From olecom at gmail.com Mon Aug 1 15:46:36 2011
From: olecom at gmail.com (Oleg Verych)
Date: Mon, 1 Aug 2011 08:46:36 +0300
Subject: Re: sshd’s ForceCommand and ssh’s "–N Do not execute a remote command"

Hi,

2011/7/29 Oleg Verych :
> If `sshd` is configured to have a ForceCommand, no `ssh -N` must skip
> this *forced* server’s setup, isn’t it?
>
> But it isn’t so. Thus, admin may think that the command is forced by a server,
> but user can skip that.
>
> In such case only port forwarding is available, but anyway *force* is
> meaningless, IMHO.

there is more info about this, in case you don't know:
***
Can server disallow -N option?
http://groups.google.com/group/comp.security.ssh/browse_thread/thread/ea54d720ca056c99/11a67bc5f2eac619
***
________

From djm at mindrot.org Tue Aug 2 04:22:21 2011
From: djm at mindrot.org (Damien Miller)
Date: Tue, 2 Aug 2011 04:22:21 +1000 (EST)
Subject: Re: sshd’s ForceCommand and ssh’s "–N Do not execute a remote command"

No, our sshd can't refuse -N. Such a thing is hackish to implement (how do
you distinguish between a client that doesn't open a cmd/shell channel from
one that is merely slow in doing so? what about multiplexing?) and mostly
nonsensical too.

On Mon, 1 Aug 2011, Oleg Verych wrote:

> Hi,
>
> 2011/7/29 Oleg Verych :
>
> > If `sshd` is configured to have a ForceCommand, no `ssh -N` must skip
> > this *forced* server’s setup, isn’t it?
> >
> > But it isn’t so. Thus, admin may think that the command is forced by a server,
> > but user can skip that.
> >
> > In such case only port forwarding is available, but anyway *force* is
> > meaningless, IMHO.
>
> there is more info about this, in case you don't know:
> ***
> Can server disallow -N option?
> http://groups.google.com/group/comp.security.ssh/browse_thread/thread/ea54d720ca056c99/11a67bc5f2eac619
> ***
> ________
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From olecom at gmail.com Tue Aug 2 15:34:55 2011
From: olecom at gmail.com (Oleg Verych)
Date: Tue, 2 Aug 2011 08:34:55 +0300
Subject: Re: sshd’s ForceCommand and ssh’s "–N Do not execute a remote command"

2011/8/1 Damien Miller :

Hi, Damien.

> No, our sshd can't refuse -N. Such a thing is hackish to implement
> (how do you distinguish between a client that doesn't open a cmd/shell channel
> from one that is merely slow in doing so? what about multiplexing?)

If "sshd_config" has 'ForceCommand', `sshd` must not wait for anything:
1) "$SSH_ORIGINAL_COMMAND"
2) `ssh -N`
It just runs 'ForceCommand' with stdio <>/dev/null while the connection is alive...
_______

From morty at frakir.org Tue Aug 2 15:51:06 2011
From: morty at frakir.org (Morty Abzug) Date: Tue, 2 Aug 2011 01:51:06 -0400 Subject: openssh PTY allocation In-Reply-To: References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> Message-ID: <20110802055106.GV1290@red-sonja> Thanks. I tried this. It only works for one of the two devices I've been testing with. The device that works runs ScreenOS 6.3.0r7.0. The device that's still broken runs ScreenOS 5.3.0r3.0. Knocking the threshold down from 256 to 128, though, yields joy with both devices. 129 and 130 work, while 131 doesn't; presumably the success of 129 and 130 is due to fenceposts. Presumably the earlier version of ScreenOS had a version with a 128 limit; ScreenOS ran into interop problems at the time; ScreenOS coders bumped it to 256; and now they/we are having interop problems again. Maybe some even-older version of ScreenOS had an even lower limit. Hence why I'm thinking that it might be better to make PTY allocation failure a non-fatal error rather than trying to guess the other side's worst case buffer len. Note that this doesn't do anything for scp. The compat hack stuff does not seem to be available within scp.c, probably because it doesn't look directly at the ssh banner. Combining your compat concept with my earlier patch yields: diff -ur openssh-5.8p2-orig/clientloop.c openssh-5.8p2-morty-p4/clientloop.c --- openssh-5.8p2-orig/clientloop.c Sun Jan 16 12:18:35 2011 +++ openssh-5.8p2-morty-p4/clientloop.c Tue Aug 2 05:35:36 2011 
@@ -1982,7 +1982,11 @@ memset(&ws, 0, sizeof(ws)); channel_request_start(id, "pty-req", 1); - client_expect_confirm(id, "PTY allocation", 1); + if (datafellows & SSH_BUG_SCREENOS_PTY) { + client_expect_confirm(id, "PTY allocation", 0); + } else { + client_expect_confirm(id, "PTY allocation", 1); + } packet_put_cstring(term != NULL ? term : ""); packet_put_int((u_int)ws.ws_col); packet_put_int((u_int)ws.ws_row); diff -ur openssh-5.8p2-orig/compat.c openssh-5.8p2-morty-p4/compat.c --- openssh-5.8p2-orig/compat.c Mon Nov 3 08:20:14 2008 +++ openssh-5.8p2-morty-p4/compat.c Tue Aug 2 05:35:36 2011 @@ -148,6 +148,8 @@ SSH_BUG_IGNOREMSG }, { "*SSH Compatible Server*", /* Netscreen */ SSH_BUG_PASSWORDPAD }, + { "NetScreen", + SSH_BUG_SCREENOS_PTY }, { "*OSU_0*," "OSU_1.0*," "OSU_1.1*," diff -ur openssh-5.8p2-orig/compat.h openssh-5.8p2-morty-p4/compat.h --- openssh-5.8p2-orig/compat.h Mon Nov 3 08:20:14 2008 +++ openssh-5.8p2-morty-p4/compat.h Tue Aug 2 05:35:36 2011 @@ -58,6 +58,7 @@ #define SSH_OLD_FORWARD_ADDR 0x01000000 #define SSH_BUG_RFWD_ADDR 0x02000000 #define SSH_NEW_OPENSSH 0x04000000 +#define SSH_BUG_SCREENOS_PTY 0x08000000 void enable_compat13(void); void enable_compat20(void); diff -ur openssh-5.8p2-orig/scp.c openssh-5.8p2-morty-p4/scp.c --- openssh-5.8p2-orig/scp.c Thu Jan 6 11:41:21 2011 +++ openssh-5.8p2-morty-p4/scp.c Tue Aug 2 05:35:36 2011 @@ -273,7 +273,6 @@ addargs(&args, "-l"); addargs(&args, "%s", remuser); } - addargs(&args, "--"); addargs(&args, "%s", host); addargs(&args, "%s", cmd); @@ -322,7 +321,6 @@ addargs(&args, "-l"); addargs(&args, "%s", remuser); } - addargs(&args, "--"); addargs(&args, "%s", host); addargs(&args, "%s", cmd); 
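Review bot: in the clientloop.c hunk the two branches differ only in the last argument of client_expect_confirm(), so the addition collapses to a single call, `client_expect_confirm(id, "PTY allocation", (datafellows & SSH_BUG_SCREENOS_PTY) ? 0 : 1);`, with a one-line comment naming the ScreenOS pty-req refusal it works around. That comment should also say what the lenient value does not undo: with the failure no longer fatal, the client proceeds as though the pty-req had been granted, so the warning is the user's only sign that the server said no; that is worth stating rather than leaving implicit in a bare 0.

Review bot: in the compat.c hunk the new pattern is the bare string "NetScreen", whereas the neighbouring entries are globs ("*SSH Compatible Server*", "*OSU_0*"). compat_datafellows() matches the remote version string against these patterns, so this entry fires only when the banner's software-version field is exactly "NetScreen" with nothing appended; any ScreenOS build that adds a suffix silently misses the workaround. Please add a comment with the banners actually observed (the thread cites ScreenOS 5.3.0r3.0 and 6.3.0r7.0), in the style of the "/* Netscreen */" comment on the entry just above, so the next reader can tell whether the exact match is intentional.

Review bot: the scp.c hunks at 273 and 322 delete `addargs(&args, "--")` immediately before `addargs(&args, "%s", host)`, i.e. from the argument list of the ssh that scp runs locally, which the ScreenOS end never parses. That `--` is what stops a host operand beginning with '-' from being read as an ssh option, so removing it gains nothing for the interop problem and drops a guard on every platform; these two hunks should go.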
@@ -601,12 +599,12 @@ host = cleanhostname(argv[i]); suser = NULL; } - xasprintf(&bp, "%s -f -- %s", cmd, src); + xasprintf(&bp, "%s -f %s", cmd, src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) exit(1); (void) xfree(bp); host = cleanhostname(thost); - xasprintf(&bp, "%s -t -- %s", cmd, targ); + xasprintf(&bp, "%s -t %s", cmd, targ); if (do_cmd2(host, tuser, bp, remin, remout) < 0) exit(1); (void) xfree(bp); @@ -641,7 +639,6 @@ } else { host = cleanhostname(argv[i]); } - addargs(&alist, "--"); addargs(&alist, "%s", host); addargs(&alist, "%s", cmd); addargs(&alist, "%s", src); @@ -652,7 +649,7 @@ errs = 1; } else { /* local to remote */ if (remin == -1) { - xasprintf(&bp, "%s -t -- %s", cmd, targ); + xasprintf(&bp, "%s -t %s", cmd, targ); host = cleanhostname(thost); if (do_cmd(host, tuser, bp, &remin, &remout) < 0) @@ -685,7 +682,6 @@ addargs(&alist, "-r"); if (pflag) addargs(&alist, "-p"); - addargs(&alist, "--"); addargs(&alist, "%s", argv[i]); addargs(&alist, "%s", argv[argc-1]); if (do_local_cmd(&alist)) @@ -705,7 +701,7 @@ suser = pwd->pw_name; } host = cleanhostname(host); - xasprintf(&bp, "%s -f -- %s", cmd, src); + xasprintf(&bp, "%s -f %s", cmd, src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) { (void) xfree(bp); ++errs; On Fri, Jul 29, 2011 at 05:59:09PM +1000, Damien Miller wrote: > Try this compat hack: > > > Index: ttymodes.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ttymodes.c,v > retrieving revision 1.29 > diff -u -p -r1.29 ttymodes.c > --- ttymodes.c 2 Nov 2008 00:16:16 -0000 1.29 > +++ ttymodes.c 29 Jul 2011 07:58:29 -0000 
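Review bot: the scp.c hunks at 601, 652 and 705 change the remote command strings from "%s -f -- %s" / "%s -t -- %s" to forms without `--`, unconditionally and for every server. The remote `--` is what keeps a source or target name starting with '-' from being parsed as an option by the remote scp, so this trades that protection everywhere for compatibility with one implementation. Two narrower shapes: gate the omission on the compat flag this patch already introduces (ideally under its own name, since this is an scp problem rather than a PTY one), or emit "-- " only when `*src == '-'` / `*targ == '-'`, which keeps the guard exactly where it matters and sends a plain command line otherwise. The 641 and 685 hunks touch argument lists that are executed locally (685 ends in `do_local_cmd(&alist)`; in 641 the `--` again precedes the host operand, as in the 273/322 hunks) and need no change at all.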
> @@ -295,8 +295,11 @@ tty_make_modes(int fd, struct termios *t > put_arg(&buf, tio.c_cc[NAME]); > > #define TTYMODE(NAME, FIELD, OP) \ > - buffer_put_char(&buf, OP); \ > - put_arg(&buf, ((tio.FIELD & NAME) != 0)); > + if (!compat20 || (datafellows & SSH_BUG_SCREENOS_PTY) == 0 || \ > + buffer_len(&buf) < 256 - 5) { \ > + buffer_put_char(&buf, OP); \ > + put_arg(&buf, ((tio.FIELD & NAME) != 0)); \ > + } > > #include "ttymodes.h" > > Index: compat.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/compat.c,v > retrieving revision 1.78 > diff -u -p -r1.78 compat.c > --- compat.c 11 Sep 2008 14:22:37 -0000 1.78 > +++ compat.c 29 Jul 2011 07:58:29 -0000 > @@ -146,6 +146,8 @@ compat_datafellows(const char *version) > SSH_BUG_IGNOREMSG }, > { "*SSH Compatible Server*", /* Netscreen */ > SSH_BUG_PASSWORDPAD }, > + { "NetScreen", > + SSH_BUG_SCREENOS_PTY }, > { "*OSU_0*," > "OSU_1.0*," > "OSU_1.1*," > Index: compat.h > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/compat.h,v > retrieving revision 1.42 > diff -u -p -r1.42 compat.h > --- compat.h 11 Sep 2008 14:22:37 -0000 1.42 > +++ compat.h 29 Jul 2011 07:58:29 -0000 
> @@ -58,6 +58,7 @@ > #define SSH_OLD_FORWARD_ADDR 0x01000000 > #define SSH_BUG_RFWD_ADDR 0x02000000 > #define SSH_NEW_OPENSSH 0x04000000 > +#define SSH_BUG_SCREENOS_PTY 0x08000000 > > void enable_compat13(void); > void enable_compat20(void); > > On Thu, 28 Jul 2011, Morty Abzug wrote: > > > On Thu, Jul 28, 2011 at 06:00:38PM +0200, Gert Doering wrote: > > > Hi, > > > > > > On Thu, Jul 28, 2011 at 11:52:47AM -0400, Morty Abzug wrote: > > > > On Wed, Jul 27, 2011 at 05:25:05PM +1000, Damien Miller wrote: > > > > > > > > > The problem is a bug in ScreenOS, it refuses pty-req channel requests > > > > > when the tty modes blob exceeds 256 bytes in length. If you want a > > > > > workaround that preserves the usability of the tty, then comment out > > > > > a couple of less-important modes in ttymodes.h and recompile > > > > > > > > Any suggestions on which modes are less important? > > > > > > In that context, I think CS7, PARENB, PARODDB, IXON, IXOFF, IXANY, IUCLC, > > > PARMRK would be the ones I'd skip, given that use of 7-bit and parity > > > terminals is unlikely, and that the netscreens are not going to honour > > > xon/xoff flow control (IXON/IXOFF/IXANY) anyway. > > > > Thanks. > > > > I tested with #ifdef all of the above (CS7, PARENB, PARODDB, IXON, > > IXOFF, IXANY, IUCLC, and PARMRK.) This worked to get to one of our > > firewalls (ScreenOS 6.3.0r7.0) but not another (ScreenOS 5.3.0r3.0). > > So the problem appears to depend to some extent on ScreenOS version or > > some other variable that is device-specific. > > > > Meanwhile, I have that other workaround, i.e. to make the ssh client > > not consider PTY allocation failure a fatal exit. It appears to work > > for all of our ScreenOS devices. > > > > Questions/comments: > > > > (1) From a patch perspective, which approach is preferable -- making > > PTY allocation failure not a fatal error, or commenting out a > > bunch of ttymodes? 
[Assuming a set of ttymodes can be found that > > makes this work, of course.] I would lean towards the former > > approach, since it seems inherently more robust/consistent. > > > > (2) Commenting out stuff in ttymodes.h thing appears to be a > > compile-time option. Is there a way to make it a run-time option? > > > > (3) What would be a good name for an option to workaround this? I > > lean towards ExitOnTTYFailure. > > > > (4) What would be a good name for an option to workaround the scp "--" > > problem? > > > > - Morty > > -- Mordechai T. Abzug Linux red-sonja 2.6.31-23-generic #75-Ubuntu SMP Fri Mar 18 18:16:06 UTC 2011 x86_64 GNU/Linux If you have any trouble sounding condescending, find a Unix user to show you how it's done. -Scott Adams (of Dilbert fame) From openssh at mikebell.org Tue Aug 2 14:36:24 2011 From: openssh at mikebell.org (Mike Bell) Date: Mon, 1 Aug 2011 21:36:24 -0700 Subject: Adding fflush() to ssh-agent so its output can be redirected to a file Message-ID: <20110802043624.GF6653@longvaio.internal> Without this patch "ssh-agent -d > ~/ssh-agent.sh" will produce a zero byte file. Obviously a corner case, but for what I'm doing it's a show-stopper, and it _seems_ like an obvious improvement to correctness, rather than relying on implicit newline flushing with TTYs and flush-on-exit with the forking mode. Not subscribed, so please CC me on any replies. --- ssh-agent.c.orig 2011-08-01 20:42:08.890134187 -0700 +++ ssh-agent.c 2011-08-01 21:13:08.995357974 -0700 @@ -1281,6 +1281,7 @@ printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name, SSH_AUTHSOCKET_ENV_NAME); printf("echo Agent pid %ld;\n", (long)parent_pid); + fflush(stdout); goto skip; } pid = fork(); From djm at mindrot.org Tue Aug 2 18:10:32 2011 
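Review bot: the fflush(stdout) sits in the right place for the -d path: the two printf() calls just above write the shell snippet to a stream that is fully buffered once stdout is a file, and this path continues into the agent via `goto skip` rather than exiting, so nothing else would ever flush it. The fork path after the hunk (`pid = fork();`) is not shown; it needs the same treatment only if the process that prints there stays alive afterwards, since exit() flushes stdio. One addition worth making: check the result, because a failed flush here reproduces exactly the empty-file symptom described, with no diagnostic: `if (fflush(stdout) != 0) error("fflush: %s", strerror(errno));` (or whichever logging call ssh-agent.c already uses).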
From: djm at mindrot.org (Damien Miller)
Date: Tue, 2 Aug 2011 18:10:32 +1000 (EST)
Subject: Re: sshd’s ForceCommand and ssh’s "–N Do not execute a remote command"

On Tue, 2 Aug 2011, Oleg Verych wrote:

> 2011/8/1 Damien Miller :
>
> Hi, Damien.
>
> > No, our sshd can't refuse -N. Such a thing is hackish to implement
> > (how do you distinguish between a client that doesn't open a cmd/shell channel
> > from one that is merely slow in doing so? what about multiplexing?)
>
> If "sshd_config" has 'ForceCommand', `sshd` must not wait anything:
> 1) "$SSH_ORIGINAL_COMMAND"
> 2) `ssh -N`
> It just runs 'ForceCommand' with stdio <>/dev/null until connection alive...

the protocol doesn't work that way

From djm at mindrot.org Tue Aug 2 18:16:14 2011
From: djm at mindrot.org (Damien Miller) Date: Tue, 2 Aug 2011 18:16:14 +1000 (EST) Subject: openssh PTY allocation In-Reply-To: <20110802055106.GV1290@red-sonja> References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> Message-ID: On Tue, 2 Aug 2011, Morty Abzug wrote: > Thanks. I tried this. It only works for one of the two devices I've > been testing with. The device that works runs ScreenOS 6.3.0r7.0. > The device that's still broken runs ScreenOS 5.3.0r3.0. I tested it with ns5gt.5.4.0r20.0. > Knocking the threshold down from 256 to 128, though, yields joy with > both devices. 129 and 130 work, while 131 doesn't; presumably the > success of 129 and 130 is due to fenceposts. Presumably the earlier > version of ScreenOS had a version with a 128 limit; ScreenOS ran into > interop problems at the time; ScreenOS coders bumped it to 256; and > now they/we are having interop problems again. Maybe some even-older > version of ScreenOS had an even lower limit. Hence why I'm thinking > that it might be better to make PTY allocation failure a non-fatal > error rather than trying to guess the other side's worst case buffer > len. That could be unpredictable, the ScreenOS end refuses the whole pty-req so it is working under the assumption of no PTY whereas the client would (by ignoring the failure) continue to expect one there. Really, I'd prefer that Juniper just fix the bug (it is probably trivial for them to do so) rather than peppering our tree with compat hacks that must be maintained in perpetuity. > Note that this doesn't do anything for scp. The compat hack stuff > does not seem to be available within scp.c, probably because it > doesn't look directly at the ssh banner. scp is inherently unfixable as a protocol. -d From olecom at gmail.com Tue Aug 2 18:18:32 2011 
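The pty-req payload whose size triggers the ScreenOS refusal is the RFC 4254 section 8 "encoded terminal modes" string: a run of entries, each one opcode byte followed by a uint32 argument, ended by a single zero byte (TTY_OP_END). The C below is an added example, not OpenSSH code from the thread. It constructs a 60-entry mode list (two speeds and 58 flag entries, about what a Linux termios produces), encodes it under a byte budget using the same "length < limit - 5" rule as the compat hack, and parses the blob back the way a server should, rejecting a truncated one. It also reproduces the fencepost effect Morty reports: because entries are added in 5-byte steps, thresholds 128, 129 and 130 all yield the same 126-byte blob, while 131 admits one more entry.

```c
/* Added example (not OpenSSH code): encoder and parser for the RFC 4254
 * "encoded terminal modes" blob sent in a pty-req, with the byte budget the
 * thread's compat hack applies ("buffer_len(&buf) < LIMIT - 5"). The mode
 * list is constructed for the demo; only the opcode numbering is RFC 4254. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TTY_OP_END    0     /* terminates the blob */
#define TTY_OP_ISPEED 128   /* input baud rate */
#define TTY_OP_OSPEED 129   /* output baud rate */
#define TTY_ENTRY_LEN 5     /* 1 opcode byte + uint32 argument (protocol 2) */
#define DEMO_MODES    60    /* constructed: 2 speeds + 58 flag entries */

struct ttymode { uint8_t op; uint32_t arg; };

/* Encode n modes into out[0..cap). An entry is emitted only while the blob
 * is still shorter than limit - TTY_ENTRY_LEN (the compat hack's rule);
 * TTY_OP_END is always appended. Returns the blob length, or 0 if out is
 * too small; *dropped counts the entries left out. */
size_t tty_encode(const struct ttymode *m, size_t n, size_t limit,
                  uint8_t *out, size_t cap, size_t *dropped)
{
    size_t len = 0, i;

    *dropped = 0;
    if (limit <= TTY_ENTRY_LEN || cap == 0)
        return 0;
    for (i = 0; i < n; i++) {
        if (len >= limit - TTY_ENTRY_LEN) { /* one more entry would overshoot */
            (*dropped)++;
            continue;
        }
        if (len + TTY_ENTRY_LEN + 1 > cap)  /* keep room for TTY_OP_END */
            return 0;
        out[len++] = m[i].op;
        out[len++] = (uint8_t)(m[i].arg >> 24);
        out[len++] = (uint8_t)(m[i].arg >> 16);
        out[len++] = (uint8_t)(m[i].arg >> 8);
        out[len++] = (uint8_t)m[i].arg;
    }
    out[len++] = TTY_OP_END;
    return len;
}

/* Parse a blob the way a careful server should: every entry must be whole
 * and TTY_OP_END must be the last byte. Returns the entry count, or -1. */
int tty_decode(const uint8_t *blob, size_t len, struct ttymode *out, size_t cap)
{
    size_t pos = 0, n = 0;

    while (pos < len) {
        if (blob[pos] == TTY_OP_END)
            return pos + 1 == len ? (int)n : -1; /* nothing may follow END */
        if (len - pos < TTY_ENTRY_LEN || n >= cap)
            return -1;                            /* truncated entry */
        out[n].op  = blob[pos];
        out[n].arg = ((uint32_t)blob[pos + 1] << 24) | ((uint32_t)blob[pos + 2] << 16) |
                     ((uint32_t)blob[pos + 3] << 8)  | blob[pos + 4];
        n++;
        pos += TTY_ENTRY_LEN;
    }
    return -1;                                    /* no TTY_OP_END seen */
}

/* Constructed list: two speeds, then 58 flag entries with opcodes 1..58. */
static void build_demo_modes(struct ttymode *m)
{
    size_t i;

    m[0].op = TTY_OP_ISPEED; m[0].arg = 38400;
    m[1].op = TTY_OP_OSPEED; m[1].arg = 38400;
    for (i = 2; i < DEMO_MODES; i++) {
        m[i].op = (uint8_t)(i - 1);
        m[i].arg = (uint32_t)(i & 1);
    }
}

/* Blob length produced for the demo list under a given byte limit. */
size_t demo_blob_len(size_t limit)
{
    struct ttymode m[DEMO_MODES];
    uint8_t blob[DEMO_MODES * TTY_ENTRY_LEN + 1];
    size_t dropped;

    build_demo_modes(m);
    return tty_encode(m, DEMO_MODES, limit, blob, sizeof blob, &dropped);
}

/* Entries a server parsing that blob sees (-1 if malformed). trim_end=1
 * drops the final byte first, simulating a blob cut off before TTY_OP_END. */
int demo_decoded_entries(size_t limit, int trim_end)
{
    struct ttymode m[DEMO_MODES], back[DEMO_MODES];
    uint8_t blob[DEMO_MODES * TTY_ENTRY_LEN + 1];
    size_t dropped, len;

    build_demo_modes(m);
    len = tty_encode(m, DEMO_MODES, limit, blob, sizeof blob, &dropped);
    if (len == 0)
        return -1;
    return tty_decode(blob, trim_end ? len - 1 : len, back, DEMO_MODES);
}

int main(void)
{
    static const size_t limits[] = { 128, 129, 130, 131, 256, 1000 };
    size_t i;

    for (i = 0; i < sizeof limits / sizeof limits[0]; i++)
        printf("limit %4zu -> blob %3zu bytes, %2d entries decoded\n",
               limits[i], demo_blob_len(limits[i]),
               demo_decoded_entries(limits[i], 0));
    return 0;
}
```

With no budget the constructed list encodes to 301 bytes, well past the 256 the ScreenOS end tolerates; at limit 256 the encoder stops at 51 entries (255 bytes plus the terminator), and the parser that insists on seeing TTY_OP_END is what a server should run before trusting the blob.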
From: olecom at gmail.com (Oleg Verych)
Date: Tue, 2 Aug 2011 11:18:32 +0300
Subject: Re: sshd’s ForceCommand and ssh’s "–N Do not execute a remote command"

>> 1) "$SSH_ORIGINAL_COMMAND"
>> 2) `ssh -N`
>> It just runs 'ForceCommand' with stdio <>/dev/null until connection alive...
>
> the protocol doesn't work that way

The only thing left is to force the user to do or not to do something.

A crutch: reject all services (port forwarding) if 'ForceCommand' is set and
the user has `ssh -N`.
_______

From morty at frakir.org Tue Aug 2 19:06:47 2011
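What "reject all services when ForceCommand is set" looks like with the knobs sshd_config already has, as an added example that is not from the thread: the weak block relies on ForceCommand alone, which a client started with `ssh -N` never triggers because it never requests a session, while the corrected block also switches off every service such a client could still use. The user name "backup" and the command path are placeholders.

```conf
# sshd_config (added example, not from the thread). "backup" and
# /usr/local/bin/backup-shell are placeholders.

# Weak: ForceCommand alone. "ssh -N backup@host" authenticates, never asks
# for a session (so the forced command never runs), and can still open
# TCP/X11/agent forwards and tunnels over the connection.
#
#   Match User backup
#       ForceCommand /usr/local/bin/backup-shell

# Corrected: pair ForceCommand with every service a -N client could use.
Match User backup
    ForceCommand         /usr/local/bin/backup-shell
    AllowTcpForwarding   no
    X11Forwarding        no
    AllowAgentForwarding no
    PermitTunnel         no

# Per-key equivalent, one line in ~backup/.ssh/authorized_keys
# (key material abbreviated as a placeholder):
#
#   command="/usr/local/bin/backup-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... backup@example
```

To confirm what a given user actually gets, ask sshd for the effective configuration of a simulated connection: `sshd -T -C user=backup,host=client.example,addr=192.0.2.10 | egrep -i 'forcecommand|forwarding|permittunnel'` (host name and address are placeholders). With the corrected block an `ssh -N backup@server` still authenticates and holds an idle connection, but it can no longer open anything through it.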
From: morty at frakir.org (Morty Abzug) Date: Tue, 2 Aug 2011 05:06:47 -0400 Subject: openssh PTY allocation In-Reply-To: References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> Message-ID: <20110802090647.GP24801@red-sonja> On Tue, Aug 02, 2011 at 06:16:14PM +1000, Damien Miller wrote: > On Tue, 2 Aug 2011, Morty Abzug wrote: > > > Thanks. I tried this. It only works for one of the two devices I've > > been testing with. The device that works runs ScreenOS 6.3.0r7.0. > > The device that's still broken runs ScreenOS 5.3.0r3.0. > > I tested it with ns5gt.5.4.0r20.0. Then they must have increased the buffer between 5.3.0r3.0 and 5.4.0r20.0. > > Hence why I'm thinking > > that it might be better to make PTY allocation failure a non-fatal > > error rather than trying to guess the other side's worst case buffer > > len. > That could be unpredictable, the ScreenOS end refuses the whole > pty-req so it is working under the assumption of no PTY whereas the > client would (by ignoring the failure) continue to expect one there. ScreenOS isn't a *nix. In practice, even with a PTY allocation failure error, its command-line function acts as much like a PTY as it ever does. For example, you can do full command-line editing and scroll through command history even after getting a PTY allocation failure error. I suspect ScreenOS is making a bunch of hardcoded assumptions about terminal-like behaviors that completely violate normal *nix conventions, but make sense in a non-*nix environment that needs to play well with *nix. So the PTY allocation failure really does appear to be meaningless in the case of a ScreenOS device. > Really, I'd prefer that Juniper just fix the bug (it is probably > trivial for them to do so) rather than peppering our tree with > compat hacks that must be maintained in perpetuity. 
I've already reported this to our Juniper SE, who says he passed it on to their maintenance engineering. However, I'll echo what Chris Adams said in an earlier message: Unfortunately, there are a ton of ScreenOS devices out there, and even if Juniper fixed the SSH bugs tomorrow, all those devices won't be updated overnight (if ever). This will be a serious irritation for network admins as OS distributions update to newer OpenSSH versions (where most users get their OpenSSH). In a lot of environments, upgrading openssh is a whole lot easier than upgrading firewalls. Firewalls are customer-facing service devices with monetary repercussions for downtime, whereas openssh on a network engineering station is an internal application that customers don't care about. And for that matter, openssh is what changed -- older openssh worked fine with these same revisions of ScreenOS. This may be Juniper/Netscreen's mistake, but this is most easily patched on openssh's side. > > Note that this doesn't do anything for scp. The compat hack stuff > > does not seem to be available within scp.c, probably because it > > doesn't look directly at the ssh banner. > > scp is inherently unfixable as a protocol. Again, this formerly worked. I have scripts that were built around scp to ScreenOS devices. Older openssh worked fine. The addition of the "--" option to the remote scp invocation is what appears to have broken interop between openssh's scp and ScreenOS's scp. - Morty From christian.perone at gmail.com Thu Aug 4 02:31:00 2011 
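What the `--` buys and what the interop fix trades away, as an added C example (not code from the thread, from OpenSSH or from ScreenOS): it builds the remote command string under three policies (always emit `--`, never emit it, or emit it only when the file name starts with '-') and runs each through a minimal model of the option parsing a remote scp does before it reads the file operand. The file names "ns_sys_config" and "-rf" are constructed for the demo.

```c
/* Added example (not OpenSSH or ScreenOS code): the remote command line scp
 * buil­ds under three "--" policies, and a minimal model of how a remote
 * option parser reads it back. File names are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum dashdash_policy {
    DD_ALWAYS,    /* "scp -f -- NAME": what OpenSSH 5.x sends */
    DD_NEVER,     /* "scp -f NAME":    the blanket ScreenOS workaround */
    DD_IF_NEEDED  /* "--" only when NAME begins with '-' */
};

/* Build the remote command, e.g. "scp -f -- ns_sys_config". Returns a
 * malloc'd string the caller frees, or NULL on allocation failure. */
char *build_remote_cmd(const char *cmd, const char *mode, const char *name,
                       enum dashdash_policy pol)
{
    const char *sep = "";
    size_t len;
    char *out;

    if (pol == DD_ALWAYS || (pol == DD_IF_NEEDED && name[0] == '-'))
        sep = "-- ";
    len = strlen(cmd) + strlen(mode) + strlen(sep) + strlen(name) + 3;
    if ((out = malloc(len)) != NULL)
        snprintf(out, len, "%s %s %s%s", cmd, mode, sep, name);
    return out;
}

/* Model of the receiving side: every word starting with '-' is an option
 * until a "--" is seen; the first remaining word is the file operand.
 * Copies the operand into buf and returns 1, or returns 0 when everything
 * was consumed as options and no operand was ever seen. */
int remote_operand(const char *cmdline, char *buf, size_t cap)
{
    const char *p = cmdline;
    int argi = 0, opts_done = 0;

    while (*p != '\0') {
        const char *start;
        size_t n;

        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != ' ')
            p++;
        n = (size_t)(p - start);
        if (argi++ == 0)
            continue;                                   /* argv[0] */
        if (!opts_done && n == 2 && memcmp(start, "--", 2) == 0) {
            opts_done = 1;                              /* end of options */
            continue;
        }
        if (!opts_done && start[0] == '-')
            continue;                                   /* taken as an option */
        if (n >= cap)
            return 0;
        memcpy(buf, start, n);
        buf[n] = '\0';
        return 1;
    }
    return 0;
}

/* 1 if the command built for name under pol equals expect. */
int cmd_is(const char *name, enum dashdash_policy pol, const char *expect)
{
    char *s = build_remote_cmd("scp", "-f", name, pol);
    int eq = s != NULL && strcmp(s, expect) == 0;

    free(s);
    return eq;
}

/* 1 if the remote parser would see expect as the file operand of the
 * command built for name under pol; 0 if it sees no operand at all. */
int remote_sees(const char *name, enum dashdash_policy pol, const char *expect)
{
    char *s = build_remote_cmd("scp", "-f", name, pol);
    char operand[64];
    int ok = s != NULL && remote_operand(s, operand, sizeof operand) &&
             strcmp(operand, expect) == 0;

    free(s);
    return ok;
}

int main(void)
{
    static const char *names[] = { "ns_sys_config", "-rf" };   /* constructed */
    static const char *pols[]  = { "always", "never", "if-needed" };
    size_t i;
    int p;

    for (i = 0; i < 2; i++)
        for (p = 0; p < 3; p++) {
            char *s = build_remote_cmd("scp", "-f", names[i], (enum dashdash_policy)p);
            char op[64];

            printf("%-9s %-24s -> remote operand: %s\n", pols[p], s,
                   remote_operand(s, op, sizeof op) ? op : "(none, eaten as options)");
            free(s);
        }
    return 0;
}
```

Under the "never" policy a file literally named "-rf" disappears into the remote option parser; "if-needed" sends the plain command line ScreenOS can handle for ordinary names and keeps the separator only for names that need it.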
From: christian.perone at gmail.com (Christian S. Perone)
Date: Wed, 3 Aug 2011 13:31:00 -0300
Subject: OpenSSH and FIPS 140-2

Does anyone know why in some OpenSSH patches for FIPS we have something like:

    SSLeay_add_all_algorithms();
    if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
        fprintf(stderr, "FIPS integrity verification test failed.\n");
        exit(3);
    }

This block of code is always in main() soon after starting the service/client.
Why are they checking FIPS_mode() if FIPS_mode_set() wasn't even called before
that? Is SSLeay_add_all_algorithms() supposed to call FIPS_mode_set()?

Another question I have is why they are using FIPSCHECK_verify() from
libfipscheck if FIPS_mode_set() already checks the in-core fingerprint when
called. Is this another requirement from FIPS 140-2?

Great thanks !

-- 
"Forgive, O Lord, my little jokes on Thee, and I'll forgive Thy great big joke on me."
http://pyevolve.sourceforge.net/wordpress/

From um at mutluit.com Thu Aug 4 09:05:15 2011
From: um at mutluit.com (U.Mutlu)
Date: Thu, 04 Aug 2011 01:05:15 +0200
Subject: Anti-MITMA method of Samy Kamkar
Message-ID: <4E39D42B.2090707@mutluit.com>

Hi, I wonder if OpenSSH has the following method against MITMA already
implemented or not:

"
Anti-MITMA: Preventing Man in the Middle Attacks

Code at http://samy.pl/anti-mitma.pdf
I've described a simple method for authentication based protocols
(e.g., ssh) to prevent man in the middle attacks. Rather than
establishing a potentially MITMA'd connection, then authenticating,
you can authenticate the initial key exchange. More details in the pdf.
posted on october 15, 2009
"
(Found at http://samy.pl/code/ )

From nkadel at gmail.com Thu Aug 4 13:14:24 2011
From: nkadel at gmail.com (Nico Kadel-Garcia) Date: Wed, 3 Aug 2011 23:14:24 -0400 Subject: Anti-MITMA method of Samy Kamkar In-Reply-To: <4E39D42B.2090707@mutluit.com> References: <4E39D42B.2090707@mutluit.com> Message-ID: On Wed, Aug 3, 2011 at 7:05 PM, U.Mutlu wrote: > Hi, I wonder if OpenSSH has the following method > against MITMA already implemented or not: > > " > Anti-MITMA: Preventing Man in the Middle Attacks > > Code at http://samy.pl/anti-mitma.pdf > I've described a simple method for authentication based protocols > (e.g., ssh) to prevent man in the middle attacks. Rather than > establishing a potentially MITMA'd connection, then authenticating, > you can authenticate the initial key exchange. More details in the pdf. > posted on october 15, 2009 > " > (Found at http://samy.pl/code/ ) A lot of the more successful "man-in-the-middle" attacks against OpenSSH or SSH are based on stealing the host keys of the server. (This may be authorized in some environments.) And given the lack of any authentication, or even expiration, of host keys themselves, I'm unclear that this will prove a significant benefit in environments where the client does not already have a valid host key saved. Would they wind up being presented with an incorrect but consistent host key in such a situation, one that most users would accept by default? From samgandhi9 at gmail.com Sat Aug 6 04:56:37 2011 
From: samgandhi9 at gmail.com (Sam Gandhi)
Date: Fri, 5 Aug 2011 11:56:37 -0700
Subject: How does one download SSHredder?

Hi,

In doing some Google searching on SSH security verification I came across
mention of a program called SSHredder.
( http://developers.slashdot.org/story/02/12/17/0030202/New-SSH-Vulnerabilities-Discovered#comments )
Does anybody know where one can get source/executable code for SSHredder?

Actually we are using an SSH implementation called dropbear and I want to see
how "secure" it is.

Are there any other tools available to test/verify SSH implementations?

-Sam

From l.gautrot at free.fr Sat Aug 6 03:03:45 2011
From: l.gautrot at free.fr (Laurent GAUTROT)
Date: Fri, 05 Aug 2011 19:03:45 +0200
Subject: Typo in a manpage
Message-ID: <35ec67eb3a68e3fa72727bde7ca22211@mail.gautrot.org>

Hello,

There's a typo in moduli.5 manpage. I'm not quite sure it needs a patch.
Anyway, the fix is:

s/primaility/primality/

Regards
-- 
^L.

From djm at mindrot.org Sat Aug 6 14:26:09 2011
From: djm at mindrot.org (Damien Miller)
Date: Sat, 6 Aug 2011 14:26:09 +1000 (EST)
Subject: openssh PTY allocation
In-Reply-To: <20110802090647.GP24801@red-sonja>
References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> <20110802090647.GP24801@red-sonja>

FYI here is a diff that installs workarounds for all of the problems
with ScreenOS that I'm aware of. These are:

- PTY allocation
- scp -- thing
- keepalives killing the connection
- multiplexing requests killing the connection

Not sure whether I want to commit these.

Index: clientloop.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.236 diff -u -p -r1.236 clientloop.c --- clientloop.c 22 Jun 2011 22:08:42 -0000 1.236 +++ clientloop.c 6 Aug 2011 04:21:42 -0000
@@ -1375,7 +1375,11 @@ client_loop(int have_pty, int escape_cha char buf[100]; debug("Entering interactive session."); - + if ((datafellows & SSH_BUG_KEEPALIVE) != 0 && + options.server_alive_interval != 0) { + debug2("Disabling keepalives due to server bug"); + options.server_alive_interval = 0; + } start_time = get_current_time(); /* Initialize variables. */ Index: compat.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/compat.c,v retrieving revision 1.78 diff -u -p -r1.78 compat.c --- compat.c 11 Sep 2008 14:22:37 -0000 1.78 +++ compat.c 6 Aug 2011 04:21:42 -0000 @@ -146,6 +146,10 @@ compat_datafellows(const char *version) SSH_BUG_IGNOREMSG }, { "*SSH Compatible Server*", /* Netscreen */ SSH_BUG_PASSWORDPAD }, + { "NetScreen", + SSH_BUG_SCREENOS_PTY| + SSH_BUG_KEEPALIVE| + SSH_BUG_MULTIPLEX }, { "*OSU_0*," "OSU_1.0*," "OSU_1.1*," Index: compat.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/compat.h,v retrieving revision 1.42 diff -u -p -r1.42 compat.h --- compat.h 11 Sep 2008 14:22:37 -0000 1.42 +++ compat.h 6 Aug 2011 04:21:42 -0000 @@ -58,6 +58,9 @@ #define SSH_OLD_FORWARD_ADDR 0x01000000 #define SSH_BUG_RFWD_ADDR 0x02000000 #define SSH_NEW_OPENSSH 0x04000000 +#define SSH_BUG_SCREENOS_PTY 0x08000000 +#define SSH_BUG_KEEPALIVE 0x10000000 +#define SSH_BUG_MULTIPLEX 0x20000000 void enable_compat13(void); void enable_compat20(void); Index: scp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/scp.c,v retrieving revision 1.170 diff -u -p -r1.170 scp.c --- scp.c 9 Dec 2010 14:13:33 -0000 1.170 +++ scp.c 6 Aug 2011 04:21:42 -0000 
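Review bot: in the clientloop.c hunk the override of options.server_alive_interval is reported only at debug2(), so a user who set ServerAliveInterval on purpose, usually so that a dead link is noticed and the session torn down, gets no indication at normal verbosity that the option was discarded and that a hung connection will now sit until TCP gives up. Logging it at the level the ssh.c hunk in this diff uses for the multiplexing override (debug()), or at verbose level, would make the trade visible; the serverloop.c copy has the same issue.

Review bot: in the compat.c hunk a single bare pattern "NetScreen" (no wildcards, unlike "*SSH Compatible Server*" just above it) turns on three independent workarounds at once. Two consequences deserve a comment: compat_datafellows() matches the whole remote version string, so the entry fires only when it is exactly "NetScreen" and a build that appends anything misses all three; and a ScreenOS release that fixes one of the bugs still gets the other two with their costs (no keepalives, no multiplexing). If the banner carries no version that is unavoidable, but then say so in the comment, together with the firmware versions the three flags were tested against.

Review bot: the compat.h hunk consumes three of the remaining bits of datafellows (0x08000000, 0x10000000, 0x20000000) on top of the existing 0x04000000, leaving 0x40000000 as the last unused flag below the sign bit of the int. Either note that in the header or consider whether SSH_BUG_KEEPALIVE and SSH_BUG_MULTIPLEX, which in this diff are only ever set together with SSH_BUG_SCREENOS_PTY, need separate bits at all.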
@@ -580,12 +580,14 @@ toremote(char *targ, int argc, char **ar host = cleanhostname(argv[i]); suser = NULL; } - xasprintf(&bp, "%s -f -- %s", cmd, src); + xasprintf(&bp, "%s -f %s%s", cmd, + *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) exit(1); (void) xfree(bp); host = cleanhostname(thost); - xasprintf(&bp, "%s -t -- %s", cmd, targ); + xasprintf(&bp, "%s -t %s%s", cmd, + *targ == '-' ? "-- " : "", targ); if (do_cmd2(host, tuser, bp, remin, remout) < 0) exit(1); (void) xfree(bp); @@ -631,7 +633,8 @@ toremote(char *targ, int argc, char **ar errs = 1; } else { /* local to remote */ if (remin == -1) { - xasprintf(&bp, "%s -t -- %s", cmd, targ); + xasprintf(&bp, "%s -t %s%s", cmd, + *targ == '-' ? "-- " : "", targ); host = cleanhostname(thost); if (do_cmd(host, tuser, bp, &remin, &remout) < 0) Index: serverloop.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/serverloop.c,v retrieving revision 1.160 diff -u -p -r1.160 serverloop.c --- serverloop.c 15 May 2011 08:09:01 -0000 1.160 +++ serverloop.c 6 Aug 2011 04:21:42 -0000 @@ -277,6 +277,11 @@ wait_until_can_do_something(fd_set **rea int ret; int client_alive_scheduled = 0; + if ((datafellows & SSH_BUG_KEEPALIVE) != 0 && + options.client_alive_interval != 0) { + debug2("Disabling keepalives due to client bug"); + options.client_alive_interval = 0; + } /* * if using client_alive, set the max timeout accordingly, * and indicate that this particular timeout was for client Index: ssh.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.c,v retrieving revision 1.364 diff -u -p -r1.364 ssh.c --- ssh.c 2 Aug 2011 23:15:03 -0000 1.364 +++ ssh.c 6 Aug 2011 04:21:42 -0000 
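Review bot: both scp.c hunks here are inside toremote() (per the hunk headers), so `--` becomes conditional only for the "-f"/"-t" command strings built in that function; the remote-to-local path, whose "%s -f -- %s" string the 5.8p2 diff earlier in this thread patched near scp.c:705, is not in this diff and will still send `scp -f -- <file>` to a ScreenOS box. Also, `*src == '-' ? "-- " : ""` now appears three times with different variables; a small helper or macro would keep the rule and its explanatory comment in one place.

Review bot: the serverloop.c hunk puts the override inside wait_until_can_do_something(), which is called on every pass through the server loop, so the datafellows test and the interval check run per iteration. They are cheap, but the natural home is the one-time setup before the loop, mirroring where the client side puts its copy (at the top of client_loop() in the clientloop.c hunk); that also removes any doubt about the debug2() message being emitted more than once or at an odd moment.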
@@ -890,6 +890,13 @@ main(int ac, char **av) } } + if ((datafellows & SSH_BUG_MULTIPLEX) != 0 && + options.control_path != NULL && + options.control_master != SSHCTL_MASTER_NO) { + debug("Disabling multiplexing due to server bugs"); + options.control_master = SSHCTL_MASTER_NO; + } + exit_status = compat20 ? ssh_session2() : ssh_session(); packet_close(); Index: ttymodes.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ttymodes.c,v retrieving revision 1.29 diff -u -p -r1.29 ttymodes.c --- ttymodes.c 2 Nov 2008 00:16:16 -0000 1.29 +++ ttymodes.c 6 Aug 2011 04:21:42 -0000 @@ -295,8 +295,11 @@ tty_make_modes(int fd, struct termios *t put_arg(&buf, tio.c_cc[NAME]); #define TTYMODE(NAME, FIELD, OP) \ - buffer_put_char(&buf, OP); \ - put_arg(&buf, ((tio.FIELD & NAME) != 0)); + if (!compat20 || (datafellows & SSH_BUG_SCREENOS_PTY) == 0 || \ + buffer_len(&buf) < 256 - 5) { \ + buffer_put_char(&buf, OP); \ + put_arg(&buf, ((tio.FIELD & NAME) != 0)); \ + } #include "ttymodes.h" From gert at greenie.muc.de Sat Aug 6 18:47:07 2011 
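Review bot: the ssh.c hunk forces options.control_master to SSHCTL_MASTER_NO while leaving options.control_path set, and reports it at debug(). Since the user asked for a master explicitly (ControlMaster yes or auto), consider a message they will see at normal verbosity, as the request is silently not honoured and every further session to this host pays for a full connection; and add a comment in the hunk stating which ScreenOS behaviour ("multiplexing requests killing the connection", per the cover note) it avoids, so the workaround can be retired when that bug is fixed.

Review bot: in the ttymodes.c hunk `256 - 5` packs two facts that deserve a named constant and a comment: 5 is the size of one protocol-2 mode entry (the one-byte opcode plus four-byte argument that the `buffer_put_char`/`put_arg` pair in the macro emits), and 256 is the ScreenOS limit from the cover note, so the test admits an entry only while the blob can still take it and the terminating byte without passing 256. Nothing is logged when entries are dropped; a debug() with the count would explain a misbehaving terminal to the user. Note also that the cap applies only to the TTYMODE flag entries; the character entries emitted just above (`put_arg(&buf, tio.c_cc[NAME])`) are always sent, which is fine as long as it is stated.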
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 6 Aug 2011 10:47:07 +0200
Subject: openssh PTY allocation
References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> <20110802090647.GP24801@red-sonja>
Message-ID: <20110806084707.GL8496@greenie.muc.de>

Hi,

On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote:
> FYI here is a diff that installs workarounds for all of the problems
> with ScreenOS that I'm aware of. These are:
>
> - PTY allocation
> - scp -- thing
> - keepalives killing the connection
> - multiplexing requests killing the connection
>
> Not sure whether I want to commit these.

As a pure user, not speaking for the developers, but having to SSH (and
SCP!) to Netscreens regularly - these look quite reasonable to me, and I'd
like to see something like this in the general code base.

(Otherwise I'm happy that you have provided the patch and will use that to
patch our local ssh installation)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                     gert at greenie.muc.de
fax: +49-89-35655025                  gert at net.informatik.tu-muenchen.de

From laurent at gautrot.org Sun Aug 7 22:39:53 2011
From: laurent at gautrot.org (Laurent GAUTROT)
Date: Sun, 07 Aug 2011 14:39:53 +0200
Subject: Typo in sftp.1 manpage
Message-ID: <7c4c2e4312e3ba2c74fe1d0418bb9c23@mail.gautrot.org>

Hello,

Just found a typo in sftp.1 manpage:

s/ether/either/

Regards
-- 
^L.

From dtucker at zip.com.au Sun Aug 7 22:55:54 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 7 Aug 2011 22:55:54 +1000
Subject: Typo in sftp.1 manpage
In-Reply-To: <7c4c2e4312e3ba2c74fe1d0418bb9c23@mail.gautrot.org>
References: <7c4c2e4312e3ba2c74fe1d0418bb9c23@mail.gautrot.org>

On Sun, Aug 7, 2011 at 10:39 PM, Laurent GAUTROT wrote:
> Hello,
>
> Just found a typo in sftp.1 manpage:
>
> s/ether/either/

Applied, thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sun Aug 7 23:03:55 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 7 Aug 2011 23:03:55 +1000
Subject: Typo in a manpage
In-Reply-To: <35ec67eb3a68e3fa72727bde7ca22211@mail.gautrot.org>
References: <35ec67eb3a68e3fa72727bde7ca22211@mail.gautrot.org>

On Sat, Aug 6, 2011 at 3:03 AM, Laurent GAUTROT wrote:
> There's a typo in moduli.5 manpage.
> s/primaility/primality/

Thanks, this had previously been fixed on openbsd's page[1], we'll pull
those changes in.

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/moduli.5.diff?r1=1.12;r2=1.13;f=h

-- 
Darren Tucker (dtucker at zip.com.au)

From jkf at research.att.com Tue Aug 9 04:17:37 2011
From: jkf at research.att.com (FELLIN, JEFFREY K (JEFF))
Date: Mon, 8 Aug 2011 14:17:37 -0400
Subject: configure bug for HAVE_RES_EXTERN check
Message-ID:

The code used in configure.ac to check for struct __res_state _res is an extern, can fail. I'm porting the code to UWIN, (Unix on Windows, available at http://www2.research.att.com/~gsf/download) using Microsoft Visual Studio for the cc compiler. The code in lines 3483 - 3491 should include a reference to _res, to verify the compiler doesn't ignore non-referenced variables. I suggest line 3491 should be changed from:

int main() { return 0; }

To

int main() { _res.retrans=0; return 0; }

Thank you for your consideration.

Jeff Fellin

From morty at frakir.org Tue Aug 9 08:30:17 2011
From: morty at frakir.org (Morty Abzug)
Date: Mon, 8 Aug 2011 18:30:17 -0400
Subject: openssh PTY allocation
In-Reply-To:
References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> <20110802090647.GP24801@red-sonja>
Message-ID: <20110808223017.GD6596@red-sonja>

On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote:
> FYI here is a diff that installs workarounds for all of the problems
> with ScreenOS that I'm aware of. These are:
>
> - PTY allocation
> - scp -- thing
> - keepalives killing the connection
> - multiplexing requests killing the connection

Thanks for the patch. In my testing, it has the following issues:

(1) ssh still doesn't work for some of our devices. I think this is because the ttymodes.c portion of your patch has "256" when it should be "128".

(2) scp didn't actually work to any of my test netscreens for scp $device:ns_sys_config /tmp. I tried scp -v $device:ns_sys_config /tmp to see what the command was. I got:

debug1: Sending command: scp -v -f -- ns_sys_config

As you can see, "--" is still there.

- Morty

From djm at mindrot.org Tue Aug 9 16:17:05 2011
From: djm at mindrot.org (Damien Miller) Date: Tue, 9 Aug 2011 16:17:05 +1000 (EST) Subject: openssh PTY allocation In-Reply-To: <20110808223017.GD6596@red-sonja> References: <20110723184718.GF24801@red-sonja> <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> <20110802090647.GP24801@red-sonja> <20110808223017.GD6596@red-sonja> Message-ID: On Mon, 8 Aug 2011, Morty Abzug wrote: > On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote: > > FYI here is a diff that installs workarounds for all of the problems > > with ScreenOS that I'm aware of. These are: > > > > - PTY allocation > > - scp -- thing > > - keepalives killing the connection > > - multiplexing requests killing the connection > > Thanks for the patch. In my testing, it has the following issues: > > (1) ssh still doesn't work for some of our devices. I think this is > because the ttymodes.c portion of your patch has "256" when it should > be "128". Even if I do commit something like this diff (which is not guaranteed), it certainly won't truncate the ttymodes at 128 bytes - fixed versions of ScreenOS already exist for this problem and chopping so much off is likely to leave a messed up TTY anyway. > (2) scp didn't actually work to any of my test netscreens for scp > $device:ns_sys_config /tmp. I tried scp -v $device:ns_sys_config /tmp > to see what the command was. I got: > > debug1: Sending command: scp -v -f -- ns_sys_config > > As you can see, "--" is still there. oops, I missed a case: Index: scp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/scp.c,v retrieving revision 1.170 diff -u -p -r1.170 scp.c --- scp.c 9 Dec 2010 14:13:33 -0000 1.170 +++ scp.c 9 Aug 2011 06:10:08 -0000 
@@ -580,12 +580,14 @@ toremote(char *targ, int argc, char **ar host = cleanhostname(argv[i]); suser = NULL; } - xasprintf(&bp, "%s -f -- %s", cmd, src); + xasprintf(&bp, "%s -f %s%s", cmd, + *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) exit(1); (void) xfree(bp); host = cleanhostname(thost); - xasprintf(&bp, "%s -t -- %s", cmd, targ); + xasprintf(&bp, "%s -t %s%s", cmd, + *targ == '-' ? "-- " : "", targ); if (do_cmd2(host, tuser, bp, remin, remout) < 0) exit(1); (void) xfree(bp); @@ -631,7 +633,8 @@ toremote(char *targ, int argc, char **ar errs = 1; } else { /* local to remote */ if (remin == -1) { - xasprintf(&bp, "%s -t -- %s", cmd, targ); + xasprintf(&bp, "%s -t %s%s", cmd, + *targ == '-' ? "-- " : "", targ); host = cleanhostname(thost); if (do_cmd(host, tuser, bp, &remin, &remout) < 0) @@ -664,7 +667,8 @@ tolocal(int argc, char **argv) addargs(&alist, "-r"); if (pflag) addargs(&alist, "-p"); - addargs(&alist, "--"); + if (*(argv[i]) == '-' || *(argv[argc-1]) == '-') + addargs(&alist, "--"); addargs(&alist, "%s", argv[i]); addargs(&alist, "%s", argv[argc-1]); if (do_local_cmd(&alist)) @@ -684,7 +688,8 @@ tolocal(int argc, char **argv) suser = pwd->pw_name; } host = cleanhostname(host); - xasprintf(&bp, "%s -f -- %s", cmd, src); + xasprintf(&bp, "%s -f %s%s", + cmd, *src == '-' ? "-- " : "", src); if (do_cmd(host, suser, bp, &remin, &remout) < 0) { (void) xfree(bp); ++errs; From morty at frakir.org Wed Aug 10 10:50:50 2011 
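Review bot: the conditional `--` in all four hunks keeps the protection the separator was added for (a remote file name beginning with '-' must not be parsed as an option by the remote scp) while dropping it for the common case, but nothing in the diff records why, so a one-line comment at the first `*src == '-' ? "-- " : ""` saying that some servers (ScreenOS, per this thread) reject `--` would stop the next reader from "simplifying" it back to the unconditional form. The tolocal() hunk tests both `argv[i]` and `argv[argc-1]` before emitting one `--`, which is right because that single separator covers both arguments, whereas each remote hunk tests only the one name it sends; the same ternary now appears four times plus that `if`, so a tiny helper returning `"-- "` or `""` would keep the rule in one place.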
From: morty at frakir.org (Morty Abzug) Date: Tue, 9 Aug 2011 20:50:50 -0400 Subject: openssh PTY allocation In-Reply-To: References: <20110728155247.GL1290@red-sonja> <20110728160038.GC8496@greenie.muc.de> <20110728183407.GM1290@red-sonja> <20110802055106.GV1290@red-sonja> <20110802090647.GP24801@red-sonja> <20110808223017.GD6596@red-sonja> Message-ID: <20110810005050.GG6596@red-sonja> On Tue, Aug 09, 2011 at 04:17:05PM +1000, Damien Miller wrote: > Even if I do commit something like this diff (which is not > guaranteed), it certainly won't truncate the ttymodes at 128 bytes - > fixed versions of ScreenOS already exist for this problem and > chopping so much off is likely to leave a messed up TTY anyway. In my testing, setting the threshold to 128 didn't cause any TTY problems in practice. A lot of the older versions are in the field. Is there any chance that you could set the number to 128? > > As you can see, "--" is still there. > oops, I missed a case: Thanks! - Morty From djm at mindrot.org Sun Aug 14 10:30:10 2011 
From: djm at mindrot.org (Damien Miller)
Date: Sun, 14 Aug 2011 10:30:10 +1000 (EST)
Subject: Call for testing: OpenSSH-5.9
Message-ID:

Hi,

OpenSSH 5.9 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains a couple of new features and changes and bug fixes. Testing of the new sandboxed privilege separation mode (see below) would be particularly appreciated.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the instructions at http://www.openssh.com/portable.html#cvs or via Mercurial at http://hg.mindrot.org/openssh

Running the regression tests supplied with Portable OpenSSH does not require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

-------------------------------

Features:

 * Introduce sandboxing of the pre-auth privsep child using a new sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. The intention is to prevent a compromised privsep child from being used to attack other hosts (by opening sockets and proxying) or probing local kernel attack surface.

   Three concrete sandbox implementations are provided (selected at configure time): systrace, seatbelt and rlimit.

   The systrace sandbox uses systrace(4) in unsupervised "fast-path" mode, where a list of permitted syscalls is supplied. Any syscall not on the list results in SIGKILL being sent to the privsep child.
   Note that this requires a kernel with the new SYSTR_POLICY_KILL option (only OpenBSD has this mode at present).

   The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a strict (kSBXProfilePureComputation) policy that disables access to filesystem and network resources.

   The rlimit sandbox is a fallback choice for platforms that don't support a better one; it uses setrlimit() to reset the hard-limit of file descriptors and processes to zero, which should prevent the privsep child from forking or opening new network connections.

   Sandboxing of the privilege separated child process will become the default in a future release. We'd also like to include native sandboxes for other platforms.

 * Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96, and are available by default in ssh(1) and sshd(8)

 * The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot.

 * ssh(1) now warns when a server refuses X11 forwarding

 * sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by space. The undocumented AuthorizedKeysFile2 option is deprecated (though the default for AuthorizedKeysFile includes .ssh/authorized_keys2)

 * sshd_config(5): similarly deprecate UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile and GlobalKnownHostsFile accept multiple options and default to include known_hosts2

 * retain key comments when loading v.2 keys. These will be visible in "ssh-add -l" and other places. bz#439

 * ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as IPv4 ToS/DSCP). bz#1855

 * ssh_config(5)'s ControlPath option now expands %L to the host portion of the destination host name.

 * ssh_config(5) "Host" options now support negated Host matching, e.g.
       Host *.example.org !c.example.org
           User mekmitasdigoat

   Will match "a.example.org", "b.example.org", but not "c.example.org"

 * ssh_config(5): a new RequestTTY option provides control over when a TTY is requested for a connection, similar to the existing -t/-tt/-T ssh(1) commandline options.

 * sshd(8): allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries; bz#1244

 * ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is useful for system initialisation scripts.

 * ssh(1): Allow graceful shutdown of multiplexing: request that a mux server removes its listener socket and refuse future multiplexing requests but don't kill existing connections. This may be requested using "ssh -O stop ..."

 * ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key"

 * ssh-keysign(8) now signs hostbased authentication challenges correctly using ECDSA keys; bz#1858

Portable OpenSSH Bugfixes:

 * Fix a compilation error in the SELinux support code. bz#1851

 * This release removes support for ssh-rand-helper. OpenSSH now obtains its random numbers directly from OpenSSL or from a PRNGd/EGD instance specified at configure time.

 * sshd(8) now resets the SELinux process execution context before executing passwd for password changes; bz#1891

 * Since gcc >= 4.x ignores all -Wno-options options, test only the corresponding -W-option when trying to determine whether it is accepted. bz#1900, bz#1901 selinux code. Patch from Leonardo Chiquitto

 * Add ECDSA key generation to the Cygwin ssh-{host,user}-config scripts.
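The rlimit sandbox described in the Features list above, as an added illustration that is not OpenSSH's own sandbox-rlimit.c: a child applies hard and soft limits of zero for RLIMIT_NOFILE and RLIMIT_NPROC, then probes what it can still do and reports back over a pipe that existed before the limits were set, which is the property sshd relies on for the privsep child's channel to the monitor. The struct and function names are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the sandboxed child could still do, reported to the parent over a
 * pipe that was opened before the limits were applied. */
struct sandbox_probe {
    int socket_errno;  /* errno from socket(), 0 if it succeeded */
    int open_errno;    /* errno from open("/dev/null"), 0 if it succeeded */
    int fork_errno;    /* errno from fork(), 0 if it succeeded */
    int report_ok;     /* 1 if the pre-existing pipe still carried the report */
};

/* The rlimit sandbox as the announcement describes it (example version):
 * hard and soft limits of zero for open files and processes.
 * Lowering a limit never requires privilege. */
static int apply_rlimit_sandbox(void)
{
    struct rlimit zero = { 0, 0 };

    if (setrlimit(RLIMIT_NOFILE, &zero) == -1)
        return -1;
    if (setrlimit(RLIMIT_NPROC, &zero) == -1)
        return -1;
    return 0;
}

/* Fork a child, sandbox it, and ask it what it can still do.
 * Returns 0 and fills *out on success, -1 on failure. */
int run_rlimit_sandbox_probe(struct sandbox_probe *out)
{
    int fds[2], status, s, f;
    pid_t pid, grandchild;
    struct sandbox_probe p;
    ssize_t n;

    memset(out, 0, sizeof(*out));
    if (pipe(fds) == -1)
        return -1;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        memset(&p, 0, sizeof(p));
        if (apply_rlimit_sandbox() == -1)
            _exit(2);

        /* No new descriptors of any kind: sockets are refused (EMFILE)... */
        s = socket(AF_INET, SOCK_STREAM, 0);
        p.socket_errno = (s == -1) ? errno : 0;
        if (s != -1)
            close(s);
        /* ...and so are plain files. */
        f = open("/dev/null", O_RDONLY);
        p.open_errno = (f == -1) ? errno : 0;
        if (f != -1)
            close(f);
        /* No new processes for an unprivileged user (EAGAIN). Root is exempt
         * from RLIMIT_NPROC on Linux, so privileges must already be dropped
         * for this part of the sandbox to bite. */
        grandchild = fork();
        if (grandchild == 0)
            _exit(0);
        p.fork_errno = (grandchild == -1) ? errno : 0;
        if (grandchild > 0)
            waitpid(grandchild, NULL, 0);

        /* Descriptors that already existed keep working. */
        n = write(fds[1], &p, sizeof(p));
        _exit(n == (ssize_t)sizeof(p) ? 0 : 3);
    }
    close(fds[1]);
    n = read(fds[0], out, sizeof(*out));
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    out->report_ok = (n == (ssize_t)sizeof(*out));
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    struct sandbox_probe p;

    if (run_rlimit_sandbox_probe(&p) == -1) {
        fprintf(stderr, "probe failed\n");
        return 1;
    }
    printf("socket(): %s\n", p.socket_errno ? strerror(p.socket_errno) : "succeeded");
    printf("open():   %s\n", p.open_errno ? strerror(p.open_errno) : "succeeded");
    printf("fork():   %s\n", p.fork_errno ? strerror(p.fork_errno) : "succeeded");
    printf("report over pre-existing pipe: %s\n", p.report_ok ? "ok" : "lost");
    return 0;
}
```

The descriptor limit is enforced for every user, so the socket() and open() failures are the reliable part; the fork() result depends on whether the process is privileged, which is why the fallback sandbox is weaker than systrace or seatbelt.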
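The negated Host matching from the same list, as an added example rather than OpenSSH's match.c: a pattern list is evaluated so that a matching negated entry vetoes the whole list and otherwise any matching positive entry wins, which is what makes "*.example.org !c.example.org" accept a.example.org and b.example.org but not c.example.org. The glob matcher and host_matches() are this example's own; hostnames are compared case-insensitively here, and entries are split on spaces or commas.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive glob match supporting '*' and '?', the two wildcards
 * ssh_config(5) patterns use. Example code, not OpenSSH's matcher. */
static int glob_match(const char *s, const char *p)
{
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;          /* trailing '*' matches the rest */
            for (;; s++) {         /* try every possible remainder for '*' */
                if (glob_match(s, p))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*s == '\0')
            return 0;
        if (*p != '?' &&
            tolower((unsigned char)*p) != tolower((unsigned char)*s))
            return 0;
        s++;
        p++;
    }
}

/* Evaluate a "Host" pattern list such as "*.example.org !c.example.org".
 * A negated pattern that matches vetoes the whole list regardless of its
 * position; otherwise the host matches if any positive pattern does.
 * Returns 1 for match, 0 for no match, -1 if the list exceeds the buffer. */
int host_matches(const char *host, const char *patterns)
{
    char buf[1024];
    char *tok;
    int got_positive = 0;

    if (strlen(patterns) >= sizeof(buf))
        return -1;
    strcpy(buf, patterns);
    for (tok = strtok(buf, " \t,"); tok != NULL; tok = strtok(NULL, " \t,")) {
        int negated = (tok[0] == '!');
        const char *pat = negated ? tok + 1 : tok;

        if (*pat == '\0')
            continue;              /* a bare "!" matches nothing */
        if (glob_match(host, pat)) {
            if (negated)
                return 0;          /* explicit exclusion wins */
            got_positive = 1;
        }
    }
    return got_positive;
}

int main(void)
{
    /* Constructed inputs: the list from the announcement plus edge cases. */
    const char *list = "*.example.org !c.example.org";
    const char *hosts[] = { "a.example.org", "b.example.org", "c.example.org",
                            "example.org", "x.c.example.org" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-18s -> %s\n", hosts[i],
               host_matches(hosts[i], list) ? "match" : "no match");
    return 0;
}
```

Note that "!c.example.org" excludes only that exact name: x.c.example.org still matches "*.example.org", so a negation meant to cover a whole subtree needs its own wildcard entry.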
Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

From vinschen at redhat.com Mon Aug 15 21:41:37 2011
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 15 Aug 2011 13:41:37 +0200
Subject: Call for testing: OpenSSH-5.9
In-Reply-To:
References:
Message-ID: <20110815114137.GM4098@calimero.vinschen.de>

On Aug 14 10:30, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.9 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests

Current CVS builds fine and all tests pass on Cygwin.

> Sandboxing of the privilege separated child process will become the
> default in a future release. We'd also like to include native
> sandboxes for other platforms.

I'm still thinking about how to do that for Cygwin. There's no way on Windows to remove user permission to create files in a generic way. But maybe the UAC feature since Vista is a way to accomplish sandboxing at least on Vista and later by starting the process as a low integrity process. I have to take a closer look into this stuff.

While I was at it, it occurred to me that there's another piece of Cygwin-specific code which can go away. Pipes are always created as binary pipes for quite some time now. There's no supported version of Cygwin left which allowed to create textmode pipes. Therefore, the binary_pipe code can go away.
Here's the patch: Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.22 diff -u -p -r1.22 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 27 Feb 2010 16:29:33 -0000 1.22 +++ openbsd-compat/bsd-cygwin_util.c 15 Aug 2011 10:59:57 -0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2001, Corinna Vinschen + * Copyright (c) 2000, 2001, 2011 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -34,9 +34,6 @@ #if defined(open) && open == binary_open # undef open #endif -#if defined(pipe) && open == binary_pipe -# undef pipe -#endif #include @@ -57,18 +54,6 @@ binary_open(const char *filename, int fl mode = va_arg(ap, mode_t); va_end(ap); return (open(filename, flags | O_BINARY, mode)); -} - -int -binary_pipe(int fd[2]) -{ - int ret = pipe(fd); - - if (!ret) { - setmode(fd[0], O_BINARY); - setmode(fd[1], O_BINARY); - } - return (ret); } int Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.12 diff -u -p -r1.12 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 8 Mar 2009 00:40:28 -0000 1.12 +++ openbsd-compat/bsd-cygwin_util.h 15 Aug 2011 10:59:57 -0000 @@ -1,7 +1,7 @@ /* $Id: bsd-cygwin_util.h,v 1.12 2009/03/08 00:40:28 dtucker Exp $ */ /* - * Copyright (c) 2000, 2001, Corinna Vinschen + * Copyright (c) 2000, 2001, 2011 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
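Review bot: the guard removed in the second hunk of bsd-cygwin_util.c, `#if defined(pipe) && open == binary_pipe`, compared `open` rather than `pipe` (contrast the `#if defined(open) && open == binary_open` line kept just above it), so it was a latent copy-and-paste slip that could never have matched the way the open guard does; deleting it together with binary_pipe() is the right fix. Since the copyright-year hunk is the only trace of why the code went, the commit message or ChangeLog should name the Cygwin version from which pipes are binary by default (this thread later gives 2008-07-18) so the removal stays auditable.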
@@ -41,13 +41,11 @@ #include int binary_open(const char *, int , ...); -int binary_pipe(int fd[2]); int check_ntsec(const char *); char **fetch_windows_environment(void); void free_windows_environment(char **); #define open binary_open -#define pipe binary_pipe #endif /* HAVE_CYGWIN */ Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From fredports at mufley.com Mon Aug 15 22:25:29 2011 
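Review bot: with `int binary_pipe(int fd[2]);` and `#define pipe binary_pipe` gone, the header still carries `#define open binary_open`, so it now rewrites open() but not pipe(); a one-line comment above the surviving define saying that pipes need no wrapper on supported Cygwin would stop the asymmetry reading as an oversight. Also worth a grep that nothing else under openbsd-compat/ calls binary_pipe() by its real name, since removing the prototype would turn such a call into an implicit declaration rather than a clean link error on every compiler.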
From: fredports at mufley.com (Frederico Costa (Ports))
Date: Mon, 15 Aug 2011 13:25:29 +0100
Subject: Call for testing: OpenSSH-5.9
In-Reply-To:
References:
Message-ID:

Hi there...

Just downloaded openssh-SNAP-20110815.tar.gz and run the usual

$ ./configure && make tests

And I get the usual "all tests passed", no errors reported.

I have run this on a FreeBSD 8.2 Release #0 amd64.

Regards

Fred

---
Frederico Costa
fredports at mufley.com

On Sun, 14 Aug 2011 10:30:10 +1000 (EST), Damien Miller wrote:
> Hi,
>
> OpenSSH 5.9 is almost ready for release, so we would appreciate
> testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the
> ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Features:
>
> * Introduce sandboxing of the pre-auth privsep child using a new
> sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
> mandatory restrictions on the syscalls the privsep child can
> perform.
> This intention is to prevent a compromised privsep child from > being > used to attack other hosts (by opening sockets and proxying) or > probing > local kernel attack surface. > > Three concrete sandbox implementation are provided (selected at > configure time): systrace, seatbelt and rlimit. > > The systrace sandbox uses systrace(4) in unsupervised "fast-path" > mode, where a list of permitted syscalls is supplied. Any syscall > not > on the list results in SIGKILL being sent to the privsep child. > Note > that this requires a kernel with the new SYSTR_POLICY_KILL option > (only OpenBSD has this mode at present). > > The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a > strict (kSBXProfilePureComputation) policy that disables access to > filesystem and network resources. > > The rlimit sandbox is a fallback choice for platforms that don't > support a better one; it uses setrlimit() to reset the hard-limit > of file descriptors and processes to zero, which should prevent > the privsep child from forking or opening new network connections. > > Sandboxing of the privilege separated child process will become > the > default in a future release. We'd also like to include native > sandboxes for other platforms. > > * Add new SHA256-based HMAC transport integrity modes from > http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt > These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, > and hmac-sha2-512-96, and are available by default in ssh(1) and > sshd(8) > > * The pre-authentication sshd(8) privilege separation slave process > now logs via a socket shared with the master process, avoiding the > need to maintain /dev/log inside the chroot. > > * ssh(1) now warns when a server refuses X11 forwarding > > * sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, > separated by space. 
The undocumented AuthorizedKeysFile2 option is > deprecated (though the default for AuthorizedKeysFile includes > .ssh/authorized_keys2) > > * sshd_config(5): similarly deprecate UserKnownHostsFile2 and > GlobalKnownHostsFile2 by making UserKnownHostsFile and > GlobalKnownHostsFile accept multiple options and default to > include > known_hosts2 > > * retain key comments when loading v.2 keys. These will be visible > in > "ssh-add -l" and other places. bz#439 > > * ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as > IPv4 ToS/DSCP). bz#1855 > > * ssh_config(5)'s ControlPath option now expands %L to the host > portion of the destination host name. > > * ssh_config(5) "Host" options now support negated Host matching, > e.g. > > Host *.example.org !c.example.org > User mekmitasdigoat > > Will match "a.example.org", "b.example.org", but not > "c.example.org" > > * ssh_config(5): a new RequestTTY option provides control over when > a > TTY is requested for a connection, similar to the existing > -t/-tt/-T > ssh(1) commandline options. > > * sshd(8): allow GSSAPI authentication to detect when a server-side > failure causes authentication failure and don't count such > failures > against MaxAuthTries; bz#1244 > > * ssh-keygen(1): Add -A option. For each of the key types (rsa1, > rsa, > dsa and ecdsa) for which host keys do not exist, generate the host > keys with the default key file path, an empty passphrase, default > bits for the key type, and default comment. This is useful for > system initialisation scripts. > > * ssh(1): Allow graceful shutdown of multiplexing: request that a > mux > server removes its listener socket and refuse future multiplexing > requests but don't kill existing connections. This may be > requested > using "ssh -O stop ..." > > * ssh-add(1) now accepts keys piped from standard input. E.g. 
> "ssh-add - < /path/to/key" > > * ssh-keysign(8) now signs hostbased authentication > challenges correctly using ECDSA keys; bz#1858 > > Portable OpenSSH Bugfixes: > > * Fix a compilation error in the SELinux support code. bz#1851 > > * This release removes support for ssh-rand-helper. OpenSSH now > obtains its random numbers directly from OpenSSL or from > a PRNGd/EGD instance specified at configure time. > > * sshd(8) now resets the SELinux process execution context before > executing passwd for password changes; bz#1891 > > * Since gcc >= 4.x ignores all -Wno-options options, test only the > corresponding -W-option when trying to determine whether it is > accepted. bz#1900, bz#1901 > selinux code. Patch from Leonardo Chiquitto > > * Add ECDSA key generation to the Cygwin ssh-{host,user}-config > scripts. > > Reporting Bugs: > =============== > > - Please read http://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, > Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice > and > Ben Lindstrom. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From nkadel at gmail.com Tue Aug 16 00:22:22 2011 
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Mon, 15 Aug 2011 10:22:22 -0400
Subject: Call for testing: OpenSSH-5.9
In-Reply-To: <20110815114137.GM4098@calimero.vinschen.de>
References: <20110815114137.GM4098@calimero.vinschen.de>
Message-ID:

On Mon, Aug 15, 2011 at 7:41 AM, Corinna Vinschen wrote:
> While I was at it, it occurred to me that there's another piece of
> Cygwin-specific code which can go away. Pipes are always created as
> binary pipes for quite some time now. There's no supported version of
> Cygwin left which allowed to create textmode pipes. Therefore, the
> binary_pipe code can go away. Here's the patch:

How long have CygWin pipes always been created as binary?

From andyb1 at andy-t.org Tue Aug 16 01:38:35 2011
From: andyb1 at andy-t.org (Andy Tsouladze)
Date: Mon, 15 Aug 2011 10:38:35 -0500 (CDT)
Subject: Call for testing: OpenSSH-5.9
In-Reply-To:
References:
Message-ID:

Compiled SNAP-20110816 on
x86 slackware-13.0.0
x86 slackware-13.37.0
x86_64 slackware-13.37.0

Default configuration results in sandbox=rlimit, and with this option, all tests work on both versions of slackware. I also compiled it with --with-sandbox=no, with no problems.

Now for the problems.

1. ./configure --help

--with-ipaddr-display Use ip address instead of hostname in \$DISPLAY
--with-default-path= Specify default \$PATH environment for server

Is there a reason to escape dollar signs here?

2. ./configure --help

--with-sandbox=style Specify privilege separation sandbox (no, rlimit, systrace)

This is different from option stated in the mail (systrace, seatbelt and rlimit), and may be misleading.

> Three concrete sandbox implementations are provided (selected at
> configure time): systrace, seatbelt and rlimit.

3. I did try, just out of curiosity, to configure with --with-sandbox=seatbelt option, and got the following error:

configure: error: unsupported -with-sandbox

There is a typo here (-with as opposed to --with) and (probably) user-supplied option is omitted.

4. Attempt to run `./configure --with-sandbox=systrace' succeeds, but compilation of sandbox-systrace.c fails as follows (on slackware-13.37.0 x86 and x86_64):

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -I. -I.
-DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sandbox-systrace.c sandbox-systrace.c:28:26: fatal error: dev/systrace.h: No such file or directory compilation terminated. make: *** [sandbox-systrace.o] Error 1 It is true that my machine does not have systrace.h header file, but maybe this should be caught at configuration time? On slackware-13.0.0, compilation also fails but in a somewhat different manner: gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -std=gnu99 -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sandbox-systrace.c sandbox-systrace.c:28:26: error: dev/systrace.h: No such file or directory sandbox-systrace.c:51: error: 'SYSTR_POLICY_NEVER' undeclared here (not in a function) sandbox-systrace.c:53: error: 'SYS___sysctl' undeclared here (not in a function) sandbox-systrace.c:53: error: 'SYSTR_POLICY_PERMIT' undeclared here (not in a function) sandbox-systrace.c: In function 'ssh_sandbox_parent': sandbox-systrace.c:118: error: storage size of 'policy' isn't known sandbox-systrace.c:132: error: 'STRIOCCLONE' undeclared (first use in this function) sandbox-systrace.c:132: error: (Each undeclared identifier is reported only once 
sandbox-systrace.c:132: error: for each function it appears in.) sandbox-systrace.c:132: warning: passing argument 2 of 'ioctl' makes integer from pointer without a cast sandbox-systrace.c:137: error: 'STRIOCATTACH' undeclared (first use in this function) sandbox-systrace.c:137: warning: passing argument 2 of 'ioctl' makes integer from pointer without a cast sandbox-systrace.c:142: warning: passing argument 2 of 'bzero' makes integer from pointer without a cast sandbox-systrace.c:143: error: request for member 'strp_op' in something not a structure or union sandbox-systrace.c:143: error: 'SYSTR_POLICY_NEW' undeclared (first use in this function) sandbox-systrace.c:143: warning: statement with no effect sandbox-systrace.c:144: error: request for member 'strp_maxents' in something not a structure or union sandbox-systrace.c:144: error: 'SYS_MAXSYSCALL' undeclared (first use in this function) sandbox-systrace.c:144: warning: statement with no effect sandbox-systrace.c:145: error: 'STRIOCPOLICY' undeclared (first use in this function) sandbox-systrace.c:145: warning: passing argument 2 of 'ioctl' makes integer from pointer without a cast sandbox-systrace.c:149: error: request for member 'strp_op' in something not a structure or union sandbox-systrace.c:149: error: 'SYSTR_POLICY_ASSIGN' undeclared (first use in this function) sandbox-systrace.c:149: warning: statement with no effect sandbox-systrace.c:150: error: request for member 'strp_pid' in something not a structure or union sandbox-systrace.c:150: warning: statement with no effect sandbox-systrace.c:151: warning: passing argument 2 of 'ioctl' makes integer from pointer without a cast sandbox-systrace.c:156: warning: comparison between pointer and integer sandbox-systrace.c:164: error: request for member 'strp_op' in something not a structure or union sandbox-systrace.c:164: error: 'SYSTR_POLICY_MODIFY' undeclared (first use in this function) sandbox-systrace.c:164: warning: statement with no effect 
sandbox-systrace.c:165: error: request for member 'strp_code' in something not a structure or union
sandbox-systrace.c:165: warning: statement with no effect
sandbox-systrace.c:166: error: request for member 'strp_policy' in something not a structure or union
sandbox-systrace.c:167: error: 'SYSTR_POLICY_KILL' undeclared (first use in this function)
sandbox-systrace.c:167: warning: pointer/integer type mismatch in conditional expression
sandbox-systrace.c:167: warning: statement with no effect
sandbox-systrace.c:170: warning: passing argument 2 of 'ioctl' makes integer from pointer without a cast
sandbox-systrace.c:118: warning: unused variable 'policy'
make: *** [sandbox-systrace.o] Error 1

Regards,
Andy

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

From vinschen at redhat.com Tue Aug 16 01:49:31 2011
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 15 Aug 2011 17:49:31 +0200
Subject: Call for testing: OpenSSH-5.9
In-Reply-To:
References: <20110815114137.GM4098@calimero.vinschen.de>
Message-ID: <20110815154931.GA28052@calimero.vinschen.de>

On Aug 15 10:22, Nico Kadel-Garcia wrote:
> On Mon, Aug 15, 2011 at 7:41 AM, Corinna Vinschen wrote:
>
> > While I was at it, it occurred to me that there's another piece of
> > Cygwin-specific code which can go away. Pipes are always created as
> > binary pipes for quite some time now. There's no supported version of
> > Cygwin left which allowed to create textmode pipes. Therefore, the
> > binary_pipe code can go away. Here's the patch:
>
> How long have CygWin pipes always been created as binary?

Since 2008-07-18.

Btw., it's Cygwin, not CygWin. Please note the lowercase 'w'.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From bisson at archlinux.org Tue Aug 16 16:26:51 2011
From: bisson at archlinux.org (Gaetan Bisson)
Date: Mon, 15 Aug 2011 23:26:51 -0700
Subject: Call for testing: OpenSSH-5.9
In-Reply-To:
References:
Message-ID: <20110816062651.GB4024@aji.vesath.org>

[2011-08-14 00:30:10 -0000] Damien Miller:
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.

It looks like ssh-copy-id misses a backslash on line 28:

GET_ID="cat "${ID_FILE}\""

should be:

GET_ID="cat \"${ID_FILE}\""

Apart from that, I detected no issue on an up-to-date Arch Linux x86_64 system; everything works as expected.

Cheers.

--
Gaetan

From suryasantu at gmail.com Wed Aug 17 01:51:55 2011
From: suryasantu at gmail.com (Surya Santosh)
Date: Tue, 16 Aug 2011 21:21:55 +0530
Subject: MaxSessions option in sshd_config
Message-ID:

Hi,

I need information regarding MaxSessions option in sshd_config. As I understand, it defines the maximum number of channels that can be opened at any point of time between two hosts that are connected over SSH. The default value for this option is 10 in openSSH. What all needs to be considered if I want to increase this value? Are there any security concerns with increase of this value or does memory usage of SSHD increase? Please help.

--
Thanks in Advance,
Surya

From djm at mindrot.org Wed Aug 17 10:20:11 2011
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Aug 2011 10:20:11 +1000 (EST)
Subject: MaxSessions option in sshd_config

On Tue, 16 Aug 2011, Surya Santosh wrote:

> Hi,
>
> I need information regarding MaxSessions option in sshd_config. As
> I understand, it defines the maximum number of channels that can be
> opened at any point of time between two hosts that are connected over
> SSH. The default value for this option is 10 in OpenSSH. What all
> needs to be considered if I want to increase this value? Are there any
> security concerns with increase of this value or does memory usage of
> SSHD increase? Please help.

I'm not aware of any security considerations, but if you increase the
limit too far then you might run out of file descriptors in the sshd
that is serving the connection. sshd tries to do the right thing in
this case, but it might cause the whole connection to terminate if it
gets it wrong.

Each session may use up to five fds, and you will need a handful more
file descriptors for the network connection and housekeeping. Also
remember that each port-, X11 and agent forwarding session requires at
least two more.

-d

From djm at mindrot.org Wed Aug 17 11:31:35 2011
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Aug 2011 11:31:35 +1000 (EST)
Subject: Call for testing: OpenSSH-5.9
In-Reply-To: <20110815114137.GM4098@calimero.vinschen.de>
References: <20110815114137.GM4098@calimero.vinschen.de>

On Mon, 15 Aug 2011, Corinna Vinschen wrote:

> While I was at it, it occurred to me that there's another piece of
> Cygwin-specific code which can go away. Pipes are always created as
> binary pipes for quite some time now. There's no supported version of
> Cygwin left which allowed to create textmode pipes. Therefore, the
> binary_pipe code can go away. Here's the patch:

Applied - thanks

From djm at mindrot.org Wed Aug 17 12:00:34 2011
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Aug 2011 12:00:34 +1000 (EST)
Subject: Call for testing: OpenSSH-5.9

On Mon, 15 Aug 2011, Andy Tsouladze wrote:

Thanks for the feedback!

> Compiled SNAP-20110816 on
> x86 slackware-13.0.0
> x86 slackware-13.37.0
> x86_64 slackware-13.37.0
>
> Default configuration results in sandbox=rlimit, and with this option, all
> tests work on both versions of slackware. I also compiled it with
> --with-sandbox=no, with no problems.
>
> Now for the problems.
>
> 1. ./configure --help
>
> --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY
> --with-default-path= Specify default \$PATH environment for server
>
> Is there a reason to escape dollar signs here?

I think this was needed for earlier autoconf versions. I think we should
leave it for now as the slight ugliness must be balanced against not
breaking people who patch configure.ac and rebuild with an older autoconf
version.

> 2. ./configure --help
>
> --with-sandbox=style Specify privilege separation sandbox (no, rlimit,
> systrace)
>
> This is different from option stated in the mail (systrace, seatbelt and
> rlimit), and may be misleading.

The darwin (seatbelt) sandbox was missing from this list. I'll add it.

> > Three concrete sandbox implementations are provided (selected at
> > configure time): systrace, seatbelt and rlimit.
>
> 3. I did try, just out of curiosity, to configure with --with-sandbox=seatbelt
> option, and got the following error:
>
> configure: error: unsupported -with-sandbox
>
> There is a typo here (-with as opposed to --with) and (probably) user-supplied
> option is omitted.
>
> 4. Attempt to run `./configure --with-sandbox=systrace' succeeds, but
> compilation of sandbox-systrace.c fails as follows (on slackware-13.37.0 x86
> and x86_64):
>
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
> -fno-builtin-memset -fstack-protector-all -I. -I. -DSSHDIR=\"/usr/local/etc\"
> -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
> -DHAVE_CONFIG_H -c sandbox-systrace.c
> sandbox-systrace.c:28:26: fatal error: dev/systrace.h: No such file or
> directory
> compilation terminated.
> make: *** [sandbox-systrace.o] Error 1
>
> It is true that my machine does not have systrace.h header file, but maybe
> this should be caught at configuration time?

fixed

From djm at mindrot.org Wed Aug 17 12:01:57 2011
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Aug 2011 12:01:57 +1000 (EST)
Subject: Call for testing: OpenSSH-5.9
In-Reply-To: <20110816062651.GB4024@aji.vesath.org>
References: <20110816062651.GB4024@aji.vesath.org>

fixed - thanks!

On Mon, 15 Aug 2011, Gaetan Bisson wrote:

> [2011-08-14 00:30:10 -0000] Damien Miller:
> > Live testing on suitable non-production systems is also
> > appreciated. Please send reports of success or failure to
> > openssh-unix-dev at mindrot.org.
>
> It looks like ssh-copy-id misses a backslash on line 28:
>
> GET_ID="cat "${ID_FILE}\""
>
> should be:
>
> GET_ID="cat \"${ID_FILE}\""
>
> Apart from that, I detected no issue on an up-to-date Arch Linux x86_64
> system; everything works as expected.
>
> Cheers.
>
> --
> Gaetan

From loganaden at gmail.com Wed Aug 17 21:11:05 2011
From: loganaden at gmail.com (Loganaden Velvindron)
Date: Wed, 17 Aug 2011 15:11:05 +0400
Subject: openssh-unix-dev Digest, Vol 100, Issue 3

Works on my netbsd tinkerbox.

NetBSD 5.0.2
NetBSD 5.0.2 (GENERIC)

It uses rlimit.

Privsep sandbox style: rlimit

I also get warnings during make.

fmt_scaled.c: In function 'scan_scaled':
fmt_scaled.c:84: warning: array subscript has type 'char'
fmt_scaled.c:111: warning: array subscript has type 'char'
fmt_scaled.c:155: warning: array subscript has type 'char'
fmt_scaled.c:158: warning: array subscript has type 'char'
readpassphrase.c: In function 'readpassphrase':
readpassphrase.c:134: warning: array subscript has type 'char'
readpassphrase.c:136: warning: array subscript has type 'char'
readpassphrase.c:138: warning: array subscript has type 'char'
/usr/bin/ar: creating libopenbsd-compat.a
canohost.c: In function 'get_remote_hostname':
canohost.c:107: warning: array subscript has type 'char'
canohost.c:108: warning: array subscript has type 'char'
match.c: In function 'match_pattern_list':
match.c:143: warning: array subscript has type 'char'
match.c:144: warning: array subscript has type 'char'
/usr/bin/ar: creating libssh.a
ssh.c: In function 'main':
ssh.c:760: warning: array subscript has type 'char'
ssh.c:761: warning: array subscript has type 'char'

If you need any more info, let me know.

//Logan
C-x-C-c

On Sun, Aug 14, 2011 at 4:30 AM, wrote:
> > > Today's Topics: > > 1. Re: openssh PTY allocation (Gert Doering) > 2. Typo in sftp.1 manpage (Laurent GAUTROT) > 3. Re: Typo in sftp.1 manpage (Darren Tucker) > 4. Re: Typo in a manpage (Darren Tucker) > 5. configure bug for HAVE_RES_EXTERN check (FELLIN, JEFFREY K (JEFF)) > 6. Re: openssh PTY allocation (Morty Abzug) > 7. Re: openssh PTY allocation (Damien Miller) > 8. Re: openssh PTY allocation (Morty Abzug) > 9. Call for testing: OpenSSH-5.9 (Damien Miller) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 6 Aug 2011 10:47:07 +0200 > From: Gert Doering > To: Damien Miller > Cc: Morty Abzug , Gert Doering > , openssh-unix-dev at mindrot.org > Subject: Re: openssh PTY allocation > Message-ID: <20110806084707.GL8496 at greenie.muc.de> > Content-Type: text/plain; charset=us-ascii > > Hi, > > On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote: > > FYI here is a diff that installs workarounds for all of the problems > > with ScreenOS that I'm aware of. These are: > > > > - PTY allocation > > - scp -- thing > > - keepalives killing the connection > > - multiplexing requests killing the connection > > > > Not sure whether I want to commit these. > > As a pure user, not speaking for the developers, but having to SSH (and > SCP!) to Netscreens regularily - these look quite reasonable to me, and > I'd like to see something like this in the general code base. > > (Otherwise I'm happy that you have provided the patch and will use that > to patch our local ssh installation) > > gert > -- > USENET is *not* the non-clickable part of WWW! > // > www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > > > ------------------------------ > > Message: 2 > Date: Sun, 07 Aug 2011 14:39:53 +0200 
> From: Laurent GAUTROT > To: > Subject: Typo in sftp.1 manpage > Message-ID: <7c4c2e4312e3ba2c74fe1d0418bb9c23 at mail.gautrot.org> > Content-Type: text/plain; charset=UTF-8; format=flowed > > Hello, > > Just found a typo in sftp.1 manpage: > > s/ether/either/ > > Regards > > -- > ^L. > > > ------------------------------ > > Message: 3 > Date: Sun, 7 Aug 2011 22:55:54 +1000 > From: Darren Tucker > To: Laurent GAUTROT > Cc: openssh-unix-dev at mindrot.org > Subject: Re: Typo in sftp.1 manpage > Message-ID: > > > Content-Type: text/plain; charset=ISO-8859-1 > > On Sun, Aug 7, 2011 at 10:39 PM, Laurent GAUTROT > wrote: > > Hello, > > > > Just found a typo in sftp.1 manpage: > > > > s/ether/either/ > > Applies, thanks. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4? 37C9 C982 80C7 8FF4 FA69 > ? ? Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > > ------------------------------ > > Message: 4 > Date: Sun, 7 Aug 2011 23:03:55 +1000 > From: Darren Tucker > To: Laurent GAUTROT > Cc: openssh-unix-dev at mindrot.org > Subject: Re: Typo in a manpage > Message-ID: > > > Content-Type: text/plain; charset=ISO-8859-1 > > On Sat, Aug 6, 2011 at 3:03 AM, Laurent GAUTROT wrote: > > There's a typo in moduli.5 manpage. > > s/primaility/primality/ > > Thanks, this had previously been fixed on openbsd's page[1], we'll > pull those changes in. > > [1] > http://www.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/moduli.5.diff?r1=1.12;r2=1.13;f=h > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4? 37C9 C982 80C7 8FF4 FA69 > ? ? Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > > ------------------------------ > > Message: 5 > Date: Mon, 8 Aug 2011 14:17:37 -0400 
> From: "FELLIN, JEFFREY K (JEFF)" > To: "openssh-unix-dev at mindrot.org" > Subject: configure bug for HAVE_RES_EXTERN check > Message-ID: > < > DE13570BD8A23F4FA2139E596105E040DBDA8F2D9D at njfpsrvexg1.research.att.com> > > Content-Type: text/plain; charset="us-ascii" > > The code used in configure.ac to check for struct __res_state _res is an > extern, can fail. I'm porting the code to UWIN, (Unix on Windows, available > at http://www2.research.att.com/~gsf/download) using Microsoft Visual > Studio for the cc compiler. The code in lines 3483 - 3491 should include a > reference to _res, to verify the compiler doesn't ignore non-referenced > variables. > > I suggest line 3491 should be changed from: > Int main() { return 0; } > To > Int main() { _res.retrans=0; return 0; } > > Thank you for your consideration. > > Jeff Fellin > > > ------------------------------ > > Message: 6 > Date: Mon, 8 Aug 2011 18:30:17 -0400 
> From: Morty Abzug > To: Damien Miller > Cc: Gert Doering , openssh-unix-dev at mindrot.org > Subject: Re: openssh PTY allocation > Message-ID: <20110808223017.GD6596 at red-sonja> > Content-Type: text/plain; charset=us-ascii > > On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote: > > FYI here is a diff that installs workarounds for all of the problems > > with ScreenOS that I'm aware of. These are: > > > > - PTY allocation > > - scp -- thing > > - keepalives killing the connection > > - multiplexing requests killing the connection > > Thanks for the patch. In my testing, it has the following issues: > > (1) ssh still doesn't work for some of our devices. I think this is > because the ttymodes.c portion of your patch has "256" when it should > be "128". > > (2) scp didn't actually work to any of my test netscreens for scp > $device:ns_sys_config /tmp. I tried scp -v $device:ns_sys_config /tmp > to see what the command was. I got: > > debug1: Sending command: scp -v -f -- ns_sys_config > > As you can see, "--" is still there. > > - Morty > > > ------------------------------ > > Message: 7 > Date: Tue, 9 Aug 2011 16:17:05 +1000 (EST) 
> From: Damien Miller > To: Morty Abzug > Cc: Gert Doering , openssh-unix-dev at mindrot.org > Subject: Re: openssh PTY allocation > Message-ID: > Content-Type: TEXT/PLAIN; charset=US-ASCII > > On Mon, 8 Aug 2011, Morty Abzug wrote: > > > On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote: > > > FYI here is a diff that installs workarounds for all of the problems > > > with ScreenOS that I'm aware of. These are: > > > > > > - PTY allocation > > > - scp -- thing > > > - keepalives killing the connection > > > - multiplexing requests killing the connection > > > > Thanks for the patch. In my testing, it has the following issues: > > > > (1) ssh still doesn't work for some of our devices. I think this is > > because the ttymodes.c portion of your patch has "256" when it should > > be "128". > > Even if I do commit something like this diff (which is not guaranteed), > it certainly won't truncate the ttymodes at 128 bytes - fixed versions > of ScreenOS already exist for this problem and chopping so much off is > likely to leave a messed up TTY anyway. > > > (2) scp didn't actually work to any of my test netscreens for scp > > $device:ns_sys_config /tmp. I tried scp -v $device:ns_sys_config /tmp > > to see what the command was. I got: > > > > debug1: Sending command: scp -v -f -- ns_sys_config > > > > As you can see, "--" is still there. > > oops, I missed a case: > > Index: scp.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/scp.c,v > retrieving revision 1.170 > diff -u -p -r1.170 scp.c > --- scp.c 9 Dec 2010 14:13:33 -0000 1.170 > +++ scp.c 9 Aug 2011 06:10:08 -0000 
> @@ -580,12 +580,14 @@ toremote(char *targ, int argc, char **ar > host = cleanhostname(argv[i]); > suser = NULL; > } > - xasprintf(&bp, "%s -f -- %s", cmd, src); > + xasprintf(&bp, "%s -f %s%s", cmd, > + *src == '-' ? "-- " : "", src); > if (do_cmd(host, suser, bp, &remin, &remout) < 0) > exit(1); > (void) xfree(bp); > host = cleanhostname(thost); > - xasprintf(&bp, "%s -t -- %s", cmd, targ); > + xasprintf(&bp, "%s -t %s%s", cmd, > + *targ == '-' ? "-- " : "", targ); > if (do_cmd2(host, tuser, bp, remin, remout) < 0) > exit(1); > (void) xfree(bp); > @@ -631,7 +633,8 @@ toremote(char *targ, int argc, char **ar > errs = 1; > } else { /* local to remote */ > if (remin == -1) { > - xasprintf(&bp, "%s -t -- %s", cmd, targ); > + xasprintf(&bp, "%s -t %s%s", cmd, > + *targ == '-' ? "-- " : "", targ); > host = cleanhostname(thost); > if (do_cmd(host, tuser, bp, &remin, > &remout) < 0) > @@ -664,7 +667,8 @@ tolocal(int argc, char **argv) > addargs(&alist, "-r"); > if (pflag) > addargs(&alist, "-p"); > - addargs(&alist, "--"); > + if (*(argv[i]) == '-' || *(argv[argc-1]) == '-') > + addargs(&alist, "--"); > addargs(&alist, "%s", argv[i]); > addargs(&alist, "%s", argv[argc-1]); > if (do_local_cmd(&alist)) > @@ -684,7 +688,8 @@ tolocal(int argc, char **argv) > suser = pwd->pw_name; > } > host = cleanhostname(host); > - xasprintf(&bp, "%s -f -- %s", cmd, src); > + xasprintf(&bp, "%s -f %s%s", > + cmd, *src == '-' ? "-- " : "", src); > if (do_cmd(host, suser, bp, &remin, &remout) < 0) { > (void) xfree(bp); > ++errs; > > > ------------------------------ > > Message: 8 > Date: Tue, 9 Aug 2011 20:50:50 -0400 
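Review bot: in the first hunk (toremote, around line 580) the `--` that used to precede every remote path is now emitted only when `*src` / `*targ` is `-`, and nothing in the hunk records why it became conditional (the ScreenOS scp incompatibility discussed in this thread), so a later reader may read the `"-- "` as an optional nicety and drop it, reopening the case where a remote path starting with `-` is parsed as an scp option. A one-line comment such as `/* "--" only where needed; some servers (ScreenOS) reject it */` would fix that, and since the same `*x == '-' ? "-- " : ""` expression is repeated in the three hunks below, a small helper that formats `cmd`, the optional terminator and the path would keep the four copies from drifting apart.

Review bot: the third hunk (tolocal, around line 667) changes the local `cp` invocation built with `addargs`/`do_local_cmd`, but the compatibility problem this diff works around is with the remote scp on ScreenOS, not with the local cp; the unconditional `addargs(&alist, "--");` could stay as it was, keeping the option terminator in front of every local path without depending on the two first-character checks on `argv[i]` and `argv[argc-1]`. If it is kept conditional, a comment should say that the local case is changed only for consistency, since those two arguments are the only paths passed here and the check is otherwise correct.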
> From: Morty Abzug > To: Damien Miller > Cc: Gert Doering , openssh-unix-dev at mindrot.org > Subject: Re: openssh PTY allocation > Message-ID: <20110810005050.GG6596 at red-sonja> > Content-Type: text/plain; charset=us-ascii > > On Tue, Aug 09, 2011 at 04:17:05PM +1000, Damien Miller wrote: > > > Even if I do commit something like this diff (which is not > > guaranteed), it certainly won't truncate the ttymodes at 128 bytes - > > fixed versions of ScreenOS already exist for this problem and > > chopping so much off is likely to leave a messed up TTY anyway. > > In my testing, setting the threshold to 128 didn't cause any TTY > problems in practice. A lot of the older versions are in the field. > Is there any chance that you could set the number to 128? > > > > As you can see, "--" is still there. > > > oops, I missed a case: > > Thanks! > > - Morty > > > ------------------------------ > > Message: 9 > Date: Sun, 14 Aug 2011 10:30:10 +1000 (EST) 
> From: Damien Miller > To: openssh-unix-dev at mindrot.org > Subject: Call for testing: OpenSSH-5.9 > Message-ID: > Content-Type: TEXT/PLAIN; charset=US-ASCII > > Hi, > > OpenSSH 5.9 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This release contains a > couple of new features and changes and bug fixes. Testing of the new > sandboxed privilege separation mode (see below) would be particularly > appreciated. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs or > via Mercurial at http://hg.mindrot.org/openssh > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the ChangeLog > in the portable OpenSSH tarballs. > > Thanks to the many people who contributed to this release. > > ------------------------------- > > Features: > > * Introduce sandboxing of the pre-auth privsep child using a new > sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables > mandatory restrictions on the syscalls the privsep child can perform. > This intention is to prevent a compromised privsep child from being > used to attack other hosts (by opening sockets and proxying) or probing > local kernel attack surface. > > Three concrete sandbox implementation are provided (selected at > configure time): systrace, seatbelt and rlimit. > > The systrace sandbox uses systrace(4) in unsupervised "fast-path" > mode, where a list of permitted syscalls is supplied. 
Any syscall not > on the list results in SIGKILL being sent to the privsep child. Note > that this requires a kernel with the new SYSTR_POLICY_KILL option > (only OpenBSD has this mode at present). > > The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a > strict (kSBXProfilePureComputation) policy that disables access to > filesystem and network resources. > > The rlimit sandbox is a fallback choice for platforms that don't > support a better one; it uses setrlimit() to reset the hard-limit > of file descriptors and processes to zero, which should prevent > the privsep child from forking or opening new network connections. > > Sandboxing of the privilege separated child process will become the > default in a future release. We'd also like to include native > sandboxes for other platforms. > > * Add new SHA256-based HMAC transport integrity modes from > http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt > These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, > and hmac-sha2-512-96, and are available by default in ssh(1) and > sshd(8) > > * The pre-authentication sshd(8) privilege separation slave process > now logs via a socket shared with the master process, avoiding the > need to maintain /dev/log inside the chroot. > > * ssh(1) now warns when a server refuses X11 forwarding > > * sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, > separated by space. The undocumented AuthorizedKeysFile2 option is > deprecated (though the default for AuthorizedKeysFile includes > .ssh/authorized_keys2) > > * sshd_config(5): similarly deprecate UserKnownHostsFile2 and > GlobalKnownHostsFile2 by making UserKnownHostsFile and > GlobalKnownHostsFile accept multiple options and default to include > known_hosts2 > > * retain key comments when loading v.2 keys. These will be visible in > "ssh-add -l" and other places. bz#439 > > * ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as > IPv4 ToS/DSCP). 
bz#1855 > > * ssh_config(5)'s ControlPath option now expands %L to the host > portion of the destination host name. > > * ssh_config(5) "Host" options now support negated Host matching, e.g. > > Host *.example.org !c.example.org > User mekmitasdigoat > > Will match "a.example.org", "b.example.org", but not "c.example.org" > > * ssh_config(5): a new RequestTTY option provides control over when a > TTY is requested for a connection, similar to the existing -t/-tt/-T > ssh(1) commandline options. > > * sshd(8): allow GSSAPI authentication to detect when a server-side > failure causes authentication failure and don't count such failures > against MaxAuthTries; bz#1244 > > * ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa, > dsa and ecdsa) for which host keys do not exist, generate the host > keys with the default key file path, an empty passphrase, default > bits for the key type, and default comment. This is useful for > system initialisation scripts. > > * ssh(1): Allow graceful shutdown of multiplexing: request that a mux > server removes its listener socket and refuse future multiplexing > requests but don't kill existing connections. This may be requested > using "ssh -O stop ..." > > * ssh-add(1) now accepts keys piped from standard input. E.g. > "ssh-add - < /path/to/key" > > * ssh-keysign(8) now signs hostbased authentication > challenges correctly using ECDSA keys; bz#1858 > > Portable OpenSSH Bugfixes: > > * Fix a compilation error in the SELinux support code. bz#1851 > > * This release removes support for ssh-rand-helper. OpenSSH now > obtains its random numbers directly from OpenSSL or from > a PRNGd/EGD instance specified at configure time. > > * sshd(8) now resets the SELinux process execution context before > executing passwd for password changes; bz#1891 > > * Since gcc >= 4.x ignores all -Wno-options options, test only the > corresponding -W-option when trying to determine whether it is > accepted. bz#1900, bz#1901 > selinux code. 
> Patch from Leonardo Chiquitto
>
> * Add ECDSA key generation to the Cygwin ssh-{host,user}-config
> scripts.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
>
> ------------------------------
>
> End of openssh-unix-dev Digest, Vol 100, Issue 3
> ************************************************

--
`` Real men run current !''

From apb at cequrux.com Thu Aug 18 04:09:36 2011
From: apb at cequrux.com (Alan Barrett)
Date: Wed, 17 Aug 2011 20:09:36 +0200
Subject: openssh-unix-dev Digest, Vol 100, Issue 3
Message-ID: <20110817180936.GB1542@apb-laptoy.apb.alt.za>

On Wed, 17 Aug 2011, Loganaden Velvindron wrote:
>I also get warnings during make.
>
>fmt_scaled.c: In function 'scan_scaled':
>fmt_scaled.c:84: warning: array subscript has type 'char'

This warning, along with many others like it, is due to calling the
ctype(3) functions with a (char) argument. You should cast to (unsigned
char). I sent a patch relative to an openssh-5.6 prerelease on 12 August
2010, but it was ignored.

--apb (Alan Barrett)

From kevin.brott at gmail.com Thu Aug 18 06:06:41 2011
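The cast Alan Barrett recommends, shown in an added example that is not OpenSSH code: a scan_scaled()-style size parser ("10K", "2M") in which every ctype(3) call receives its byte as an unsigned char, so a byte above 0x7F is classified instead of being passed as a negative int. The function names parse_scaled and scaled_value are my own.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>

/*
 * Parse a decimal number with an optional K/M/G suffix (case-insensitive)
 * and surrounding whitespace into a byte count. Walking the string through
 * an unsigned char pointer is equivalent to writing isspace((unsigned char)c)
 * at every call: plain char is signed on most platforms, so a byte such as
 * 0xE9 would otherwise reach isspace()/isdigit() as -23, which is undefined
 * behaviour (glibc indexes its classification table with the value). That is
 * exactly what the "array subscript has type 'char'" warnings point at.
 *
 * Returns 0 and stores the result in *out on success, -1 on malformed input
 * or arithmetic overflow.
 */
int parse_scaled(const char *s, long long *out)
{
	const unsigned char *p = (const unsigned char *)s;
	long long value = 0;
	long long scale = 1;

	while (isspace(*p))
		p++;
	if (!isdigit(*p))
		return -1;		/* empty, or no leading digit */
	while (isdigit(*p)) {
		int d = *p - '0';
		if (value > (LLONG_MAX - d) / 10)
			return -1;	/* value * 10 + d would overflow */
		value = value * 10 + d;
		p++;
	}
	switch (toupper(*p)) {
	case '\0':
		break;
	case 'K':
		scale = 1LL << 10; p++; break;
	case 'M':
		scale = 1LL << 20; p++; break;
	case 'G':
		scale = 1LL << 30; p++; break;
	default:
		/* Any other byte, including >= 0x80, is safely rejected here. */
		return -1;
	}
	while (isspace(*p))
		p++;
	if (*p != '\0')
		return -1;		/* trailing garbage after the suffix */
	if (value != 0 && scale > LLONG_MAX / value)
		return -1;		/* value * scale would overflow */
	*out = value * scale;
	return 0;
}

/* Convenience wrapper: the parsed byte count, or -1 if the input is invalid. */
long long scaled_value(const char *s)
{
	long long v;

	return parse_scaled(s, &v) == 0 ? v : -1;
}
```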
From: kevin.brott at gmail.com (Kevin Brott)
Date: Wed, 17 Aug 2011 13:06:41 -0700
Subject: Call for testing: OpenSSH-5.9

Using openssh-SNAP-20110818.tar.gz
./configure && make tests

OS              Build_Target                 CC                 OpenSSL            BUILD  TEST
==============  ===========================  =================  =================  =====  ======================
RH 6.2          i686-pc-linux-gnu            egcs 2.91.66       0.9.8j             YES    all tests passed
RH 8.0          i686-pc-linux-gnu            gcc 3.2.2-5        0.9.7a             YES    all tests passed
RHEL 2.1        i686-pc-linux-gnu            gcc 2.96-116.7.2   0.9.6b             YES    all tests passed
RHEL 3.0 tu6    i686-pc-linux-gnu            gcc 3.2.3-53       0.9.7a             YES    all tests passed
RHEL 4.0 tu6    i686-pc-linux-gnu            gcc 3.4.6          0.9.7a             YES    all tests passed
RHEL 4.0 nu8    x86_64-unknown-linux-gnu     gcc 3.4.6-8        0.9.7a             YES    all tests passed
RHEL 4.0 nu7    powerpc64-unknown-linux-gnu  gcc 3.4.6          0.9.7a             YES    all tests passed
RHEL 5.1        x86_64-redhat-linux          gcc 4.1.2-14       0.9.8b             YES    all tests passed
RHEL 5.3        x86_64-redhat-linux          gcc 4.1.2-44       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 5.4        i686-pc-linux-gnu            gcc 4.1.2-46       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 5.4        x86_64-redhat-linux          gcc 4.1.2-46       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 5.5        i686-pc-linux-gnu            gcc 4.1.2-48       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 5.5        x86_64-redhat-linux          gcc 4.1.2-48       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 5.6        i686-pc-linux-gnu            gcc 4.1.2-50       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 5.6        x86_64-redhat-linux          gcc 4.1.2-50       0.9.8e-fips-rhel5  YES    all tests passed
RHEL 6.x        x86_64-unknown-linux-gnu     gcc 4.4.4          1.0.0d             YES    all tests passed
Fedora Core r2  i686-pc-linux-gnu            gcc 3.3.3-7        0.9.7a             YES    all tests passed
Ubuntu 8.04     i686-pc-linux-gnu            gcc 4.2.4-1ubuntu4 0.9.8g             YES    all tests passed
Ubuntu 10.10    x86_64-linux-gnu             gcc 4.4.4-14ubuntu5 0.9.8o            YES    all tests passed
AIX 5200-10-04  powerpc-ibm-aix5.2.0.0       gcc 3.3.2          0.9.8f             YES    all tests passed
AIX 5300-07-02  powerpc-ibm-aix5.3.0.0       gcc 4.2.0          0.9.8k             YES    all tests passed
AIX 6100-04-06  powerpc-ibm-aix6.1.0.0       gcc 4.2.0          0.9.8k             YES    all tests passed
AIX 7100-00-03  powerpc-ibm-aix7.1.0.0       xlc 11.1.0.6       0.9.8m             YES    all tests passed
HP-UX 11.11     hppa2.0w-hp-hpux11.11        gcc 3.4.3          0.9.7m             YES    privsep FAIL 1*
HP-UX 11.23     ia64-hp-hpux11.23            gcc 4.1.1          0.9.8o             YES    privsep FAIL 1*
HP-UX 11.31     ia64-hp-hpux11.31            gcc 4.3.3          0.9.8n             YES    privsep FAIL 1*
HP-UX 11.31     ia64-hp-hpux11.31            C/aC++ A.06.20     0.9.8n             YES    privsep FAIL 1*

*1 - all HPUX builds failed 'make tests' at the same point:

run test connect-privsep.sh ...
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 failed
failed proxy connect with privsep
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

--
# include /* Kevin Brott */

From djm at mindrot.org Thu Aug 18 11:56:52 2011
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Aug 2011 11:56:52 +1000 (EST)
Subject: openssh-unix-dev Digest, Vol 100, Issue 3
In-Reply-To: <20110817180936.GB1542@apb-laptoy.apb.alt.za>
References: <20110817180936.GB1542@apb-laptoy.apb.alt.za>

On Wed, 17 Aug 2011, Alan Barrett wrote:

> On Wed, 17 Aug 2011, Loganaden Velvindron wrote:
> > I also get warnings during make.
> >
> > fmt_scaled.c: In function 'scan_scaled':
> > fmt_scaled.c:84: warning: array subscript has type 'char'
>
> This warning, along with many others like it, is due to calling the ctype(3)
> functions with a (char) argument. You should cast to (unsigned char). I sent
> a patch relative to an openssh-5.6 prerelease on 12 August 2010, but it was
> ignored.

Sorry. We ask people to attach patches to bugs in
https://bugzilla.mindrot.org so they don't get lost.

-d

From andyb1 at andy-t.org Thu Aug 18 14:33:50 2011
From: andyb1 at andy-t.org (Andy Tsouladze)
Date: Wed, 17 Aug 2011 23:33:50 -0500 (CDT)
Subject: Call for testing: OpenSSH-5.9

Recompiled SNAP-20110818 on the same platforms.

>> Compiled SNAP-20110816 on
>> x86 slackware-13.0.0
>> x86 slackware-13.37.0
>> x86_64 slackware-13.37.0

>> 3. I did try, just out of curiosity, to configure with --with-sandbox=seatbelt
>> option, and got the following error:
>>
>> configure: error: unsupported -with-sandbox
>>
>> There is a typo here (-with as opposed to --with) and (probably) user-supplied
>> option is omitted.

Seems you missed this one, although it is just a typo...

And a newly discovered thing. By accident, I specified a non-existent
configure option. Configuration finished, and I did not see any errors or
warnings. Since I knew I made a mistake, I scrolled up, and yes, the
warning was there, 39 lines up from the end of `configure' output. This
is too far for people to see. If there is an easy way to print warnings
in the very end of the output, after the summary of configured options,
that would be useful.

Regards,
Andy

Dr Andy Tsouladze
Sr Unix/Storage SysAdmin

From tim at multitalents.net Thu Aug 18 14:50:44 2011
From: tim at multitalents.net (Tim Rice)
Date: Wed, 17 Aug 2011 21:50:44 -0700 (PDT)
Subject: Call for testing: OpenSSH-5.9

On Wed, 17 Aug 2011, Andy Tsouladze wrote:

> > > configure: error: unsupported -with-sandbox
> > >
> > > There is a typo here (-with as opposed to --with) and (probably)
> > > user-supplied
> > > option is omitted.
>
> Seems you missed this one, although it is just a typo...

Typo fixed. Thanks.

--
Tim Rice
Multitalents
tim at multitalents.net

From morty at frakir.org Thu Aug 18 16:08:40 2011
From: morty at frakir.org (Morty Abzug)
Date: Thu, 18 Aug 2011 02:08:40 -0400
Subject: Call for testing: OpenSSH-5.9
Message-ID: <20110818060840.GB26471@red-sonja>

On Sun, Aug 14, 2011 at 10:30:10AM +1000, Damien Miller wrote:

> OpenSSH 5.9 is almost ready for release, so we would appreciate
> testing on as many platforms and systems as possible. This release
> contains a couple of new features and changes and bug fixes. Testing
> of the new sandboxed privilege separation mode (see below) would be
> particularly appreciated.

On Solaris 9, make tests failed. The last few lines are:

run test connect.sh ...
ok simple connect
run test proxy-connect.sh ...
ok proxy connect
run test connect-privsep.sh ...
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 failed
failed proxy connect with privsep
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/export/home/morty/src/openssh/regress'
make: *** [tests] Error 2

On Solaris 10, same failure:

run test connect.sh ...
ok simple connect
run test proxy-connect.sh ...
ok proxy connect
run test connect-privsep.sh ...
Write failed: Broken pipe
ssh privsep/sandbox+proxyconnect protocol 1 failed
Write failed: Broken pipe
ssh privsep/sandbox+proxyconnect protocol 2 failed
failed proxy connect with privsep
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/export/home/morty/src/openssh/regress'
make: *** [tests] Error 2

Both are with openssh-SNAP-20110818.tar.gz, ./configure --with-pam.

On the plus side, ssh to various ScreenOS versions succeeds.
Presumably this is due to RequestTTY=auto making PTY allocation
failure non-fatal again.

scp to ScreenOS is still broken.

- Morty

From kevin.brott at gmail.com Thu Aug 18 16:29:15 2011
From: kevin.brott at gmail.com (Kevin Brott) Date: Wed, 17 Aug 2011 23:29:15 -0700 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: <20110818060840.GB26471@red-sonja> References: <20110818060840.GB26471@red-sonja> Message-ID: On Wed, Aug 17, 2011 at 23:08, Morty Abzug wrote: > On Sun, Aug 14, 2011 at 10:30:10AM +1000, Damien Miller wrote: > > > OpenSSH 5.9 is almost ready for release, so we would appreciate > > testing on as many platforms and systems as possible. This release > > contains a couple of new features and changes and bug fixes. Testing > > of the new sandboxed privilege separation mode (see below) would be > > particularly appreciated. > > On Solaris 9, make tests failed. The last few lines are: > > run test connect.sh ... > ok simple connect > run test proxy-connect.sh ... > ok proxy connect > run test connect-privsep.sh ... > Connection closed by UNKNOWN > ssh privsep/sandbox+proxyconnect protocol 2 failed > failed proxy connect with privsep > make[1]: *** [t-exec] Error 1 > make[1]: Leaving directory `/export/home/morty/src/openssh/regress' > make: *** [tests] Error 2 > > On Solaris 10, same failure: > > run test connect.sh ... > ok simple connect > run test proxy-connect.sh ... > ok proxy connect > run test connect-privsep.sh ... > Write failed: Broken pipe > ssh privsep/sandbox+proxyconnect protocol 1 failed > Write failed: Broken pipe > ssh privsep/sandbox+proxyconnect protocol 2 failed > failed proxy connect with privsep > make[1]: *** [t-exec] Error 1 > make[1]: Leaving directory `/export/home/morty/src/openssh/regress' > make: *** [tests] Error 2 > > Both are with openssh-SNAP-20110818.tar.gz, ./configure --with-pam. > > On the plus side, ssh to various ScreenOS versions succeeds. > Presumably this is due to RequestTTY=auto making PTY allocation > failure non-fatal again. > > scp to ScreenOS is still broken. > > Got the same 'make tests' error on all versions of HP-UX from 11.11 to 11.31 on IA64 & PA-RISC, but not RH/Ubuntu Linux or AIX. 
Given that 5.8 didn't have this problem, odds-on it's a recent change in privsep (or the test for it) that's maybe making an assumption not valid on HP-UX/Solaris. -- # include /* Kevin Brott */ From morty at frakir.org Thu Aug 18 17:32:10 2011 From: morty at frakir.org (Morty Abzug) Date: Thu, 18 Aug 2011 03:32:10 -0400 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: <20110818060840.GB26471@red-sonja> Message-ID: <20110818073210.GA19218@red-sonja> On Wed, Aug 17, 2011 at 11:29:15PM -0700, Kevin Brott wrote: > Got the same 'make tests' error on all versions of HP-UX from 11.11 to 11.31 > on IA64 & PA-RISC, but not RH/Ubuntu Linux or AIX. Given that 5.8 didn't > have this problem, odds-on it's a recent change in privsep (or the test for > it) that's maybe making an assumption not valid on HP-UX/Solaris. Also not working on Solaris 9 or 10 with just ./configure && make tests. Working great under Debian 6.0.2. - Morty From jchadima at redhat.com Thu Aug 18 21:21:04 2011 From: jchadima at redhat.com (Jan Chadima) Date: Thu, 18 Aug 2011 07:21:04 -0400 (EDT) Subject: Call for testing: OpenSSH-5.9 In-Reply-To: <20110818073210.GA19218@red-sonja> Message-ID: <482219816.2768093.1313666464607.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> Hi, the snapshot openssh-SNAP-20110818.tar.gz tested positively on RHEL5, RHEL6 and Fedora15. There is still a problem with the FIPS mode. Please include the patch from https://bugzilla.mindrot.org/show_bug.cgi?id=1872 to make a first step towards full FIPS 140 compliance. There is another error in the latest development version of Fedora; I'll investigate it later. -- JFCh -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GCS d- s:++> a++ C+++> UBLHS+++@> P+ L++$> E--- W++ N o? K? w---(++) O- M+(++) V PS--(-) PE+ Y+ PGP t-- 5? X-- R-- !tv b+(+++) DI- !D G e+++ h--- r+++ y? ------END GEEK CODE BLOCK------ From rapier at psc.edu Fri Aug 19 01:20:15 2011 
From: rapier at psc.edu (rapier) Date: Thu, 18 Aug 2011 11:20:15 -0400 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: <4E4D2DAF.4060300@psc.edu> All tests passed under OS X 10.6.8 Darwin xxxxxxx.xxx.xxx 10.8.0 Darwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386 i386 From christian.perone at gmail.com Fri Aug 19 02:47:55 2011 From: christian.perone at gmail.com (Christian S. Perone) Date: Thu, 18 Aug 2011 13:47:55 -0300 Subject: RSA_public_decrypt and FIPS Message-ID: Does anyone know if there is a patch for OpenSSH in order to make it work with 0.9.8r OpenSSL in FIPS Mode? I'm having a problem with the RSA_public_decrypt() function that is failing in FIPS Mode. I changed it to use RSA_verify instead and set the flag "RSA_FLAG_NON_FIPS_ALLOW", and it's working fine now, but I'm not sure if this is allowed in FIPS Mode; does anyone know something about that? I read something about the use of EVP_Verify* functions; is there any patch for this? Great thanks! -- "Forgive, O Lord, my little jokes on Thee, and I'll forgive Thy great big joke on me." http://pyevolve.sourceforge.net/wordpress/ From jw at raven.inka.de Fri Aug 19 05:17:25 2011 From: jw at raven.inka.de (Josef Wolf) Date: Thu, 18 Aug 2011 21:17:25 +0200 Subject: secureshell@securityfocus.com list dead? Message-ID: <20110818191725.GB22995@raven.wolf.lan> Hello, does anybody know what happened to the ssh user mailing list on secureshell at securityfocus.com? It seems to be dead for more than two months now. I tried to post, but my postings never appeared on the list. Unfortunately, there's no administrative contact given on the subscription page, so I post to the dev list in the hope that somebody knows what's going on. Sorry for being OT. From kb at open.ch Fri Aug 19 16:29:11 2011 
From: kb at open.ch (Konrad Bucheli) Date: Fri, 19 Aug 2011 08:29:11 +0200 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: <4E4E02B7.5070808@open.ch> Successful "./configure" and "make tests" under Ubuntu 11.04 From kevin.brott at gmail.com Sat Aug 20 05:49:38 2011 From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 19 Aug 2011 12:49:38 -0700 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: using: openssh-SNAP-20110820.tar.gz HP-UX (11.11 -> 11.31) using both gcc and HP C/C++ still failing 'make tests' here

ok proxy connect
run test connect-privsep.sh ...
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 1 failed
Connection closed by UNKNOWN
ssh privsep/sandbox+proxyconnect protocol 2 failed

All other tested systems (RH 6.2, 8.0, RHEL 2.1->6.0, FC2, Ubuntu 8.04,10.10, AIX 5.2->7.1) are OK. From matthew.nygard.dodd at gmail.com Sun Aug 21 05:52:57 2011 From: matthew.nygard.dodd at gmail.com (Matthew N. Dodd) Date: Sat, 20 Aug 2011 15:52:57 -0400 Subject: authorized_credentials patch. Message-ID: <4E501099.6050607@gmail.com> Gives GSSAPI-MIC the same options capability currently provided for public key logins by the AuthorizedKeysFile. Uses krb5_principal_match() to support wildcard matches. Uses percent_expand() to expand tokens for:

credential USER[/INSTANCE]@REALM
homedir /home/user
username user
cred name USER
cred instance INSTANCE
cred realm REALM

My intended application:

# cat ~svn/.ssh/authorized_credentials
command="/usr/bin/svnserve -t -r /var/svn/ --tunnel-user=%n" */svn@%r

Enjoy. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-authorized_credentials.patch URL: From matthew.nygard.dodd at gmail.com Sun Aug 21 13:43:11 2011 
From: matthew.nygard.dodd at gmail.com (Matthew N. Dodd) Date: Sat, 20 Aug 2011 23:43:11 -0400 Subject: authorized_credentials patch. In-Reply-To: <4E501099.6050607@gmail.com> References: <4E501099.6050607@gmail.com> Message-ID: <4E507ECF.5060503@gmail.com> Naturally right after I sent this out I found a problem involving quoted strings. Updated patch to follow. On 8/20/11 3:52 PM, Matthew N. Dodd wrote: > Gives GSSAPI-MIC the same options capability currently provided for > public key logins by the AuthorizedKeysFile. > > Uses krb5_principal_match() to support widcard matches. > > Uses percent_expand() to expand tokens for: > > credential USER[/INSTANCE]@REALM > homedir /home/user > username user > cred name USER > cred instance INSTANCE > cred realm REALM > > My intended application: > > # cat ~svn/.ssh/authorized_credentials > command="/usr/bin/svnserve -t -r /var/svn/ --tunnel-user=%n" */svn@%r > > Enjoy. From tim at multitalents.net Sun Aug 21 15:31:08 2011 From: tim at multitalents.net (Tim Rice) Date: Sat, 20 Aug 2011 22:31:08 -0700 (PDT) Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: On Fri, 19 Aug 2011, Kevin Brott wrote: > using: openssh-SNAP-20110820.tar.gz > > HP-UX (11.11 -> 11.31) using both gcc and HP C/C++ still failing 'make > tests' here > *ssh privsep/sandbox+proxyconnect protocol 2 failed* > > All other tested systems (RH 6.2, 8.0, RHEL 2.1->6.0, FC2, Ubuntu > 8.04,10.10, AIX 5.2->7.1) are OK. Please send the output of 'grep "#define SANDBOX" config.h' from each of your test machines. And please test the following patch. ---------------- --- sandbox-rlimit.c.old 2011-06-23 06:58:32.529017003 -0700 +++ sandbox-rlimit.c 2011-08-20 19:09:35.780772002 -0700 
@@ -61,13 +61,15 @@ ssh_sandbox_child(struct ssh_sandbox *box) { struct rlimit rl_zero; + struct rlimit rl_one; rl_zero.rlim_cur = rl_zero.rlim_max = 0; + rl_one.rlim_cur = rl_one.rlim_max = 1; if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); - if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1) fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); #ifdef HAVE_RLIMIT_NPROC ---------------- Thanks -- Tim Rice Multitalents (707) 456-1146 tim at multitalents.net (707) 887-1469 From matthew.nygard.dodd at gmail.com Sun Aug 21 23:52:36 2011 From: matthew.nygard.dodd at gmail.com (Matthew N. Dodd) Date: Sun, 21 Aug 2011 09:52:36 -0400 Subject: authorized_credentials patch. In-Reply-To: <4E507ECF.5060503@gmail.com> References: <4E501099.6050607@gmail.com> <4E507ECF.5060503@gmail.com> Message-ID: <4E510DA4.5000408@gmail.com> On 8/20/11 11:43 PM, Matthew N. Dodd wrote: > Updated patch to follow. Attached. A version of strcspn(3) that dealt with quoted strings would be useful here. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-authorized_credentials_1.patch URL: From djm at mindrot.org Mon Aug 22 09:22:13 2011 
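Review bot: the fatal() message under the changed call still says `setrlimit(RLIMIT_NOFILE, { 0, 0 })` although the call now passes rl_one, so a failure on the platforms this is aimed at would be logged with the wrong limit; update it to `{ 1, 1 }` (or format rl_one.rlim_cur into it) in the same hunk. The change is also unconditional, so every SANDBOX_RLIMIT platform, including the ones where the 0 limit works, gets the looser limit; with RLIMIT_NOFILE at 1 the preauth child can close its inherited descriptors and obtain one new one, which is exactly what the 0 limit denies, so the relaxation should be gated on the platforms that need it and that cost stated in the commit message.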
From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Aug 2011 09:22:13 +1000 (EST) Subject: authorized_credentials patch. In-Reply-To: <4E510DA4.5000408@gmail.com> References: <4E501099.6050607@gmail.com> <4E507ECF.5060503@gmail.com> <4E510DA4.5000408@gmail.com> Message-ID: On Sun, 21 Aug 2011, Matthew N. Dodd wrote: > On 8/20/11 11:43 PM, Matthew N. Dodd wrote: > > Updated patch to follow. > > Attached. > > A version of strcspn(3) that dealt with quoted strings would be useful here. Could you please create a bug on https://bugzilla.mindrot.org/ and attach your patch? I like the idea but won't be able to review it immediately and don't want it to slip through the cracks. -d From djm at mindrot.org Mon Aug 22 12:22:50 2011 From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Aug 2011 12:22:50 +1000 (EST) Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: On Fri, 19 Aug 2011, Kevin Brott wrote: > using: openssh-SNAP-20110820.tar.gz > > HP-UX (11.11 -> 11.31) using both gcc and HP C/C++ still failing 'make so HP-UX, Solaris and a couple of other platforms seem broken with the sandbox turned on. Could people who are seeing failures in these tests please try to run a sshd manually in debug mode and setting -oUsePrivilegeSeparation=sendbox on the command-line. E.g. /path/to/sshd -dddp2222 -oUsePrivilegeSeparation=sendbox Please try to connect to it and see where it crashes :) Thanks, Damien From dennis.grevenstein at gmail.com Mon Aug 22 21:17:23 2011 
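The authorized_credentials line format from Matthew's first message (an option list, then a USER[/INSTANCE]@REALM pattern carrying %-tokens) and the quote-aware strcspn(3) he asks for in the follow-up, as an added example written for this page; it is not code from his patch or from OpenSSH. Because the patch itself is not on the page, the following are assumptions: a field is the principal pattern if it contains an unquoted '@' (anything before it is the option list, as in authorized_keys); a '*' stands for one whole principal component; %-tokens in the pattern are expanded against the presented credential before matching; the letters %n/%i/%r/%u/%h are taken from the token list in the message, and the full-credential token, which has no letter there, is left out. The sample line, credential and local account in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* strcspn(3) that ignores double-quoted text (backslash escapes inside quotes). */
size_t quoted_cspn(const char *s, const char *reject)
{
    size_t i; int inq = 0;
    for (i = 0; s[i] != '\0'; i++) {
        if (inq && s[i] == '\\' && s[i + 1] != '\0') { i++; continue; }
        if (s[i] == '"') { inq = !inq; continue; }
        if (!inq && strchr(reject, s[i]) != NULL) break;
    }
    return i;
}

/* Split a line into its option list (may be empty) and principal pattern.
 * Assumption: the pattern is the first field containing an unquoted '@'. */
int parse_cred_line(const char *line, char *opts, size_t osz, char *pat, size_t psz)
{
    const char *p = line + strspn(line, " \t");
    size_t n = quoted_cspn(p, " \t\n");
    opts[0] = '\0';
    if (*p == '\0' || *p == '#') return -1;  /* blank line or comment */
    if (quoted_cspn(p, "@") >= n) {          /* first field is the option list */
        if (n >= osz) return -1;
        memcpy(opts, p, n); opts[n] = '\0';
        p += n + strspn(p + n, " \t");
        n = strcspn(p, " \t\n");
    }
    if (n == 0 || n >= psz || memchr(p, '@', n) == NULL) return -1;
    memcpy(pat, p, n); pat[n] = '\0';
    return 0;
}

/* USER[/INSTANCE]@REALM -> components (instance may be empty); -1 if malformed. */
int split_principal(const char *pr, char *name, char *inst, char *realm, size_t sz)
{
    const char *at = strrchr(pr, '@'), *sl = at ? memchr(pr, '/', (size_t)(at - pr)) : NULL;
    size_t nl, il;
    if (at == NULL || strlen(at + 1) >= sz) return -1;
    nl = sl ? (size_t)(sl - pr) : (size_t)(at - pr);
    il = sl ? (size_t)(at - sl - 1) : 0;
    if (nl >= sz || il >= sz) return -1;
    memcpy(name, pr, nl); name[nl] = '\0';
    memcpy(inst, sl ? sl + 1 : "", il); inst[il] = '\0';
    strcpy(realm, at + 1);
    return 0;
}

/* Assumption: a '*' component matches any one component, nothing more. */
int comp_match(const char *pat, const char *s)
{
    return strcmp(pat, "*") == 0 || strcmp(pat, s) == 0;
}
/* Component-wise match, so "*@REALM" does not also match "alice/admin@REALM". */
int principal_match(const char *pattern, const char *princ)
{
    char pn[64], pi[64], pr[64], cn[64], ci[64], cr[64];
    if (split_principal(pattern, pn, pi, pr, 64) == -1 ||
        split_principal(princ, cn, ci, cr, 64) == -1)
        return 0;
    return comp_match(pn, cn) && comp_match(pi, ci) && comp_match(pr, cr);
}

/* Expand %n %i %r (credential), %u %h (local account) and %%. An unknown token
 * fails, as percent_expand() would; so does a credential component holding
 * anything outside [A-Za-z0-9._-], because it is being spliced into command=. */
int expand_tokens(const char *in, const char *n, const char *i, const char *r,
                  const char *u, const char *h, char *out, size_t outsz)
{
    size_t o = 0, l;
    const char *rep = NULL;
    for (; *in != '\0'; in++) {
        if (*in != '%') { if (o + 1 >= outsz) return -1; out[o++] = *in; continue; }
        switch (*++in) {
        case 'n': rep = n; break;  case 'i': rep = i; break;
        case 'r': rep = r; break;  case 'u': rep = u; break;
        case 'h': rep = h; break;  case '%': rep = "%"; break;
        default:  return -1; }
        if (rep == n || rep == i || rep == r)
            for (l = 0; rep[l] != '\0'; l++)
                if (!isalnum((unsigned char)rep[l]) && strchr("._-", rep[l]) == NULL) return -1;
        l = strlen(rep);
        if (o + l >= outsz) return -1;
        memcpy(out + o, rep, l); o += l;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{   /* Constructed sample: the line from the post, one credential, local user "svn".
     * Assumption: %-tokens in the pattern itself are expanded before matching. */
    const char *line = "command=\"/usr/bin/svnserve -t -r /var/svn/ --tunnel-user=%n\" */svn@%r";
    const char *cred = "alice/svn@EXAMPLE.ORG";
    char opts[256], pat[64], n[64], i[64], r[64], xpat[64], cmd[256];
    if (parse_cred_line(line, opts, 256, pat, 64) || split_principal(cred, n, i, r, 64) ||
        expand_tokens(pat, n, i, r, "svn", "/home/svn", xpat, 64) ||
        expand_tokens(opts, n, i, r, "svn", "/home/svn", cmd, 256)) return 1;
    printf("%s -> %s: %s\n%s\n", pat, xpat, principal_match(xpat, cred) ? "match" : "no match", cmd);
    return 0;
}
```

The character check in expand_tokens is the part a reviewer would insist on: %n, %i and %r are supplied by whoever holds a ticket, and once expanded into command= they are passed to the user's shell, so a principal such as `alice;id@REALM` must be refused rather than expanded. The component-wise '*' keeps `*@REALM` from matching `alice/admin@REALM`, which is the safe reading when instances carry elevated roles.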
From: dennis.grevenstein at gmail.com (Dennis Grevenstein) Date: Mon, 22 Aug 2011 13:17:23 +0200 Subject: OpenSSH on ULTRIX Message-ID: Hi, not sure if this is considered news, but I have been able to build OpenSSH 5.8p2 on mips-dec-ultrix4.5. On my system I have ULTRIX 4.5 with the latest Y2K patch kit as well as zlib-1.2.5, openssl-0.9.8m and prngd-0.9.29, several GNU utilities and gcc-3.0.4. To build openssh one has to check in various files if and/or are multiply defined, because of "includes.h". edit config.h to #define BROKEN_READV_COMPARISON #undef HAVE_TYPE_IN_UTMP #define DISABLE_UTMPX #undef ENABLE_PKCS11 in ssh-keygen.c remove references to pkcs11_init and pkcs11_terminate on lines 1410 and 1493. to get sshd working one has to either set "UsePrivilegeSeparation no" or "Compression no" in sshd_config. I finally went with "Compression no". I hope this report is helpful for some people, although I am quite sure that the number of ULTRIX users out there is very, very small at best. Please CC: me if you want to reply, because I am not subscribed to this list. regards, Dennis ------------------- $ ssh -l root ttpux2 root at ttpux2's password: Last login: Mon Aug 22 05:02:55 2011 from 192.168.2.11 ULTRIX V4.5 (Rev. 47) System #3: Sat Jan 1 09:01:31 MET 2000 UWS V4.5 (Rev. 6) Digital Equipment Corporation Nashua, New Hampshire # bash root at ttpux2:/# uname -a ULTRIX ttpux2 4.5 0 RISC root at ttpux2:/# ssh -V OpenSSH_5.8p2, OpenSSL 0.9.8m 25 Feb 2010 root at ttpux2:/# telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_5.8 Protocol mismatch. Connection closed by foreign host. -- Don't suffer from insanity. enjoy every minute of it. From kevin.brott at gmail.com Wed Aug 24 03:37:00 2011 
From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 23 Aug 2011 10:37:00 -0700 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: On Sat, Aug 20, 2011 at 22:31, Tim Rice wrote: > On Fri, 19 Aug 2011, Kevin Brott wrote: > > > using: openssh-SNAP-20110820.tar.gz > > > > HP-UX (11.11 -> 11.31) using both gcc and HP C/C++ still failing 'make > > tests' here > > *ssh privsep/sandbox+proxyconnect protocol 2 failed* > > > > All other tested systems (RH 6.2, 8.0, RHEL 2.1->6.0, FC2, Ubuntu > > 8.04,10.10, AIX 5.2->7.1) are OK. > > Please send the output of 'grep "#define SANDBOX" config.h' from > each of your test machines. > > HP-UX 11.11 - 11.31 all the same: ---BEGIN--- #define SANDBOX_RLIMIT 1 ---END--- > And please test the following patch. > ---------------- > --- sandbox-rlimit.c.old 2011-06-23 06:58:32.529017003 -0700 > +++ sandbox-rlimit.c 2011-08-20 19:09:35.780772002 -0700 > @@ -61,13 +61,15 @@ > ssh_sandbox_child(struct ssh_sandbox *box) > { > struct rlimit rl_zero; > + struct rlimit rl_one; > > rl_zero.rlim_cur = rl_zero.rlim_max = 0; > + rl_one.rlim_cur = rl_one.rlim_max = 1; > > if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) > fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", > __func__, strerror(errno)); > - if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) > + if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1) > fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", > __func__, strerror(errno)); > #ifdef HAVE_RLIMIT_NPROC > ---------------- > Manually applied patched lines - 'make tests' still fails in same place on all three systems. Note: I had to manually apply the patched lines - as this segment gets rejected applying against the 20110820 and 20110824 SNAPs. -- # include /* Kevin Brott */ From kevin.brott at gmail.com Wed Aug 24 03:56:49 2011 
From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 23 Aug 2011 10:56:49 -0700 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: On Sun, Aug 21, 2011 at 19:22, Damien Miller wrote: > On Fri, 19 Aug 2011, Kevin Brott wrote: > > > using: openssh-SNAP-20110820.tar.gz > > > > HP-UX (11.11 -> 11.31) using both gcc and HP C/C++ still failing 'make > > so HP-UX, Solaris and a couple of other platforms seem broken with > the sandbox turned on. Could people who are seeing failures in these > tests please try to run a sshd manually in debug mode and setting > -oUsePrivilegeSeparation=sendbox on the command-line. E.g. > > /path/to/sshd -dddp2222 -oUsePrivilegeSeparation=sendbox > > Please try to connect to it and see where it crashes :) > > Fixing invalid 'sendbox' to 'sandbox' ... and running configure to match the currently installed ssh location so I don't have to actually install the snapshot to get the daemon up and running ...

---BEGIN---
debug2: load_server_config: filename /var/tmp/ssh/openssh/sshd_config
debug2: load_server_config: done config len = 200
debug2: parse_server_config: config /var/tmp/ssh/openssh/sshd_config len 200
debug3: /var/tmp/ssh/openssh/sshd_config:50 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /var/tmp/ssh/openssh/sshd_config:115 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_5.9p2-snap20110824
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: could not open key file '/opt/ssh/etc/ssh_host_ecdsa_key': No such file or directory
Could not load host key: /opt/ssh/etc/ssh_host_ecdsa_key
debug1: rexec_argv[0]='/var/tmp/ssh/openssh/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/var/tmp/ssh/openssh/sshd_config'
debug1: rexec_argv[3]='-dddp2222'
debug1: rexec_argv[4]='-oUsePrivilegeSeparation=sandbox'
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug3: fd 6 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 200
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 4, 4
Connection from x.x.x.x port 64701
debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7
debug1: match: OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 4 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing rlimit sandbox
debug2: Network child is on pid 1392
debug3: preauth child monitor started
debug3: privsep user:group 106:103 [preauth]
debug1: permanently_set_uid: 106/103 [preauth]
ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid argument [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
---END---

-- # include /* Kevin Brott */ From tim at multitalents.net Wed Aug 24 06:02:51 2011 
From: tim at multitalents.net (Tim Rice) Date: Tue, 23 Aug 2011 13:02:51 -0700 (PDT) Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: Message-ID: On Tue, 23 Aug 2011, Kevin Brott wrote: > On Sat, Aug 20, 2011 at 22:31, Tim Rice wrote: > > > On Fri, 19 Aug 2011, Kevin Brott wrote: > > > > > All other tested systems (RH 6.2, 8.0, RHEL 2.1->6.0, FC2, Ubuntu > > > 8.04,10.10, AIX 5.2->7.1) are OK. > > > > Please send the output of 'grep "#define SANDBOX" config.h' from > > each of your test machines. > > > > > HP-UX 11.11 - 11.31 all the same: > ---BEGIN--- > #define SANDBOX_RLIMIT 1 > ---END--- Thanks for confirming my guess that HP was SANDBOX_RLIMIT. I was also interested in your other tested machines. Especially the AIX. I'm trying to figure out if any SANDBOX_RLIMIT platforms do work. > > And please test the following patch. > > ---------------- > > --- sandbox-rlimit.c.old 2011-06-23 06:58:32.529017003 -0700 > > +++ sandbox-rlimit.c 2011-08-20 19:09:35.780772002 -0700 
> > @@ -61,13 +61,15 @@ > > ssh_sandbox_child(struct ssh_sandbox *box) > > { > > struct rlimit rl_zero; > > + struct rlimit rl_one; > > > > rl_zero.rlim_cur = rl_zero.rlim_max = 0; > > + rl_one.rlim_cur = rl_one.rlim_max = 1; > > > > if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) > > fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", > > __func__, strerror(errno)); > > - if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) > > + if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1) > > fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", > > __func__, strerror(errno)); > > #ifdef HAVE_RLIMIT_NPROC > > ---------------- > > > > Manually applied patched lines - 'make tests' still fails in same place on > all three systems. Not what I expected. The patch works on Solaris and UnixWare. I don't have access to HP-UX, so someone who does will have to figure this out. Your post with the debug log shows ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid argument [preauth] Play around with sandbox-rlimit.c to see if you can figure out why the setrlimit call is failing. > Note: I had to manually apply the patched lines - as this segment gets > rejected applying against the 20110820 and 20110824 SNAPs. Not surprising; somewhere along the way tabs got changed to spaces. -- Tim Rice Multitalents (707) 456-1146 tim at multitalents.net (707) 887-1469 From thakkerdhawal at gmail.com Thu Aug 25 20:52:07 2011 
From: thakkerdhawal at gmail.com (dhawal) Date: Thu, 25 Aug 2011 03:52:07 -0700 (PDT) Subject: Fwd: PAM module: To analyse if user is using password or passwordless authentication In-Reply-To: <6a90b97f-4762-4130-bf35-13fb727fe20f@x11g2000yqx.googlegroups.com> References: <6a90b97f-4762-4130-bf35-13fb727fe20f@x11g2000yqx.googlegroups.com> Message-ID: <51d1c822-ab1c-457a-bce2-66a559d89a06@l7g2000vbz.googlegroups.com> I am writing a PAM module for the ssh service. I would like to know how I can determine within the PAM module whether the user is using the password or the password-less (key) method to authenticate themselves. Thanks for your help From jchadima at redhat.com Fri Aug 26 05:52:15 2011 From: jchadima at redhat.com (Jan F. Chadima) Date: Thu, 25 Aug 2011 21:52:15 +0200 Subject: RSA_public_decrypt and FIPS In-Reply-To: References: Message-ID: <72222439-8910-410F-9E7F-5D86A93F993A@redhat.com> On Aug 18, 2011, at 6:47 PM, Christian S. Perone wrote: > Does anyone knows if there is a patch for OpenSSH in order to make it work > with 0.9.8r OpenSSL in FIPS Mode ? > I'm having problem with the RSA_public_decrypt() function that is failing in > FIPS Mode, I changed it to use RSA_verify instead and setting the flag > "RSA_FLAG_NON_FIPS_ALLOW", and it's working fine now, but I'm not sure if > this is allowed in FIPS Mode, does anyone knows something about that ? I > read something about the use of EVP_Verify* functions, is there any patch > for this ? > > Great thanks ! > -- > "Forgive, O Lord, my little jokes on Thee, and I'll forgive Thy great big > joke on me." > http://pyevolve.sourceforge.net/wordpress/ > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev We have the patch in all Red Hat distributions, including Fedora. Jan F. Chadima jchadima at redhat.com From duclare at guu.fi Fri Aug 26 05:31:40 2011 
From: duclare at guu.fi (Henri Kemppainen) Date: Thu, 25 Aug 2011 22:31:40 +0300 (EEST) Subject: Add missing -o options in ssh(1) manual Message-ID: <5644878523610559139.enqueue@guu.fi> A few options appear to be missing from the list in ssh's manual. The one I didn't add is EnableSSHKeysign, whose description implies it is only effective when placed in the system-wide config file. Index: ssh.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.319 diff -u -p -r1.319 ssh.1 --- ssh.1 7 May 2011 23:20:25 -0000 1.319 +++ ssh.1 25 Aug 2011 19:24:29 -0000 @@ -419,11 +419,13 @@ For full details of the options listed b .It ConnectTimeout .It ControlMaster .It ControlPath +.It ControlPersist .It DynamicForward .It EscapeChar .It ExitOnForwardFailure .It ForwardAgent .It ForwardX11 +.It ForwardX11Timeout .It ForwardX11Trusted .It GatewayPorts .It GlobalKnownHostsFile @@ -438,6 +440,7 @@ For full details of the options listed b .It IdentityFile .It IdentitiesOnly .It IPQoS +.It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms .It LocalCommand From djm at mindrot.org Fri Aug 26 11:45:44 2011 
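Review bot: both hunks keep the `.It` list in alphabetical order (ControlPersist after ControlPath, ForwardX11Timeout ahead of ForwardX11Trusted, KbdInteractiveAuthentication ahead of KbdInteractiveDevices), which is the convention the list follows. Since the cover note only says that "a few" options were found missing, it is worth diffing the complete `.It` list against the keyword table in readconf.c before committing, so the ssh(1) list and ssh_config(5) are brought back in sync in one change rather than picking up these three alone. Leaving EnableSSHKeysign out is consistent with its ssh_config(5) description.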
From: djm at mindrot.org (Damien Miller) Date: Fri, 26 Aug 2011 11:45:44 +1000 (EST) Subject: Add missing -o options in ssh(1) manual In-Reply-To: <5644878523610559139.enqueue@guu.fi> References: <5644878523610559139.enqueue@guu.fi> Message-ID: applied - thanks. This missed the branch for 5.9, but it will be in the 6.0 release in a few months. On Thu, 25 Aug 2011, Henri Kemppainen wrote: > A few options appear to be missing from the list in ssh's manual. > The one I didn't add is EnableSSHKeysign, whose description implies > it is only effective when placed in the system-wide config file. > > Index: ssh.1 > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ssh.1,v > retrieving revision 1.319 > diff -u -p -r1.319 ssh.1 > --- ssh.1 7 May 2011 23:20:25 -0000 1.319 > +++ ssh.1 25 Aug 2011 19:24:29 -0000 > @@ -419,11 +419,13 @@ For full details of the options listed b > .It ConnectTimeout > .It ControlMaster > .It ControlPath > +.It ControlPersist > .It DynamicForward > .It EscapeChar > .It ExitOnForwardFailure > .It ForwardAgent > .It ForwardX11 > +.It ForwardX11Timeout > .It ForwardX11Trusted > .It GatewayPorts > .It GlobalKnownHostsFile > @@ -438,6 +440,7 @@ For full details of the options listed b > .It IdentityFile > .It IdentitiesOnly > .It IPQoS > +.It KbdInteractiveAuthentication > .It KbdInteractiveDevices > .It KexAlgorithms > .It LocalCommand > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From mramakishore at gmail.com Fri Aug 26 22:45:45 2011 
From: mramakishore at gmail.com (mramakishore at gmail.com) Date: Fri, 26 Aug 2011 18:15:45 +0530 Subject: Unable to execute the commands at remote machine after RSA handshake Message-ID: HI, I have succeeded in doing the passwordless authentication but am unable to execute the command and get the command OUTPUT/ERROR message. Below is the ssh command trace. Please let me know what the problem is:

debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending command: ping -help
debug2: channel 0: request exec confirm 0
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
debug3: channel 0: close_fds r -1 w -1 e 7 c -1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 255

Thanks in advance, kishore. From dtucker at zip.com.au Mon Aug 29 14:18:11 2011 
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 28 Aug 2011 21:18:11 -0700 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: <20110818060840.GB26471@red-sonja> References: <20110818060840.GB26471@red-sonja> Message-ID: On Wed, Aug 17, 2011 at 11:08 PM, Morty Abzug wrote: [...] > On Solaris 10, same failure: > > run test connect.sh ... > ok simple connect > run test proxy-connect.sh ... > ok proxy connect > run test connect-privsep.sh ... > Write failed: Broken pipe > ssh privsep/sandbox+proxyconnect protocol 1 failed > Write failed: Broken pipe > ssh privsep/sandbox+proxyconnect protocol 2 failed > failed proxy connect with privsep > make[1]: *** [t-exec] Error 1 > make[1]: Leaving directory `/export/home/morty/src/openssh/regress' > make: *** [tests] Error 2 I trussed an sshd (on Solaris 10 x86) and the failure seems to be polling FDs: sudo truss -f `pwd`/sshd -D -e -p 2022 -o useprivilegeseparation=sandbox [...] 1788: write(5, "\0\003\f\n1414 ND4 % 5 [".., 784) = 784 21788: pollsys(0x080457C0, 1, 0x00000000, 0x00000000) Err#22 EINVAL 21788: read(5, "\0\002AC\n14A8F8B912 D".., 8192) = 688 21788: pollsys(0x080456F0, 1, 0x00000000, 0x00000000) Err#22 EINVAL 21788: read(5, 0x080457C0, 8192) Err#11 EAGAIN 21788: write(9, "\0\0\0 A\0\0\001\0\0\0 9".., 69) = 69 I'm wondering if pollsys uses a descriptor under the covers (eg for /dev/poll). Not sure what can be done about it though. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4? 37C9 C982 80C7 8FF4 FA69 ? ? Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Mon Aug 29 14:48:11 2011 
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 28 Aug 2011 21:48:11 -0700 Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: <20110818060840.GB26471@red-sonja> Message-ID: On Sun, Aug 28, 2011 at 9:18 PM, Darren Tucker wrote: [...] > I trussed an sshd (on Solaris 10 x86) and the failure seems to be polling FDs: confirmed: it's poll. Still not sure what to do about it, it's used in atomicio.

$ cat polltest.c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

int main(int argc, char **argv)
{
	struct rlimit rl_zero;
	struct pollfd pfd;
	int fd, r, enforce_limit = 0;

	/* "limit" on the command line applies the sandbox's rlimits before poll() */
	if (argc == 2 && strcmp(argv[1], "limit") == 0)
		enforce_limit = 1;

	/* open() takes int flags, not a stdio mode string */
	fd = open("/dev/null", O_RDWR);
	if (enforce_limit) {
		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		setrlimit(RLIMIT_F​SIZE, &rl_zero);
		setrlimit(RLIMIT_NOFILE, &rl_zero);
	}

	/* poll a descriptor we already hold; no new descriptor is requested */
	pfd.fd = fd;
	pfd.events = POLLOUT;
	r = poll(&pfd, 1, -1);
	printf("poll = %d, error: %s\n", r, strerror(errno));
	return 0;
}

$ gcc polltest.c && ./a.out
poll = 1, error: Error 0
$ ./a.out limit
poll = -1, error: Invalid argument

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tim at multitalents.net Mon Aug 29 15:34:05 2011 
From: tim at multitalents.net (Tim Rice) Date: Sun, 28 Aug 2011 22:34:05 -0700 (PDT) Subject: Call for testing: OpenSSH-5.9 In-Reply-To: References: <20110818060840.GB26471@red-sonja> Message-ID: On Sun, 28 Aug 2011, Darren Tucker wrote: > On Sun, Aug 28, 2011 at 9:18 PM, Darren Tucker wrote: > [...] > > I trussed an sshd (on Solaris 10 x86) and the failure seems to be polling FDs: > > confirmed: it's poll. Still not sure what to do about it, it's used > in atomicio. Cool. Now we have a way to test. Add your test program to configure.ac and define somehing like POLL_USES_FD if it fails. Then we use something like this. ....... --- sandbox-rlimit.c.old 2011-06-23 06:58:32.529017003 -0700 +++ sandbox-rlimit.c 2011-08-28 22:28:49.561109001 -0700 
@@ -61,13 +61,19 @@ ssh_sandbox_child(struct ssh_sandbox *box) { struct rlimit rl_zero; + struct rlimit rl_one; rl_zero.rlim_cur = rl_zero.rlim_max = 0; + rl_one.rlim_cur = rl_one.rlim_max = 1; if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", __func__, strerror(errno)); +#ifdef POLL_USES_FD + if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1) +#else if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) +#endif fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", __func__, strerror(errno)); #ifdef HAVE_RLIMIT_NPROC ....... BTW. What dows your polltest say on AIX? > $ cat polltest.c > #include > #include > #include > #include > #include > > int main(int argc, char **argv) > { > struct rlimit rl_zero; > struct pollfd pfd; > int fd, r, enforce_limit = 0; > > if (argc == 2 && strcmp(argv[1], "limit") == 0) > enforce_limit = 1; > > fd = open("/dev/null", "r"); > if (enforce_limit) { > rl_zero.rlim_cur = rl_zero.rlim_max = 0; > setrlimit(RLIMIT_FSIZE, &rl_zero); > setrlimit(RLIMIT_NOFILE, &rl_zero); > } > > pfd.fd = fd; > pfd.events = POLLOUT; > r = poll(&pfd, 1, -1); > printf("poll = %d, error: %s\n", r, strerror(errno)); > } > > $ gcc polltest.c && ./a.out > poll = 1, error: Error 0 > $ ./a.out limit > poll = -1, error: Invalid argument > > -- Tim Rice Multitalents (707) 456-1146 tim at multitalents.net (707) 887-1469 From dtucker at zip.com.au Mon Aug 29 15:43:49 2011 
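Review bot: POLL_USES_FD is tested with `#ifdef` but nothing in this hunk defines it, so until the configure.ac check built from the polltest program lands alongside it the `#else` branch is always compiled and the patch is a no-op; the two belong in one change. rl_one is declared and assigned outside the `#ifdef`, which leaves an unused variable on every build without POLL_USES_FD; move both lines under the same guard. The fatal() text still reads `{ 0, 0 }` in the POLL_USES_FD branch, where the limit actually passed is 1, so a failure there would be logged with the wrong value.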
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 28 Aug 2011 22:43:49 -0700
Subject: Call for testing: OpenSSH-5.9
References: <20110818060840.GB26471@red-sonja>

On Sun, Aug 28, 2011 at 9:48 PM, Darren Tucker wrote:
> On Sun, Aug 28, 2011 at 9:18 PM, Darren Tucker wrote:
> [...]
>> I trussed an sshd (on Solaris 10 x86) and the failure seems to be polling FDs:
>
> confirmed: it's poll. Still not sure what to do about it, it's used
> in atomicio.

... and on Solaris, select() is a wrapper around poll(), so even if we
do get rid of the poll calls in atomicio and fall back to busy-waiting
on EAGAIN, it still doesn't help.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Mon Aug 29 16:19:46 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 29 Aug 2011 16:19:46 +1000
Subject: Call for testing: OpenSSH-5.9
References: <20110818060840.GB26471@red-sonja>

On Mon, Aug 29, 2011 at 3:34 PM, Tim Rice wrote:
[...]
> +#ifdef POLL_USES_FD
> +        if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> +#else
>         if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> +#endif

Problem is this destroys a lot of the value of the rlimit sandbox, since
a compromised slave can close all descriptors and open a single new one
with connect() and, eg, use it to probe servers on localhost or beyond
the machine in question.

One thing we could do to mitigate this is to have the monitor SIGKILL
the slave if the socketpair closes. It's racy so there's a window where
a compromised slave could potentially make a connection.

Unless someone who knows Solaris internals can tell us how to make poll
work with NFILES=0, I don't see any better solution.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Mon Aug 29 16:30:37 2011
From: djm at mindrot.org (Damien Miller)
Date: Mon, 29 Aug 2011 16:30:37 +1000 (EST)
Subject: Call for testing: OpenSSH-5.9
References: <20110818060840.GB26471@red-sonja>

On Mon, 29 Aug 2011, Darren Tucker wrote:

> On Mon, Aug 29, 2011 at 3:34 PM, Tim Rice wrote:
> [...]
> > +#ifdef POLL_USES_FD
> > +        if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> > +#else
> >         if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> > +#endif
>
> Problem is this destroys a lot of the value of the rlimit sandbox,
> since a compromised slave can close all descriptors and open a single
> new one with connect() and, eg, use it to probe servers on localhost or
> beyond the machine in question.
>
> One thing we could do to mitigate this is to have the monitor
> SIGKILL the slave if the socketpair closes. It's racy so there's a
> window where a compromised slave could potentially make a connection.

The below diff does this. IMO it would be better to turn the sandbox off
for the platforms that don't support it for this release.

Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.385
diff -u -p -r1.385 sshd.c
--- sshd.c	23 Jun 2011 09:34:13 -0000	1.385
+++ sshd.c	29 Aug 2011 06:29:32 -0000
@@ -222,6 +222,7 @@ int startup_pipe; /* in child */ /* variables used for privilege separation */ int use_privsep = -1; struct monitor *pmonitor = NULL; +int privsep_is_preauth = 1; /* global authentication context */ Authctxt *the_authctxt = NULL;
@@ -637,10 +638,13 @@ privsep_preauth(Authctxt *authctxt) /* Wait for the child's exit status */ while (waitpid(pid, &status, 0) < 0) { + pmonitor->m_pid = -1; if (errno != EINTR) fatal("%s: waitpid: %s", __func__, strerror(errno)); } + pmonitor->m_pid = -1; + privsep_is_preauth = 0; if (WIFEXITED(status)) { if (WEXITSTATUS(status) != 0) fatal("%s: preauth child exited with status %d",
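Review bot: in the @@ -637 hunk the first `pmonitor->m_pid = -1;` sits inside the waitpid() retry loop ahead of the EINTR test, so every interrupted waitpid() forgets the child's pid while the child is still running; if fatal() (and with it cleanup_exit()) is reached after such an iteration, the new kill path has nothing to kill. The assignment after the loop already covers the normal path, so the one inside the loop should either go or move below the `errno != EINTR` check so the pid is dropped only once the child really cannot be waited for.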
@@ -2217,7 +2221,14 @@ do_ssh2_kex(void) void cleanup_exit(int i) { - if (the_authctxt) + if (the_authctxt) { do_cleanup(the_authctxt); + if (privsep_is_preauth && pmonitor->m_pid > 1) { + debug("Killing privsep child %d", pmonitor->m_pid); + if (kill(SIGKILL, pmonitor->m_pid) != 0) + error("%s: kill(%d): %s", __func__, + pmonitor->m_pid, strerror(errno)); + } + } _exit(i); }

From dtucker at zip.com.au Mon Aug 29 18:31:20 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 29 Aug 2011 18:31:20 +1000
Subject: Call for testing: OpenSSH-5.9
References: <20110818060840.GB26471@red-sonja>

On Mon, Aug 29, 2011 at 2:48 PM, Darren Tucker wrote:
[...]
> confirmed: it's poll.

Actually now I'm not sure about that. Or rather I still think it's poll,
but maybe not in the place I originally thought.

While trying to convert the testcase into a configure test, I found that
my testcase also fails on Linux where the sandbox (appears to) work and
now I'm confused.

Here's what I'm currently using:

$ cat polltest.c
#include <sys/resource.h>
#include <poll.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

int main(int argc, char **argv)
{
	struct rlimit rl_zero;
	struct pollfd pfd;
	int r, enforce_limit = 0;

	if (argc == 2 && strcmp(argv[1], "limit") == 0)
		enforce_limit = 1;

	/* the descriptor is opened before the limit is lowered, as in sshd */
	pfd.fd = open("/dev/null", O_RDONLY);
	pfd.events = POLLIN;

	if (enforce_limit) {
		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
		setrlimit(RLIMIT_FSIZE, &rl_zero);
		setrlimit(RLIMIT_NOFILE, &rl_zero);
	}

	r = poll(&pfd, 1, -1);
	printf("poll = %d, error: %s\n", r, strerror(errno));
	return 0;
}

$ gcc polltest.c && ./a.out ; ./a.out limit
poll = 1, error: Success
poll = -1, error: Invalid argument

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Tue Aug 30 01:15:44 2011
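Review bot: in the cleanup_exit() hunk of Damien's sshd.c diff above, `kill(SIGKILL, pmonitor->m_pid)` has its arguments reversed: kill(2) is kill(pid, sig), so as written this asks to send signal number <child pid> to process 9 and fails with EINVAL or ESRCH instead of killing the privsep child; it needs to be `kill(pmonitor->m_pid, SIGKILL)`. The same branch also dereferences pmonitor whenever privsep_is_preauth is set, but privsep_is_preauth is initialised to 1 and pmonitor to NULL (the @@ -222 hunk shows both), so an sshd running with privilege separation disabled that reaches cleanup_exit() with the_authctxt set dereferences a NULL pointer; check `use_privsep && pmonitor != NULL` before looking at m_pid.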
From: tim at multitalents.net (Tim Rice)
Date: Mon, 29 Aug 2011 08:15:44 -0700 (PDT)
Subject: Call for testing: OpenSSH-5.9
References: <20110818060840.GB26471@red-sonja>

On Mon, 29 Aug 2011, Darren Tucker wrote:

> On Mon, Aug 29, 2011 at 3:34 PM, Tim Rice wrote:
> [...]
> > +#ifdef POLL_USES_FD
> > +        if (setrlimit(RLIMIT_NOFILE, &rl_one) == -1)
> > +#else
> >         if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1)
> > +#endif
>
> Problem is this destroys a lot of the value of the rlimit sandbox,
> since a compromised slave can close all descriptors and open a single
> new one with connect() and, eg, use it to probe servers on localhost or
> beyond the machine in question.

True, but it's better than no sandbox. And right now we can't use the
sandbox on Solaris or UnixWare. HP-UX does not work either but it looks
like that is a different issue.

> One thing we could do to mitigate this is to have the monitor
> SIGKILL the slave if the socketpair closes. It's racy so there's a
> window where a compromised slave could potentially make a connection.

Hmm.

> Unless someone who knows Solaris internals can tell us how to make
> poll work with NFILES=0, I don't see any better solution.

I'll ask the engineers at UnXis if they have any ideas.

--
Tim Rice				Multitalents	(707) 456-1146
tim at multitalents.net		(707) 887-1469

From bostjan at a2o.si Tue Aug 30 01:50:01 2011
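The trade-off Darren and Tim are arguing about (RLIMIT_NOFILE of 0 versus 1) is easy to see directly. The program below is an added example written for this page, not OpenSSH code; its helper names (probe, child_probe, new_socket) and the CAN_* flags are its own. For each limit it forks a child, applies the same two limits that sandbox-rlimit.c sets, and reports whether the child can still poll() a descriptor it already held (the question Darren's polltest asks), open() a new file, and, after close(0), create a socket. With the limit at 0 nothing new can be created; with the limit at 1 the socket after close(0) succeeds, which is exactly the escape Darren describes.

```c
/*
 * rlimit_probe.c: what a child can still do after setrlimit(RLIMIT_NOFILE, n).
 * Added example for this thread, not OpenSSH code; probe(), child_probe(),
 * new_socket() and the CAN_* flags are this example's own names.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAN_POLL_EXISTING      0x01 /* poll() on an already-open fd returned 1 */
#define CAN_OPEN_NEW           0x02 /* open() of a new file succeeded */
#define CAN_SOCKET_AFTER_CLOSE 0x04 /* socket() succeeded once close(0) freed a slot */
#define CAN_POLL_ERR_EINVAL    0x08 /* poll() failed with EINVAL (the symptom in the thread) */
#define PROBE_FAILED           0xff /* fork/open/setrlimit failed; nothing measured */

static int new_socket(void)
{
	/* AF_INET is what "probe localhost or beyond" needs; fall back to
	 * AF_UNIX so the result reflects the descriptor limit even on a
	 * host with no IP networking at all. */
	int s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0 && errno != EMFILE)
		s = socket(AF_UNIX, SOCK_STREAM, 0);
	return s;
}

/* Runs in the forked child: apply the limits, then try the three operations. */
static int child_probe(rlim_t nofile)
{
	struct rlimit rl_zero = { .rlim_cur = 0, .rlim_max = 0 };
	struct rlimit rl_nofile = { .rlim_cur = nofile, .rlim_max = nofile };
	struct pollfd pfd;
	int mask = 0, fd, r;

	fd = open("/dev/null", O_RDONLY); /* opened before the limit, like sshd's own fds */
	if (fd < 0)
		return PROBE_FAILED;
	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1 ||
	    setrlimit(RLIMIT_NOFILE, &rl_nofile) == -1)
		return PROBE_FAILED;

	pfd.fd = fd;
	pfd.events = POLLIN;
	r = poll(&pfd, 1, 0);
	if (r == 1)
		mask |= CAN_POLL_EXISTING;
	else if (r == -1 && errno == EINVAL)
		mask |= CAN_POLL_ERR_EINVAL;

	r = open("/dev/null", O_RDONLY); /* would get a number >= nofile: EMFILE */
	if (r >= 0) {
		mask |= CAN_OPEN_NEW;
		close(r);
	}

	close(0);         /* what a compromised child does: free the lowest slot ... */
	r = new_socket(); /* ... and take it back as a socket */
	if (r >= 0)
		mask |= CAN_SOCKET_AFTER_CLOSE;
	return mask;
}

/* Fork, run child_probe() under the given limit, return its CAN_* bitmask. */
int probe(rlim_t nofile)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return PROBE_FAILED;
	if (pid == 0)
		_exit(child_probe(nofile));
	while (waitpid(pid, &status, 0) < 0)
		if (errno != EINTR)
			return PROBE_FAILED;
	return WIFEXITED(status) ? WEXITSTATUS(status) : PROBE_FAILED;
}

int main(void)
{
	rlim_t n;

	for (n = 0; n <= 1; n++) {
		int m = probe(n);
		printf("RLIMIT_NOFILE=%lu: poll(existing)=%s open(new)=%s "
		    "socket(after close 0)=%s\n", (unsigned long)n,
		    (m & CAN_POLL_EXISTING) ? "ok" :
		    (m & CAN_POLL_ERR_EINVAL) ? "EINVAL" : "failed",
		    (m & CAN_OPEN_NEW) ? "ok" : "EMFILE",
		    (m & CAN_SOCKET_AFTER_CLOSE) ? "OK (sandbox escaped)" : "refused");
	}
	return 0;
}
```

On Linux the limit-0 line reports poll() failing with EINVAL, the same result Darren got on Linux, because Linux refuses a poll() whose nfds exceeds the soft RLIMIT_NOFILE; the limit-1 line shows poll() working and the socket being created after close(0). The poll outcome is reported rather than asserted because, as the AIX and HP-UX results in this thread show, it is the part that varies by platform; the open()/socket() outcomes do not.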
From: bostjan at a2o.si (Bostjan Skufca)
Date: Mon, 29 Aug 2011 17:50:01 +0200
Subject: Auth forwarding socket for single auth

Hi all,

authentication forwarding depends much on the environment it is used in,
but generally on shared hosts it is considered insecure, as this
documentation and common sense tell us:
http://unixwiz.net/techtips/ssh-agent-forwarding.html

Anyway, I have an auth forwarding security enhancement proposal. I hope I
am not duplicating someone else's words/thoughts, please notify me if
this is the case.

How about if we make the auth socket configurable in such a way that it
can be used for just a SINGLE authentication, and then it gets closed
automatically?

Let me illustrate the host sequence:

MyHost ---> IntermediateHost ---> FinalHost

------------------------------------------------
a) Usual session initialization flow:
------------------------------------------------
a.1 On MyHost, I execute:
    - $ ssh IntermediateHost -A
    - (this connects me to the intermediate host and creates a /tmp/ssh-...
      socket for authentication forwarding)
a.2 Once on the intermediate host, I execute:
    - $ ssh FinalHost
    - (this gets me to the final host with authentication via the auth
      socket which leads back to MyHost)
a.3 I do things on the FinalHost, but the socket is still open on the
    intermediate host

------------------------------------------------
b) Proposed session initialization flow:
------------------------------------------------
b.1 - $ ssh IntermediateHost -A --auth-single
    - (--auth-single is made up)
b.2 - $ ssh FinalHost
    - (As soon as 1 auth try is consumed (does not matter whether it
      fails or succeeds) the socket gets closed.)
b.3 I do things on FinalHost, BUT the auth socket does not exist anymore
    on the Intermediate Host

------------------------------------------------
c) Speedup of the proposed flow:
------------------------------------------------
c.1 - $ ssh IntermediateHost -A --auth-single -t "ssh FinalHost"

Annotations to the proposed (b and c) flows:
- I understand that in example b) for a limited timeframe there is still
  an insecure socket available at the Intermediate host, which can be
  exploited by a powerful-enough user on the intermediate host
- In example c) this timeframe gets really down to the minimum, which
  leaves this scheme vulnerable only to a really dedicated and determined
  cracker, but it should be the admin's decision whether he wants to use
  this or not in systems which can't afford such risk.

Please comment on this "proposal".

Best regards,
b.

From kevin.brott at gmail.com Tue Aug 30 09:54:45 2011
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 29 Aug 2011 16:54:45 -0700
Subject: Call for testing: OpenSSH-5.9
References: <20110818060840.GB26471@red-sonja>

On Mon, Aug 29, 2011 at 01:31, Darren Tucker wrote:

> On Mon, Aug 29, 2011 at 2:48 PM, Darren Tucker wrote:
> [...]
> > confirmed: it's poll.
>
> Actually now I'm not sure about that. Or rather I still think it's
> poll, but maybe not in the place I originally thought.
>
> While trying to convert the testcase into a configure test, I found
> that my testcase also fails on Linux where the sandbox (appears to)
> work and now I'm confused.
>
> Here's what I'm currently using:
>
> $ cat polltest.c
> #include <sys/resource.h>
> #include <poll.h>
> #include <fcntl.h>
> #include <stdio.h>
> #include <string.h>
> #include <errno.h>
>
> int main(int argc, char **argv)
> {
> 	struct rlimit rl_zero;
> 	struct pollfd pfd;
> 	int r, enforce_limit = 0;
>
> 	if (argc == 2 && strcmp(argv[1], "limit") == 0)
> 		enforce_limit = 1;
>
> 	pfd.fd = open("/dev/null", O_RDONLY);
> 	pfd.events = POLLIN;
>
> 	if (enforce_limit) {
> 		rl_zero.rlim_cur = rl_zero.rlim_max = 0;
> 		setrlimit(RLIMIT_FSIZE, &rl_zero);
> 		setrlimit(RLIMIT_NOFILE, &rl_zero);
> 	}
>
> 	r = poll(&pfd, 1, -1);
> 	printf("poll = %d, error: %s\n", r, strerror(errno));
> 	return 0;
> }
>
> $ gcc polltest.c && ./a.out ; ./a.out limit
> poll = 1, error: Success
> poll = -1, error: Invalid argument

On AIX 5.3-7.1 for this test I get these results - and 'make tests'
seemed to work fine

$ xlc polltest.c && ./a.out ; ./a.out limit
poll = 1, error: Error 0
poll = 1, error: Error 0

HP-UX 11.31 + HP Ansi C/C++

$ cc polltest.c && ./a.out ; ./a.out limit
"polltest.c", line 27: warning #2181-D: argument is incompatible with corresponding format string conversion
        printf("poll = %d, error: %s\n", r, strerror(errno));
                                            ^
poll = 1, error: Error 0
poll = 1, error: Invalid argument

HP-UX 11.11-11.31 + gcc

$ gcc polltest.c && ./a.out ; ./a.out limit
poll = 1, error: Error 0
poll = 1, error: Invalid argument

--
# include /* Kevin Brott */
From dtucker at zip.com.au Tue Aug 30 10:17:37 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 30 Aug 2011 10:17:37 +1000
Subject: Auth forwarding socket for single auth

On Tue, Aug 30, 2011 at 1:50 AM, Bostjan Skufca wrote:
[...]
> How about if we make the auth socket configurable in such way, that it
> can be used for just SINGLE authentication, and then it gets closed
> automatically?

A while ago I implemented an escape code (~a I think) that toggled
whether or not the client would accept forwarded agent requests, but only
as a local change. You could possibly implement this policy as an
external SSH_ASKPASS program, however...

> Let me illustrate host sequence:
> MyHost ---> IntermediateHost ---> FinalHost

If you don't trust IntermediateHost and it has tcp port forwarding
enabled, you can also do something like this:

Host FinalHost
	ProxyCommand ssh -W %h:%p IntermediateHost
	ForwardAgent no
	ForwardX11 no

This will create an end-to-end encrypted connection between MyHost and
FinalHost and won't require agent forwarding on IntermediateHost. (I
call this "stacked" connections, as opposed to "chained" connections,
which is what you're currently doing). It'll also prevent the
possibility of the traffic being compromised on IntermediateHost (since
in your scheme it's decrypted and re-encrypted on IntermediateHost, and
thus subject to monitoring and/or change).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
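Darren's stacked configuration, written out as a complete ssh_config for MyHost with the chained setup it replaces beside it for comparison. This is an added example for this page, not text from the thread; the host names follow Bostjan's illustration and the comments describe behaviour of OpenSSH's ssh(1) and ssh-agent(1), not anything the thread's authors wrote.

```sshconfig
# Chained (Bostjan's flow a): the agent is forwarded onto IntermediateHost,
# where it appears as /tmp/ssh-XXXXXXXXXX/agent.<pid>. Anyone with root on
# IntermediateHost can use that socket to authenticate as you for as long
# as the session lasts. Weak setting, kept here only for comparison.
Host IntermediateHost
    ForwardAgent yes

# Stacked (Darren's reply): the outer ssh to FinalHost runs an inner ssh to
# IntermediateHost as its transport, and that inner ssh only relays the raw
# TCP stream (-W). Both key authentications happen on MyHost against the
# local agent, so no agent socket ever exists on IntermediateHost, and
# IntermediateHost sees only ciphertext of the FinalHost session.
Host FinalHost
    ProxyCommand ssh -W %h:%p IntermediateHost
    ForwardAgent no
    ForwardX11 no
```

With this in place, `ssh FinalHost` from MyHost does everything Bostjan's flow c) does, without a window in which a socket on IntermediateHost is usable by someone else. `ssh -W` needs OpenSSH 5.4 or later on MyHost and AllowTcpForwarding left enabled in IntermediateHost's sshd_config (the "tcp port forwarding enabled" condition in Darren's reply); OpenSSH 7.3 and later spell the same arrangement as `ProxyJump IntermediateHost` (or `ssh -J IntermediateHost FinalHost`), which is the form to prefer on current systems.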