whose fault is it? OpenSSH or the OS that it is running on? What this boils down to is that getpwnam() on cygwin must not be returning pw->pw_name = (const char *login).

This being stated.. Do we have any other examples of UNIX, UNIX-like, or UNIX-emulation setups that fail to honor this very simple case?

Sadly, the POSIX description seems to leave this as a gray area like a lot of POSIX stuff does. However, it feels pretty clear what the correct behavior should be.

- Ben

From eric.hu at harman.com Fri Feb 19 06:13:37 2010
From: eric.hu at harman.com (Hu, Eric)
Date: Thu, 18 Feb 2010 13:13:37 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <8682F8A7-D87F-415D-8745-F13E2E97AA94@eviladmin.org>
Message-ID: <12FF1C857C510C43BA8B1B028B69AD5208AF5B17@HICGWSEX01.ad.harman.com>

It's not clear to me. One name is getting sent to "AllowUsers" and another is getting sent to "Match User." That's OpenSSH's doing no matter how you slice it. getpwnam looks like it gets called before both. Again, I couldn't find the "Match User" code so I don't know this for sure, but I can't see why you would execute "Match User" statements before knowing whether the user is allowed. If getpwnam is indeed called before both, why would pw->pw_name be used for one config statement, but not the other? I would think either "AllowUsers" should be using "const char *login" or "Match User" should be using pw->pw_name.

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at eviladmin.org]
Sent: Thursday, February 18, 2010 10:31 AM
To: Hu, Eric
Cc: openssh openssh
Subject: Re: case sensitivity, "Match User" and "AllowUsers"

From vinschen at redhat.com Fri Feb 19 07:51:00 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 18 Feb 2010 21:51:00 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <8682F8A7-D87F-415D-8745-F13E2E97AA94@eviladmin.org>
References: <12FF1C857C510C43BA8B1B028B69AD5208AF5A24@HICGWSEX01.ad.harman.com> <8682F8A7-D87F-415D-8745-F13E2E97AA94@eviladmin.org>
Message-ID: <20100218205100.GA4646@calimero.vinschen.de>

On Feb 18 12:30, Ben Lindstrom wrote:
>
> On Feb 18, 2010, at 11:36 AM, Hu, Eric wrote:
>
> > Based on what I've seen, this is an OpenSSH issue. My original post explains why. If the config file says "AllowUsers user," why should any user that is successfully logged in based on this not execute all statements associated with "Match User user?" The user name used for one is not being used for the other.
> >
> > Just because we're only seeing it on Cygwin (at least thus far) doesn't mean it's a Cygwin issue. If the problem is indeed use of mixed user names (as I've stated before, I personally don't know the code well enough to know for sure), I'd say it's an OpenSSH problem. If there's some spec detailing exactly what getpwnam (and other various underlying calls OpenSSH is relying on) is supposed to do that Cygwin is violating, then maybe it's a Cygwin issue. Even in this case though, it still looks to me like OpenSSH could be made more robust by not relying on such assumptions.
>
> Think about this for a moment.. if I do
>
>     pw = getpwnam("MoUrInG");
>
> and I get back
>
>     pw->pw_name = "mouring"
>
> Whose fault is it? OpenSSH or the OS that it is running on?

It's not Cygwin's fault. Usernames on Windows *are* case-insensitive. The password entry contains the name in one format, but you can write it in every case. That's a property of the underlying system.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From frphoebus at yahoo.fr Fri Feb 19 10:07:35 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Thu, 18 Feb 2010 23:07:35 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
Message-ID: <4885.49349.qm@web23805.mail.ird.yahoo.com>

Tim,

The junk file is not in attachment because it is too big.

I found occurrences for line 92 in the junk file at:

* lines 2544 to 2555

    #line 92 "/usr/include/time.h"
    struct tm {
        int tm_sec;
        int tm_min;
        int tm_hour;
        int tm_mday;
        int tm_mon;
        int tm_year;
        int tm_wday;
        int tm_yday;
        int tm_isdst;
    };

* lines 2939 to 2944

    #line 92
    int sys_auth_allowed_user(struct passwd *, Buffer *);
    int sys_auth_record_login(const char *, const char *, const char *, Buffer *);
    char *sys_auth_get_lastlogin_msg(const char *, uid_t);

* lines 4617 to 4636

    #line 92
    int RAND_set_rand_method(const RAND_METHOD *meth);
    const RAND_METHOD *RAND_get_rand_method(void);
    int RAND_set_rand_engine(ENGINE *engine);
    RAND_METHOD *RAND_SSLeay(void);
    void RAND_cleanup(void );
    int RAND_bytes(unsigned char *buf,int num);
    int RAND_pseudo_bytes(unsigned char *buf,int num);
    void RAND_seed(const void *buf,int num);
    void RAND_add(const void *buf,int num,double entropy);
    int RAND_load_file(const char *file,long max_bytes);
    int RAND_write_file(const char *file);
    const char *RAND_file_name(char *file,size_t num);
    int RAND_status(void);
    int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes);
    int RAND_egd(const char *path);
    int RAND_egd_bytes(const char *path,int bytes);
    int RAND_poll(void);

I found occurrences for line 94 in the junk file at:

* lines 325 to 341

    #line 94
    typedef int pdtx_t;
    typedef short psx_t;
    typedef ushort_t pshift_t;
    typedef ushort_t sshift_t;
    typedef int unidx_t;
    typedef int snidx_t;
    typedef int vmnodeidx_t;
    typedef int kvpn_t;
    typedef int krpn_t;
    typedef int32long64_t vmsize_t;
    typedef int32long64_t vmm_lock_t;

* lines 3238 to 3252

    #line 94
    extern size_t __getmbcurmax (void);
    extern int __getmaxdispwidth (void);

* lines 4009 to 4010

    #line 94
    } ;
What is the next step?

Regards,
Phoebus

----- Original Message ----
From: Tim Rice
To: openssh-unix-dev at mindrot.org
Sent: Thu 18 February 2010, 18 h 41 min 24 s
Subject: Re: Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

From dtucker at zip.com.au Fri Feb 19 11:57:30 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 19 Feb 2010 11:57:30 +1100
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <4885.49349.qm@web23805.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com>
Message-ID: <4B7DE1FA.7000900@zip.com.au>

phoebus phoebus wrote:
> The junk file is not in attachment because it is too big.

Can you put it up someplace where we can look at it? If nothing else you could open a bug at bugzilla.mindrot.org and attach it (using "create attachment").

Since port-aix.h includes "buffer.h" there should be something like this in the preprocessed output:

    typedef struct {
        u_char  *buf;       /* Buffer for data. */
        u_int    alloc;     /* Number of bytes allocated for data. */
        u_int    offset;    /* Offset of first byte containing data. */
        u_int    end;       /* Offset of last byte containing data. */
    }       Buffer;

If that's not there then I don't understand why. My (long shot) guess is that there's a system header called "buffer.h" which the compiler is finding in preference to the OpenSSH one. You could try "find /usr/include -name buffer.h" and if there is one, compare its contents to the "junk" file created earlier and see if it's in there.

Another long shot: you could copy buffer.h into the openbsd-compat directory and re-try "make".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From frphoebus at yahoo.fr Fri Feb 19 17:07:43 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Fri, 19 Feb 2010 06:07:43 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <4B7DE1FA.7000900@zip.com.au>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au>
Message-ID: <826870.58162.qm@web23805.mail.ird.yahoo.com>

Hi Darren,

I found buffer.h in:

    ca06:/# find . -name buffer.h
    ./home/frphoebus/openssh/openssh-5.3p1/buffer.h   (moved to openbsd-compat and renamed buffer-myopenssh.h)
    ./opt/freeware/include/openssl/buffer.h           (moved to openbsd-compat and renamed buffer-myopenssl.h)
    ca06:/#

The sizes of the files are different:

    ca06:/home/frphoebus/openssh/openssh-5.3p1/openbsd-compat# du -k buffer-myopenssh.h buffer-myopenssl.h junk
    4       buffer-myopenssh.h
    8       buffer-myopenssl.h
    140     junk

1. I did make with buffer-myopenssh.h (renamed buffer.h); the make output is in file: mymake-buffer-myopenssh.log
2. I did make with buffer-myopenssl.h (renamed buffer.h); the make output is in file: mymake-buffer-myopenssl.log

In case 1, the make progresses. It doesn't find some gssapi file. I haven't installed the kerberos fileset. I suppose that's why the make fails.

In case 2, the make failed with the same message as before when I opened this thread.

I think I need to use the buffer.h located in the directory openssh-5.3p1 and move it to openbsd-compat. Could you confirm?

PS: I split the junk file in 3 parts. I'll post it in 3 new messages in the same thread.

Thanks,
Phoebus

----- Original Message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 1 h 57 min 30 s
Subject: Re: Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mymake-buffer-myopenssh.log
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mymake-buffer-myopenssl.log
URL:

From frphoebus at yahoo.fr Fri Feb 19 17:13:42 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Fri, 19 Feb 2010 06:13:42 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <4B7DE1FA.7000900@zip.com.au>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au>
Message-ID: <683507.11662.qm@web23802.mail.ird.yahoo.com>

Darren,

PS: I split the junk file in 3 parts. I'll post it in 3 new messages in the same thread.

This is the first part of the junk file. File xaa in attachment.

Regards,
Frphoebus

----- Original Message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 1 h 57 min 30 s
Subject: Re: Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

From frphoebus at yahoo.fr Fri Feb 19 17:14:48 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Fri, 19 Feb 2010 06:14:48 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <4B7DE1FA.7000900@zip.com.au>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au>
Message-ID: <44139.683.qm@web23808.mail.ird.yahoo.com>

Darren,

PS: I split the junk file in 3 parts. I'll post it in 3 new messages in the same thread.

This is the second part of the junk file. File xab in attachment.

Regards,
Frphoebus

----- Original Message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 1 h 57 min 30 s
Subject: Re: Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

From frphoebus at yahoo.fr Fri Feb 19 17:15:28 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Fri, 19 Feb 2010 06:15:28 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <4B7DE1FA.7000900@zip.com.au>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au>
Message-ID: <730665.1751.qm@web23808.mail.ird.yahoo.com>

Darren,

PS: I split the junk file in 3 parts. I'll post it in 3 new messages in the same thread.

This is the third and last part of the junk file. File xac in attachment.

Regards,
Frphoebus

----- Original Message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 1 h 57 min 30 s
Subject: Re: Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

From mouring at eviladmin.org Fri Feb 19 19:41:00 2010
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Fri, 19 Feb 2010 02:41:00 -0600
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <20100218205100.GA4646@calimero.vinschen.de>
References: <12FF1C857C510C43BA8B1B028B69AD5208AF5A24@HICGWSEX01.ad.harman.com> <8682F8A7-D87F-415D-8745-F13E2E97AA94@eviladmin.org> <20100218205100.GA4646@calimero.vinschen.de>
Message-ID: <389A1C47-01B5-4DAD-B712-CF89C148E14D@eviladmin.org>

On Feb 18, 2010, at 2:51 PM, Corinna Vinschen wrote:

> On Feb 18 12:30, Ben Lindstrom wrote:
>>
>> On Feb 18, 2010, at 11:36 AM, Hu, Eric wrote:
>>
>>> Based on what I've seen, this is an OpenSSH issue. My original post explains why. If the config file says "AllowUsers user," why should any user that is successfully logged in based on this not execute all statements associated with "Match User user?" The user name used for one is not being used for the other.
>>>
>>> Just because we're only seeing it on Cygwin (at least thus far) doesn't mean it's a Cygwin issue. If the problem is indeed use of mixed user names (as I've stated before, I personally don't know the code well enough to know for sure), I'd say it's an OpenSSH problem. If there's some spec detailing exactly what getpwnam (and other various underlying calls OpenSSH is relying on) is supposed to do that Cygwin is violating, then maybe it's a Cygwin issue. Even in this case though, it still looks to me like OpenSSH could be made more robust by not relying on such assumptions.
>>
>> Think about this for a moment.. if I do
>>
>>     pw = getpwnam("MoUrInG");
>>
>> and I get back
>>
>>     pw->pw_name = "mouring"
>>
>> Whose fault is it? OpenSSH or the OS that it is running on?
>
> It's not Cygwin's fault.

So you are saying that cygwin's getpw*() functions are written by Microsoft thus are closed source and not implemented via glibc? If that is the case then you may have an argument. If you are using getpw*() from glibc or another cygwin-maintained library then you've lost the argument since it is then cygwin's issue.

> Usernames on Windows *are* case-insensitive.
> The password entry contains the name in one format, but you can write
> it in every case. That's a property of the underlying system.

You do your community a disservice by propagating this misfeature. OpenSSH isn't the only code base affected by this. Off the top of my head mod_svn and apache's mod_access have similar features. So unless you've patched them (and every piece of code like them), and made every developer writing code on your platform aware of this difference, there will be other instances of this issue that will cause someone massive heartburn.

In the end, I have no say if this is accepted; I gave up that right when I walked away from being a committer. However, it doesn't stop me from feeling that it's fixing a symptom and leaving the core issue.

- Ben

From dtucker at zip.com.au Fri Feb 19 20:00:27 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 19 Feb 2010 20:00:27 +1100
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <826870.58162.qm@web23805.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com>
Message-ID: <4B7E532B.6080105@zip.com.au>

phoebus phoebus wrote:
> Hi Darren,
>
> I found buffer.h in:
>
> ca06:/# find . -name buffer.h
> ./home/frphoebus/openssh/openssh-5.3p1/buffer.h (moved to openbsd-compat and renamed buffer-myopenssh.h)
> ./opt/freeware/include/openssl/buffer.h (moved to openbsd-compat and renamed buffer-myopenssl.h)
> ca06:/#

Aha! Your preprocessed source has /opt/freeware/include/openssl/buffer.h before ../buffer.h, and OpenSSH's buffer.h has:

    #ifndef BUFFER_H
    #define BUFFER_H

I'll bet /opt/freeware/include/openssl/buffer.h has exactly the same symbol. Please try changing those two lines in OpenSSH's buffer.h (in an otherwise vanilla unpacked tarball) to:

    #ifndef OSSH_BUFFER_H
    #define OSSH_BUFFER_H

What version of OpenSSL are you using?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Fri Feb 19 20:08:14 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 19 Feb 2010 20:08:14 +1100
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <4B7E532B.6080105@zip.com.au>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au>
Message-ID: <4B7E54FE.8040804@zip.com.au>

Darren Tucker wrote:
> phoebus phoebus wrote:
>> Hi Darren,
>>
>> I found buffer.h in:
>>
>> ca06:/# find . -name buffer.h
>> ./home/frphoebus/openssh/openssh-5.3p1/buffer.h (moved to openbsd-compat and renamed buffer-myopenssh.h)
>> ./opt/freeware/include/openssl/buffer.h (moved to openbsd-compat and renamed buffer-myopenssl.h)
>> ca06:/#
>
> Aha! Your preprocessed source has /opt/freeware/include/openssl/buffer.h before ../buffer.h, and OpenSSH's buffer.h has:
[...]

From your original post, you're using:

    export CFLAGS="-I/opt/freeware/include/openssl/ -I/usr/local/include"
    export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
    ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
        --with-cflags="-O -D__STR31__ -qmaxmem=-1" \
        --with-cflags="-DBROKEN_GETADDRINFO" \
        --with-tcp-wrappers=/usr/local/lib \
        --with-zlib=/opt/freeware \
        --with-ssl-dir=/opt/freeware \

I think the CFLAGS=-I/opt/freeware/include/openssl/ is the source of your problem, and should be unnecessary because you also have "--with-ssl-dir=/opt/freeware".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From vinschen at redhat.com Fri Feb 19 21:03:00 2010
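Added example, not OpenSSH's or OpenSSL's code, modelling the include-guard collision Darren diagnoses in his two messages above: two headers that both guard themselves with BUFFER_H, pasted in the order the -I/opt/freeware/include/openssl/ flag produced, and the same pair after OpenSSH's guard is renamed to OSSH_BUFFER_H. The header bodies are simplified stand-ins written inline, which is faithful because #include is a textual paste and the preprocessor treats the blocks exactly as it would two files.

```c
/* Added example, not OpenSSH or OpenSSL code. Both "headers" below are
 * simplified stand-ins written inline; #include is a textual paste, so the
 * preprocessor sees exactly what it would see with two real files. */
#include <stddef.h>
#include <stdio.h>

/* ---- Scenario A: both headers guard with BUFFER_H ---------------------- */

/* A.1 What an OpenSSL buffer.h found first via -I.../openssl/ contributes. */
#ifndef BUFFER_H
#define BUFFER_H
typedef struct { char *data; size_t length; } a_BUF_MEM;   /* stand-in */
#endif

/* A.2 OpenSSH's buffer.h with the *same* guard symbol. BUFFER_H is already
 *     defined, so this whole block is skipped: a_Buffer is never declared,
 *     which is why port-aix.h later fails with "Syntax error" on Buffer. */
#ifndef BUFFER_H
#define BUFFER_H
#define A_OSSH_BUFFER_DECLARED 1
typedef struct { unsigned char *buf; unsigned int alloc, offset, end; } a_Buffer;
#endif

/* ---- Scenario B: OpenSSH's guard renamed to OSSH_BUFFER_H -------------- */

/* B.1 OpenSSL's header again: BUFFER_H is still defined from A.1, so, as
 *     with any repeated inclusion, its body is skipped. */
#ifndef BUFFER_H
#define BUFFER_H
typedef struct { char *data; size_t length; } b_BUF_MEM;
#endif

/* B.2 OpenSSH's header under its own guard name: no collision, body kept. */
#ifndef OSSH_BUFFER_H
#define OSSH_BUFFER_H
#define B_OSSH_BUFFER_DECLARED 1
typedef struct { unsigned char *buf; unsigned int alloc, offset, end; } b_Buffer;
#endif

/* 1 if OpenSSH's typedef survived preprocessing under the shared guard. */
int ossh_buffer_declared_shared_guard(void)
{
#ifdef A_OSSH_BUFFER_DECLARED
    return 1;
#else
    return 0;
#endif
}

/* 1 if it survived once the guard was renamed. */
int ossh_buffer_declared_distinct_guard(void)
{
#ifdef B_OSSH_BUFFER_DECLARED
    return 1;
#else
    return 0;
#endif
}

/* The type is usable in scenario B: bytes of data held = end - offset. */
unsigned int b_buffer_len(unsigned int offset, unsigned int end)
{
    b_Buffer b = { NULL, 0, offset, end };
    return b.end - b.offset;
}

int main(void)
{
    printf("shared guard BUFFER_H        : Buffer declared = %d\n",
           ossh_buffer_declared_shared_guard());    /* 0: body skipped */
    printf("distinct guard OSSH_BUFFER_H : Buffer declared = %d\n",
           ossh_buffer_declared_distinct_guard());  /* 1: body kept    */
    printf("b_buffer_len(2, 10) = %u\n", b_buffer_len(2, 10));
    return 0;
}
```

Tim's "cc -E ... > junk" diagnostic earlier in the thread finds the same thing by hand: with the shared guard the preprocessed output contains no Buffer typedef at all.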
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 19 Feb 2010 11:03:00 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <389A1C47-01B5-4DAD-B712-CF89C148E14D@eviladmin.org>
References: <12FF1C857C510C43BA8B1B028B69AD5208AF5A24@HICGWSEX01.ad.harman.com> <8682F8A7-D87F-415D-8745-F13E2E97AA94@eviladmin.org> <20100218205100.GA4646@calimero.vinschen.de> <389A1C47-01B5-4DAD-B712-CF89C148E14D@eviladmin.org>
Message-ID: <20100219100300.GA6013@calimero.vinschen.de>

On Feb 19 02:41, Ben Lindstrom wrote:
> On Feb 18, 2010, at 2:51 PM, Corinna Vinschen wrote:
> > On Feb 18 12:30, Ben Lindstrom wrote:
> >> Think about this for a moment.. if I do
> >>
> >>     pw = getpwnam("MoUrInG");
> >>
> >> and I get back
> >>
> >>     pw->pw_name = "mouring"
> >>
> >> Whose fault is it? OpenSSH or the OS that it is running on?
> >
> > It's not Cygwin's fault.
>
> So you are saying that cygwin's getpw*() functions are written by
> Microsoft thus are closed source and not implemented via glibc? If

They are implemented as open source but not via glibc.

> that is the case then you may have an argument. If you are using
> getpw*() from glibc or another cygwin-maintained library then
> you've lost the argument since it is then cygwin's issue.
>
> > Usernames on Windows *are* case-insensitive.
> > The password entry contains the name in one format, but you can write
> > it in every case. That's a property of the underlying system.
>
> You do your community a disservice by propagating this misfeature.

I don't think so. A system using case-insensitive usernames is as valid as a system using case-sensitive usernames. You might not like it, but opinion doesn't change the fact. Cygwin has no choice in the matter if it wants to work smoothly on Windows. Our passwd entries are usually generated from the Windows SAM or AD, whatever is used in the environment. Admins often use case in usernames like, say, "Corinna", with uppercase c when entering the user in the database. Sometimes, in bigger companies, it's even an automatic process generating usernames from the real user name. That does not mean the user can't log in using any other case, like simple lowercase, "corinna". It's the same username using the same password, and both mean the same user SID (Windows equivalent to uid/gid).

Ok, so the usernames "foo", "Foo", and "FOO" all mean the same user on Windows. Why exactly then should it be wrong if Cygwin returns the same passwd entry with the same uid for the user? After all, it *is* the same user. *Not* returning the passwd entry and claiming the user doesn't exist would be wrong.

Last but not least, POSIX-1.2008 only says this:

    The getpwnam() function shall search the user database for an entry
    with a matching name.

Note the lack of a requirement that "matching" means "strcmp".

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From dtucker at zip.com.au Fri Feb 19 22:39:43 2010
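Added example, not OpenSSH code and not Cygwin's getpwnam(), modelling the exchange above between Ben and Corinna: a getpwnam() that matches case-insensitively and returns the stored spelling in pw_name (the behaviour Corinna describes), a rule check against the login name the client submitted, a rule check against pw_name, and the strict spelling check from the patch quoted at the top of this thread. The user table is constructed, and mock_getpwnam_ci, rule_matches_submitted, rule_matches_canonical and login_is_canonical are names made up for this illustration.

```c
/* Added example, not OpenSSH or Cygwin code. Models a case-insensitive
 * getpwnam() and the two strings a sshd_config rule can be compared
 * against, to show why "AllowUsers user" and "Match User user" can
 * disagree on "usEr" when they do not compare the same string. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct mock_pw {
    const char *pw_name;   /* spelling stored in the user database */
    unsigned    pw_uid;
};

/* Constructed user database; "Corinna" mirrors the mixed-case entries
 * Corinna describes admins creating from the SAM/AD. */
static const struct mock_pw mock_db[] = {
    { "mouring", 1001 },
    { "Corinna", 1002 },
    { "user",    1003 },
};

/* ASCII case-insensitive equality, written out so that what "matching"
 * means here is visible rather than hidden inside strcasecmp(). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Behaves like getpwnam() on a platform with case-insensitive usernames:
 * any spelling finds the entry and pw_name is the stored spelling. */
const struct mock_pw *mock_getpwnam_ci(const char *login)
{
    size_t i;
    for (i = 0; i < sizeof mock_db / sizeof mock_db[0]; i++)
        if (ci_equal(mock_db[i].pw_name, login))
            return &mock_db[i];
    return NULL;
}

/* Rule compared literally against what the client sent. Only the exact
 * stored spelling matches, which is consistent with the "Match User"
 * behaviour reported in the thread (start.sh runs only for "user"). */
int rule_matches_submitted(const char *rule, const char *login)
{
    return strcmp(rule, login) == 0;
}

/* Rule compared against the canonical pw_name, so every spelling of the
 * same account gets the same answer. Consistent with every spelling
 * getting through "AllowUsers user". */
int rule_matches_canonical(const char *rule, const char *login)
{
    const struct mock_pw *pw = mock_getpwnam_ci(login);
    return pw != NULL && strcmp(rule, pw->pw_name) == 0;
}

/* The check added by the quoted patch: accept the login only when it is
 * spelled exactly as the database stores it, so that every rule evaluated
 * afterwards sees one canonical name. */
int login_is_canonical(const char *login)
{
    const struct mock_pw *pw = mock_getpwnam_ci(login);
    return pw != NULL && strcmp(login, pw->pw_name) == 0;
}

int main(void)
{
    const char *logins[] = { "user", "usEr", "USER", "nobody" };
    size_t i;
    printf("%-8s %-10s %-10s %-7s\n", "login", "submitted", "canonical", "strict");
    for (i = 0; i < sizeof logins / sizeof logins[0]; i++)
        printf("%-8s %-10d %-10d %-7d\n", logins[i],
               rule_matches_submitted("user", logins[i]),
               rule_matches_canonical("user", logins[i]),
               login_is_canonical(logins[i]));
    return 0;
}
```

The administrator's concern is the gap between the first two columns: once one rule keys off the submitted spelling and another off pw_name, a "Match User" block is skipped for a login that "AllowUsers" accepted, so either every rule must compare the same canonical name or non-canonical spellings must be refused before any rule runs.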
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 19 Feb 2010 22:39:43 +1100
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <120475.44703.qm@web23806.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com>
Message-ID: <4B7E787F.3030508@zip.com.au>

phoebus phoebus wrote:
> Darren,
>
> I use openssl version: OpenSSL 0.9.7l 28 Sep 2006. Openssl is from 2 rpm packages openssl-0.9.7l-2, openssl-devel-0.9.7l-2 from the Linux toolbox for AIX 5.3
> [...]
> When I run make, I have the following errors:
>
> include -I/usr/local/include/gssapi -DSSHDIR=\"/usr/local/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c roaming_common.c
> "roaming_common.c", line 58.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
> "roaming_common.c", line 70.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
> cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o -L. -Lopenbsd-compat/ -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib -lssh -lopenbsd-compat -lcrypto -lz -lkrb5 -lk5crypto -lcom_err
> ld: 0706-006 Cannot find or open library file: -l k5crypto
> ld:open(): A file or directory in the path name does not exist.
> ld: 0706-006 Cannot find or open library file: -l com_err
> ld:open(): A file or directory in the path name does not exist.
> make: 1254-004 The error code from the last command is 255.
>
> Thanks for the advice. I'm looking for the libraries k5crypto and com_err. I installed the kerberos5 filesets but no improvement.
> I'm now continuing my investigation.

I would guess either the native kerberos doesn't have the library files openssh is looking for, or they're located someplace the linker can't find them. Can you list the files in the kerberos filesets (I vaguely recall "lslpp -l" but it's been a while) and does it contain the libk5crypto and libcom_err files? If so, where?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From frphoebus at yahoo.fr Fri Feb 19 22:20:55 2010
From: frphoebus at yahoo.fr (phoebus phoebus) Date: Fri, 19 Feb 2010 11:20:55 +0000 (GMT) Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3 In-Reply-To: <4B7E54FE.8040804@zip.com.au> References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> Message-ID: <120475.44703.qm@web23806.mail.ird.yahoo.com>

Darren,

I use openssl version: OpenSSL 0.9.7l 28 Sep 2006. OpenSSL is from 2 rpm packages, openssl-0.9.7l-2 and openssl-devel-0.9.7l-2, from the Linux toolbox for AIX 5.3.

You found the error. Now I do the configure with the following commands and I get past the previous errors.

export CC=cc
export CFLAGS="-I/usr/local/include"
export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
export CPP="cc -E"
./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
  --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
  --with-tcp-wrappers=/usr/local/lib \
  --with-zlib=/opt/freeware \
  --with-ssl-dir=/opt/freeware \
  --with-xauth=/usr/bin/X11/xauth \
  --with-md5-passwords \
  --with-kerberos5 \
  --with-pam \
  --with-pid-dir=/var/run

When I run make, I have the following errors:

include -I/usr/local/include/gssapi -DSSHDIR=\"/usr/local/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c roaming_common.c
"roaming_common.c", line 58.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"roaming_common.c", line 70.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
        cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o -L. -Lopenbsd-compat/ -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib -lssh -lopenbsd-compat -lcrypto -lz -lkrb5 -lk5crypto -lcom_err
ld: 0706-006 Cannot find or open library file: -l k5crypto
        ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
        ld:open(): A file or directory in the path name does not exist.
make: 1254-004 The error code from the last command is 255.

Thanks for the advice. I'm looking for the libraries k5crypto and com_err. I installed the kerberos5 filesets but no improvement. I'm now continuing my investigation.

Regards,
Phoebus

----- Original message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 10:08:14
Subject: Re: Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Darren Tucker wrote:
> phoebus phoebus wrote:
>> Hi Darren,
>>
>> I found buffer.h in:
>>
>> ca06:/# find . -name buffer.h
>> ./home/frphoebus/openssh/openssh-5.3p1/buffer.h (moved to openbsd-compat and renamed buffer-myopenssh.h)
>> ./opt/freeware/include/openssl/buffer.h (moved to openbsd-compat and renamed buffer-myopenssl.h)
>> ca06:/#
>
> Aha! Your preprocessed source has /opt/freeware/include/openssl/buffer.h before ../buffer.h, and OpenSSH's buffer.h has:
[...]

From your original post, you're using:

export CFLAGS="-I/opt/freeware/include/openssl/ -I/usr/local/include"
export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
          --with-cflags="-O -D__STR31__ -qmaxmem=-1" \
          --with-cflags="-DBROKEN_GETADDRINFO" \
          --with-tcp-wrappers=/usr/local/lib \
          --with-zlib=/opt/freeware \
          --with-ssl-dir=/opt/freeware \

I think the CFLAGS=-I/opt/freeware/include/openssl/ is the source of your problem, and should be unnecessary because you also have "--with-ssl-dir=/opt/freeware".

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From paul.mansfield at taptu.com Fri Feb 19 22:21:56 2010 
From: paul.mansfield at taptu.com (Paul Mansfield) Date: Fri, 19 Feb 2010 11:21:56 +0000 Subject: ssh feature - ignore colon in host name Message-ID: <4B7E7454.2000105@taptu.com>

sorry if this has been discussed and rejected before, I'm new to the list, I did google but didn't find anything.
--

quite often I use ssh and scp within a few minutes, so I might do this...

scp myfile user at host.example.com:
ssh user at host.example.com

it would make life a lot easier if I could type

scp myfile user at host.example.com:
ssh !$

or sometimes I simply copy too much and paste in host name and then have the faff of removing it. ok, that's a particularly bad example of being lazy :-)

for the above to work, ssh would have to ignore the colon, that's all. I don't think the colon can have any significance in the hostname, so throwing it away wouldn't be harmful!?

I could write a wrapper script, but I'm lazy, and figured it would be nicer if ssh could simply have this quick hack... please

thanks for your time

Paul

From frphoebus at yahoo.fr Fri Feb 19 23:57:00 2010 
From: frphoebus at yahoo.fr (phoebus phoebus) Date: Fri, 19 Feb 2010 12:57:00 +0000 (GMT) Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3 In-Reply-To: <4B7E787F.3030508@zip.com.au> References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> Message-ID: <465680.58111.qm@web23803.mail.ird.yahoo.com>

Darren,

ca06:/# lslpp -L -b'Kerberos_5'
  Fileset                      Level    State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  krb5.client.rte              1.4.0.8  C      F     Network Authentication Service Client

ca06:/# lslpp -L krb5.*
  Fileset                      Level    State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  krb5.client.rte              1.4.0.8  C      F     Network Authentication Service Client
  krb5.client.samples          1.4.0.8  C      F     Network Authentication Service Samples
  krb5.doc.en_US.html          1.4.0.8  C      F     Network Auth Service HTML Documentation - U.S. English
  krb5.doc.en_US.pdf           1.4.0.8  C      F     Network Auth Service PDF Documentation - U.S. English
  krb5.msg.en_US.client.rte    1.4.0.8  C      F     Network Auth Service Client Msgs - U.S. English
  krb5.toolkit.adt             1.4.0.8  C      F     Network Authentication Service App. Dev. Toolkit

I don't find these libraries. They aren't included in the fileset krb5.server.rte. Attached is the listing of the installed filesets (filesetKbr5.txt). FYI: the packages included in the AIX Expansion Pack are listed in the file ExpansionPackAix53-112008.txt (screen copy from smit). I don't know how to find the IBM libraries and I'm not sure it is possible to use the MIT krb5 library for the compilation on the AIX platform.

Regards,
Frphoebus

----- Original message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 12:39:43
Subject: Re: Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

> [...]
> I would guess either the native kerberos doesn't have the library files openssh is looking for, or they're located someplace the linker can't find them. Can you list the files in the kerberos filesets (I vaguely recall "lslpp -l" but it's been a while) and does it contain the libk5crypto and libcom_err files? If so, where?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: filesetKbr5.txt
URL: 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ExpansionPackAix53-112008.txt
URL: 

From vinschen at redhat.com Sat Feb 20 04:37:31 2010 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 19 Feb 2010 18:37:31 +0100 Subject: [PATCH/cygwin] reduce number of propagated environment variables Message-ID: <20100219173731.GE5683@calimero.vinschen.de> Hi, could somebody apply the below patch, please? It removes a couple of environment variables which are propagated to the child process so far, but which not really necessary to keep child processes running. What's left now is the bare minimum which is requested by scripts, typically. Thanks, Corinna Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.21 diff -u -p -r1.21 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 8 Mar 2009 00:40:28 -0000 1.21 +++ openbsd-compat/bsd-cygwin_util.c 19 Feb 2010 17:35:28 -0000 @@ -85,23 +85,14 @@ static struct wenv { size_t namelen; } wenv_arr[] = { { NL("ALLUSERSPROFILE=") }, - { NL("COMMONPROGRAMFILES=") }, { NL("COMPUTERNAME=") }, { NL("COMSPEC=") }, { NL("CYGWIN=") }, - { NL("NUMBER_OF_PROCESSORS=") }, { NL("OS=") }, { NL("PATH=") }, { NL("PATHEXT=") }, - { NL("PROCESSOR_ARCHITECTURE=") }, - { NL("PROCESSOR_IDENTIFIER=") }, - { NL("PROCESSOR_LEVEL=") }, - { NL("PROCESSOR_REVISION=") }, - { NL("PROGRAMFILES=") }, { NL("SYSTEMDRIVE=") }, { NL("SYSTEMROOT=") }, - { NL("TMP=") }, - { NL("TEMP=") }, { NL("WINDIR=") } }; -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From eric.hu at harman.com Sat Feb 20 05:47:24 2010 
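Review bot: The hunk trims wenv_arr but records nowhere why the entries that remain are needed by Cygwin child processes or why TMP= and TEMP= in particular were dropped (the cover note only says the remainder is the bare minimum scripts request), so a later contributor is likely to re-add them; suggest a short comment above the table, e.g. `/* Minimal set of Windows variables a child needs; TMP/TEMP deliberately not propagated */`, and a commit message that lists the nine removed names. Since NL() keeps the trailing '=' in each entry, the remaining PATH= and PATHEXT= stay distinct prefixes; the matching loop that consumes namelen is outside this hunk and is the one place worth re-checking after the edit.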
From: eric.hu at harman.com (Hu, Eric) Date: Fri, 19 Feb 2010 12:47:24 -0600 Subject: case sensitivity, "Match User" and "AllowUsers" In-Reply-To: <20100219100300.GA6013@calimero.vinschen.de> Message-ID: <12FF1C857C510C43BA8B1B028B69AD5208B44A09@HICGWSEX01.ad.harman.com> > On Feb 19 02:41, Ben Lindstrom wrote: > > On Feb 18, 2010, at 2:51 PM, Corinna Vinschen wrote: > > > On Feb 18 12:30, Ben Lindstrom wrote: > > >> Think about this for a moment.. if I do > > >> > > >> pw = getpwnam("MoUrInG"); > > >> > > >> and I get back > > >> > > >> pw->pw_name = "mouring" > > >> > > >> Whose fault is it? OpenSSH or the OS that it is running on? > > > > > > It's not Cygwin's fault. > > > > So you are saying that cygwin's getpw*() functions are written by > > Microsoft thus are closed source and not implemented via glibc? If > > They are implemented as open source but not via glibc. > > > that is the case then you may have an argument. If you are using > > getpw*() from glibc or an other cygwin maintained libraries then > > you've lost the argument since it is then cygwin's issue. > > > > > Usernames on Windows *are* caseinsensitive. > > > The password entry contains the name in one format, but you can write > > > in in every case. That's a property of the underlying system. > > > > You do your community a disservice by propagating this misfeature. > > I don't think so. A system using caseinsensitive usernames is as valid > as a system using casesensitive usernames. You might not like it, but > opinion doesn't change the fact. Cygwin has no choice in the matter if > it wants to work smoothly on Windows. > > Our passwd entries are usually generated from the Windows SAM or AD, > whatever is used in the environment. Admins often use case in usernames > like, say, "Corinna", with uppercase c when entering the user in the > database. Sometimes, in bigger companies, it's even an automatic > process generating usernames from the real user name. 
> That does not mean the user can't login using any other case, like simple lowercase, "corinna". It's the same username using the same password, and both meaning the same user SID (Windows equivalent to uid/gid).
>
> Ok, so the username "foo", "Foo", and "FOO", all mean the same user on Windows. Why exactly then should it be wrong, if Cygwin returns the same passwd entry with the same uid for the user? After all, it *is* the same user. *Not* returning the passwd entry and claiming the user doesn't exist would be wrong.
>
> Last but not least, POSIX-1.2008 only says this:
>
> The getpwnam() function shall search the user database for an entry with a matching name.
>
> Note the lack of a requirement that "matching" means "strcmp".
>
> Corinna

I must say once again I don't think getpwnam is the core of the problem. From what I can tell (again, may not be correct, I was hoping for enlightenment from someone reading this), "AllowUsers" looks at pw->pw_name and "Match User" looks at authctxt->user. I have no idea why this is, but code that assumes two non-const values are equal seems way more wrong to me than either side of the getpwnam argument.

From openssh at roumenpetrov.info Sat Feb 20 08:26:41 2010 
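An added example in C, not OpenSSH or Cygwin code, modelling the situation Corinna's reply and Eric's follow-up describe: a case-insensitive getpwnam(), an AllowUsers-style check against the canonical pw_name, a Match User-style check against the name the client typed, and the canonicalising check that closes the gap between them. The passwd table, the pwent struct and every helper name are hypothetical stand-ins for sshd's pw->pw_name and authctxt->user; real sshd matches glob patterns, which exact comparison is enough to illustrate here.

```c
/* Added example, not OpenSSH or Cygwin source: a model of how a
 * case-insensitive user database interacts with sshd-style
 * "AllowUsers" and "Match User" checks. The database, the pwent struct
 * and the helper names are hypothetical stand-ins for sshd's
 * pw->pw_name and authctxt->user. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() */

struct pwent { const char *pw_name; unsigned uid; };

/* Constructed passwd data; the canonical spelling is whatever the admin
 * entered in the SAM/AD, as the thread describes. */
static const struct pwent pwdb[] = {
    { "Corinna", 1001 },
    { "user",    1002 },
};

/* Case-insensitive lookup, modelling Cygwin's getpwnam() on Windows:
 * every case variant resolves to the same entry and uid. */
const struct pwent *ci_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof pwdb / sizeof pwdb[0]; i++)
        if (strcasecmp(pwdb[i].pw_name, name) == 0)
            return &pwdb[i];
    return NULL;
}

/* "Match User <pattern>" as the thread describes it: compares the name
 * the client typed, byte for byte. */
int match_user_raw(const char *pattern, const char *typed_name)
{
    return strcmp(pattern, typed_name) == 0;
}

/* "AllowUsers <pattern>" as the thread describes it: compares against
 * pw_name, the canonical spelling the lookup returned. */
int allowusers_permits(const char *pattern, const char *typed_name)
{
    const struct pwent *pw = ci_getpwnam(typed_name);
    return pw != NULL && strcmp(pattern, pw->pw_name) == 0;
}

/* Mitigation: resolve the typed name through the user database before
 * evaluating Match, so every variant that maps to one uid hits the same
 * Match block (and its ForceCommand). It is the comparison AllowUsers
 * already makes. */
int match_user_canonical(const char *pattern, const char *typed_name)
{
    return allowusers_permits(pattern, typed_name);
}

struct variant_stats { unsigned allowed, raw_matched, canonical_matched; };

/* Audits every upper/lower-case variant of typed_name (2^len of them,
 * len capped at 16) against one pattern and counts which checks each
 * variant passes: the 2^(length) Match entries Eric did not want to add. */
struct variant_stats audit_case_variants(const char *pattern, const char *typed_name)
{
    struct variant_stats s = { 0, 0, 0 };
    size_t n = strlen(typed_name);
    char buf[17];
    if (n == 0 || n > 16)
        return s;
    for (unsigned long mask = 0; mask < (1UL << n); mask++) {
        for (size_t i = 0; i < n; i++) {
            unsigned char c = (unsigned char)typed_name[i];
            buf[i] = (char)(((mask >> i) & 1) ? toupper(c) : tolower(c));
        }
        buf[n] = '\0';
        s.allowed           += allowusers_permits(pattern, buf);
        s.raw_matched       += match_user_raw(pattern, buf);
        s.canonical_matched += match_user_canonical(pattern, buf);
    }
    return s;
}

int main(void)
{
    struct variant_stats s = audit_case_variants("user", "user");
    printf("pattern \"user\": %u variants pass AllowUsers, %u hit a raw Match, "
           "%u hit a canonical Match\n",
           s.allowed, s.raw_matched, s.canonical_matched);
    return 0;
}
```

For the four-letter name in Eric's original report, all sixteen case variants pass the AllowUsers-style check and the canonical Match, while only the exact spelling hits the raw Match; that asymmetry is the discrepancy the thread is about, and canonicalising before Match is the one-line change that removes it.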
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 19 Feb 2010 23:26:41 +0200 Subject: [PATCH/cygwin] reduce number of propagated environment variables In-Reply-To: <20100219173731.GE5683@calimero.vinschen.de> References: <20100219173731.GE5683@calimero.vinschen.de> Message-ID: <4B7F0211.6070105@roumenpetrov.info> Hi Corinna, Corinna Vinschen wrote: > Hi, > > could somebody apply the below patch, please? It removes a couple of > environment variables which are propagated to the child process so far, > but which not really necessary to keep child processes running. What's > left now is the bare minimum which is requested by scripts, typically. > > > Thanks, > Corinna > > > Index: openbsd-compat/bsd-cygwin_util.c > =================================================================== > RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v > retrieving revision 1.21 > diff -u -p -r1.21 bsd-cygwin_util.c > --- openbsd-compat/bsd-cygwin_util.c 8 Mar 2009 00:40:28 -0000 1.21 > +++ openbsd-compat/bsd-cygwin_util.c 19 Feb 2010 17:35:28 -0000 > @@ -85,23 +85,14 @@ static struct wenv { > size_t namelen; > } wenv_arr[] = { > { NL("ALLUSERSPROFILE=") }, > - { NL("COMMONPROGRAMFILES=") }, > { NL("COMPUTERNAME=") }, > { NL("COMSPEC=") }, > { NL("CYGWIN=") }, > - { NL("NUMBER_OF_PROCESSORS=") }, > { NL("OS=") }, > { NL("PATH=") }, > { NL("PATHEXT=") }, > - { NL("PROCESSOR_ARCHITECTURE=") }, > - { NL("PROCESSOR_IDENTIFIER=") }, > - { NL("PROCESSOR_LEVEL=") }, > - { NL("PROCESSOR_REVISION=") }, > - { NL("PROGRAMFILES=") }, > { NL("SYSTEMDRIVE=") }, > { NL("SYSTEMROOT=") }, > - { NL("TMP=") }, > - { NL("TEMP=") }, > { NL("WINDIR=") } > }; > > Why are TMP and TEMP in the list for removal? Some open-source project may use TMP. What is the impact if PROCESSOR_* is removed? Did you test, for example, with python? Roumen From vinschen at redhat.com Sat Feb 20 09:01:47 2010 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 19 Feb 2010 23:01:47 +0100 Subject: [PATCH/cygwin] reduce number of propagated environment variables In-Reply-To: <4B7F0211.6070105@roumenpetrov.info> References: <20100219173731.GE5683@calimero.vinschen.de> <4B7F0211.6070105@roumenpetrov.info> Message-ID: <20100219220147.GG5683@calimero.vinschen.de>

On Feb 19 23:26, Roumen Petrov wrote:
> Hi Corinna,
>
> Corinna Vinschen wrote:
> >- { NL("TMP=") },
> >- { NL("TEMP=") },
> Why are TMP and TEMP in the list for removal?
> Some open-source project may use TMP.

And it doesn't hurt if they are not set. The default is /tmp, as usual. TMP and TEMP are also not set if you start a child process under sshd on other systems like OpenBSD or Linux.

On the contrary, we stumbled over the disadvantage of propagating /tmp to the child only yesterday. If TMP and TEMP are set to a directory which only the privileged user running sshd has access to, then the user switch results in unusable TMP and TEMP settings. Setting TMP or TEMP or TMPDIR should better be done in the user's profile.

> What is the impact if PROCESSOR_* is removed? Did you test, for example,
> with python?

The idea in sshd was for many years not to propagate any variables from the privileged user running sshd to the unprivileged child process. The Cygwin version propagates a couple of variables because they are required to run child processes, but the idea also was to keep the list as small as possible. The removed variables are not actually necessary. Even ALLUSERSPROFILE is a questionable variable which I could be convinced to sacrifice.

No, I didn't test with python. Cygwin's python should work without these variables. You are not actually trying to tell me that python really uses these environment variables to fetch information about the CPU, right? The variables are not available on other systems and the user could set them to arbitrary values. /proc/cpuinfo for instance, which is available on Cygwin as well, is a much more reliable source of information.

Corinna

-- Corinna Vinschen Cygwin Project Co-Leader Red Hat

From frphoebus at yahoo.fr Sat Feb 20 08:20:19 2010 
From: frphoebus at yahoo.fr (phoebus phoebus) Date: Fri, 19 Feb 2010 21:20:19 +0000 (GMT) Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3 In-Reply-To: <738719.11152.qm@web113215.mail.gq1.yahoo.com> References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> <465680.58111.qm@web23803.mail.ird.yahoo.com> <738719.11152.qm@web113215.mail.gq1.yahoo.com> Message-ID: <444521.91771.qm@web23804.mail.ird.yahoo.com>

Hi Eric,

I opened a PMR with IBM support. At this time, the support doesn't provide a solution. My case has been escalated and support will get back to me soon (I think by the middle of next week). I hope there is no copyright protection or other disclosure agreement for these libraries!!

Regards,
Frphoebus

________________________________
From: Eric Halcik
To: phoebus phoebus
Sent: Fri 19 February 2010, 21:41:38
Subject: Re: Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Please forgive the intrusion...

Have you tried opening a ticket with IBM support about the package that contains the libraries you are looking for?

Regards
Eric
________________________________ 
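An added example in C, not the bsd-cygwin_util.c code from Corinna's patch, showing the principle her reply states: a privileged sshd builds the environment for its unprivileged child from an explicit allowlist rather than passing its own environment through. The NL() helper, the allowlist contents, the filter_env()/env_has() names and the sample parent environment are all constructed for this example; the sample includes a TMP pointing at a directory only the privileged parent could use, a variable that merely shares the "PATH" prefix, and an internal value that must not leak, so the three outcomes the thread cares about are visible in one run.

```c
/* Added example, not OpenSSH's bsd-cygwin_util.c: a privileged parent
 * builds the environment for its unprivileged child from an explicit
 * allowlist, the approach the thread describes. The NL() helper, the
 * allowlist contents and the sample parent environment are constructed
 * for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Name including its '=' plus that length, so matching is anchored on
 * the full variable name: "PATH=" does not also admit "PATHEXT=". */
#define NL(s) s, (sizeof (s) - 1)

struct wenv { const char *name; size_t namelen; };

static const struct wenv allowlist[] = {
    { NL("ALLUSERSPROFILE=") }, { NL("COMPUTERNAME=") }, { NL("COMSPEC=") },
    { NL("CYGWIN=") },          { NL("OS=") },           { NL("PATH=") },
    { NL("PATHEXT=") },         { NL("SYSTEMDRIVE=") },  { NL("SYSTEMROOT=") },
    { NL("WINDIR=") },
};

/* True if the "NAME=value" string starts with an allowlisted name. */
int env_entry_allowed(const char *kv)
{
    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++)
        if (strncmp(kv, allowlist[i].name, allowlist[i].namelen) == 0)
            return 1;
    return 0;
}

/* Copies the allowlisted entries of parent_env into out (NULL-terminated,
 * at most max - 1 entries). Everything else, including a TMP/TEMP that
 * only the privileged parent can use and any internal values, is dropped.
 * Returns the number kept, or -1 if out is too small. Pointers are shared
 * with parent_env, which is fine when the child execs right away. */
int filter_env(char *const parent_env[], const char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; parent_env[i] != NULL; i++) {
        if (!env_entry_allowed(parent_env[i]))
            continue;
        if (n + 1 >= max)
            return -1;
        out[n++] = parent_env[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* True if variable `name` (without '=') is present in a filtered env. */
int env_has(const char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

/* Constructed parent environment for the demo (not a real sshd env). */
static char *const sample_parent_env[] = {
    "PATH=/usr/bin:/bin",
    "PATHEXT=.EXE;.BAT",
    "PATHFOO=1",                        /* shares only the "PATH" prefix */
    "TMP=/privileged-only/tmp",         /* unusable after the user switch */
    "TEMP=/privileged-only/tmp",
    "PROCESSOR_LEVEL=6",
    "SYSTEMROOT=C:\\Windows",
    "SSHD_INTERNAL_SECRET=constructed", /* must never reach the child */
    NULL,
};
static const char *demo_child_env[16];

/* Runs the filter over the sample env; returns the number of entries kept. */
int run_demo(void)
{
    return filter_env(sample_parent_env, demo_child_env, 16);
}

/* Convenience for checks: is `name` in the child env after run_demo()? */
int demo_child_has(const char *name)
{
    run_demo();
    return env_has(demo_child_env, name);
}

int main(void)
{
    int n = run_demo();
    printf("%d of %zu entries propagated to the child:\n", n,
           sizeof sample_parent_env / sizeof sample_parent_env[0] - 1);
    for (size_t i = 0; demo_child_env[i] != NULL; i++)
        printf("  %s\n", demo_child_env[i]);
    return 0;
}
```

Of the eight constructed entries only PATH, PATHEXT and SYSTEMROOT survive. Because the allowlist entries keep their '=', PATHFOO is rejected even though it shares a prefix with PATH, which is the detail that makes an allowlist of this shape safe to extend.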
[...]

From openssh at roumenpetrov.info Sat Feb 20 09:44:59 2010 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Sat, 20 Feb 2010 00:44:59 +0200 Subject: [PATCH/cygwin] reduce number of propagated environment variables In-Reply-To: <20100219220147.GG5683@calimero.vinschen.de> References: <20100219173731.GE5683@calimero.vinschen.de> <4B7F0211.6070105@roumenpetrov.info> <20100219220147.GG5683@calimero.vinschen.de> Message-ID: <4B7F146B.2030907@roumenpetrov.info> Corinna Vinschen wrote: > On Feb 19 23:26, Roumen Petrov wrote: >> Hi Corinna, >> >> Corinna Vinschen wrote: >>> - { NL("TMP=") }, >>> - { NL("TEMP=") }, > >> Why TMP and TEMP are in the list for removal ? >> Some open-source project may use TMP . > > And it doesn't hurt if they are not set. The default is /tmp, as > usual. TMP and TEMP are also not set if you start a child process > under sshd on other systems like OpenBSD or Linux. > > On the contrary, we stumbled over the disadvantage to propagate /tmp to > the child only yesterday. If TMP and TEMP are set to a directory which > only the privileged user running sshd has acess to, then the user switch > results in unusable TMP and TEMP settings. Setting TMP orTEMP or TMPDIR > should better be done in the user's profile. OK >> What is impact if PROCESSOR_* is removed ? Did you test as example >> with python ? > > The idea in sshd was for many years not to propagate any variables from > the privileged user running sshd to the unprivileged child process. > The Cygwin version propagates a couple of variables becase they are > required to run child processes, but the idea also was to keep the > list as small as possible. The removed variables are not actually > necessary. Even ALLUSERSPROFILE is a questionable variable which I > could be convinced to sacrifice. > > No, I didn't test with python. Cygwin's python should work without > these variables. You are not actually trying to tell me that python > really uses these environment variables to fetch information about the > CPU, right? 
> The variables are not available on other systems and the user could set them to arbitrary values. /proc/cpuinfo for instance, which is available on Cygwin as well, is a much more reliable source of information.

Yes, but a user may use Cygwin sshd to access the system and run non-Cygwin python. The values of PROCESSOR_ARCHITECTURE and PROCESSOR_IDENTIFIER are output by platform.uname() if the platform is identified as win32. No idea for other projects.

> Corinna
>

Roumen

-- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/

From peter at stuge.se Sat Feb 20 12:26:16 2010 
From: peter at stuge.se (Peter Stuge) Date: Sat, 20 Feb 2010 02:26:16 +0100 Subject: ssh feature - ignore colon in host name In-Reply-To: <4B7E7454.2000105@taptu.com> References: <4B7E7454.2000105@taptu.com> Message-ID: <20100220012616.21296.qmail@stuge.se>

Paul Mansfield wrote:
> I don't think the colon can have any significance in the hostname,

It has in IPv6 addresses.

//Peter

From vinschen at redhat.com Sat Feb 20 19:55:47 2010 
From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 20 Feb 2010 09:55:47 +0100 Subject: [PATCH/cygwin] reduce number of propagated environment variables In-Reply-To: <4B7F146B.2030907@roumenpetrov.info> References: <20100219173731.GE5683@calimero.vinschen.de> <4B7F0211.6070105@roumenpetrov.info> <20100219220147.GG5683@calimero.vinschen.de> <4B7F146B.2030907@roumenpetrov.info> Message-ID: <20100220085547.GH5683@calimero.vinschen.de> On Feb 20 00:44, Roumen Petrov wrote: > Corinna Vinschen wrote: > >No, I didn't test with python. Cygwin's python should work without > >these variables. You are not actually trying to tell me that python > >really uses these environment variables to fetch information about the > >CPU, right? The variables are not available on other systems and the > >user could set them to arbitrary values. /proc/cpuinfo for instance, > >which is available on Cygwin as well, is a much more reliable source of > >information. > > Yes but user may use cygwin sshd to access system and to run > non-cygwin python. > Value of PROCESSOR_ARCHITECTURE and PROCESSOR_IDENTIFIER are output from > platform.uname() if platform is identified as win32. So, what is the output of platform.uname() on a native Win32 python if these environment variables don't exist? Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From laurent at gautrot.org Sat Feb 20 08:51:41 2010 From: laurent at gautrot.org (Laurent GAUTROT) Date: Fri, 19 Feb 2010 22:51:41 +0100 Subject: ssh feature - ignore colon in host name In-Reply-To: References: Message-ID: <4B7F07ED.6010801@gautrot.org> 
> From: Paul Mansfield
> Subject: ssh feature - ignore colon in host name
>
> it would make life a lot easier if I could type
> scp myfile user at host.example.com:
> ssh !$
>
> or sometimes I simply copy too much and paste in host name and then have
> the faff of removing it. ok, that's a particularly bad example of being
> lazy :-)

What about [Esc]-[.]. This would display the last argument of the previous command. You would then just have to remove the colon with backspace, for instance.

From william.sescu at gmail.com Mon Feb 22 19:07:13 2010 
From: william.sescu at gmail.com (William Sescu) Date: Mon, 22 Feb 2010 09:07:13 +0100 Subject: Different Results when transferring data over sftp or scp in the log file Message-ID:

Hello OpenSSH developers,

I am running OpenSSH 5.3p1 on Solaris x86 64bit and I am analyzing the OpenSSH logfiles for security reasons. I wrote a script that counts the transferred bytes per session. When I open a SFTP session then I see the following line in the OpenSSH log (LogLevel VERBOSE). So far so good.

----------------------------------------------------------------------
Feb 19 15:24:29 solaris sshd[10184]: [ID 800047 local7.info] Transferred: sent 10557432, received 11172752 bytes    (this is a 10 Mbyte put and get)
----------------------------------------------------------------------

But when I do the same with SCP, then I don't get any report at all about the transferred bytes. Is this a bug or expected behaviour?

I would very much appreciate it if you guys could help me regarding this issue.

Best regards,
William

From paul.mansfield at taptu.com Tue Feb 23 00:00:18 2010 
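An added example in C, not OpenSSH code and not William's script, of the per-session accounting his post describes: it keys sessions by the sshd pid in the syslog prefix, reads the byte counts out of the "Transferred: sent N, received M bytes" line quoted above, and keeps sessions that never log such a line (the scp case he observes) marked as unaccounted, so a report can say "no byte count" rather than silently reporting zero. Only the Transferred line format comes from the post; the other log lines, pids, addresses and the function names are constructed for the example.

```c
/* Added example, not OpenSSH code: per-session byte accounting over sshd
 * VERBOSE log lines in the Solaris syslog form quoted in the post. The
 * log lines and pids below are constructed; only the "Transferred:" line
 * format comes from the post. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct session {
    int pid;                      /* the N in sshd[N] */
    unsigned long sent, received;
    int accounted;                /* 1 once a "Transferred:" line was seen */
};

#define MAX_SESSIONS 32

/* Finds the slot for pid, creating it if needed; NULL when the table is full. */
static struct session *session_slot(struct session *tab, size_t *n, int pid)
{
    for (size_t i = 0; i < *n; i++)
        if (tab[i].pid == pid)
            return &tab[i];
    if (*n >= MAX_SESSIONS)
        return NULL;
    tab[*n].pid = pid;
    tab[*n].sent = tab[*n].received = 0;
    tab[*n].accounted = 0;
    return &tab[(*n)++];
}

/* Walks the lines, keys sessions by sshd pid and adds up the counts from
 * "Transferred: sent N, received M bytes". A session that never logs such
 * a line stays accounted == 0 so the report can flag it instead of
 * claiming 0 bytes. Returns the number of distinct sessions seen. */
size_t account_sessions(const char *const lines[], size_t nlines,
                        struct session *tab)
{
    size_t n = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *p = strstr(lines[i], "sshd[");
        int pid;
        if (p == NULL || sscanf(p, "sshd[%d]", &pid) != 1)
            continue;
        struct session *s = session_slot(tab, &n, pid);
        if (s == NULL)
            break;
        const char *t = strstr(lines[i], "Transferred: sent ");
        unsigned long sent, received;
        if (t != NULL &&
            sscanf(t, "Transferred: sent %lu, received %lu bytes",
                   &sent, &received) == 2) {
            s->sent += sent;
            s->received += received;
            s->accounted = 1;
        }
    }
    return n;
}

/* Constructed sample: one sftp session (10184) carrying the post's line and
 * one scp session (10190) that logs no transfer summary at all. */
static const char *const sample_log[] = {
    "Feb 19 15:24:01 solaris sshd[10184]: [ID 800047 local7.info] Accepted publickey for william from 192.0.2.10 port 51012 ssh2",
    "Feb 19 15:24:29 solaris sshd[10184]: [ID 800047 local7.info] Transferred: sent 10557432, received 11172752 bytes",
    "Feb 19 15:25:03 solaris sshd[10190]: [ID 800047 local7.info] Accepted publickey for william from 192.0.2.10 port 51020 ssh2",
    "Feb 19 15:25:40 solaris sshd[10190]: [ID 800047 local7.info] Received disconnect from 192.0.2.10: 11: disconnected by user",
};

static struct session demo_tab[MAX_SESSIONS];
static size_t demo_n;

/* Runs the accounting over the sample; returns the session count. */
size_t run_demo(void)
{
    demo_n = account_sessions(sample_log,
                              sizeof sample_log / sizeof sample_log[0],
                              demo_tab);
    return demo_n;
}

/* Looks up a session from the last run_demo(); NULL if absent. */
const struct session *demo_session(int pid)
{
    for (size_t i = 0; i < demo_n; i++)
        if (demo_tab[i].pid == pid)
            return &demo_tab[i];
    return NULL;
}

int main(void)
{
    run_demo();
    for (size_t i = 0; i < demo_n; i++) {
        if (demo_tab[i].accounted)
            printf("sshd[%d]: sent %lu, received %lu bytes\n", demo_tab[i].pid,
                   demo_tab[i].sent, demo_tab[i].received);
        else
            printf("sshd[%d]: no transfer summary logged\n", demo_tab[i].pid);
    }
    return 0;
}
```

The accounted flag is the part that matters for the post's question: a counter that sums only what it finds would report the scp session as zero bytes, which is exactly the kind of false negative a log-based control should surface rather than hide.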
From: paul.mansfield at taptu.com (Paul Mansfield)
Date: Mon, 22 Feb 2010 13:00:18 +0000
Subject: ssh feature - ignore colon in host name
In-Reply-To: <20100220012616.21296.qmail@stuge.se>
References: <4B7E7454.2000105@taptu.com> <20100220012616.21296.qmail@stuge.se>
Message-ID: <4B827FE2.1030407@taptu.com>

On 20/02/10 01:26, Peter Stuge wrote:
> Paul Mansfield wrote:
>> I don't think the colon can have any significance in the hostname,
>
> It has in IPv6 addresses.

oop, of course! silly me!

ok, how about a trailing colon then?

From scott_n at xypro.com Tue Feb 23 05:12:25 2010
From: scott_n at xypro.com (Scott Neugroschl)
Date: Mon, 22 Feb 2010 10:12:25 -0800
Subject: ssh feature - ignore colon in host name
In-Reply-To: <4B827FE2.1030407@taptu.com>
References: <4B7E7454.2000105@taptu.com> <20100220012616.21296.qmail@stuge.se> <4B827FE2.1030407@taptu.com>
Message-ID: <78DD71C304F38B41885A242996B96F73021C4960@xyservd.XYPRO-23.LOCAL>

> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On
> Behalf Of Paul Mansfield
> Sent: Monday, February 22, 2010 5:00 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: ssh feature - ignore colon in host name
>
> On 20/02/10 01:26, Peter Stuge wrote:
> > Paul Mansfield wrote:
> >> I don't think the colon can have any significance in the hostname,
> >
> > It has in IPv6 addresses.
>
> oop, of course! silly me!
>
> ok, how about a trailing colon then?

Again, what about IPv6? I'm no IPv6 guru, but couldn't a /64 address end in
a colon? i.e.:

Network: abcd:0123:4567:89ab::/64
Host: abcd:0123:4567:89ab:9999:: (equivalent to abcd:0123:4567:89ab:9999:0:0:0)

DISCLAIMER: I may be wrong -- It's been a long time since I looked at IPv6
formats.

From chrivers at iversen-net.dk Tue Feb 23 06:21:49 2010
From: chrivers at iversen-net.dk (Christian Iversen)
Date: Mon, 22 Feb 2010 20:21:49 +0100
Subject: ssh feature - ignore colon in host name
In-Reply-To: <4B7E7454.2000105@taptu.com>
References: <4B7E7454.2000105@taptu.com>
Message-ID: <4B82D94D.6020101@iversen-net.dk>

On 2010-02-19 12:21, Paul Mansfield wrote:
> sorry if this has been discussed and rejected before, I'm new to the
> list, I did google but didn't find anything.
> --
>
> quite often I use ssh and scp within a few minutes, so I might do this...
>
> scp myfile user at host.example.com:
> ssh user at host.example.com
>
> it would make life a lot easier if I could type
> scp myfile user at host.example.com:
> ssh !$
>
> or sometimes I simply copy too much and paste in host name and then have
> the faff of removing it. ok, that's a particularly bad example of being
> lazy :-)
>
> for the above to work, ssh would have to ignore the colon, that's all. I
> don't think the colon can have any significance in the hostname, so
> throwing it away wouldn't be harmful!?
>
> I could write a wrapper script, but I'm lazy, and figured it would be
> nicer if ssh could simply have this quick hack... please

This, as others have mentioned, does not belong in ssh. However, you can
very easily do this without creating a wrapper script. Just add the
following to your .zshrc (or rewrite for other shells):

    # pass every argument but the last through unchanged and strip one
    # trailing ':' from the last one (zsh array slicing; quoted so that
    # arguments containing spaces survive intact)
    function ssh() {
        /usr/bin/ssh "${@[1,-2]}" "${@[-1]%:}"
    }

This will invoke (the real) ssh with all the positional arguments, except
":" will be removed from the last argument, if present. No extra files
needed, no wrapper scripts, no measurable performance hit, standard ssh
software. Better solution in my book :)

--
Kind regards
Christian Iversen

From frphoebus at yahoo.fr Tue Feb 23 10:08:55 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Mon, 22 Feb 2010 23:08:55 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <27039.15627.qm@web113201.mail.gq1.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> <465680.58111.qm@web23803.mail.ird.yahoo.com> <738719.11152.qm@web113215.mail.gq1.yahoo.com> <444521.91771.qm@web23804.mail.ird.yahoo.com> <27039.15627.qm@web113201.mail.gq1.yahoo.com>
Message-ID: <128986.87959.qm@web23802.mail.ird.yahoo.com>

Hi Eric,

Did you locate the libraries on your dev box?

Regards,
Frphoebus

________________________________
From: Eric Halcik
To: phoebus phoebus
Sent: Fri 19 February 2010, 22 h 37 min 02 s
Subject: Re: Re : Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Hmm.. I've usually had really good luck with support.. Did you set it as a
level 3? They don't seem to handle those with the same urgency (as I'm sure
you already know, sorry)

Let me take a peek at one of my dev boxes to see if I can locate that lib

Regards
Eric

________________________________
From: phoebus phoebus
To: Eric Halcik
Cc: openssh-unix-dev at mindrot.org
Sent: Fri, February 19, 2010 4:20:19 PM
Subject: Re : Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Hi Eric,

I opened a PMR to IBM support. At this time, the support doesn't provide a
solution. My case has been escalated and support will get back to me soon
(I think by the middle of next week).

I hope there is no copyright protection or other disclosure agreement for
these libraries!!

Regards,
Frphoebus

________________________________
From: Eric Halcik
To: phoebus phoebus
Sent: Fri 19 February 2010, 21 h 41 min 38 s
Subject: Re: Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Please forgive the intrusion... Have you tried opening a ticket with IBM
support about the package that contains the libraries you are looking for?

Regards
Eric

________________________________
From: phoebus phoebus
To: Darren Tucker
Cc: openssh-unix-dev at mindrot.org
Sent: Fri, February 19, 2010 7:57:00 AM
Subject: Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Darren,

    ca06:/# lslpp -L -b'Kerberos_5'
      Fileset                      Level  State  Type  Description (Uninstaller)
      ----------------------------------------------------------------------------
      krb5.client.rte            1.4.0.8    C     F    Network Authentication Service
                                                       Client

    ca06:/# lslpp -L krb5.*
      Fileset                      Level  State  Type  Description (Uninstaller)
      ----------------------------------------------------------------------------
      krb5.client.rte            1.4.0.8    C     F    Network Authentication Service
                                                       Client
      krb5.client.samples        1.4.0.8    C     F    Network Authentication Service
                                                       Samples
      krb5.doc.en_US.html        1.4.0.8    C     F    Network Auth Service HTML
                                                       Documentation - U.S. English
      krb5.doc.en_US.pdf         1.4.0.8    C     F    Network Auth Service PDF
                                                       Documentation - U.S. English
      krb5.msg.en_US.client.rte  1.4.0.8    C     F    Network Auth Service Client
                                                       Msgs - U.S. English
      krb5.toolkit.adt           1.4.0.8    C     F    Network Authentication Service
                                                       App. Dev. Toolkit

I don't find these libraries. They aren't included in the fileset
krb5.server.rte. In attachment the listing of the filesets
(filesetKbr5.txt) installed.

FYI: packages included in the AIX Expansion pack are listed in the file
ExpansionPackAix53-112008.txt (screen copy from smit).

I don't know how to find the IBM libraries and I'm not sure it is possible
to use the MIT krb5 library for the compilation on the AIX platform.

Regards,
Frphoebus

----- Original message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 12 h 39 min 43 s
Subject: Re: Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

phoebus phoebus wrote:
> Darren,
>
> I use openssl version: OpenSSL 0.9.7l 28 Sep 2006.
> OpenSSL is from 2 rpm packages openssl-0.9.7l-2, openssl-devel-0.9.7l-2
> from the Linux tool box for AIX 5.3
> [...]
> When I run make, I have the following errors:
>
> include -I/usr/local/include/gssapi -DSSHDIR=\"/usr/local/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c roaming_common.c
> "roaming_common.c", line 58.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
> "roaming_common.c", line 70.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
>         cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o -L. -Lopenbsd-compat/ -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib -lssh -lopenbsd-compat -lcrypto -lz -lkrb5 -lk5crypto -lcom_err
> ld: 0706-006 Cannot find or open library file: -l k5crypto
>         ld:open(): A file or directory in the path name does not exist.
> ld: 0706-006 Cannot find or open library file: -l com_err
>         ld:open(): A file or directory in the path name does not exist.
> make: 1254-004 The error code from the last command is 255.
>
> Thanks for the advice. I'm looking for the libraries k5crypto and
> com_err. I installed the kerberos5 filesets but no improvement.
> I'm now continuing my investigation.

I would guess either the native kerberos doesn't have the library files
openssh is looking for, or they're located someplace the linker can't find
them.
Can you list the files in the kerberos filesets (I vaguely recall "lslpp -l"
but it's been a while) and does it contain the libk5crypto and libcom_err
files? If so, where?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From petesea at bigfoot.com Tue Feb 23 14:22:24 2010
From: petesea at bigfoot.com (petesea at bigfoot.com)
Date: Mon, 22 Feb 2010 19:22:24 -0800 (PST)
Subject: S_ISSOCK fails in openssh >= 5.1
Message-ID:

Starting with openssh 5.1 the following code fails (when executed on a
remote host)... prior to 5.0 this worked, i.e. S_ISSOCK says STDIN is a
socket.

    #include <sys/stat.h>
    #include <unistd.h>

    struct stat s;
    if (fstat(STDIN_FILENO, &s) == 0 && S_ISSOCK(s.st_mode)) {
        /* STDIN is a socket */
    } else {
        /* STDIN is not a socket */
    }

Soo... if I have a command on a remote host that includes the above code
and I ssh to the remote host and execute the command, S_ISSOCK will fail if
the ssh server is >= 5.1.

Is this change on purpose or a bug?

From kai_yang2008 at 163.com Mon Feb 22 20:45:11 2010
From: kai_yang2008 at 163.com (kai_yang2008)
Date: Mon, 22 Feb 2010 17:45:11 +0800 (CST)
Subject: ld: Unsatisfied symbol "options" in file ./libssh.a[hostfile.o]
Message-ID: <55921ce0.df04.126f510e9f2.Coremail.kai_yang2008@163.com>

Hi All,

I want to add an option in ssh_config to co-work with LDAP. But when I am
compiling, I encountered an ld error, which says

    cc -o ssh-keygen ssh-keygen.o -Wl,+nodefaultrpath -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lz -lnsl -lxnet -lsec -lgssapi_krb5 -lkrb5 -lpthread
    ld: Unsatisfied symbol "options" in file ./libssh.a[hostfile.o]
    1 errors.

The following is my code. I have externed Options options like
"extern Options options" in hostfile.c:

    ..........
    extern Options options;
    ..........
    static HostStatus
    check_host_in_hostfile_by_key_or_type(const char *filename,
        const char *host, const Key *key, int keytype, Key *found, int *numret)
    {
        FILE *f;
        char line[8192];
        int linenum = 0;
        u_int kbits;
        char *cp, *cp2, *hashed_host;
        HostStatus end_return;

        debug3("check_host_in_hostfile: filename %s", filename);

        /* Open the file containing the list of known hosts. */
        f = fopen(filename, "r");
        if (!f) {
            /* no known_hosts file: fall back to the LDAP lookup
             * when the new option is set */
            if (options.usesshldaphostkey)
                return check_hostkey_in_ldap(host, key, HOST_NEW);
            else
                return HOST_NEW;
        }
    .......

So any ideas about this?
Thanks!

Kai Yang

From frphoebus at yahoo.fr Wed Feb 24 03:15:32 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Tue, 23 Feb 2010 16:15:32 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <465680.58111.qm@web23803.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> <465680.58111.qm@web23803.mail.ird.yahoo.com>
Message-ID: <645093.80297.qm@web23802.mail.ird.yahoo.com>

Hi Darren,

I opened a PMR to IBM support to find the libraries.

The first IBM answer was: "There is no support for the packages of the AIX
Toolbox, neither for OpenSSL nor for any other package. Please refer to the
following document that explicitly mentions this:
http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html
As this document states the issue needs to be reported by eMail to the
following address: aixtoolbox-list at ists.sourceforge.net".

After I asked my question one more time, because the first answer was not
the answer to my question (Kerberos is part of the media "Expansion pack"
and not "AIX Toolbox"), I had a second answer: "The libraries are not part
of the regular AIX delivery. Please make sure the problem is reported to
the eMail address I mentioned in my previous update".

I pushed one more time to have more information from IBM support. I'll
keep you in touch.

Regards,
Thierry Bertaud

----- Original message ----
From: phoebus phoebus
To: Darren Tucker
Cc: openssh-unix-dev at mindrot.org
Sent
: Fri 19 February 2010, 13 h 57 min 00 s
Subject: Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

[...]

From frphoebus at yahoo.fr Wed Feb 24 09:32:00 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Tue, 23 Feb 2010 22:32:00 +0000 (GMT)
Subject: dirty hack to solve: 0509-150 Dependent module libcrypto.a(libcrypto.so.0.9.7) could not be loaded
Message-ID: <180505.54983.qm@web23808.mail.ird.yahoo.com>

Hi all,

I built openssh for aix with a dirty hack.

This is my configure:

    export CC=cc
    export CFLAGS="-I/usr/local/include"
    export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
    export CPP="cc -E"
    ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
        --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
        --with-tcp-wrappers=/usr/local/lib \
        --with-zlib=/opt/freeware \
        --with-ssl-dir=/opt/freeware \
        --with-xauth=/usr/bin/X11/xauth \
        --with-md5-passwords \
        --with-pam \
        --with-pid-dir=/var/run

The summary of the configure output:

    OpenSSH has been configured with the following options:
                         User binaries: /usr/local/bin
                       System binaries: /usr/local/sbin
                   Configuration files: /usr/local/etc/ssh
                       Askpass program: /usr/local/libexec/ssh-askpass
                          Manual pages: /usr/local/share/man/manX
                              PID file: /var/run
      Privilege separation chroot path: /var/empty
                sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                        Manpage format: man
                           PAM support: yes
                       OSF SIA support: no
                     KerberosV support: no
                       SELinux support: no
                     Smartcard support: no
                         S/KEY support: no
                  TCP Wrappers support: yes
                  MD5 password support: yes
                       libedit support: no
      Solaris process contract support: no
           IP address in $DISPLAY hack: no
               Translate v4 in v6 hack: no
                      BSD Auth support: no
                  Random number source: OpenSSL internal ONLY

                  Host: powerpc-ibm-aix5.3.0.0
              Compiler: cc -qlanglvl=extc89
        Compiler flags: -I/usr/local/include -DBROKEN_GETADDRINFO
    Preprocessor flags: -I/opt/freeware/include -I/usr/local/lib -I/opt/freeware/include
          Linker flags: -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -blibpath:/usr/lib:/lib
             Libraries: -lcrypto -lz
             +for sshd: -lwrap -lpam -ldl

    PAM is enabled.
    You may need to install a PAM control file for sshd, otherwise password
    authentication may fail.
    Example PAM control files can be found in the contrib/ subdirectory

I ran "make" with success. When I ran "make install" it failed with the
following output:

    exec(): 0509-036 Cannot load program ./ssh-keygen because of the following errors:
            0509-150   Dependent module libcrypto.a(libcrypto.so.0.9.7) could not be loaded.
            0509-022 Cannot load module libcrypto.a(libcrypto.so.0.9.7).
            0509-026 System error: A file or directory in the path name does not exist.
    make: 1254-004 The error code from the last command is 255.

I tried to understand this message.

    ca06:/home/frphoebus/openssh/openssh-5.3p1# ldd ./ssh-keygen
    ./ssh-keygen needs:
         /usr/lib/libc.a(shr.o)
         /usr/lib/libcrypto.a(libcrypto.so.0.9.7)
         /unix
         /usr/lib/libcrypt.a(shr.o)
    ca06:/home/frphoebus/openssh/openssh-5.3p1#

The library libcrypto.a is from openssl and libcrypt.a from the fileset
bos.rte.security. Both files exist.

    ca06:/root# rpm -qf /opt/freeware/lib/libcrypto.a
    openssl-0.9.7l-2
    ca06:/root# rpm -qf /opt/freeware/lib/libcrypto.a
    openssl-0.9.7l-2
    ca06:/root#
    ca06:/root# lslpp -Jw /usr/lib/libcrypt.a
      File                                 Fileset                   Type
      ----------------------------------------------------------------------------
      /usr/lib/libcrypt.a                  bos.rte.security          File
    ca06:/root#
    ca06:/usr/local/etc/ssh# ls -l /opt/freeware/lib/libcrypto.a
    -rwxr-xr-x    1 root     system      6210482 04 Sep 2007  /opt/freeware/lib/libcrypto.a
    ca06:/usr/local/etc/ssh# ls -l /usr/lib/libcrypt.a
    -r-xr-xr-x    1 bin      bin           10993 04 Aug 2009  /usr/lib/libcrypt.a
    ca06:/usr/local/etc/ssh#

I tried updating my path to look in /opt/freeware/lib before /usr/lib, or
/usr/lib before /opt/freeware/lib. The make install failed with the same
output in both cases.

I copied libcrypto.a into a temp directory and extracted its content.
Everything is ok.
    ca06:/home/frphoebus/libcrypto# ar -xv ./libcrypto.a
    x - libcrypto.so.0.9.7
    x - libcrypto.so.0

I dumped part of the object files:

    ca06:/home/frphoebus/openssh/openssh-5.3p1# dump -H ./ssh-keygen

    ./ssh-keygen:

                            ***Loader Section***
                          Loader Header Information
    VERSION#         #SYMtableENT     #RELOCent        LENidSTR
    0x00000001       0x000000cd       0x000001f5       0x0000003e

    #IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
    0x00000003       0x00002ad4       0x000005fe       0x00002b12


                            ***Import File Strings***
    INDEX  PATH                          BASE                MEMBER
    0      /usr/lib:/lib
    1                                    libc.a              shr.o
    2                                    libcrypto.a         libcrypto.so.0.9.7

Afterwards I copied libcrypto.a into /usr/lib because it's the path
indicated by the dump for the object. Now make install is successful.

Could you explain to me how to do a clean "make install" without doing a
dirty hack?

Thanks in advance.

Regards,
Frphoebus

From scott_n at xypro.com Wed Feb 24 09:36:39 2010
From: scott_n at xypro.com (Scott Neugroschl)
Date: Tue, 23 Feb 2010 14:36:39 -0800
Subject: dirty hack to solve: 0509-150 Dependent modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
In-Reply-To: <180505.54983.qm@web23808.mail.ird.yahoo.com>
References: <180505.54983.qm@web23808.mail.ird.yahoo.com>
Message-ID: <78DD71C304F38B41885A242996B96F7302213C46@xyservd.XYPRO-23.LOCAL>

You need OpenSSL 0.9.7

> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On
> Behalf Of phoebus phoebus
> Sent: Tuesday, February 23, 2010 2:32 PM
> To: openssh-unix-dev at mindrot.org
> Subject: dirty hack to solve: 0509-150 Dependent
> modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
>
> [...]
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From djm at mindrot.org Wed Feb 24 09:43:20 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Feb 2010 09:43:20 +1100 (EST)
Subject: ld: Unsatisfied symbol "options" in file ./libssh.a[hostfile.o]
In-Reply-To: <55921ce0.df04.126f510e9f2.Coremail.kai_yang2008@163.com>
References: <55921ce0.df04.126f510e9f2.Coremail.kai_yang2008@163.com>
Message-ID:

ssh-keygen doesn't have a config file, so it doesn't link against anything
that provides an options struct. You need to pass your new flag in as an
argument.

On Mon, 22 Feb 2010, kai_yang2008 wrote:

> [...]

From djm at mindrot.org Wed Feb 24 09:46:09 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Feb 2010 09:46:09 +1100 (EST)
Subject: S_ISSOCK fails in openssh >= 5.1
In-Reply-To:
References:
Message-ID:

On Mon, 22 Feb 2010, petesea at bigfoot.com wrote:

> Starting with openssh 5.1 the following code fails (when executed on a remote
> host)... prior to 5.0 this worked, i.e. S_ISSOCK says STDIN is a socket.
>
>     struct stat s;
>     if (fstat(STDIN_FILENO, &s) == 0 && S_ISSOCK(s.st_mode)) {
>         /* STDIN is a socket */
>     } else {
>         /* STDIN is not a socket */
>     }
>
> Soo... if I have a command on a remote host that includes the above code and I
> ssh to the remote host and execute the command, S_ISSOCK will fail if the ssh
> server is >= 5.1.
>
> Is this change on purpose or a bug?

Yes, it is on purpose to better support independent signalling of
input/output closure. The channel between a shell/program and sshd is an
implementation detail and is not part of any promised interface, so it is
unwise to depend upon it.

If you want to detect if your program is running under sshd, then you might
want to try testing for the presence of a SSH_CLIENT environment variable.

-d

From frphoebus at yahoo.fr Wed Feb 24 09:52:04 2010
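To show what this answer means in practice, an added example (not code from the thread): the S_ISSOCK test from the original post gives a different answer for a descriptor that came from a socketpair than for one that came from a pipe, so it reports how the parent wired stdin, not whether ssh is involved; the SSH_CLIENT check Damien suggests is then implemented, with SSH_CONNECTION as a fallback. The field layouts used here, "client-ip client-port server-port" for SSH_CLIENT and "client-ip client-port server-ip server-port" for SSH_CONNECTION, are the ones documented in ssh(1).

```python
"""Why S_ISSOCK on stdin is the wrong test, and what to use instead.

Added example, not code from the thread.  fd_is_socket() is the check from
the original post; stdin_kind_under() applies it to the kind of descriptor
a parent might hand a child as stdin and gets a different answer for a
socketpair than for a pipe.  ssh_session_info() is the SSH_CLIENT check
Damien Miller suggests, with SSH_CONNECTION as a fallback.
"""
import os
import socket
import stat


def fd_is_socket(fd):
    """The test from the original post: True when fd refers to a socket."""
    return bool(stat.S_ISSOCK(os.fstat(fd).st_mode))


def stdin_kind_under(parent_wiring):
    """Create the kind of descriptor a parent might wire to a child's stdin
    ("socketpair" or "pipe") and report what fd_is_socket() says about it.
    The answer depends purely on the parent's choice, which is the
    implementation detail sshd changed between 5.0 and 5.1."""
    if parent_wiring == "socketpair":
        a, b = socket.socketpair()
        try:
            return fd_is_socket(a.fileno())
        finally:
            a.close()
            b.close()
    if parent_wiring == "pipe":
        r, w = os.pipe()
        try:
            return fd_is_socket(r)
        finally:
            os.close(r)
            os.close(w)
    raise ValueError("unknown wiring: %r" % (parent_wiring,))


def parse_ssh_client(value):
    """Parse SSH_CLIENT, 'client-ip client-port server-port' per ssh(1).
    Returns a dict, or None when the value is malformed."""
    parts = value.split()
    if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
        return None
    return {"client_ip": parts[0],
            "client_port": int(parts[1]),
            "server_port": int(parts[2])}


def ssh_session_info(environ=None):
    """Return the parsed SSH_CLIENT (or the equivalent fields of
    SSH_CONNECTION, 'client-ip client-port server-ip server-port') when the
    process runs under sshd, else None.

    Caveat for anything security-sensitive: the session owner controls this
    environment, so it is a hint for behaviour (prompts, logging), never an
    authorization signal."""
    env = os.environ if environ is None else environ
    client = env.get("SSH_CLIENT", "")
    if client:
        return parse_ssh_client(client)
    conn = env.get("SSH_CONNECTION", "").split()
    if len(conn) == 4:
        return parse_ssh_client(" ".join((conn[0], conn[1], conn[3])))
    return None


if __name__ == "__main__":
    print("socketpair stdin looks like a socket:", stdin_kind_under("socketpair"))
    print("pipe stdin looks like a socket:", stdin_kind_under("pipe"))
    print("running under sshd:", ssh_session_info())
```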
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Tue, 23 Feb 2010 22:52:04 +0000 (GMT)
Subject: dirty hack to solve: 0509-150 Dependent modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
In-Reply-To: <78DD71C304F38B41885A242996B96F7302213C46@xyservd.XYPRO-23.LOCAL>
References: <180505.54983.qm@web23808.mail.ird.yahoo.com> <78DD71C304F38B41885A242996B96F7302213C46@xyservd.XYPRO-23.LOCAL>
Message-ID: <905609.73590.qm@web23806.mail.ird.yahoo.com>

Hi Scott,

Thanks for your feedback.

I have installed OpenSSL 0.9.7.

        ca06:/usr/local/etc/ssh# rpm -qa | grep openssl
        openssl-0.9.7l-2
        openssl-devel-0.9.7l-2
        ca06:/usr/local/etc/ssh# rpm -qi openssl-0.9.7l-2
        Name        : openssl                      Relocations: /opt/freeware
        Version     : 0.9.7l                            Vendor: (none)
        Release     : 2                             Build Date: Tue  4 Sep 20:42:24 2007
        Install date: Thu 28 May 15:41:08 2009      Build Host: delrio.austin.ibm.com
        Group       : System Environment/Libraries  Source RPM: openssl-0.9.7l-2.src.rpm
        Size        : 9680080                          License: OpenSSL License
        URL         : http://www.openssl.org/
        Summary     : Secure Sockets Layer and cryptography libraries and tools

configure finds it during its pass.

    checking OpenSSL header version... 9070cf (OpenSSL 0.9.7l 28 Sep 2006)
    checking OpenSSL library version... 9070cf (OpenSSL 0.9.7l 28 Sep 2006)
    checking whether OpenSSL's headers match the library... yes
    checking if programs using OpenSSL functions will link... yes
    checking whether OpenSSL has crippled AES support... no
    checking if EVP_DigestUpdate returns an int... yes
    checking for SHA256_Update... no
    checking for EVP_sha256... no
    checking for ia_openinfo in -liaf... no
    checking whether OpenSSL's PRNG is internally seeded... yes

I think my issue is something else.

Regards,
Frphoebus

________________________________
From: Scott Neugroschl
To: openssh-unix-dev at mindrot.org
Sent: Tue 23 February 2010, 23:36:39
Subject: RE: dirty hack to solve: 0509-150 Dependent modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded

You need OpenSSL 0.9.7

> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On
> Behalf Of phoebus phoebus
> Sent: Tuesday, February 23, 2010 2:32 PM
> To: openssh-unix-dev at mindrot.org
> Subject: dirty hack to solve: 0509-150 Dependent
> modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
>
> Hi all,
>
> I built openssh for aix with a dirty hack.
>
> This is my configure:
>         export CC=cc
>         export CFLAGS="-I/usr/local/include"
>         export LDFLAGS="-L/opt/freeware/lib/ -L/usr/local/lib"
>         export CPP="cc -E"
>         ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
>                 --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
>                 --with-tcp-wrappers=/usr/local/lib \
>                 --with-zlib=/opt/freeware \
>                 --with-ssl-dir=/opt/freeware \
>                 --with-xauth=/usr/bin/X11/xauth \
>                 --with-md5-passwords \
>                 --with-pam \
>                 --with-pid-dir=/var/run
>
> The summary of the configure output:
>         OpenSSH has been configured with the following options:
>                              User binaries: /usr/local/bin
>                            System binaries: /usr/local/sbin
>                        Configuration files: /usr/local/etc/ssh
>                            Askpass program: /usr/local/libexec/ssh-askpass
>                               Manual pages: /usr/local/share/man/manX
>                                   PID file: /var/run
>           Privilege separation chroot path: /var/empty
>                     sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
>                             Manpage format: man
>                                PAM support: yes
>                            OSF SIA support: no
>                          KerberosV support: no
>                            SELinux support: no
>                          Smartcard support: no
>                              S/KEY support: no
>                       TCP Wrappers support: yes
>                       MD5 password support: yes
>                            libedit support: no
>           Solaris process contract support: no
>                IP address in $DISPLAY hack: no
>                    Translate v4 in v6 hack: no
>                           BSD Auth support: no
>                       Random number source: OpenSSL internal ONLY
>
>                       Host: powerpc-ibm-aix5.3.0.0
>                   Compiler: cc -qlanglvl=extc89
>             Compiler flags: -I/usr/local/include -DBROKEN_GETADDRINFO
>         Preprocessor flags: -I/opt/freeware/include -I/usr/local/lib -I/opt/freeware/include
>               Linker flags: -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -blibpath:/usr/lib:/lib
>                  Libraries: -lcrypto -lz
>                  +for sshd:  -lwrap -lpam -ldl
>
>         PAM is enabled. You may need to install a PAM control file
>         for sshd, otherwise password authentication may fail.
>         Example PAM control files can be found in the contrib/
>         subdirectory
>
> I ran "make" with success. When I ran "make install" it failed with the
> following output.
>         exec(): 0509-036 Cannot load program ./ssh-keygen because of the following errors:
>                 0509-150  Dependent module libcrypto.a(libcrypto.so.0.9.7) could not be loaded.
>                 0509-022 Cannot load module libcrypto.a(libcrypto.so.0.9.7).
>                 0509-026 System error: A file or directory in the path name does not exist.
>         make: 1254-004 The error code from the last command is 255.
>
> I tried to understand this message.
>         ca06:/home/frphoebus/openssh/openssh-5.3p1# ldd ./ssh-keygen
>         ./ssh-keygen needs:
>                  /usr/lib/libc.a(shr.o)
>                  /usr/lib/libcrypto.a(libcrypto.so.0.9.7)
>                  /unix
>                  /usr/lib/libcrypt.a(shr.o)
>         ca06:/home/frphoebus/openssh/openssh-5.3p1#
>
> The library libcrypto.a is from openssl and libcrypt.a from the fileset
> bos.rte.security. Both files exist.
>         ca06:/root# rpm -qf /opt/freeware/lib/libcrypto.a
>         openssl-0.9.7l-2
>         ca06:/root# rpm -qf /opt/freeware/lib/libcrypto.a
>         openssl-0.9.7l-2
>         ca06:/root#
>         ca06:/root# lslpp -Jw /usr/lib/libcrypt.a
>           File                                        Fileset             Type
>           ----------------------------------------------------------------------------
>           /usr/lib/libcrypt.a                         bos.rte.security    File
>         ca06:/root#
>         ca06:/usr/local/etc/ssh# ls -l /opt/freeware/lib/libcrypto.a
>         -rwxr-xr-x    1 root    system      6210482 04 Sep 2007 /opt/freeware/lib/libcrypto.a
>         ca06:/usr/local/etc/ssh# ls -l /usr/lib/libcrypt.a
>         -r-xr-xr-x    1 bin      bin           10993 04 Aug 2009 /usr/lib/libcrypt.a
>         ca06:/usr/local/etc/ssh#
>
> I tried updating my path to look in /opt/freeware/lib before /usr/lib,
> or /usr/lib before /opt/freeware/lib. The make install failed with the
> same output in both cases.
>
> I copied libcrypto.a to a temp directory and extracted its content.
> Everything is ok.
>         ca06:/home/frphoebus/libcrypto# ar -xv ./libcrypto.a
>         x - libcrypto.so.0.9.7
>         x - libcrypto.so.0
>
> I dumped part of the object files:
>         ca06:/home/frphoebus/openssh/openssh-5.3p1# dump -H ./ssh-keygen
>
>         ./ssh-keygen:
>
>                                 ***Loader Section***
>                               Loader Header Information
>         VERSION#        #SYMtableENT    #RELOCent       LENidSTR
>         0x00000001      0x000000cd      0x000001f5      0x0000003e
>
>         #IMPfilID       OFFidSTR        LENstrTBL       OFFstrTBL
>         0x00000003      0x00002ad4      0x000005fe      0x00002b12
>
>
>                                 ***Import File Strings***
>         INDEX  PATH                          BASE                MEMBER
>         0      /usr/lib:/lib
>         1                                    libc.a              shr.o
>         2                                    libcrypto.a         libcrypto.so.0.9.7
>
> Then I copied libcrypto.a into /usr/lib because it's the path indicated
> by the dump for the object.
> Now make install is successful.
>
> Could you explain to me how to do a clean "make install" without doing a
> dirty hack?
>
> Thanks in advance.
>
> Regards,
> Frphoebus
From kai_yang2008 at 163.com Wed Feb 24 13:04:08 2010
From: kai_yang2008 at 163.com (kai_yang2008)
Date: Wed, 24 Feb 2010 10:04:08 +0800 (CST)
Subject: ld: Unsatisfied symbol "options" in file ./libssh.a[hostfile.o]
In-Reply-To:
References: <55921ce0.df04.126f510e9f2.Coremail.kai_yang2008@163.com>
Message-ID: <144b9db4.c4f4.126fdb7895f.Coremail.kai_yang2008@163.com>

Hi Miller,

Oh, thank you very much. I should pass the option "usesshldaphostkey" as an argument to the function "check_host_in_hostfile_by_key_or_type".

Best regards,
Kai Yang

At 2010-02-24 06:43:20, "Damien Miller" wrote:
>ssh-keygen doesn't have a config file, so it doesn't link against
>anything that provides an options struct. You need to pass your new
>flag in as an argument.
From frphoebus at yahoo.fr Wed Feb 24 19:27:44 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Wed, 24 Feb 2010 08:27:44 +0000 (GMT)
Subject: dirty hack to solve: 0509-150 Dependent modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
In-Reply-To: <905609.73590.qm@web23806.mail.ird.yahoo.com>
References: <180505.54983.qm@web23808.mail.ird.yahoo.com> <78DD71C304F38B41885A242996B96F7302213C46@xyservd.XYPRO-23.LOCAL> <905609.73590.qm@web23806.mail.ird.yahoo.com>
Message-ID: <967951.29435.qm@web23802.mail.ird.yahoo.com>

Scott,

I found one solution. It's necessary to use:

    export LD_LIBRARY_PATH=/opt/freeware/lib

Now I have a successful "make install". Of course, I deleted the file libcrypto.a copied previously into /usr/lib.

Regards,
Frphoebus
From dtucker at zip.com.au Wed Feb 24 20:58:20 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 24 Feb 2010 20:58:20 +1100
Subject: dirty hack to solve: 0509-150 Dependent modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
In-Reply-To: <967951.29435.qm@web23802.mail.ird.yahoo.com>
References: <180505.54983.qm@web23808.mail.ird.yahoo.com> <78DD71C304F38B41885A242996B96F7302213C46@xyservd.XYPRO-23.LOCAL> <905609.73590.qm@web23806.mail.ird.yahoo.com> <967951.29435.qm@web23802.mail.ird.yahoo.com>
Message-ID: <4B84F83C.2040207@zip.com.au>

phoebus phoebus wrote:
> Scott,
>
> I found one solution.
> It's necessary to use:
>
> export LD_LIBRARY_PATH=/opt/freeware/lib

You can also get the linker to bake that into the binary with -blibpath.
It's mentioned in README.platform in the AIX section:

    If you wish to use dynamic libraries that aren't in the normal system
    locations (eg IBM's OpenSSL and zlib packages) then you will need to
    define the environment variable blibpath before running configure, eg

    blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
      --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From frphoebus at yahoo.fr Wed Feb 24 23:26:34 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Wed, 24 Feb 2010 12:26:34 +0000 (GMT)
Subject: dirty hack to solve: 0509-150 Dependent modulelibcrypto.a(libcrypto.so.0.9.7) could not be loaded
In-Reply-To: <4B84F83C.2040207@zip.com.au>
References: <180505.54983.qm@web23808.mail.ird.yahoo.com> <78DD71C304F38B41885A242996B96F7302213C46@xyservd.XYPRO-23.LOCAL> <905609.73590.qm@web23806.mail.ird.yahoo.com> <967951.29435.qm@web23802.mail.ird.yahoo.com> <4B84F83C.2040207@zip.com.au>
Message-ID: <81437.53057.qm@web23806.mail.ird.yahoo.com>

Hi Darren,

That's better this way. Thanks for the update and your time. I should read the documentation better next time.

Cheers,
Frphoebus
From frphoebus at yahoo.fr Thu Feb 25 03:38:06 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Wed, 24 Feb 2010 16:38:06 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <645093.80297.qm@web23802.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> <465680.58111.qm@web23803.mail.ird.yahoo.com> <645093.80297.qm@web23802.mail.ird.yahoo.com>
Message-ID: <463149.91460.qm@web23806.mail.ird.yahoo.com>

Darren,

This is the last and final update I received from IBM.

First of all, let me sum up some of the facts:

    ld: 0706-006 Cannot find or open library file: -l k5crypto
        ld:open(): No such file or directory
    ld: 0706-006 Cannot find or open library file: -l com_err
        ld:open(): No such file or directory

"With our expansion pack we don't provide these libraries as we statically link them in our code wherever it's needed."

So at this point, we cannot supply these files. Maybe the expansion pack team / open source team can if you really need them:

There is no support for the packages of the AIX Toolbox
http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html
As this document states the issue needs to be reported by eMail to the following address: aixtoolbox-list at lists.sourceforge.net

But I like to comment on the original issue and hopefully the following is helping you to achieve what you need. You can transfer this "quite old" manual to current openssh / kerberos releases:
------------------------------------------------------------------------
Customer needs to just download the latest version of OpenSSH 4.1p1 from
He would be required to install openssl-0.9.7d-2 as a prereq to install this version of OpenSSH.
Customer also needs to install the latest version of kerberos 1.4.0.3 (NAS package).
After setting up the kerberos server and client, he needs to edit the sshd_config file in "/etc/ssh" to set "KerberosAuthentication yes". Now he's all set to use OpenSSH with kerberos.

Instead of linking the libraries directly using cc or using the -l option in the Makefile, we have used "dlopen" and "dlsym" in the source code to dynamically load the kerberos library. This way we can do away with supporting two versions of OpenSSH, one with kerberos support and the other without the support.
------------------------------------------------------------------------

I'll try to build openssh against the MIT kerberos as a first step.

For the second point, about using "dlopen" and "dlsym", it's a Herculean task for a system administrator who is not a C developer.

I'll keep you in touch. I think that can be useful for anyone who has the same issue one day and looks in the forum archive.

Regards,
Frphoebus

________________________________
From: phoebus phoebus
To: Darren Tucker
Cc: openssh-unix-dev at mindrot.org
Sent: Tue 23 February 2010, 17:15:32
Subject: Re : Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Hi Darren,

I opened a PMR to IBM support to find the libraries.

The first IBM answer was:
"There is no support for the packages of the AIX Toolbox, neither for OpenSSL nor for any other package. Please refer to the following document that explicitly mentions this:
http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html
As this document states the issue needs to be reported by eMail to the following address: aixtoolbox-list at lists.sourceforge.net".

I asked my question one more time because the first answer was not the answer to my question. Kerberos is part of the media "Expansion pack" and not "AIX Toolbox".

I had a second answer:
"The libraries are not part of the regular AIX delivery. Please make sure the problem is reported to the eMail address I mentioned in my previous update".

I pushed one more time to get more information from IBM support.

I'll keep you in touch.

Regards,
Thierry Bertaud

----- Original Message ----
From: phoebus phoebus
To: Darren Tucker
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 13:57:00
Subject: Re : Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

Darren,

    ca06:/#  lslpp -L -b'Kerberos_5'
      Fileset                      Level  State  Type  Description (Uninstaller)
      ----------------------------------------------------------------------------
      krb5.client.rte            1.4.0.8    C     F    Network Authentication Service
                                                       Client
    ca06:/# lslpp -L  krb5.*
      Fileset                      Level  State  Type  Description (Uninstaller)
      ----------------------------------------------------------------------------
      krb5.client.rte            1.4.0.8    C     F    Network Authentication Service
                                                       Client
      krb5.client.samples        1.4.0.8    C     F    Network Authentication Service
                                                       Samples
      krb5.doc.en_US.html        1.4.0.8    C     F    Network Auth Service HTML
                                                       Documentation - U.S. English
      krb5.doc.en_US.pdf         1.4.0.8    C     F    Network Auth Service PDF
                                                       Documentation - U.S. English
      krb5.msg.en_US.client.rte  1.4.0.8    C     F    Network Auth Service Client
                                                       Msgs - U.S. English
      krb5.toolkit.adt           1.4.0.8    C     F    Network Authentication Service
                                                       App. Dev. Toolkit

I don't find these libraries. They aren't included in the fileset kbr5.server.rte.
Attached is the listing of the installed filesets (filesetKbr5.txt).
FYI: packages included in the AIX Expansion pack are listed in the file ExpansionPackAix53-112008.txt (screen copy from smit).

I don't know how to find the IBM libraries and I'm not sure it's possible to use the MIT krb5 library for the compilation on the AIX platform.

Regards,
Frphoebus

----- Original Message ----
From: Darren Tucker
To: phoebus phoebus
Cc: openssh-unix-dev at mindrot.org
Sent: Fri 19 February 2010, 12:39:43
Subject: Re: Re : Re : Re : Re : "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3

phoebus phoebus wrote:
> Darren,
>
> I use openssl version: OpenSSL 0.9.7l 28 Sep 2006. OpenSSL is from 2 rpm packages openssl-0.9.7l-2, openssl-devel-0.9.7l-2 from the Linux toolbox for AIX 5.3
> [...]
> When I run make, I have the following errors:
>
> include -I/usr/local/include/gssapi -DSSHDIR=\"/usr/local/etc/ssh\"  -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"  -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"  -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"  -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"  -D_PATH_SSH_PIDDIR=\"/var/run\"  -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"  -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c roaming_common.c
> "roaming_common.c", line 58.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
> "roaming_common.c", line 70.60: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
>         cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o  sshconnect.o sshconnect1.o sshconnect2.o mux.o  roaming_common.o -L. -Lopenbsd-compat/ -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib -L/opt/freeware/lib/ -L/usr/local/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib -lssh -lopenbsd-compat -lcrypto -lz  -lkrb5 -lk5crypto -lcom_err
> ld: 0706-006 Cannot find or open library file: -l k5crypto
>         ld:open(): A file or directory in the path name does not exist.
> ld: 0706-006 Cannot find or open library file: -l com_err
>         ld:open(): A file or directory in the path name does not exist.
> make: 1254-004 The error code from the last command is 255.
>
> Thanks for the advice. I'm looking for the libraries k5crypto and com_err. I installed the kerberos5 filesets but no improvement.
> I'm now continuing my investigation.

I would guess either the native kerberos doesn't have the library files openssh is looking for, or they're located someplace the linker can't find them.  Can you list the files in the kerberos filesets (I vaguely recall "lslpp -l" but it's been a while) and does it contain the libk5crypto and libcom_err files?  If so, where?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

http://sourceforge.net/projects/openssh-aix
http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.ht
From deutschem at gmx.de Fri Feb 26 02:52:57 2010
From: deutschem at gmx.de (Deutschem)
Date: Thu, 25 Feb 2010 16:52:57 +0100
Subject: secure Xapps tunnel
Message-ID: <1267113177.4137.23.camel@wmdcs009>

Hi, eventual newbie here: I want to show remote X apps on my desktop.

Now, I know from Google that xhost and xauth are not the way to do that very securely.

Now, I have an ssh_config with X forwarding enabled and a server with forwarding enabled, too.

Now when I connect to the server I read that ssh automatically creates an Xauthority file. So I know that this is the xauth way with supercookies etc.

But I don't want to use the xauth way, I only want to tunnel X apps through ssh.

So, I try to connect this information in my brain to really understand these things.

OK, now, how can I securely show X apps on my X server with ssh?

Thx

From c.brian.boyle at lmco.com Thu Feb 25 11:01:49 2010
From: c.brian.boyle at lmco.com (Boyle, C Brian)
Date: Wed, 24 Feb 2010 17:01:49 -0700
Subject: sftp Batchmode command level error suppression does not work?
Message-ID: <8257A864518A7A48AC9DF26E96B78AD65D33C69FAE@HDXMSP1.us.lmco.com>

Hi guys -

OpenSSH sftp (on Solaris)

From the man page:

    Termination on error can be suppressed on a command by command basis by prefixing the command with a `-' character (for example, -rm /tmp/blah* ).

This does not seem to work - instead the server seems to fail to recognize the command from the batchfile.

Consider this batchfile:

    mkdir tmp
    cd tmp
    put rpt.list
    bye

We want to make sure we have a ./tmp dir - if it exists that's ok.
We want the ftp to fail if it can't cd tmp.

Run as is (second round):

    sftp> mkdir tmp
    Couldn't create directory: Failure

(which is expected - directory exists)

Run with -mkdir prefix:

    sftp> -mkdir tmp
    Invalid command.
    sftp> cd tmp
    sftp> put rpt.list
    Uploading rpt.list to /home/bboyle/tmp/rpt.list
    sftp> bye

Note, the line -mkdir tmp is not recognized as a command.

If I change the script to -mkdir xtmp (new dir):

    sftp> -mkdir xtmp
    Invalid command.
    sftp> cd xtmp
    Couldn't canonicalise: No such file or directory

Does not mkdir - ignores the entire command.
Cd fails (as we would expect).

Any ideas?

C. Brian Boyle PCVM / EWI / HS
Enterprise Business Services
phone : 303 . 688 . 6008
cell : 303 . 898 . 5483
email : c.brian.boyle at lmco.com

From imorgan at nas.nasa.gov Fri Feb 26 04:32:05 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 25 Feb 2010 09:32:05 -0800
Subject: sftp Batchmode command level error suppression does not work?
In-Reply-To: <8257A864518A7A48AC9DF26E96B78AD65D33C69FAE@HDXMSP1.us.lmco.com>
References: <8257A864518A7A48AC9DF26E96B78AD65D33C69FAE@HDXMSP1.us.lmco.com>
Message-ID: <20100225173205.GE17027@linux55.nas.nasa.gov>

On Wed, Feb 24, 2010 at 18:01:49 -0600, Boyle, C Brian wrote:
> Hi guys -
>
> OpenSSH sftp (on Solaris)
>
> From the man page:
>
>     Termination on error can be suppressed on a command by command basis by prefixing the command with a `-' character (for example, -rm /tmp/blah* ).
>
> This does not seem to work - instead the server seems to fail to recognize the command from the batchfile.
>
> Consider this batchfile:
>     mkdir tmp
>     cd tmp
>     put rpt.list
>     bye
>
> We want to make sure we have a ./tmp dir - if it exists that's ok.
> We want the ftp to fail if it can't cd tmp.
>
> Run as is (second round):
>     sftp> mkdir tmp
>     Couldn't create directory: Failure
>
> (which is expected - directory exists)
>
> Run with -mkdir prefix:
>
>     sftp> -mkdir tmp
>     Invalid command.
>     sftp> cd tmp
>     sftp> put rpt.list
>     Uploading rpt.list to /home/bboyle/tmp/rpt.list
>     sftp> bye
>
> Note, the line -mkdir tmp is not recognized as a command.
>
> If I change the script to -mkdir xtmp (new dir):
>
>     sftp> -mkdir xtmp
>     Invalid command.
>     sftp> cd xtmp
>     Couldn't canonicalise: No such file or directory
>
> Does not mkdir - ignores the entire command.
> Cd fails (as we would expect).
>
> Any ideas?
>
>
> C. Brian Boyle PCVM / EWI / HS
> Enterprise Business Services
>
> phone : 303 . 688 . 6008
> cell : 303 . 898 . 5483
> email : c.brian.boyle at lmco.com
>
>

Which version of OpenSSH? And are you quite sure it is not Sun's derivative of OpenSSH?

Note also that whether -mkdir is recognized or not is a function of the client, not of the server.
-- 
Iain Morgan

From sayan.chaliha at webyog.com Fri Feb 26 17:07:50 2010
From: sayan.chaliha at webyog.com (Sayan Chaliha)
Date: Fri, 26 Feb 2010 11:37:50 +0530
Subject: ClientAliveInterval
Message-ID: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>

Hi,

I am having some trouble with the ClientAliveInterval server setting. My (C++) application fails to start an SSH channel to an OpenSSH server within this time-out period if it doesn't reply correctly to this 'keep-alive' no-op that is sent by the server. How is this no-op handled? I am using the libssh client library, and I could find no references on how to handle this.

I'll be really grateful if you guys help me out with this!

-- 
Regards,
Sayan Chaliha
Webyog Softworks Private Limited
2nd Floor, Novel Team Building
#10, 100 Feet Ring Road
BTM Layout 1st Stage
Bangalore - 560068

+91-9743357501

From djm at mindrot.org Fri Feb 26 18:10:43 2010
From: djm at mindrot.org (Damien Miller)
Date: Fri, 26 Feb 2010 18:10:43 +1100 (EST)
Subject: ClientAliveInterval
In-Reply-To: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
Message-ID:

On Fri, 26 Feb 2010, Sayan Chaliha wrote:

> Hi,
>
> I am having some trouble with the ClientAliveInterval server setting. My
> (C++) application fails to start an SSH channel to an OpenSSH server within
> this time-out period if it doesn't reply correctly to this 'keep-alive'
> no-op that is sent by the server. How is this no-op handled? I am using the
> libssh client library, and I could find no references on how to handle this.

Client alive interval is implemented by sending a global or channel request of type "keepalive@openssh.com" with want-reply turned on. You shouldn't need to implement anything for this to work - a client should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this request type and that should be enough to reset the keepalive watchdog timer.

If you would like to explicitly support it, you can just send an appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely optional.

-d

From jmknoble at pobox.com Fri Feb 26 18:42:14 2010
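The keepalive exchange Damien describes, as an added example constructed for this thread (not OpenSSH's or libssh's code): the server's "keepalive@openssh.com" request, the reply a client owes it even when it does not implement the request type, and a server-side watchdog. Message numbers are those of RFC 4254; the disconnect rule (count_max unanswered requests in a row) is a simplification of sshd's exact ClientAliveCountMax accounting.

```python
import struct

# Message numbers from RFC 4254 (names as used in Damien's reply).
SSH2_MSG_GLOBAL_REQUEST = 80
SSH2_MSG_REQUEST_SUCCESS = 81
SSH2_MSG_REQUEST_FAILURE = 82
SSH2_MSG_CHANNEL_REQUEST = 98
SSH2_MSG_CHANNEL_SUCCESS = 99
SSH2_MSG_CHANNEL_FAILURE = 100

KEEPALIVE = b"keepalive@openssh.com"


def ssh_string(data):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    """Parse an RFC 4251 string at offset `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def keepalive_global_request(want_reply=True):
    """Unencrypted payload sshd sends after ClientAliveInterval seconds of silence."""
    return (bytes([SSH2_MSG_GLOBAL_REQUEST]) + ssh_string(KEEPALIVE)
            + bytes([int(want_reply)]))


def keepalive_channel_request(channel, want_reply=True):
    """Channel-scoped variant: SSH2_MSG_CHANNEL_REQUEST on recipient `channel`."""
    return (bytes([SSH2_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(KEEPALIVE) + bytes([int(want_reply)]))


def client_reply(payload, implements_keepalive=False):
    """Reply a protocol-compliant client owes for `payload`, or None.

    want-reply unset means no reply is expected. A client that does not
    recognise the request type must still answer with the matching FAILURE
    message: "I have no idea what this is" is a valid, timer-resetting reply.
    """
    msg = payload[0]
    if msg == SSH2_MSG_GLOBAL_REQUEST:
        name, off = read_string(payload, 1)
        if not payload[off]:          # want-reply boolean
            return None
        ok = implements_keepalive and name == KEEPALIVE
        return bytes([SSH2_MSG_REQUEST_SUCCESS if ok else SSH2_MSG_REQUEST_FAILURE])
    if msg == SSH2_MSG_CHANNEL_REQUEST:
        (channel,) = struct.unpack_from(">I", payload, 1)
        name, off = read_string(payload, 5)
        if not payload[off]:
            return None
        ok = implements_keepalive and name == KEEPALIVE
        code = SSH2_MSG_CHANNEL_SUCCESS if ok else SSH2_MSG_CHANNEL_FAILURE
        return bytes([code]) + struct.pack(">I", channel)
    return None  # not a request: nothing to answer


class ClientAliveWatchdog:
    """Server-side counter: one tick per ClientAliveInterval without traffic.

    Disconnects once `count_max` consecutive requests go unanswered; this is
    a constructed simplification of sshd's ClientAliveCountMax handling.
    """

    def __init__(self, count_max=3):
        self.count_max = count_max
        self.unanswered = 0

    def tick(self):
        """Interval elapsed with no client traffic: send another keepalive."""
        self.unanswered += 1
        return keepalive_global_request()

    def on_client_message(self, payload):
        """Any message from the client, REQUEST_FAILURE included, resets the count."""
        if payload:
            self.unanswered = 0

    def should_disconnect(self):
        return self.unanswered >= self.count_max


def simulate(client_answers, count_max=3):
    """Run `count_max` intervals; return (ticks run, disconnected?)."""
    wd = ClientAliveWatchdog(count_max)
    for t in range(1, count_max + 1):
        req = wd.tick()
        if client_answers:
            # A client with no keepalive support still replies REQUEST_FAILURE.
            wd.on_client_message(client_reply(req))
        if wd.should_disconnect():
            return t, True
    return count_max, False
```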
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 26 Feb 2010 02:42:14 -0500
Subject: secure Xapps tunnel
In-Reply-To: <1267113177.4137.23.camel@wmdcs009>
References: <1267113177.4137.23.camel@wmdcs009>
Message-ID: <20100226074214.GB19421@crawfish.ais.com>

On 2010-02-25 10:52, Deutschem wrote:
: I want to show remote X apps on my desktop.
:
: Now, I know from Google that xhost and xauth are not the way to
: do that very securely.
:
: Now, I have an ssh_config with X forwarding enabled and a server with
: forwarding enabled, too.
:
: Now when I connect to the server I read that ssh automatically creates an
: Xauthority file.
: So I know that this is the xauth way with supercookies etc.
:
: But I don't want to use the xauth way, I only want to tunnel X apps through
: ssh.
[...]
: OK, now, how can I securely show X apps on my X server with ssh?

When X11 forwarding is turned on, OpenSSH does the following:

(1) Create a local X11 display on the remote host (usually the first free display beginning with "DISPLAY=:10"). This display is tunneled back to the originating host's display.

(2) Create a cookie in an XAUTHORITY file (usually ~/.Xauthority) on the remote host which allows access to the display it created on the remote host.

For example:

--------------------
localhost$ echo $DISPLAY
:0.0
localhost$ ssh -X -Y remotehost
remotehost$ echo $DISPLAY
:10.0
remotehost$ xauth list $DISPLAY
remotehost/unix:10  MIT-MAGIC-COOKIE-1  0d599f0ec05c3bda8c3b8a68c32a1b47
remotehost$ xterm &
(xterm appears on localhost's display ":0.0")
--------------------

The manual page explains more about '-X' and '-Y'.

(If the above is not entirely clear, please write to me personally, then we can try in German.)

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

From jmknoble at pobox.com Fri Feb 26 18:14:07 2010
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 26 Feb 2010 02:14:07 -0500
Subject: Priv Sep SSH has / as CWD
In-Reply-To:
References: <4B781DCB.2000805@aset.com> <4B788F86.2070609@aset.com>
Message-ID: <20100226071407.GA19421@crawfish.ais.com>

On 2010-02-14 19:32, Damien Miller wrote:
: On Sun, 14 Feb 2010, Jon Kibler wrote:
:
: > Regarding the sshd listener running in "/" and world readable core
: > files... unfortunately, that is the way that RHEL/CentOS is configured.
: > In the "functions" for init (/etc/init.d/functions), one of the first
: > steps is to set 'umask 022'. I have tried to change this in the past
: > only to have stuff break. I have also tried setting permissions on "/"
: > to 751 and also broke stuff. Thus, for daemons that run with "/" as
: > their home directory, we can get core files in "/" that are world
: > readable. I do not like it, but that is the RHEL environment I have to
: > live with. :-(
:
: If RHEL drops core files from privileged processes that are world-readable
: then the system has a major security vulnerability independent of sshd.
: Any system daemon that calls getpw* that can be tricked into segfaulting
: would likely leak password hashes from /etc/shadow (or worse). Have you
: confirmed that core files are indeed world-readable?

Under RHEL (and CentOS) v4 and v5, any service whose initscript uses the 'daemon' function to start the service has 'ulimit -S -c 0' turned on by default; this sets the softlimit for the size of corefiles to zero.

You're much better off turning off the generation of corefiles to begin with rather than merely relying on umasks. Large corefiles can fill filesystems if enough of them appear. You can use 'ulimit -S -c 0' in sshd's initscript with no problems.
-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

From sayan.chaliha at webyog.com Fri Feb 26 23:25:07 2010
From: sayan.chaliha at webyog.com (Sayan Chaliha)
Date: Fri, 26 Feb 2010 17:55:07 +0530
Subject: ClientAliveInterval
In-Reply-To:
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
Message-ID: <9515bbd41002260425ge517880r4e3035dc0d9683f8@mail.gmail.com>

Thanks for the info. I couldn't find this anywhere. So the version of libssh I am using is outdated I think.

Anyway, thanks again!

On Fri, Feb 26, 2010 at 12:40 PM, Damien Miller wrote:

> On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>
> > Hi,
> >
> > I am having some trouble with the ClientAliveInterval server setting. My
> > (C++) application fails to start an SSH channel to an OpenSSH server
> within
> > this time-out period if it doesn't reply correctly to this 'keep-alive'
> > no-op that is sent by the server. How is this no-op handled? I am using
> the
> > libssh client library, and I could find no references on how to handle
> this.
>
> Client alive interval is implemented by sending a global or channel
> request of type "keepalive@openssh.com" with want-reply turned on.
> You shouldn't need to implement anything for this to work - a client
> should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this request
> type and that should be enough to reset the keepalive watchdog timer.
>
> If you would like to explicitly support it, you can just send an
> appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or
> SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely
> optional.
>
> -d
>

-- 
Regards,
Sayan Chaliha
Webyog Softworks Private Limited
2nd Floor, Novel Team Building
#10, 100 Feet Ring Road
BTM Layout 1st Stage
Bangalore - 560068

+91-9743357501

From sayan.chaliha at webyog.com Sat Feb 27 00:38:51 2010
From: sayan.chaliha at webyog.com (Sayan Chaliha)
Date: Fri, 26 Feb 2010 19:08:51 +0530
Subject: ClientAliveInterval
In-Reply-To:
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
Message-ID: <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com>

@Damien, could you also tell me what would happen if the client didn't respond to that request, and instead tried to create a new session and channel afresh? Would the server send the same message again?

On Fri, Feb 26, 2010 at 12:40 PM, Damien Miller wrote:

> On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>
> > Hi,
> >
> > I am having some trouble with the ClientAliveInterval server setting. My
> > (C++) application fails to start an SSH channel to an OpenSSH server
> within
> > this time-out period if it doesn't reply correctly to this 'keep-alive'
> > no-op that is sent by the server. How is this no-op handled? I am using
> the
> > libssh client library, and I could find no references on how to handle
> this.
>
> Client alive interval is implemented by sending a global or channel
> request of type "keepalive@openssh.com" with want-reply turned on.
> You shouldn't need to implement anything for this to work - a client
> should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this request
> type and that should be enough to reset the keepalive watchdog timer.
>
> If you would like to explicitly support it, you can just send an
> appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or
> SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely
> optional.
>
> -d
>

-- 
Regards,
Sayan Chaliha
Webyog Softworks Private Limited
2nd Floor, Novel Team Building
#10, 100 Feet Ring Road
BTM Layout 1st Stage
Bangalore - 560068

+91-9743357501

From peter at stuge.se Sat Feb 27 03:13:54 2010
From: peter at stuge.se (Peter Stuge)
Date: Fri, 26 Feb 2010 17:13:54 +0100
Subject: ClientAliveInterval
In-Reply-To: <9515bbd41002260425ge517880r4e3035dc0d9683f8@mail.gmail.com>
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260425ge517880r4e3035dc0d9683f8@mail.gmail.com>
Message-ID: <20100226161354.15989.qmail@stuge.se>

Sayan Chaliha wrote:
> Thanks for the info. I couldn't find this anywhere. So the version
> of libssh I am using is outdated I think.

Did you talk to the libssh developers and investigate if this is a known problem?

I might add that libssh2 can handle keepalive and has seen many (all? let's hope! :p) critical bugfixes lately, so it might be an alternative worth considering.

//Peter

From djm at mindrot.org Sat Feb 27 11:29:29 2010
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 Feb 2010 11:29:29 +1100 (EST)
Subject: ClientAliveInterval
In-Reply-To: <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com>
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com>
Message-ID:

On Fri, 26 Feb 2010, Sayan Chaliha wrote:

> @Damien, could you also tell me what would happen if the client didn't
> respond to that request, and instead tried to create a new session and channel
> afresh? Would the server send the same message again?

A client that is compliant with the protocol _must_ respond, even just to say "I have no idea what this command is". Any response will reset the keepalive timer.

> On Fri, Feb 26, 2010 at 12:40 PM, Damien Miller wrote:
>
> > On Fri, 26 Feb 2010, Sayan Chaliha wrote:
> >
> > > Hi,
> > >
> > > I am having some trouble with the ClientAliveInterval server setting. My
> > > (C++) application fails to start an SSH channel to an OpenSSH server
> > within
> > > this time-out period if it doesn't reply correctly to this 'keep-alive'
> > > no-op that is sent by the server. How is this no-op handled? I am using
> > the
> > > libssh client library, and I could find no references on how to handle
> > this.
> >
> > Client alive interval is implemented by sending a global or channel
> > request of type "keepalive@openssh.com" with want-reply turned on.
> > You shouldn't need to implement anything for this to work - a client
> > should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this request
> > type and that should be enough to reset the keepalive watchdog timer.
> >
> > If you would like to explicitly support it, you can just send an
> > appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or
> > SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely
> > optional.
> >
> > -d
> >
>
>
> --
> Regards,
> Sayan Chaliha
> Webyog Softworks Private Limited
> 2nd Floor, Novel Team Building
> #10, 100 Feet Ring Road
> BTM Layout 1st Stage
> Bangalore - 560068
>
> +91-9743357501

From djm at mindrot.org Sat Feb 27 18:25:38 2010
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 Feb 2010 18:25:38 +1100 (EST)
Subject: Call for testing: OpenSSH-5.4
Message-ID:

Hi,

OpenSSH 5.4 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a big release, with a number of major new features and many bug fixes.

Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the instructions at http://www.openssh.com/portable.html#cvs

Running the regression tests supplied with Portable OpenSSH does not require installation and is simply:

    $ ./configure && make tests

Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Changes since OpenSSH 5.3
=========================

Features:

 * After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line.

 * Deprecate the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. PKCS#11 support is automatically enabled on all platforms that support dlopen(3) and was inspired by patches written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

 * Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (not X.509). Certificates contain a public key, identity information and some validity constraints and are signed with a standard SSH public key using ssh-keygen(1). CA keys may be marked as trusted in authorized_keys (for user authentication) or known_hosts (for host authentication).

   Documentation for certificate support may be found in ssh-keygen(1), sshd(8) and ssh(1) and a description of the protocol changes in PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618

 * Rewrite the ssh(1) multiplexing support to support non-blocking operation of the mux master, improve the resilience of the master to malformed messages sent to it by the slave and add support for requesting port-forwardings via the multiplex protocol. The new stdio-to-local forward mode ("ssh -W host:port ...") is also supported. The revised multiplexing protocol is documented in the file PROTOCOL.mux in the source distribution.

 * Add a 'read-only' mode to sftp-server(8) that disables open in write mode and all other fs-modifying protocol methods. bz#430

 * Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has. bz#1229

 * Many improvements to the sftp(1) client, many of which were implemented by Carlos Silva through the Google Summer of Code program:
   - Support the "-h" (human-readable units) flag for ls
   - Implement tab-completion of commands, local and remote filenames
   - Support most of scp(1)'s commandline arguments in sftp(1), as a first step towards making sftp(1) a drop-in replacement for scp(1). Note that the rarely-used "-P sftp_server_path" option has been moved to "-D sftp_server_path" to make way for "-P port" to match scp(1).
   - Add recursive transfer support for get/put and on the commandline

 * New RSA keys will be generated with a public exponent of RSA_F4 == (2**16)+1 == 65537 instead of the previous value 35.

 * Passphrase-protected SSH protocol 2 private keys are now protected with AES-128 instead of 3DES. This applies to freshly-generated keys as well as keys that are reencrypted (e.g. by changing their passphrase).

Bugfixes:

 * When using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot and not outside (bz#1679)

 * Cache user and group name lookups in sftp-server using user_from_[ug]id(3) to improve performance on hosts where these operations are slow (e.g. NIS or LDAP). bz#1495

 * Fix problem that prevented passphrase reading from being interrupted in some circumstances; bz#1590

 * Ignore and log any Protocol 1 keys where the claimed size is not equal to the actual size.

 * Make HostBased authentication work with a ProxyCommand. bz#1569

 * Avoid run-time failures when specifying hostkeys via a relative path by prepending the current working directory in these cases. bz#1290

 * Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug. bz#1693

 * Document that the PubkeyAuthentication directive is allowed in a sshd_config(5) Match block. bz#1577

 * When converting keys, truncate key comments at 72 chars as per RFC4716. bz#1630

 * Do not allow logins if /etc/nologin exists but is not readable by the user logging in.

 * Output a debug log if sshd(8) can't open an existing authorized_keys. bz#1694

 * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we usually don't actually have a tty to read/set; bz#1686

 * Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-". bz#1691

 * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs itself. Prevents two HUPs in quick succession from resulting in sshd dying. bz#1692

 * Clarify in sshd_config(5) that StrictModes does not apply to ChrootDirectory. Permissions and ownership are always checked when chrooting. bz#1532

 * Set close-on-exec on various descriptors so they don't get leaked to child processes. bz#1643

 * Fix very rare race condition in x11/agent channel allocation: don't read after the end of the select read/write fdset and make sure a reused FD is not touched before the pre-handlers are called.

 * Fix incorrect exit status when multiplexing and channel ID 0 is recycled. bz#1570

 * Fail with an error when an attempt is made to connect to a server with ForceCommand=internal-sftp with a shell session (i.e. not a subsystem session). Avoids stuck client when attempting to ssh to such a service. bz#1606

 * Warn but do not fail if stat()ing the subsystem binary fails. This helps with chrootdirectory+forcecommand=sftp-server and restricted shells. bz#1599

 * Change "Connecting to host..." message to "Connected to host." and delay it until after the sftp protocol connection has been established. Avoids confusing sequence of messages when the underlying ssh connection experiences problems. bz#1588

 * Use the HostKeyAlias rather than the hostname specified on the commandline when prompting for passwords. bz#1039

 * Correct off-by-one in percent_expand(): we would fatal() when trying to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually work. Note that nothing in OpenSSH actually uses close to this limit at present. bz#1607

 * Fix passing of empty options from scp(1) and sftp(1) to the underlying ssh(1). Also add support for the stop option "--".

 * Fix an incorrect magic number and typo in PROTOCOL; bz#1688

 * Don't escape backslashes when displaying the SSH2 banner. bz#1533

 * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566

 * Force use of the correct hash function for random-art signature display as it was inheriting the wrong one when bubblebabble signatures were activated. bz#1611

 * Do not fall back to adding keys without constraints (ssh-add -c / -t ...) when the agent refuses the constrained add request. bz#1612

 * Fix a race condition in ssh-agent that could result in a wedged or spinning agent. bz#1633

 * Flush stdio before exec() to ensure that everything (motd in particular) has made it out before the streams go away. bz#1596

 * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

 * Use system's kerberos principal name on AIX if it's available. bz#1583

 * Disable OOM-killing of the listening sshd on Linux. bz#1740

 * Use pkg-config for opensc config if it's available. bz#1160

 * Unbreak Redhat spec to allow building without askpass. bz#1677

 * If PidFile is set in sshd_config, use it in SMF init file. bz#1628

 * Print error and usage() when ssh-rand-helper is passed command-line arguments as none are supported. bz#1568

 * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding with GatewayPorts=yes. bz#1648

 * Make GNOME 2 askpass dialog desktop-modal. bz#1645

 * If SELinux is enabled set the security context to "sftpd_t" before running the internal sftp server. bz#1637

 * Correctly check libselinux for necessary SELinux functions; bz#1713

From vinschen at redhat.com Sat Feb 27 21:10:48 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Sat, 27 Feb 2010 11:10:48 +0100
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <20100227101048.GA20834@calimero.vinschen.de>

Hi Damien,

On Feb 27 18:25, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

Can you please check in the patch from http://marc.info/?l=openssh-unix-dev&m=126660110606035&w=2 for 5.4?

And what about http://marc.info/?l=openssh-unix-dev&m=126505289206175&w=2

After the first mail, none of the core developers replied to this issue. There were several suggestions to fix the problem, but without feedback it's hard to come to a sufficient solution.

Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From lists at spuddy.org Sat Feb 27 23:08:19 2010
From: lists at spuddy.org (Stephen Harris)
Date: Sat, 27 Feb 2010 07:08:19 -0500
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <20100227120819.GA2665@mercury.spuddy.org>

On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

It's been a number of years since I've done this, so please excuse me if I'm lacking information in my report.

On CentOS 5.4 32bit

    Linux mercury 2.6.18-164.11.1.el5PAE #1 SMP Wed Jan 20 08:16:13 EST 2010 i686 i686 i386 GNU/Linux

    % gcc -v
    Using built-in specs.
    Target: i386-redhat-linux
    Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=i386-redhat-linux
    Thread model: posix
    gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)

OpenSSH has been configured with the following options:

    User binaries: /usr/local/bin
    System binaries: /usr/local/sbin
    Configuration files: /usr/local/etc
    Askpass program: /usr/local/libexec/ssh-askpass
    Manual pages: /usr/local/man/manX
    PID file: /var/run
    Privilege separation chroot path: /var/empty
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    Manpage format: doc
    PAM support: no
    OSF SIA support: no
    KerberosV support: no
    SELinux support: no
    Smartcard support:
    S/KEY support: no
    TCP Wrappers support: no
    MD5 password support: no
    libedit support: no
    Solaris process contract support: no
    IP address in $DISPLAY hack: no
    Translate v4 in v6 hack: yes
    BSD Auth support: no
    Random number source: OpenSSL internal ONLY

    Host: i686-pc-linux-gnu
    Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99
    Preprocessor flags:
    Linker flags: -fstack-protector-all
    Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt

Commands to reproduce:

    cvs get openssh
    cd openssh
    autoreconf
    ./configure
    make tests

    [....]
    gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -std=gnu99 -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-pkcs11-helper.c
    gcc -o ssh-pkcs11-helper ssh-pkcs11-helper.o ssh-pkcs11.o -L. -Lopenbsd-compat/ -fstack-protector-all -lssh -lopenbsd-compat -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt
    openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o): In function `arc4random':
    /home/sweh/ssh_testing/openssh/openbsd-compat/bsd-arc4random.c:50: undefined reference to `seed_rng'
    collect2: ld returned 1 exit status
    make: *** [ssh-pkcs11-helper] Error 1

-- 
rgds
Stephen

From djm at mindrot.org Sun Feb 28 03:26:01 2010
From: djm at mindrot.org (Damien Miller)
Date: Sun, 28 Feb 2010 03:26:01 +1100 (EST)
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: <20100227120819.GA2665@mercury.spuddy.org>
References: <20100227120819.GA2665@mercury.spuddy.org>
Message-ID:

On Sat, 27 Feb 2010, Stephen Harris wrote:

> On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller wrote:
> > OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release,
> > with a number of major new features and many bug fixes.
>
> It's been a number of years since I've done this, so please excuse me if
> I'm lacking information in my report

Please try this patch:

Index: ssh-pkcs11-helper.c =================================================================== RCS file: /var/cvs/openssh/ssh-pkcs11-helper.c,v retrieving revision 1.4 diff -u -r1.4 ssh-pkcs11-helper.c --- ssh-pkcs11-helper.c 24 Feb 2010 06:16:08 -0000 1.4 +++ ssh-pkcs11-helper.c 27 Feb 2010 16:25:26 -0000 @@ -280,6 +280,8 @@ extern char *optarg; extern char *__progname; + init_rng(); + seed_rng(); __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr);

From djm at mindrot.org Sun Feb 28 03:39:11 2010
From: djm at mindrot.org (Damien Miller)
Date: Sun, 28 Feb 2010 03:39:11 +1100 (EST)
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To: <20100218155921.GS5683@calimero.vinschen.de>
References: <20100202113902.GA19205@calimero.vinschen.de> <12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com> <20100218155921.GS5683@calimero.vinschen.de>
Message-ID:

On Thu, 18 Feb 2010, Corinna Vinschen wrote:

> This sounds like a good idea. Alternatively:
>
> Index: auth2.c > =================================================================== > RCS file: /cvs/openssh/auth2.c,v > retrieving revision 1.151 > diff -u -p -r1.151 auth2.c > --- auth2.c 22 Jun 2009 06:11:07 -0000 1.151 > +++ auth2.c 18 Feb 2010 15:58:02 -0000
> @@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32 > /* setup auth context */ > authctxt->pw = PRIVSEP(getpwnamallow(user)); > authctxt->user = xstrdup(user); > - if (authctxt->pw && strcmp(service, "ssh-connection")==0) { > + if (authctxt->pw && strcmp(service, "ssh-connection")==0 > + && !strcmp (user, authctxt->pw->pw_name)) { > authctxt->valid = 1; > debug2("input_userauth_request: setting up authctxt for %s", user); > } else {
>
> This would disallow any login using the username in a case which
> differs from the case used in /etc/passwd. And it wouldn't hurt
> any case-sensitive system either.
>
> Damien, would that be ok?

Unfortunately, that patch only deals with SSHv2 connections. How about this?

Index: auth.c
===================================================================
RCS file: /var/cvs/openssh/auth.c,v
retrieving revision 1.136
diff -u -r1.136 auth.c
--- auth.c 11 Feb 2010 22:25:29 -0000 1.136
+++ auth.c 27 Feb 2010 16:36:25 -0000
@@ -535,6 +535,13 @@ get_canonical_hostname(options.use_dns), get_remote_ipaddr()); pw = getpwnam(user); +#if HAVE_CYGWIN + if (strcmp(user, pw->pw_name) != 0) { + logit("Login name %.100s does not match stored username %.100s", + user, pw->pw_name); + pw = NULL; + } +#endif if (pw == NULL) { logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr());

I'm a little worried about enabling this outside of Cygwin, since I'm not
sure whether multiple UID-sharing accounts are guaranteed to
deterministically return the username that was used to look them up.

-d

From Zube at CS.ColoState.EDU Sun Feb 28 03:15:28 2010
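Review bot: the new `&& !strcmp (user, authctxt->pw->pw_name)` condition in the quoted auth2.c hunk sends a case-mismatched login down the same `else` branch as an unknown user, so an administrator reading the logs cannot tell the two apart; a dedicated `logit()` for the mismatch (the later auth.c version has one) would make the rejection diagnosable. Style-wise the hunk now mixes `strcmp(service, "ssh-connection")==0` with `!strcmp (user, ...)` (note the space before the parenthesis) on adjacent lines; using one form consistently, with the `!= 0`/`== 0` spelling, reads better. And as the reply points out, this check only runs for protocol 2 userauth requests.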
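Review bot: the added `if (strcmp(user, pw->pw_name) != 0)` in the auth.c hunk dereferences `pw` before the existing `if (pw == NULL)` check that follows it, so on a Cygwin build a lookup of a name that is not in the account database now hits a NULL pointer instead of reaching the `Invalid user` log line. Guard the comparison, e.g. `if (pw != NULL && strcmp(user, pw->pw_name) != 0) {`, or move the whole `#if HAVE_CYGWIN` block below the NULL check. Separately, `#if HAVE_CYGWIN` should be `#ifdef HAVE_CYGWIN` if the macro is only ever defined rather than defined to a value; the `#if` form evaluates an undefined macro as 0 but trips `-Wundef` builds.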
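Both patches in this exchange implement the same idea: after the account lookup succeeds, accept the login only if the name the client sent is spelled exactly like the stored pw_name, so that on a case-insensitive account database "usEr" cannot reach the entry for "user". The C program below is an added illustration of that check and is not OpenSSH's code; `demo_passwd`, `getpwnam_ci()` and `resolve_login()` are stand-ins constructed for the example (the table is a made-up sample, and `getpwnam_ci()` imitates a Cygwin-style lookup that ignores case). It differs from the auth.c hunk in one respect: the NULL lookup result is tested before the name comparison.

```c
/*
 * Added example, not OpenSSH code: model of a login-name canonicalisation
 * check on a system whose account lookup is case-insensitive.
 * demo_passwd and getpwnam_ci() are constructed stand-ins for /etc/passwd
 * and a Cygwin-style getpwnam().
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stddef.h>

struct demo_pw {
    const char *pw_name;   /* canonical spelling as stored in the database */
    int         pw_uid;
};

/* Constructed sample account database. */
static const struct demo_pw demo_passwd[] = {
    { "user",  1000 },
    { "Admin", 1001 },
};

/* Stand-in for a case-insensitive getpwnam(): NULL when nothing matches. */
static const struct demo_pw *getpwnam_ci(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(demo_passwd) / sizeof(demo_passwd[0]); i++)
        if (strcasecmp(name, demo_passwd[i].pw_name) == 0)
            return &demo_passwd[i];
    return NULL;
}

enum login_result {
    LOGIN_OK = 0,
    LOGIN_NO_SUCH_USER,     /* lookup found nothing */
    LOGIN_CASE_MISMATCH     /* lookup matched, but not with this spelling */
};

/*
 * Resolve a login name the way the patches intend, with the NULL lookup
 * result handled before the comparison. Only the stored spelling is
 * accepted, so "usEr" and "USER" are rejected even though the lookup
 * would have returned the "user" entry for them.
 */
enum login_result resolve_login(const char *login, const struct demo_pw **out)
{
    const struct demo_pw *pw = getpwnam_ci(login);

    *out = NULL;
    if (pw == NULL)
        return LOGIN_NO_SUCH_USER;
    if (strcmp(login, pw->pw_name) != 0)
        return LOGIN_CASE_MISMATCH;
    *out = pw;
    return LOGIN_OK;
}

/* Text an operator would see in the log for each outcome. */
const char *login_result_str(enum login_result r)
{
    switch (r) {
    case LOGIN_OK:            return "accepted";
    case LOGIN_NO_SUCH_USER:  return "invalid user";
    case LOGIN_CASE_MISMATCH: return "login name does not match stored username";
    }
    return "unknown";
}

int main(void)
{
    const char *tries[] = { "user", "usEr", "USER", "admin", "Admin", "nobody" };
    size_t i;

    for (i = 0; i < sizeof(tries) / sizeof(tries[0]); i++) {
        const struct demo_pw *pw;
        enum login_result r = resolve_login(tries[i], &pw);
        printf("%-7s -> %s (uid %d)\n", tries[i], login_result_str(r),
               pw != NULL ? pw->pw_uid : -1);
    }
    return 0;
}
```

Running it shows "user" and "Admin" accepted, the mixed-case spellings rejected with the mismatch message, and "nobody" rejected as an invalid user without touching a NULL entry.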
From: Zube at CS.ColoState.EDU (Zube)
Date: Sat, 27 Feb 2010 09:15:28 -0700
Subject: build failure 20100228, Solaris 9 sparc, gcc 3.4.6
Message-ID: <20100227161528.GA11992@mozart.cs.colostate.edu>

Failure on Solaris 9 sparc:

Undefined                       first referenced
 symbol                             in file
seed_rng                            openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o)
ld: fatal: Symbol referencing errors. No output written to ssh-pkcs11-helper
collect2: ld returned 1 exit status
gmake: *** [ssh-pkcs11-helper] Error 1

From lists at spuddy.org Sun Feb 28 04:18:24 2010
From: lists at spuddy.org (Stephen Harris)
Date: Sat, 27 Feb 2010 12:18:24 -0500
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References: <20100227120819.GA2665@mercury.spuddy.org>
Message-ID: <20100227171824.GA12458@mercury.spuddy.org>

On Sun, Feb 28, 2010 at 03:26:01AM +1100, Damien Miller wrote:
> On Sat, 27 Feb 2010, Stephen Harris wrote:
>
> > On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller wrote:
> > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible. This is a big release,
> > > with a number of major new features and many bug fixes.
> >
> > It's been a number of years since I've done this, so please excuse me if
> > I'm lacking information in my report
>
> Please try this patch:

Compilation completed, last line of "make tests" is "all tests passed".
(sudo required tests appeared to have been skipped)

Complete test output follows in case it helps you.

(Again, for record, CentOS 5.4 32bit)

BUILDDIR=`pwd`; \
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
TEST_SHELL="sh"; \
TEST_SSH_SSH="${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHPKCS11HELPER="${BUILDDIR}/ssh-pkcs11-helper"; \
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \
TEST_SSH_PLINK="plink"; \
TEST_SSH_PUTTYGEN="puttygen"; \
TEST_SSH_CONCH="conch"; \
TEST_SSH_IPV6="yes" ; \
cd ./regress || exit $?; \
make \
	.OBJDIR="${BUILDDIR}/regress" \
	.CURDIR="`pwd`" \
	BUILDDIR="${BUILDDIR}" \
	OBJ="${BUILDDIR}/regress/" \
	PATH="${BUILDDIR}:${PATH}" \
	TEST_SHELL="${TEST_SHELL}" \
	TEST_SSH_SSH="${TEST_SSH_SSH}" \
	TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
	TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
	TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
	TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
	TEST_SSH_SSHPKCS11HELPER="${TEST_SSH_SSHPKCS11HELPER}" \
	TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
	TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
	TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
	TEST_SSH_PLINK="${TEST_SSH_PLINK}" \
	TEST_SSH_PUTTYGEN="${TEST_SSH_PUTTYGEN}" \
	TEST_SSH_CONCH="${TEST_SSH_CONCH}" \
	TEST_SSH_IPV6="yes" \
	EXEEXT="" \
	tests && echo all tests passed
make[1]: Entering directory `/datadisk/home/sweh/ssh_testing/openssh/regress'
ssh-keygen -if /home/sweh/ssh_testing/openssh/regress/rsa_ssh2.prv | diff - /home/sweh/ssh_testing/openssh/regress/rsa_openssh.prv
cat /home/sweh/ssh_testing/openssh/regress/rsa_openssh.prv > /home/sweh/ssh_testing/openssh/regress//t2.out
chmod 600 /home/sweh/ssh_testing/openssh/regress//t2.out
ssh-keygen -yf /home/sweh/ssh_testing/openssh/regress//t2.out | diff - /home/sweh/ssh_testing/openssh/regress/rsa_openssh.pub
ssh-keygen -ef /home/sweh/ssh_testing/openssh/regress/rsa_openssh.pub >/home/sweh/ssh_testing/openssh/regress//rsa_secsh.pub
ssh-keygen -if /home/sweh/ssh_testing/openssh/regress//rsa_secsh.pub | diff - /home/sweh/ssh_testing/openssh/regress/rsa_openssh.pub
rm -f /home/sweh/ssh_testing/openssh/regress/rsa_secsh.pub
ssh-keygen -lf /home/sweh/ssh_testing/openssh/regress/rsa_openssh.pub |\
	awk '{print $2}' | diff - /home/sweh/ssh_testing/openssh/regress/t4.ok
ssh-keygen -Bf /home/sweh/ssh_testing/openssh/regress/rsa_openssh.pub |\
	awk '{print $2}' | diff - /home/sweh/ssh_testing/openssh/regress/t5.ok
ssh-keygen -if /home/sweh/ssh_testing/openssh/regress/dsa_ssh2.prv > /home/sweh/ssh_testing/openssh/regress//t6.out1
ssh-keygen -if /home/sweh/ssh_testing/openssh/regress/dsa_ssh2.pub > /home/sweh/ssh_testing/openssh/regress//t6.out2
chmod 600 /home/sweh/ssh_testing/openssh/regress//t6.out1
ssh-keygen -yf /home/sweh/ssh_testing/openssh/regress//t6.out1 | diff - /home/sweh/ssh_testing/openssh/regress//t6.out2
ssh-keygen -q -t rsa -N '' -f /home/sweh/ssh_testing/openssh/regress//t7.out
ssh-keygen -lf /home/sweh/ssh_testing/openssh/regress//t7.out > /dev/null
ssh-keygen -Bf /home/sweh/ssh_testing/openssh/regress//t7.out > /dev/null
run test connect.sh ...
ok simple connect
run test proxy-connect.sh ...
ok proxy connect
run test connect-privsep.sh ...
ok proxy connect with privsep
run test proto-version.sh ...
ok sshd version with different protocol combinations
run test proto-mismatch.sh ...
ok protocol version mismatch
run test exit-status.sh ...
test remote exit status: proto 1 status 0
test remote exit status: proto 1 status 1
test remote exit status: proto 1 status 4
test remote exit status: proto 1 status 5
test remote exit status: proto 1 status 44
test remote exit status: proto 2 status 0
test remote exit status: proto 2 status 1
test remote exit status: proto 2 status 4
test remote exit status: proto 2 status 5
test remote exit status: proto 2 status 44
ok remote exit status
run test envpass.sh ...
test environment passing: pass env, don't accept
test environment passing: don't pass env, accept
test environment passing: pass single env, accept single env
test environment passing: pass multiple env, accept multiple env
ok environment passing
run test transfer.sh ...
transfer data: proto 1
transfer data: proto 2
ok transfer data
run test banner.sh ...
test banner: missing banner file
test banner: size 0
test banner: size 10
test banner: size 100
test banner: size 1000
test banner: size 10000
test banner: size 100000
test banner: suppress banner (-q)
ok banner
run test rekey.sh ...
ok rekey during transfer data
run test stderr-data.sh ...
test stderr data transfer: proto 1 ()
test stderr data transfer: proto 2 ()
test stderr data transfer: proto 1 (-n)
test stderr data transfer: proto 2 (-n)
ok stderr data transfer
run test stderr-after-eof.sh ...
ok stderr data after eof
run test broken-pipe.sh ...
ok broken pipe test
run test try-ciphers.sh ...
test try ciphers: proto 2 cipher aes128-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes128-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes128-cbc mac umac-64 at openssh.com
test try ciphers: proto 2 cipher aes128-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes128-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher 3des-cbc mac hmac-sha1
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5
test try ciphers: proto 2 cipher 3des-cbc mac umac-64 at openssh.com
test try ciphers: proto 2 cipher 3des-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-sha1
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-md5
test try ciphers: proto 2 cipher blowfish-cbc mac umac-64 at openssh.com
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher cast128-cbc mac hmac-sha1
test try ciphers: proto 2 cipher cast128-cbc mac hmac-md5
test try ciphers: proto 2 cipher cast128-cbc mac umac-64 at openssh.com
test try ciphers: proto 2 cipher cast128-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher cast128-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher arcfour128 mac hmac-sha1
test try ciphers: proto 2 cipher arcfour128 mac hmac-md5
test try ciphers: proto 2 cipher arcfour128 mac umac-64 at openssh.com
test try ciphers: proto 2 cipher arcfour128 mac hmac-sha1-96
test try ciphers: proto 2 cipher arcfour128 mac hmac-md5-96
test try ciphers: proto 2 cipher arcfour256 mac hmac-sha1
test try ciphers: proto 2 cipher arcfour256 mac hmac-md5
test try ciphers: proto 2 cipher arcfour256 mac umac-64 at openssh.com
test try ciphers: proto 2 cipher arcfour256 mac hmac-sha1-96
test try ciphers: proto 2 cipher arcfour256 mac hmac-md5-96
test try ciphers: proto 2 cipher arcfour mac hmac-sha1
test try ciphers: proto 2 cipher arcfour mac hmac-md5
test try ciphers: proto 2 cipher arcfour mac umac-64 at openssh.com
test try ciphers: proto 2 cipher arcfour mac hmac-sha1-96
test try ciphers: proto 2 cipher arcfour mac hmac-md5-96
test try ciphers: proto 2 cipher aes192-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes192-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes192-cbc mac umac-64 at openssh.com
test try ciphers: proto 2 cipher aes192-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes192-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher aes256-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes256-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes256-cbc mac umac-64 at openssh.com
test try ciphers: proto 2 cipher aes256-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes256-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-sha1
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-md5
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac umac-64 at openssh.com
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-sha1-96
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-md5-96
test try ciphers: proto 2 cipher aes128-ctr mac hmac-sha1
test try ciphers: proto 2 cipher aes128-ctr mac hmac-md5
test try ciphers: proto 2 cipher aes128-ctr mac umac-64 at openssh.com
test try ciphers: proto 2 cipher aes128-ctr mac hmac-sha1-96
test try ciphers: proto 2 cipher aes128-ctr mac hmac-md5-96
test try ciphers: proto 2 cipher aes192-ctr mac hmac-sha1
test try ciphers: proto 2 cipher aes192-ctr mac hmac-md5
test try ciphers: proto 2 cipher aes192-ctr mac umac-64 at openssh.com
test try ciphers: proto 2 cipher aes192-ctr mac hmac-sha1-96
test try ciphers: proto 2 cipher aes192-ctr mac hmac-md5-96
test try ciphers: proto 2 cipher aes256-ctr mac hmac-sha1
test try ciphers: proto 2 cipher aes256-ctr mac hmac-md5
test try ciphers: proto 2 cipher aes256-ctr mac umac-64 at openssh.com
test try ciphers: proto 2 cipher aes256-ctr mac hmac-sha1-96
test try ciphers: proto 2 cipher aes256-ctr mac hmac-md5-96
test try ciphers: proto 1 cipher 3des
test try ciphers: proto 1 cipher blowfish
test try ciphers: proto 2 cipher acss at openssh.org mac hmac-sha1
test try ciphers: proto 2 cipher acss at openssh.org mac hmac-md5
test try ciphers: proto 2 cipher acss at openssh.org mac umac-64 at openssh.com
test try ciphers: proto 2 cipher acss at openssh.org mac hmac-sha1-96
test try ciphers: proto 2 cipher acss at openssh.org mac hmac-md5-96
ok try ciphers
run test yes-head.sh ...
ok yes pipe head
run test login-timeout.sh ...
ok connect after login grace timeout
run test agent.sh ...
ok simple agent test
run test agent-getpeereid.sh ...
skipped: need SUDO to switch to uid nobody
run test agent-timeout.sh ...
ok agent timeout test
run test agent-ptrace.sh ...
skipped (SUDO not set)
run test keyscan.sh ...
ok keyscan
run test keygen-change.sh ...
ok change passphrase for key
run test keygen-convert.sh ...
ok convert keys
run test key-options.sh ...
key option proto 1 command="echo bar"
key option proto 1 no-pty,command="echo bar"
key option proto 2 command="echo bar"
key option proto 2 no-pty,command="echo bar"
key option proto 1 no-pty
key option proto 2 no-pty
key option proto 1 environment
key option proto 2 environment
key option proto 1 from="127.0.0.1"
key option proto 1 from="127.0.0.0/8"
key option proto 2 from="127.0.0.1"
key option proto 2 from="127.0.0.0/8"
ok key options
run test scp.sh ...
scp: simple copy local file to local file
scp: simple copy local file to remote file
scp: simple copy remote file to local file
scp: simple copy local file to remote dir
scp: simple copy local file to local dir
scp: simple copy remote file to local dir
scp: recursive local dir to remote dir
scp: recursive local dir to local dir
scp: recursive remote dir to local dir
scp: shell metacharacters
scp: disallow bad server #0
scp: disallow bad server #1
scp: disallow bad server #2
scp: disallow bad server #3
scp: disallow bad server #4
scp: detect non-directory target
/home/sweh/ssh_testing/openssh/regress/copy2: Not a directory
ok scp
run test sftp.sh ...
test basic sftp put/get: buffer_size 5 num_requests 1
test basic sftp put/get: buffer_size 5 num_requests 2
test basic sftp put/get: buffer_size 5 num_requests 10
test basic sftp put/get: buffer_size 1000 num_requests 1
test basic sftp put/get: buffer_size 1000 num_requests 2
test basic sftp put/get: buffer_size 1000 num_requests 10
test basic sftp put/get: buffer_size 32000 num_requests 1
test basic sftp put/get: buffer_size 32000 num_requests 2
test basic sftp put/get: buffer_size 32000 num_requests 10
test basic sftp put/get: buffer_size 64000 num_requests 1
test basic sftp put/get: buffer_size 64000 num_requests 2
test basic sftp put/get: buffer_size 64000 num_requests 10
ok basic sftp put/get
run test sftp-cmds.sh ...
rm: cannot remove `.' or `..'
rm: cannot remove `.' or `..'
sftp commands: lls
sftp commands: lls w/path
sftp commands: ls
sftp commands: shell
sftp commands: pwd
sftp commands: lpwd
sftp commands: quit
sftp commands: help
sftp commands: get
sftp commands: get quoted
sftp commands: get filename with quotes
sftp commands: get filename with spaces
sftp commands: get filename with glob metacharacters
sftp commands: get to directory
sftp commands: glob get to directory
sftp commands: get to local dir
sftp commands: glob get to local dir
sftp commands: put
sftp commands: put filename with quotes
sftp commands: put filename with spaces
sftp commands: put to directory
sftp commands: glob put to directory
sftp commands: put to local dir
sftp commands: glob put to local dir
sftp commands: rename
sftp commands: rename directory
sftp commands: ln
sftp commands: mkdir
sftp commands: chdir
sftp commands: rmdir
sftp commands: lmkdir
sftp commands: lchdir
rm: cannot remove `.' or `..'
rm: cannot remove `.' or `..'
ok sftp commands
run test sftp-badcmds.sh ...
sftp invalid commands: get nonexistent
sftp invalid commands: glob get to nonexistent directory
sftp invalid commands: put nonexistent
sftp invalid commands: glob put to nonexistent directory
sftp invalid commands: rename nonexistent
sftp invalid commands: rename target exists (directory)
sftp invalid commands: glob put files to local file
ok sftp invalid commands
run test sftp-batch.sh ...
sftp batchfile: good commands
sftp batchfile: bad commands
sftp batchfile: comments and blanks
sftp batchfile: junk command
ok sftp batchfile
run test sftp-glob.sh ...
sftp glob: file glob
sftp glob: dir glob
sftp glob: quoted glob
sftp glob: escaped glob
sftp glob: escaped quote
sftp glob: quoted quote
sftp glob: single-quoted quote
sftp glob: escaped slash
sftp glob: quoted slash
sftp glob: escaped slash at EOL
sftp glob: quoted slash at EOL
sftp glob: escaped slash+quote
sftp glob: quoted slash+quote
sftp glob: escaped space
sftp glob: quoted space
ok sftp glob
run test reconfigure.sh ...
ok simple connect after reconfigure
run test dynamic-forward.sh ...
ok dynamic forwarding
run test forwarding.sh ...
ok local and remote forwarding
run test multiplex.sh ...
test connection multiplexing: envpass
test connection multiplexing: transfer
test connection multiplexing: status 0
test connection multiplexing: status 1
test connection multiplexing: status 4
test connection multiplexing: status 5
test connection multiplexing: status 44
Master running (pid=15820)
Exit request sent.
ok connection multiplexing
run test reexec.sh ...
test config passing
reexec tests: proto 1
reexec tests: proto 2
test reexec fallback
reexec tests: proto 1
reexec tests: proto 2
test reexec fallback without privsep
reexec tests: proto 1
reexec tests: proto 2
ok reexec tests
run test brokenkeys.sh ...
ok broken keys
run test cfgmatch.sh ...
ok sshd_config match
run test addrmatch.sh ...
test permit, first entry for user 192.168.0.1 somehost
test deny, negative match for user 192.168.30.1 somehost
test deny, no match for user 19.0.0.1 somehost
test permit, list middle for user 10.255.255.254 somehost
test deny, faked IP in hostname for user 192.168.30.1 192.168.0.1
test permit, bare IP4 address for user 1.1.1.1 somehost.example.com
test permit, bare IP6 address for user ::1 somehost.example.com
test deny IPv6 for user ::2 somehost.exaple.com
test deny IP6 negated for user ::3 somehost
test deny, IP6 no match for user ::4 somehost
test permit, IP6 network for user 2000::1 somehost
test deny, IP6 network for user 2001::1 somehost
ok address match
run test localcommand.sh ...
test localcommand: proto 1 localcommand
test localcommand: proto 2 localcommand
ok localcommand
run test forcecommand.sh ...
ok forced command
run test portnum.sh ...
port number parsing: invalid port 0
port number parsing: invalid port 65536
port number parsing: invalid port 131073
port number parsing: invalid port 2000blah
port number parsing: invalid port blah2000
port number parsing: valid port 1
port number parsing: valid port 22
port number parsing: valid port 2222
port number parsing: valid port 22222
port number parsing: valid port 65535
ok port number parsing
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
certified host keys: test host cert connect cert expired expect failure
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
ok certified host keys
run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
certified user keys: user dsa cert connect privsep yes
certified user keys: user rsa cert connect privsep no
certified user keys: user dsa cert connect privsep no
certified user keys: ensure CA key does not authenticate user
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
ok certified user keys
make[1]: Leaving directory `/datadisk/home/sweh/ssh_testing/openssh/regress'
all tests passed

-- 
rgds
Stephen

From Zube at CS.ColoState.EDU Sun Feb 28 04:59:15 2010
From: Zube at CS.ColoState.EDU (Zube)
Date: Sat, 27 Feb 2010 10:59:15 -0700
Subject: Solaris 9 sparc success after posted patch
Message-ID: <20100227175915.GA12129@mozart.cs.colostate.edu>

After the patch recently posted, Solaris 9 sparc, gcc 3.4.6:

"all tests passed"

Thank you for the quick patch.

Zube

From dkg at fifthhorseman.net Sun Feb 28 07:03:53 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 27 Feb 2010 15:03:53 -0500
Subject: OpenSSH PKI [was: Re: Call for testing: OpenSSH-5.4]
In-Reply-To:
References:
Message-ID: <4B897AA9.7080405@fifthhorseman.net>

Hi Damien--

On 02/27/2010 02:25 AM, Damien Miller wrote:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

This is exciting news, thanks!

As a contributor to the Monkeysphere (OpenPGP certificates for SSH and
TLS [0]), i'm particularly interested in this bit:

> * Add support for certificate authentication of users and hosts using a
>   new, minimal OpenSSH certificate format (not X.509). Certificates
>   contain a public key, identity information and some validity
>   constraints and are signed with a standard SSH public key using
>   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>   (for user authentication) or known_hosts (for host authentication).
>
>   Documentation for certificate support may be found in ssh-keygen(1),
>   sshd(8) and ssh(1) and a description of the protocol changes in
>   PROTOCOL.certkeys.

My initial reaction is surprise -- i had no idea that this was in the
works. Where would i have found out that this was being proposed if i
wanted to contribute to the work here? I don't see any mention of it in
the bug tracker, and if there was discussion about it on this list then
i missed it somehow. Should i be subscribed to some other discussion
list to get a heads-up about this sort of thing? Is there something
else i should follow?

I have some concerns about the model and the implementation, based on
what i've read from PROTOCOL.certkeys and the various referenced man
pages in cvs HEAD:

0) Yet another certificate format, introducing a novel PKI -- seems
like this opens the door to a lot of potential trouble. Simplicity is a
good reason to avoid PKI entirely, and OpenSSH has done right by this
model so far. But the PKI-less model has its limitations, and when the
need for a PKI seems apparent, there are at least two well-known PKIs
(OpenPGP and X.509) with decent communities who can contribute insights
on what might work and what might cause trouble down the line. The
model proposed here is simpler than either existing PKI, but it also
seems to have had far less scrutiny, and is OpenSSH-specific, as far as
i can tell. OpenSSH doesn't rely on novel/unique asymmetric crypto
algorithms, symmetric ciphers, or message digests. Why should
certificate formats and PKI be different?

1) Revocations -- there is no room in the infrastructure i can see for
revocations. What should a certificate authority do if it discovers
that the private key belonging to a certificate has been compromised,
and the certificate is not yet expired? What should a server operator
do who knows this situation, but currently relies on other
certifications from that CA?

2) Tight coupling of authentication and authorization -- there are
sometimes good reasons to do this, but it makes certification more
difficult, and makes policy much more inflexible for system
administrators. One example of the added complexity the conflation
creates is a combinatoric one: say i should be allowed to ssh to
dkg at example.com to do whatever i want with my account. But i should
*also* be allowed access to our organization's SVN repository over ssh
at svn at example.com constrained by a ForceCommand that only allows
certain subversion operations. i don't think that's representable in
this certificate format. More generally, a local machine administrator
might be fine relying on an external authority to identify remote
parties, but might want to authorize different commands for local
accounts based on that authentication. Having this tightly coupled
model means those local administrators must either accept authorization
information from the CAs, or not use certificates at all.

3) Multiple certs over the same key from different issuers -- Say i use
the same key to identify myself to machines from multiple domains. if
each of those domains runs their own internal certificate authority,
i'll have two different versions of id_rsa_cert.pub, right? i see no
documentation to indicate how to choose between them in ssh(1) or
ssh_config(5).

4) definition of "valid principals" seems underdeveloped in
PROTOCOL.certkeys -- For example, there was discussion on-list recently
about case insensitivity on some systems (cygwin at least) -- are these
expected to match the name of the remote account entirely? If i certify
a key for "foo" does that work on all "foo" accounts on every machine
that trusts my CA? Can user accounts be specified targeted to a
specific machine (e.g. "foo at server3.example.net")? if so, how would
sshd make authorization decisions based on the hostname part of the
user name?

5) interaction with ssh-agent -- does the agent know about
certificates? Can it offer them to a compatible ssh client process? If
not, how should a user take advantage of both features? If so, is this
a change in the ssh-agent protocol that compatible ssh-agent
implementations should be made aware of?

Anyway, these are my immediate reactions to this proposal of new
certificate formats for OpenSSH. My current thinking is that this
particular change should be pushed back to a later version for more
discussion, but of course that's not my call to make.

I'd appreciate any feedback on the thoughts and concerns raised above.

As always, thanks for all the work on this excellent tool.

Regards,

--dkg

[0] http://web.monkeysphere.info/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 891 bytes
Desc: OpenPGP digital signature
URL:

From petesea at bigfoot.com Sun Feb 28 07:03:52 2010
From: petesea at bigfoot.com (petesea at bigfoot.com)
Date: Sat, 27 Feb 2010 12:03:52 -0800 (PST)
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID:

On Sat, 28 Feb 2010 Damien Miller wrote:

> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

Is there any chance this could be fixed for 5.4?

http://marc.info/?l=openssh-unix-dev&m=126533947629149&w=2

I just retested with the 20100228 SNAP and see the same results as in
the above link.

I've added a bug report:

https://bugzilla.mindrot.org/show_bug.cgi?id=1719

From djm at mindrot.org Sun Feb 28 15:37:22 2010
From: djm at mindrot.org (Damien Miller)
Date: Sun, 28 Feb 2010 15:37:22 +1100 (EST)
Subject: build failure 20100228, Solaris 9 sparc, gcc 3.4.6
In-Reply-To: <20100227161528.GA11992@mozart.cs.colostate.edu>
References: <20100227161528.GA11992@mozart.cs.colostate.edu>
Message-ID:

This should be fixed in the next snapshot, or already in CVS.

-d

On Sat, 27 Feb 2010, Zube wrote:

> Failure on Solaris 9 sparc:
>
> Undefined                       first referenced
>  symbol                             in file
> seed_rng                            openbsd-compat//libopenbsd-compat.a(bsd-arc4random.o)
> ld: fatal: Symbol referencing errors. No output written to ssh-pkcs11-helper
> collect2: ld returned 1 exit status
> gmake: *** [ssh-pkcs11-helper] Error 1
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From djm at mindrot.org Sun Feb 28 16:16:16 2010
From: djm at mindrot.org (Damien Miller)
Date: Sun, 28 Feb 2010 16:16:16 +1100 (EST)
Subject: OpenSSH PKI [was: Re: Call for testing: OpenSSH-5.4]
In-Reply-To: <4B897AA9.7080405@fifthhorseman.net>
References: <4B897AA9.7080405@fifthhorseman.net>
Message-ID:

On Sat, 27 Feb 2010, Daniel Kahn Gillmor wrote:

> Hi Damien--
>
> On 02/27/2010 02:25 AM, Damien Miller wrote:
> > OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release,
> > with a number of major new features and many bug fixes.
>
> This is exciting news, thanks!
>
> As a contributor to the Monkeysphere (OpenPGP certificates for SSH and
> TLS [0]), i'm particularly interested in this bit:
>
> > * Add support for certificate authentication of users and hosts using a
> >   new, minimal OpenSSH certificate format (not X.509). Certificates
> >   contain a public key, identity information and some validity
> >   constraints and are signed with a standard SSH public key using
> >   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
> >   (for user authentication) or known_hosts (for host authentication).
> >
> >   Documentation for certificate support may be found in ssh-keygen(1),
> >   sshd(8) and ssh(1) and a description of the protocol changes in
> >   PROTOCOL.certkeys.
>
> My initial reaction is surprise -- i had no idea that this was in the
> works. Where would i have found out that this was being proposed if i
> wanted to contribute to the work here? I don't see any mention of it in
> the bug tracker, and if there was discussion about it on this list then
> i missed it somehow. Should i be subscribed to some other discussion
> list to get a heads-up about this sort of thing? Is there something
> else i should follow?

No, I discussed it privately with the other OpenSSH developers at the
OpenBSD network hackathon a month ago and ran it past some of the
cryptographers who are still speaking to me.
> I have some concerns about the model and the implementation, based on
> what i've read from PROTOCOL.certkeys and the various referenced man
> pages in cvs HEAD:
>
> 0) Yet another certificate format, introducing a novel PKI -- seems
> like this opens the door to a lot of potential trouble. Simplicity is a
> good reason to avoid PKI entirely, and OpenSSH has done right by this
> model so far. But the PKI-less model has its limitations, and when the
> need for a PKI seems apparent, there are at least two well-known PKIs
> (OpenPGP and X.509) with decent communities who can contribute insights
> on what might work and what might cause trouble down the line. The
> model proposed here is simpler than either existing PKI, but it also
> seems to have had far less scrutiny, and is OpenSSH-specific, as far as
> i can tell. OpenSSH doesn't rely on novel/unique asymmetric crypto
> algorithms, symmetric ciphers, or message digests. Why should
> certificate formats and PKI be different?

I think the PROTOCOL.certkeys explains that already: these certificates
are intended to be _very_ simple and add little attack surface to
OpenSSH's critical preauth phase. They use the same wire encoding and
the same signature algorithms and representation as traditional SSH
public key authentication.

Both OpenPGP and X.509 are way more complex. OpenPGP has IIRC four ways
just to encode a length field and ASN.1 is much worse still. Apart from
the encoding complexity, the semantics of authorization using X.509
and, particularly, OpenPGP are more complicated too.

> 1) Revocations -- there is no room in the infrastructure i can see for
> revocations. What should a certificate authority do if it discovers
> that the private key belonging to a certificate has been compromised,
> and the certificate is not yet expired? What should a server operator
> do who knows this situation, but currently relies on other
> certifications from that CA?

Revocation is planned to be implemented as a simple file containing a
list of banned keys.

> 2) Tight coupling of authentication and authorization -- there are
> sometimes good reasons to do this, but it makes certification more
> difficult, and makes policy much more inflexible for system
> administrators. One example of the added complexity the conflation
> creates is a combinatoric one: say i should be allowed to ssh to
> dkg at example.com to do whatever i want with my account. But i should
> *also* be allowed access to our organization's SVN repository over ssh
> at svn at example.com constrained by a ForceCommand that only allows
> certain subversion operations. i don't think that's representable in
> this certificate format. More generally, a local machine administrator
> might be fine relying on an external authority to identify remote
> parties, but might want to authorize different commands for local
> accounts based on that authentication. Having this tightly coupled
> model means those local administrators must either accept authorization
> information from the CAs, or not use certificates at all.

That's sort of the point - the CA is trusted to set authorisation policy
for the administrative domain defined by the set of hosts that trust its
key. This is fully optional too - all the authorized_keys and sshd_config
authorization options apply too, so no functionality is lost if the CA
wants to be authentication only.

> 3) Multiple certs over the same key from different issuers -- Say i use
> the same key to identify myself to machines from multiple domains. if
> each of those domains runs their own internal certificate authority,
> i'll have two different versions of id_rsa_cert.pub, right? i see no
> documentation to indicate how to choose between them in ssh(1) or
> ssh_config(5).

I won't say that I have gone out of my way to make this difficult, but
it doesn't make me sad that the human interface discourages key sharing
between different trust domains.
> 4) definition of "valid principals" seems underdeveloped in > PROTOCOL.certkeys -- For example, there was discussion on-list recently > about case insensitivity on some systems (cygwin at least) -- are these > expected to match the name of the remote account entirely? yes. > If i certify > a key for "foo" does that work on all "foo" accounts on every machine > that trusts my CA? yes. Remember that CA keys can be trusted on an account by account basis, so if there are subsets of hosts within a domain that use a different naming scheme then the users who trust the CA for login can be subsetted. I'm planning to add a sshd-wide (well, Match block wide) way to specify trusted CA keys too. > Can user accounts be specified targetted to a > specific machine (e.g. "foo at server3.example.net")? if so, how would > sshd make authorization decisions based on the hostname part of the user > name? The certificate format is extensible. I considered a SSH2_CERT_TYPE_USER_HOST certificate type, but punted on it for the initial revision precisely because I wasn't clear what semantics should be used to define the hostname and whether or not to include wildcards. Hosts on which a cert is valid could also be expressed as a certificate constraint, I'm not sure which is nicer. > 5) interaction with ssh-agent -- does the agent know about > certificates? Can it offer them to a compatible ssh client process? If > not, how should a user take advantage of both features? If so, is this > a change in the ssh-agent protocol that compatible ssh-agent > implementations should be made aware of? Yes, it will try to load the corresponding *-cert.pub files and should send them, just like other keys. > Anyway, these are my immediate reactions to this proposal of new > certificate formats for OpenSSH. My current thinking is that this > particular change should be pushed back to a later version for more > discussion, but of course that's not my call to make. 
I don't think there is any reason to remove it. If people don't like it
they can not switch it on. The certificate format is extensible, and
several of the things that you asked for above could be accommodated
using the extension mechanisms already present (even without touching the
"reserved" field in the cert).

-d

From vinschen at redhat.com Sun Feb 28 23:59:26 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Sun, 28 Feb 2010 13:59:26 +0100
Subject: case sensitivity, "Match User" and "AllowUsers"
In-Reply-To:
References: <20100202113902.GA19205@calimero.vinschen.de> <12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com> <20100218155921.GS5683@calimero.vinschen.de>
Message-ID: <20100228125926.GA30136@calimero.vinschen.de>

Hi Damien,

On Feb 28 03:39, Damien Miller wrote:
> Unfortunately, that patch only deals with SSHv2 connections. How about
> this?
>
> Index: auth.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth.c,v
> retrieving revision 1.136
> diff -u -r1.136 auth.c
> --- auth.c 11 Feb 2010 22:25:29 -0000 1.136
> +++ auth.c 27 Feb 2010 16:36:25 -0000
> @@ -535,6 +535,13 @@ > get_canonical_hostname(options.use_dns), get_remote_ipaddr()); > > pw = getpwnam(user); > +#if HAVE_CYGWIN > + if (strcmp(user, pw->pw_name) != 0) { > + logit("Login name %.100s does not match stored username %.100s", > + user, pw->pw_name); > + pw = NULL; > + } > +#endif > if (pw == NULL) { > logit("Invalid user %.100s from %.100s", > user, get_remote_ipaddr()); Yes, that's better. There are just a few glitches. The test for pw == NULL should come first and the #if should be an #ifdef. And I think it wouldn't hurt to have a comment which explains why this is done. What about this? Index: auth.c =================================================================== RCS file: /cvs/openssh/auth.c,v retrieving revision 1.136 diff -u -p -r1.136 auth.c --- auth.c 11 Feb 2010 22:25:29 -0000 1.136 +++ auth.c 28 Feb 2010 12:52:25 -0000 
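Review bot: in the quoted hunk above (the first patch, against auth.c 1.136 at line 535), the new `strcmp(user, pw->pw_name)` runs before the existing `if (pw == NULL)` test, so a login name that `getpwnam()` does not find dereferences a NULL `pw` in the pre-auth path instead of reaching the "Invalid user" log line; move the comparison below the NULL check, or guard it with `pw != NULL &&`. The `#if HAVE_CYGWIN` also depends on the macro carrying a non-zero value; `#ifdef HAVE_CYGWIN` matches the `#ifdef HAVE_LOGIN_CAP` style used elsewhere in the file and works however configure defines it.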
@@ -547,6 +547,18 @@ getpwnamallow(const char *user) #endif /* SSH_AUDIT_EVENTS */ return (NULL); } +#ifdef HAVE_CYGWIN + /* Windows usernames are case-insensitive. To avoid later problems + * when trying to match the username, the user is only allowed to + * login if the username is given in the same case as stored in the + * user database. + */ + if (strcmp(user, pw->pw_name) != 0) { + logit("Login name %.100s does not match stored username %.100s", + user, pw->pw_name); + pw = NULL; + } +#endif if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP > I'm a little worried about enabling this outside of Cygwin, since > I'm not sure whether multiple UID-sharing accounts are guaranteed to > deterministically return the username that was used to look them up. This would affect Cygwin as well since nothing keeps an administrator to add two accounts using different usernames to /etc/passwd. However, since you're not searching by uid, but by name, it's incredibly unlikely that the returned entry is an entry not matching the name. Anyway, if you're happy to keep this code Cygwin-only, I'm happy as well. Thanks, Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat
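Review bot: in the `#ifdef HAVE_CYGWIN` block, after the mismatch sets `pw = NULL` control falls through to `if (!allowed_user(pw))` instead of returning, so the rejection relies on allowed_user() handling a NULL argument and skips whatever the `pw == NULL` branch just above does before its `return (NULL)` (the `#endif /* SSH_AUDIT_EVENTS */` context shows an audit hook on that path). Return NULL directly from the mismatch branch, with the same audit event as the invalid-user path, so the two rejections are indistinguishable to an attacker probing account names and identical in the logs. The comment is a good addition; it could also state that the check is what makes "Match User" and "AllowUsers" entries, which are compared byte for byte, agree with the account the session will run as.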
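To make the failure mode in this thread concrete, here is an added example that is not OpenSSH code and not from any of the posters. It models, on a constructed passwd table, what the original report describes: a Cygwin-style getpwnam() that matches the login name case-insensitively, an "AllowUsers user" entry, a "Match User user / ForceCommand start.sh" block, and the byte-for-byte login-name check that the patch above adds. It also covers Damien's earlier answer that a certificate's valid principals must match the account name entirely, to show that exact matching in the principal list fails closed for a mixed-case login, while exact matching in a Match block fails open (the user gets in without the ForceCommand). Two modelling assumptions are mine and not stated in the thread: that AllowUsers is compared against pw->pw_name (the stored spelling) while Match User is compared against the name the client sent, which is how I read auth.c and servconf.c and is consistent with what the original poster observed; and that getpwnam() on Cygwin returns the stored spelling rather than the one supplied. The function names (`getpwnam_ci`, `in_list_exact`, `getpwnamallow_model`, `login_allowed`, `force_command_applies`, `cert_principal_ok`) and the accounts are invented for the example.

```c
/*
 * Added example, not OpenSSH code: models the login-name checks discussed
 * in this thread on a constructed user database. Assumptions (not from the
 * thread): AllowUsers is matched against the stored pw_name, Match User
 * against the client-sent name; getpwnam() on Cygwin matches case-
 * insensitively but returns the stored spelling.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>            /* strcasecmp(3) */

/* Constructed stand-in for the server's user database (not real accounts). */
struct fake_pw {
    const char *pw_name;        /* stored spelling, what getpwnam() returns */
    int pw_uid;
};
static const struct fake_pw passwd_table[] = {
    { "user",  1001 },
    { "alice", 1002 },
};

/* Assumed Cygwin behaviour: case-insensitive name match, stored spelling returned. */
static const struct fake_pw *getpwnam_ci(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof passwd_table / sizeof passwd_table[0]; i++)
        if (strcasecmp(passwd_table[i].pw_name, name) == 0)
            return &passwd_table[i];
    return NULL;
}

/* Exact, case-sensitive membership test over a comma-separated name list.
 * Stands in for AllowUsers, "Match User" and a certificate's valid-principals
 * list (no wildcard support in this model). */
static int in_list_exact(const char *list, const char *name)
{
    size_t n = strlen(name);
    const char *p = list;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* sshd_config from the original post, reduced to the two directives at issue. */
static const char *allow_users = "user";   /* AllowUsers user */
static const char *match_user  = "user";   /* Match User user -> ForceCommand start.sh */

/* Models getpwnamallow(): the entry the session will run as, or NULL if the
 * login is refused. With strict_case set, the login name must equal the
 * stored username byte for byte, which is what the thread's patch adds. */
static const struct fake_pw *getpwnamallow_model(const char *login, int strict_case)
{
    const struct fake_pw *pw = getpwnam_ci(login);
    if (pw == NULL)
        return NULL;                        /* "Invalid user" */
    if (strict_case && strcmp(login, pw->pw_name) != 0)
        return NULL;                        /* "Login name does not match stored username" */
    /* Assumption: AllowUsers is tested against pw->pw_name, the stored
     * spelling, so a mixed-case login still passes here. */
    if (!in_list_exact(allow_users, pw->pw_name))
        return NULL;
    return pw;
}

/* 1 if the login is accepted at all. */
int login_allowed(const char *login, int strict_case)
{
    return getpwnamallow_model(login, strict_case) != NULL;
}

/* 1 if the "Match User" block, and hence ForceCommand, applies to the session.
 * Assumption: Match is evaluated against the name the client sent. */
int force_command_applies(const char *login, int strict_case)
{
    return login_allowed(login, strict_case) && in_list_exact(match_user, login);
}

/* Certificate path: the principal list must contain the account name entirely
 * (per the thread), so a mixed-case login fails closed instead of open. */
int cert_principal_ok(const char *principals, const char *login, int strict_case)
{
    return login_allowed(login, strict_case) && in_list_exact(principals, login);
}

int main(void)
{
    const char *names[] = { "user", "usEr", "USER", "nobody" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-7s unpatched: allowed=%d forcecmd=%d | patched: allowed=%d forcecmd=%d | cert(user): %d\n",
               names[i],
               login_allowed(names[i], 0), force_command_applies(names[i], 0),
               login_allowed(names[i], 1), force_command_applies(names[i], 1),
               cert_principal_ok("user", names[i], 0));
    return 0;
}
```

Running it shows the gap from the original report: unpatched, "usEr" and "USER" are let in by AllowUsers (the stored name "user" is what gets compared) but miss the "Match User user" block, so ForceCommand never runs; with the strict check they are refused outright. The certificate principal check, being exact against the client-sent name, already rejects the mixed-case spellings, which is why the same exactness that is a bypass in an authorization gate is safe in an authentication gate.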