From openssh at roumenpetrov.info Mon Oct 1 01:58:39 2012
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sun, 30 Sep 2012 18:58:39 +0300
Subject: OpenSSH with X.509 certificates support v7.3
Message-ID: <50686C2F.8030603@roumenpetrov.info>

Dear All,

Version 7.3 of X.509 certificates support for OpenSSH is published.

Main updates:
- enable AES cipher in CTR mode for FIPS build
  Builds with FIPS-enabled OpenSSL now use the OpenSSL implementation.
- initialization of OpenSSL engines
  Engine initialization is improved and now OpenSSL static engines are
  initialized only once. Double initialization led to an application crash
  in engine cleanup, even without use of engines. Note that dynamic engines
  are not impacted.
- exclude X.509 regression test
  If SSH_X509TESTS is set to skip, the X.509 regression test will not be run
  when regression tests are requested to be run, for example:
    make check SSH_X509TESTS=skip
- fips regression test
  Standard regression tests are enhanced with connect-privsep and try-ciphers
  test runs in fips mode. Tests can be executed only manually, for example:
    make FIPS_LTESTS=[name_of_test] REGRESS_TARGETS=f-exec

Yours sincerely,
Roumen Petrov

From dkg at fifthhorseman.net Mon Oct 1 07:11:32 2012
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 30 Sep 2012 17:11:32 -0400
Subject: limiting authentication mechanisms [was: Re: Restrict extranet connection to a group]
In-Reply-To: <20120929212544.21733.qmail@stuge.se>
References: <20120929202443.GJ6197@koocotte.org> <20120929212544.21733.qmail@stuge.se>
Message-ID: <5068B584.7020907@fifthhorseman.net>

On 09/29/2012 05:25 PM, Peter Stuge wrote:
> I don't allow password or challenge+response (kbdint).

fwiw, ChallengeResponseAuthentication is actually a different setting
from KbdInteractiveAuthentication. I usually do:

  PasswordAuthentication no
  KbdInteractiveAuthentication no
  ChallengeResponseAuthentication no

to limit authentication to saner mechanisms like pubkey or GSSAPI (when
patched in).

--dkg

From dauntless at dauntless.be Mon Oct 1 08:30:22 2012
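The three settings above are separate keywords, and the only reliable way to see what a running sshd actually enforces is the effective configuration printed by `sshd -T` (available since OpenSSH 5.1; it prints every option as a lowercased "key value" line, after all Match blocks are resolved for the context given with -C). The following audit script is an added example, not from the thread or from OpenSSH; it reads `sshd -T` output on stdin and fails if any of the three keywords is not set to `no`. The two sample inputs are constructed.

```shell
#!/bin/sh
# Audit the effective sshd configuration for the three settings listed in
# the message above. Input is `sshd -T` output (one "key value" per line,
# keys lowercased) read from stdin, so it can be fed from a live host or
# from a saved copy. Added example; not part of OpenSSH.

audit_auth_methods() {
    cfg=$(cat)          # effective config, read once from stdin
    bad=0
    for key in passwordauthentication kbdinteractiveauthentication \
               challengeresponseauthentication; do
        val=$(printf '%s\n' "$cfg" |
              awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        case "$val" in
            no) printf 'ok:   %s %s\n' "$key" "$val" ;;
            '') printf 'FAIL: %s not present in output (treated as enabled)\n' "$key"
                bad=1 ;;
            *)  printf 'FAIL: %s %s\n' "$key" "$val"
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed samples of `sshd -T` output, not taken from a real host.
# The "weak" one has KbdInteractiveAuthentication off but still allows
# ChallengeResponseAuthentication: exactly the gap the message points out.
SAMPLE_WEAK='passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication yes
pubkeyauthentication yes'

SAMPLE_OK='passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
pubkeyauthentication yes'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_WEAK" | audit_auth_methods || echo "weak sample: FAIL (expected)"
    printf '%s\n' "$SAMPLE_OK" | audit_auth_methods && echo "hardened sample: ok"
fi
```

On a real host run it as root with `sshd -T | sh audit.sh` (or `sshd -T -C user=alice,addr=198.51.100.7 | ...` to evaluate a particular Match context); `sshd -T` needs the same privileges sshd itself needs to read the host keys.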
From: dauntless at dauntless.be (Jeroen Beckers)
Date: Mon, 1 Oct 2012 00:30:22 +0200
Subject: User can't use SFTP after chroot
Message-ID:

Hi,

I've posted this question on ServerFault, but no answer has been found
(http://serverfault.com/questions/431329/user-cant-sftp-after-chroot).
I have version 1:5.3p1-3ubuntu7

To sum up: I want to chroot the user sam. Things I have done:
- add user 'sam' to group 'users'
- added Subsystem sftp internal-sftp to /etc/ssh/sshd_config (at the bottom)
- added a Match :

--
Match group users
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
--

- changed permission of /home to be owned by root:root and not writable by
  anyone else
- restarted ssh

When I try to sftp with sam, I get this:
--
$ sftp sam at localhost
Connecting to localhost...
sam at localhost's password:
Couldn't read packet: Connection reset by peer
--

If I remove sam from the users group, he can SFTP fine, but isn't chrooted.

Using -vvv, I get the following:

-----
sam at localhost's password:
debug3: packet_send2: adding 64 (len 56 padlen 8 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1639
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug3: Wrote 128 bytes for a total of 1767
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env SSH_CLIENT
debug3: Ignored env SSH_TTY
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env MAIL
debug3: Ignored env PATH
debug3: Ignored env PWD
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSOPEN
debug3: Ignored env LESSCLOSE
debug3: Ignored env _
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: Wrote 64 bytes for a total of 1831
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e 6 c -1
debug3: Wrote 32 bytes for a total of 1863
debug3: Wrote 64 bytes for a total of 1927
debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Transferred: sent 1744, received 2008 bytes, in 0.0 seconds
Bytes per second: sent 627347.0, received 722312.4
debug1: Exit status 1
Couldn't read packet: Connection reset by peer
------

And if I change LogLevel to DEBUG2, I get this in /var/log/auth.log:

------
Oct 1 00:28:27 163-73-23 sshd[17728]: Accepted password for sam from 127.0.0.1 port 36128 ssh2
Oct 1 00:28:27 163-73-23 sshd[17728]: debug1: monitor_child_preauth: sam has been authenticated by privileged process
Oct 1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
Oct 1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
Oct 1 00:28:27 163-73-23 sshd[17731]: debug1: SELinux support disabled
Oct 1 00:28:27 163-73-23 sshd[17728]: User child is on pid 17731
Oct 1 00:28:27 163-73-23 sshd[17728]: debug1: do_cleanup
------

What is going wrong? What else can I give you to troubleshoot?

Thanks!

From bostjan at a2o.si Mon Oct 1 10:25:16 2012
From: bostjan at a2o.si (Bostjan Skufca)
Date: Mon, 1 Oct 2012 02:25:16 +0200
Subject: User can't use SFTP after chroot
In-Reply-To:
References:
Message-ID:

Do you chroot to a directory which is writable by non-root? Or any of its
parents all the way up to the root (/)? If so, chroot (and connection) will
fail.

b.

On 1 October 2012 00:30, Jeroen Beckers wrote:
> Hi,
>
> I've posted this question on ServerFault, but no answer has been found
> (http://serverfault.com/questions/431329/user-cant-sftp-after-chroot).
> I have version 1:5.3p1-3ubuntu7
>
> To sum up: I want to chroot the user sam. Things I have done:
> - add user 'sam' to group 'users'
> - added Subsystem sftp internal-sftp to /etc/ssh/sshd_config (at the
> bottom)
> - added a Match :
>
> --
> Match group users
> ChrootDirectory %h
> ForceCommand internal-sftp
> AllowTcpForwarding no
> --
>
> - changed permission of /home to be owned by root:root and not
> writable by anyone else
> - restarted ssh
>
> When I try to sftp with sam, I get this:
> --
> $ sftp sam at localhost
> Connecting to localhost...
> sam at localhost's password:
> Couldn't read packet: Connection reset by peer
> --
>
> If I remove sam from the users group, he can SFTP fine, but isn't chrooted.
>
> [...]
>
> What is going wrong? What else can I give you to troubleshoot?
>
> Thanks!
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From dauntless at dauntless.be Mon Oct 1 21:33:21 2012
From: dauntless at dauntless.be (Jeroen Beckers)
Date: Mon, 1 Oct 2012 13:33:21 +0200
Subject: User can't use SFTP after chroot
In-Reply-To:
References:
Message-ID:

No, it's owned by root:root and not writable for anyone else:

$ ls -la /home
drwxr-xr-x 10 root root 4096 Sep 30 18:03 .
drwxr-xr-x 22 root root 4096 Sep 23 16:10 ..
drwxr-xr-x 11 root root 4096 Sep 23 16:12 sam

On Mon, Oct 1, 2012 at 2:25 AM, Bostjan Skufca wrote:
> Do you chroot to a directory which is writable by non-root? Or any of its
> parents all the way up to the root (/)? If so, chroot (and connection) will
> fail.
>
> b.
>
> On 1 October 2012 00:30, Jeroen Beckers wrote:
>> [...]

From peter at stuge.se Mon Oct 1 22:31:14 2012
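The rule Bostjan describes is the check sshd performs before it chroots: every path component from / down to the ChrootDirectory must be owned by root and must not be writable by group or others, otherwise the session is refused after authentication succeeds (which is the point at which the sftp client above reports "Connection reset by peer"). The script below is an added example, not from the thread and not OpenSSH code; it walks a path and reports the first component that would fail that check. In the `ls -la /home` listing above, /, /home and /home/sam are all root-owned and mode 755, so this check passes and the cause has to be found elsewhere, e.g. in the server-side debug output.

```shell
#!/bin/sh
# Check a ChrootDirectory path the way sshd does before chrooting: every
# component, starting at /, must be owned by root and not writable by
# group or others. Added example; not part of OpenSSH.

# check_component DIR: succeed if DIR is root-owned and not group/world
# writable; print a BAD line on stderr otherwise. -L follows symlinks,
# since sshd stat()s the real directory.
check_component() {
    entry=$(ls -ldL "$1") || return 1
    mode=$(printf '%s\n' "$entry" | cut -c1-10)          # e.g. drwxr-xr-x
    owner=$(printf '%s\n' "$entry" | awk '{ print $3 }')
    if [ "$owner" != root ]; then
        echo "BAD $1: owned by $owner, must be root" >&2
        return 1
    fi
    # character 6 is the group write bit, character 9 the "other" write bit
    case "$mode" in
        ?????w*|????????w*)
            echo "BAD $1: writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    echo "ok  $1: $mode $owner"
}

# check_chroot_path PATH: check / and then each component of PATH in turn.
# Returns 1 if any component fails, after reporting all of them.
check_chroot_path() {
    target=$1
    rc=0
    check_component / || rc=1
    sofar=""
    old_ifs=$IFS
    IFS=/
    set -- $target
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        sofar="$sofar/$part"
        check_component "$sofar" || rc=1
    done
    return "$rc"
}

# Usage: sh check-chroot.sh demo /home/sam
if [ "${1:-}" = demo ]; then
    check_chroot_path "${2:-/home/sam}"
fi
```

Run it against the expanded ChrootDirectory (for `%h`, the user's home directory as recorded in the password database, not the directory you think it is). Note that it only covers the ownership and permission rule; a directory that passes can still break a session for other reasons, such as a missing component of the path the user's home entry points at.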
From: peter at stuge.se (Peter Stuge)
Date: Mon, 1 Oct 2012 14:31:14 +0200
Subject: User can't use SFTP after chroot
In-Reply-To:
References:
Message-ID: <20121001123114.10858.qmail@stuge.se>

Jeroen Beckers wrote:
> What is going wrong? What else can I give you to troubleshoot?

Try running sshd -ddd on the server side and see what you get.

//Peter

From sebastiano.dipaola at gmail.com Tue Oct 2 23:58:39 2012
From: sebastiano.dipaola at gmail.com (Sebastiano Di Paola)
Date: Tue, 2 Oct 2012 15:58:39 +0200
Subject: patch proposal for ssh-copy-id script
Message-ID:

Hello everybody,

I wrote an updated version of the ssh-copy-id script in order to support
sshd not running on the standard port 22. So I added another parameter to
the script to allow the user to specify the daemon port.

I've also changed the way the command line parameters are retrieved in
order to have a more "robust" way of getting them using getopts. Due to
this change the host name must be preceded by the -h parameter.

Anyway, attached there is the patch for the script and the manual page as
well, derived from openssh6.1p1.

Any comments are welcome and appreciated :)

Kind regards.
Sebastiano Di Paola

From sebastiano.dipaola at gmail.com Wed Oct 3 00:01:16 2012
From: sebastiano.dipaola at gmail.com (Sebastiano Di Paola)
Date: Tue, 2 Oct 2012 16:01:16 +0200
Subject: patch proposal for ssh-copy-id script
In-Reply-To:
References:
Message-ID:

-- BEGIN PATCH CUT AFTER THIS LINE --
diff -rupN d/openssh-6.1p1/contrib/ssh-copy-id c/openssh-6.1p1/contrib/ssh-copy-id
--- d/openssh-6.1p1/contrib/ssh-copy-id 2011-08-17 04:05:49.000000000 +0200
+++ c/openssh-6.1p1/contrib/ssh-copy-id 2012-10-02 15:41:44.000000000 +0200
@@ -7,21 +7,39 @@ ID_FILE="${HOME}/.ssh/id_rsa.pub" -if [ "-i" = "$1" ]; then - shift - # check if we have 2 parameters left, if so the first is the new ID file - if [ -n "$2" ]; then - if expr "$1" : ".*\.pub" > /dev/null ; then - ID_FILE="$1" - else - ID_FILE="$1.pub" +# help function +usage() { + echo "Usage: $0 [-i [identity_file]] [-p [port]] -h [user@]machine" >&2; +} + +while getopts "i:p:h:" option; do + case "$option" in + i) ID_FILE="$OPTARG" + ;; + p) PORT="$OPTARG" + ;; + h) HOST="$OPTARG" + ;; + ?) usage + exit 1 + ;; + esac +done + +if [ -z "$HOST" ]; then + echo "$0: ERROR: No destination host specified" >&2 + usage + exit 1 +fi + +if [ -n "$ID_FILE" ]; then + if ! expr "$ID_FILE" : ".*\.pub" > /dev/null ; then + ID_FILE="$ID_FILE.pub" fi - shift # and this should leave $1 as the target name - fi else - if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then - GET_ID="$GET_ID ssh-add -L" - fi + if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then + GET_ID="$GET_ID ssh-add -L" + fi fi if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then 
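Review bot: in the @@ -7,21 +7,39 @@ hunk the agent branch becomes unreachable: `ID_FILE` is pre-set to `${HOME}/.ssh/id_rsa.pub` on the unchanged line just above, so `if [ -n "$ID_FILE" ]` is always true and the `else` branch that runs `ssh-add -L` is never taken, whereas the removed code only skipped the agent when `-i` was given. Record whether `-i` was passed instead, e.g. `i) ID_FILE="$OPTARG"; ID_GIVEN=1 ;;` and `if [ -n "$ID_GIVEN" ]; then`. The `i:` spec also makes the file mandatory after `-i`, while the new usage string still advertises `[-i [identity_file]]` and the removed code accepted a bare `-i`; with this patch `ssh-copy-id -i user@host` takes `user@host` as the key file and then fails with "No destination host specified". Finally, moving the target to `-h` breaks every existing invocation of `ssh-copy-id [-i file] [user@]machine`; keeping the host positional (`shift $((OPTIND - 1)); HOST=$1`) preserves compatibility and leaves `-h` free for help.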
@@ -33,15 +51,16 @@ if [ -z "`eval $GET_ID`" ]; then exit 1 fi -if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then - echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 - exit 1 +# set the ssh server port to use it also on port != 22 if not set $PORT_STRING +# will be unset so no problem to refer to it in the ssh command +if [ -n "$PORT" ]; then + PORT_STRING="-p $PORT" fi # strip any trailing colon -host=`echo $1 | sed 's/:$//'` +HOST=`echo $HOST | sed 's/:$//'` -{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1 +{ eval "$GET_ID" ; } | ssh $PORT_STRING $HOST "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1 cat <

References:
Message-ID:

On Tue, Sep 25, 2012 at 9:12 PM, balu chandra wrote:
> I also found little information in the changelog on why strnvis() was
> introduced in input_userauth_banner. Is it added to address any
> security vulnerability?

I believe the intent was to prevent a malicious server from sending a
banner containing a terminal answerback command sequence.

I'm not aware of any UTF-8 aware equivalent of strnvis, though (if someone
knows of one we'll look at using it).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From robert.harley at gmail.com Sat Oct 6 23:48:19 2012
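Review bot: in the @@ -33,15 +51,16 @@ hunk, deleting the `[ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]` block removes the only way to ask for usage: `-h` now takes the host as a mandatory argument, so `ssh-copy-id -h` makes getopts report a missing argument instead of printing help, and `--help` is no longer recognised. Keep a help path; using a different letter for the host, or taking the host positionally, leaves `-h` free. Also validate `$PORT` before composing `PORT_STRING="-p $PORT"`: it is expanded unquoted into the `ssh` command line, so a non-numeric value turns into stray ssh arguments rather than a clear usage error; `case "$PORT" in *[!0-9]*) usage; exit 1 ;; esac` in the `-p` branch would do. The man page change mentioned in the cover mail is not in the visible patch, and the `cat <` line at the end is cut off here, so the usage text shown to the user could not be reviewed.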
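The banner problem described above is that the server sends arbitrary bytes which the client writes to the user's terminal; control sequences in them can clear the screen, and an ENQ byte makes some terminals send their answerback string as if the user had typed it. The script below is an added example, not OpenSSH code: it rewrites every byte outside printable ASCII, tab and newline as a `\ooo` octal escape, which is the visible effect of strnvis(3) on the banner, and it shares the limitation Darren mentions, because it is not UTF-8 aware (multibyte characters are escaped rather than shown). The hostile banner used for the demo is constructed.

```shell
#!/bin/sh
# Escape a server-supplied banner before it reaches the terminal: bytes
# outside printable ASCII, tab and newline become \ooo octal escapes.
# Added example; not OpenSSH code and not UTF-8 aware.

# sanitize_banner: filter stdin to stdout. od splits the input into
# unsigned byte values; awk decides per byte whether to pass it through.
sanitize_banner() {
    LC_ALL=C od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) {
              c = $i + 0
              if (c == 9 || c == 10 || (c >= 32 && c <= 126))
                  printf "%c", c          # tab, newline, printable ASCII
              else
                  printf "\\%03o", c      # everything else as \ooo
          } }'
}

# Constructed hostile banner: ESC [ 2 J clears the screen, ENQ (0x05)
# triggers the terminal answerback. Not taken from a real server.
HOSTILE_BANNER=$(printf 'Welcome\033[2J\005to example\n')

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$HOSTILE_BANNER" | sanitize_banner
    # prints: Welcome\033[2J\005to example
fi
```

The same filter is useful on the other side of the connection too, e.g. before pasting untrusted server output into a terminal from a script; anything that interprets the bytes (a pager, a log viewer) needs the same care.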
From: robert.harley at gmail.com (Rob H)
Date: Sat, 6 Oct 2012 09:48:19 -0400
Subject: SFTP ls directory listing incorrect
Message-ID:

This is from one up-to-date Fedora 17 system to another, using openssh RPMs
version 5.9p1-26.fc17.x86_64.

Listing a directory from a terminal opened via ssh is shown below, but
listing the same directory from sftp is slightly wrong, i.e., file
sizes/flags/timestamps of two files are swapped.

dan at localhost:/tmp> ls -l peers.*
-rw-r--r--. 1 rob users     2176 Oct 4 15:12 peers.awk
-rw-r-----. 1 dan traders 1311410 Oct 4 16:49 peers.res2
-rw-r-----. 1 dan traders 66799654 Oct 4 16:59 peers.res3
-rw-r--r--. 1 rob users     8900 Oct 4 16:56 peers.txt

sftp> ls -l peers.*
-rw-r--r-- 0 500 100     2176 Oct 4 15:12 peers.awk
-rw-r----- 0 505 502 1311410 Oct 4 16:49 peers.res2
-rw-r--r-- 0 500 100     8900 Oct 4 16:56 peers.res3
-rw-r----- 0 505 502 66799654 Oct 4 16:59 peers.txt

From pal.ankita.ankita at gmail.com Tue Oct 9 21:34:34 2012
From: pal.ankita.ankita at gmail.com (ankita pal)
Date: Tue, 9 Oct 2012 16:04:34 +0530
Subject: make install errors in openssh(when openpam is to be integrated with openssh)
Message-ID:

Hi,

I want to integrate openpam with openssh in our server (which uses the
QNX632 operating system). I am facing some problems in the "make install"
part of openssh. Following are the steps I followed to build zlib, openssl,
openpam and openssh.

NOTE: Since I want the sshd and ssh binaries in my server (using QNX), I had
to cross compile the packages for QNX (environment was set to x86)

1. zlib (1.2.7):
CC=qcc CFLAGS+=-Vgcc_ntox86 ./configure --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
make clean
make
make install

2. openssl (1.0.1c):
CC=qcc CXX=qcc AR=ntox86-ar LD=qcc RANLIB=ntox86-ranlib CFLAGS+="-Vgcc_ntox86 -fPIC" LDFLAGS+="-Vgcc_ntox86 -shared" ./Configure zlib-dynamic QNX6-i386 --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
make clean
make
make install

3. openpam (20120526 Micrampelis) (with some modifications: added source code of vasprintf and asprintf):
./configure --enable-shared --without-doc --with-pamtest --host=i386-pc-linux-gnu --enable-debug --enable-debugging-symbols CC=qcc CFLAGS="-Vgcc_ntox86" --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
make clean
make
make install

The libraries were installed in /home/mpal/ws2/dawn_v1/3dParty/build_apal/lib

4. openssh:
CC=qcc CFLAGS="-Vgcc_ntox86 -I${INF_WRK_AREA_FWD}/../3dParty/openpam/include -L${INF_WRK_AREA_FWD}/../3dParty/openpam/lib/.libs -L${INF_WRK_AREA_FWD}/../3dParty/build_apal/lib" LD=qcc LDFLAGS+=-Vgcc_ntox86 CXX=qcc CPPFLAGS+="-DMISSING_HOWMANY -DMISSING_NFDBITS -DMISSING_NFDMASK" ./configure --with-pam=${INF_WRK_AREA_FWD}/../3dParty/openpam --disable-lastlog --host=i386 --with-ssl-dir=${INF_WRK_AREA_FWD}/../3dParty/openssl --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal --datarootdir=/home/mpal/ws2/dawn_v1/3dParty/build_apal --datadir=/home/mpal/ws2/dawn_v1/3dParty/ --with-privsep-path=/home/mpal/ws2/dawn_v1/3dParty/build_apal --with-pid-dir=/home/mpal/ws2/dawn_v1/3dParty/build_apal

------------------------------------------------------------------------
message got after doing configure:

OpenSSH has been configured with the following options:
                     User binaries: /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin
                   System binaries: /home/mpal/ws2/dawn_v1/3dParty/build_apal/sbin
               Configuration files: /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc
                   Askpass program: /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/ssh-askpass
                      Manual pages: /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/manX
                          PID file: /home/mpal/ws2/dawn_v1/3dParty/build_apal
  Privilege separation chroot path: /home/mpal/ws2/dawn_v1/3dParty/build_apal
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/home/mpal/ws2/dawn_v1/3dParty/build_apal/bin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: i386-pc-none
          Compiler: qcc
    Compiler flags: -Vgcc_ntox86 -I/home/mpal/ws2/dawn_v1/main/../3dParty/openpam/include -L/home/mpal/ws2/dawn_v1/main/../3dParty/openpam/lib/.libs -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -fno-builtin-memset
Preprocessor flags: -I/home/mpal/ws2/dawn_v1/main/../3dParty/openssl/include -DMISSING_HOWMANY -DMISSING_NFDBITS -DMISSING_NFDMASK
      Linker flags: -L/home/mpal/ws2/dawn_v1/main/../3dParty/openssl -Vgcc_ntox86
         Libraries: -lcrypto -lz -lsocket
         +for sshd: -lpam

PAM is enabled. You may need to install a PAM control file for sshd,
otherwise password authentication may fail. Example PAM control files can
be found in the contrib/ subdirectory

WARNING: the operating system that you are using does not appear to support
getpeereid(), getpeerucred() or the SO_PEERCRED getsockopt() option. These
facilities are used to enforce security checks to prevent unauthorised
connections to ssh-agent. Their absence increases the risk that a malicious
user can connect to your agent.
------------------------------------------------------------------------

vim config.h:
#define MISSING_FD_MASK 1    //in line 1276
#undef HAVE_SYS_POL_H        //in line 1016
#undef HAVE_POLL             //in line 710

vim Makefile:
------------------------------------------------------------------------
SSHDLIBS= -lpam    //line 48
LDFLAGS=-L. -Lopenbsd-compat/ -L/home/mpal/ws2/dawn_v1/main/../3dParty/openssl -Vgcc_ntox86 -L/home/mpal/ws2/dawn_v1/3dParty/build_apal/lib -L/home/mpal/ws2/dawn_v1/3dParty/openpam/lib/.libs    //line 58
CFLAGS=-Vgcc_ntox86 -I/home/mpal/ws2/dawn_v1/main/../3dParty/openpam/include -L/home/mpal/ws2/dawn_v1/main/../3dParty/build_apal/lib -L/home/mpal/ws2/dawn_v1/3dParty/openpam/lib/.libs -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -fno-builtin-memset    //line 44
------------------------------------------------------------------------

make clean
make
make INSTALL_PREFIX="/home/mpal/ws2/dawn_v1/3dParty/build_openssh" install

------------------------------------------------------------------------
message got after doing make install:

IN-NeAppsLnxBld3:openssh-5.9p1[x86-main]$make INSTALL_PREFIX="/home/mpal/ws2/dawn_v1/3dParty/build_apal" install
(cd openbsd-compat && make)
make[1]: Entering directory `/home/mpal/ws2/dawn_v1/3dParty/openssh-5.9p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/mpal/ws2/dawn_v1/3dParty/openssh-5.9p1/openbsd-compat'
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/sbin
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8
./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec
(umask 022 ; ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal)
/usr/bin/install -c -m 0755 -s ssh /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh
/usr/bin/install -c -m 0755 -s scp /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /home/mpal/ws2/dawn_v1/3dParty/build_apal/sbin/sshd
/usr/bin/install -c -m 4711 -s ssh-keysign /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s sftp /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/ssh-pkcs11-helper.8
rm -f /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/slogin
ln -s ./ssh /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/slogin
rm -f /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/slogin.1
ln -s ./ssh.1 /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/slogin.1
if [ ! -d /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc ]; then \
	./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc; \
fi
/home/mpal/ws2/dawn_v1/3dParty/build_apal/etc/ssh_config already exists, install will not overwrite
/home/mpal/ws2/dawn_v1/3dParty/build_apal/etc/sshd_config already exists, install will not overwrite
/home/mpal/ws2/dawn_v1/3dParty/build_apal/etc/moduli already exists, install will not overwrite
/bin/sh: ./ssh-keygen: not found
/bin/sh: ./ssh-keygen: not found
/bin/sh: ./ssh-keygen: not found
/bin/sh: ./ssh-keygen: not found
make: *** [host-key] Error 127
------------------------------------------------------------------------

This is the error I am getting (during make install of openssh). How can I
remove it?

The ssh-keygen binary has been created in:
/usr/bin/install -c -m 0755 -s ssh-keygen /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-keygen
still it says ./ssh-keygen: not found

Can you suggest some trick to get this correct.

Regards,
Ankita

From peter at stuge.se Tue Oct 9 21:53:41 2012
From: peter at stuge.se (Peter Stuge)
Date: Tue, 9 Oct 2012 12:53:41 +0200
Subject: make install errors in openssh(when openpam is to be integrated with openssh)
In-Reply-To:
References:
Message-ID: <20121009105341.17406.qmail@stuge.se>

ankita pal wrote:
> CC=qcc CFLAGS="-Vgcc_ntox86
> -I${INF_WRK_AREA_FWD}/../3dParty/openpam/include
> -L${INF_WRK_AREA_FWD}/../3dParty/openpam/lib/.libs
> -L${INF_WRK_AREA_FWD}/../3dParty/build_apal/lib" LD=qcc
> LDFLAGS+=-Vgcc_ntox86 CXX=qcc CPPFLAGS+="-DMISSING_HOWMANY
> -DMISSING_NFDBITS -DMISSING_NFDMASK" ./configure
> --with-pam=${INF_WRK_AREA_FWD}/../3dParty/openpam --disable-lastlog
> --host=i386 --with-ssl-dir=${INF_WRK_AREA_FWD}/../3dParty/openssl

So far so good.

> --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
> --datarootdir=/home/mpal/ws2/dawn_v1/3dParty/build_apal
> --datadir=/home/mpal/ws2/dawn_v1/3dParty/
> --with-privsep-path=/home/mpal/ws2/dawn_v1/3dParty/build_apal
> --with-pid-dir=/home/mpal/ws2/dawn_v1/3dParty/build_apal

But these options are all wrong. Please study what the meaning of
each option is so that you can set them correctly. You must of course
pay special attention to differences between build system layout and
the host where the binaries will be used.

Hint: The above options are not for using some random subdirectory as
destination at make install time.

> Can you suggest some trick to get this correct.

Unfortunately no trick. Study autotools, it will allow you to
"get this correct."

//Peter

From pal.ankita.ankita at gmail.com Tue Oct 9 23:24:31 2012
From: pal.ankita.ankita at gmail.com (ankita pal)
Date: Tue, 9 Oct 2012 17:54:31 +0530
Subject: make install errors in openssh(when openpam is to be integrated with openssh)
In-Reply-To:
References:
Message-ID:

should I use the option "--with-skey " (something like --with-skey[=/home/mpal/ws2/dawn_v1/3dParty/build_apal] ), since the error mentions ssh-keygen?

On Tue, Oct 9, 2012 at 4:04 PM, ankita pal wrote:
>
> Hi,
>
> I want to integrate openpam with openssh in our server (which uses QNX632 operating system). I am facing some problems in the "make install" part of openssh. Following are the steps I followed to build zlib, openssl, openpam and openssh.
>
> NOTE: Since I want the sshd and ssh binaries in my server (using QNX), I had to cross compile the packages for QNX (environment was set to x86)
>
> 1. zlib(1.2.7):
>
> CC=qcc CFLAGS+=-Vgcc_ntox86 ./configure --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
>
> make clean
> make
> make install
>
> 2. openssl(1.0.1c):
>
> CC=qcc CXX=qcc AR=ntox86-ar LD=qcc RANLIB=ntox86-ranlib CFLAGS+="-Vgcc_ntox86 -fPIC" LDFLAGS+="-Vgcc_ntox86 -shared" ./Configure zlib-dynamic QNX6-i386 --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
>
> make clean
> make
> make install
>
> 3. openpam(20120526 Micrampelis)(with some modifications- added source codes of vasprintf and asprintf):
>
> ./configure --enable-shared --without-doc --with-pamtest --host=i386-pc-linux-gnu --enable-debug --enable-debugging-symbols CC=qcc CFLAGS="-Vgcc_ntox86" --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
>
> make clean
> make
> make install
>
> The libraries were installed in /home/mpal/ws2/dawn_v1/3dParty/build_apal/lib
>
> 4. openssh:
>
> CC=qcc CFLAGS="-Vgcc_ntox86 -I${INF_WRK_AREA_FWD}/../3dParty/openpam/include -L${INF_WRK_AREA_FWD}/../3dParty/openpam/lib/.libs -L${INF_WRK_AREA_FWD}/../3dParty/build_apal/lib" LD=qcc LDFLAGS+=-Vgcc_ntox86 CXX=qcc CPPFLAGS+="-DMISSING_HOWMANY -DMISSING_NFDBITS -DMISSING_NFDMASK" ./configure --with-pam=${INF_WRK_AREA_FWD}/../3dParty/openpam --disable-lastlog --host=i386 --with-ssl-dir=${INF_WRK_AREA_FWD}/../3dParty/openssl --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal --datarootdir=/home/mpal/ws2/dawn_v1/3dParty/build_apal --datadir=/home/mpal/ws2/dawn_v1/3dParty/ --with-privsep-path=/home/mpal/ws2/dawn_v1/3dParty/build_apal --with-pid-dir=/home/mpal/ws2/dawn_v1/3dParty/build_apal
>
> -----------------------------------------------------------------------
> message got after doing configure:
> OpenSSH has been configured with the following options:
>                      User binaries: /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin
>                    System binaries: /home/mpal/ws2/dawn_v1/3dParty/build_apal/sbin
>                Configuration files: /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc
>                    Askpass program: /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/ssh-askpass
>                       Manual pages: /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/manX
>                           PID file: /home/mpal/ws2/dawn_v1/3dParty/build_apal
>   Privilege separation chroot path: /home/mpal/ws2/dawn_v1/3dParty/build_apal
>             sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/home/mpal/ws2/dawn_v1/3dParty/build_apal/bin
>                     Manpage format: doc
>                        PAM support: yes
>                    OSF SIA support: no
>                  KerberosV support: no
>                    SELinux support: no
>                  Smartcard support:
>                      S/KEY support: no
>               TCP Wrappers support: no
>               MD5 password support: no
>                    libedit support: no
>   Solaris process contract support: no
>            Solaris project support: no
>        IP address in $DISPLAY hack: no
>            Translate v4 in v6 hack: no
>                   BSD Auth support: no
>               Random number source: OpenSSL internal ONLY
>              Privsep sandbox style: rlimit
>
>               Host: i386-pc-none
>           Compiler: qcc
>     Compiler flags: -Vgcc_ntox86 -I/home/mpal/ws2/dawn_v1/main/../3dParty/openpam/include -L/home/mpal/ws2/dawn_v1/main/../3dParty/openpam/lib/.libs -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -fno-builtin-memset
> Preprocessor flags: -I/home/mpal/ws2/dawn_v1/main/../3dParty/openssl/include -DMISSING_HOWMANY -DMISSING_NFDBITS -DMISSING_NFDMASK
>       Linker flags: -L/home/mpal/ws2/dawn_v1/main/../3dParty/openssl -Vgcc_ntox86
>          Libraries: -lcrypto -lz -lsocket
>          +for sshd: -lpam
>
> PAM is enabled. You may need to install a PAM control file
> for sshd, otherwise password authentication may fail.
> Example PAM control files can be found in the contrib/
> subdirectory
>
> WARNING: the operating system that you are using does not
> appear to support getpeereid(), getpeerucred() or the
> SO_PEERCRED getsockopt() option. These facilities are used to
> enforce security checks to prevent unauthorised connections to
> ssh-agent. Their absence increases the risk that a malicious
> user can connect to your agent.
> -----------------------------------------------------------------------
>
> vim config.h:
>
> #define MISSING_FD_MASK 1   //in line 1276
> #undef HAVE_SYS_POL_H       //in line 1016
> #undef HAVE_POLL            //in line 710
>
> vim Makefile:
> -----------------------------------------------------------------------
> SSHDLIBS= -lpam   //line 48
>
> LDFLAGS=-L. -Lopenbsd-compat/ -L/home/mpal/ws2/dawn_v1/main/../3dParty/openssl -Vgcc_ntox86 -L/home/mpal/ws2/dawn_v1/3dParty/build_apal/lib -L/home/mpal/ws2/dawn_v1/3dParty/openpam/lib/.libs   //line 58
>
> CFLAGS=-Vgcc_ntox86 -I/home/mpal/ws2/dawn_v1/main/../3dParty/openpam/include -L/home/mpal/ws2/dawn_v1/main/../3dParty/build_apal/lib -L/home/mpal/ws2/dawn_v1/3dParty/openpam/lib/.libs -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -fno-builtin-memset   //line 44
> -----------------------------------------------------------------------
>
> make clean
> make
> make INSTALL_PREFIX="/home/mpal/ws2/dawn_v1/3dParty/build_openssh" install
> -----------------------------------------------------------------------
> message got after doing make install:
>
> IN-NeAppsLnxBld3:openssh-5.9p1[x86-main]$make INSTALL_PREFIX="/home/mpal/ws2/dawn_v1/3dParty/build_apal" install
> (cd openbsd-compat && make)
> make[1]: Entering directory `/home/mpal/ws2/dawn_v1/3dParty/openssh-5.9p1/openbsd-compat'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/home/mpal/ws2/dawn_v1/3dParty/openssh-5.9p1/openbsd-compat'
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/sbin
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec
> (umask 022 ; ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal)
> /usr/bin/install -c -m 0755 -s ssh /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh
> /usr/bin/install -c -m 0755 -s scp /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/scp
> /usr/bin/install -c -m 0755 -s ssh-add /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-add
> /usr/bin/install -c -m 0755 -s ssh-agent /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-agent
> /usr/bin/install -c -m 0755 -s ssh-keygen /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-keygen
> /usr/bin/install -c -m 0755 -s ssh-keyscan /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-keyscan
> /usr/bin/install -c -m 0755 -s sshd /home/mpal/ws2/dawn_v1/3dParty/build_apal/sbin/sshd
> /usr/bin/install -c -m 4711 -s ssh-keysign /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/ssh-keysign
> /usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/ssh-pkcs11-helper
> /usr/bin/install -c -m 0755 -s sftp /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/sftp
> /usr/bin/install -c -m 0755 -s sftp-server /home/mpal/ws2/dawn_v1/3dParty/build_apal/libexec/sftp-server
> /usr/bin/install -c -m 644 ssh.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh.1
> /usr/bin/install -c -m 644 scp.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/scp.1
> /usr/bin/install -c -m 644 ssh-add.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-add.1
> /usr/bin/install -c -m 644 ssh-agent.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-agent.1
> /usr/bin/install -c -m 644 ssh-keygen.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-keygen.1
> /usr/bin/install -c -m 644 ssh-keyscan.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/ssh-keyscan.1
> /usr/bin/install -c -m 644 moduli.5.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5/moduli.5
> /usr/bin/install -c -m 644 sshd_config.5.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5/sshd_config.5
> /usr/bin/install -c -m 644 ssh_config.5.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man5/ssh_config.5
> /usr/bin/install -c -m 644 sshd.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/sshd.8
> /usr/bin/install -c -m 644 sftp.1.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/sftp.1
> /usr/bin/install -c -m 644 sftp-server.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/sftp-server.8
> /usr/bin/install -c -m 644 ssh-keysign.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/ssh-keysign.8
> /usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man8/ssh-pkcs11-helper.8
> rm -f /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/slogin
> ln -s ./ssh /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/slogin
> rm -f /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/slogin.1
> ln -s ./ssh.1 /home/mpal/ws2/dawn_v1/3dParty/build_apal/man/man1/slogin.1
> if [ ! -d /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc ]; then \
> ./mkinstalldirs /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc; \
> fi
> /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc/ssh_config already exists, install will not overwrite
> /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc/sshd_config already exists, install will not overwrite
> /home/mpal/ws2/dawn_v1/3dParty/build_apal/etc/moduli already exists, install will not overwrite
> /bin/sh: ./ssh-keygen: not found
> /bin/sh: ./ssh-keygen: not found
> /bin/sh: ./ssh-keygen: not found
> /bin/sh: ./ssh-keygen: not found
> make: *** [host-key] Error 127
> -----------------------------------------------------------------------
>
> This is the error I am getting (during make install of openssh). How can I remove it?
> The ssh-keygen binary has been created in:
>
> /usr/bin/install -c -m 0755 -s ssh-keygen /home/mpal/ws2/dawn_v1/3dParty/build_apal/bin/ssh-keygen
>
> still it says ./ssh-keygen: not found
>
> Can you suggest some trick to get this correct.
>
> Regards,
> Ankita
>

From highc at us.ibm.com Wed Oct 10 01:02:10 2012
From tim at multitalents.net Wed Oct 10 02:40:10 2012
From: tim at multitalents.net (Tim Rice)
Date: Tue, 9 Oct 2012 08:40:10 -0700 (PDT)
Subject: make install errors in openssh(when openpam is to be integrated with openssh)
In-Reply-To: <20121009105341.17406.qmail@stuge.se>
References: <20121009105341.17406.qmail@stuge.se>
Message-ID:

On Tue, 9 Oct 2012, Peter Stuge wrote:

> ankita pal wrote:
> > --prefix=/home/mpal/ws2/dawn_v1/3dParty/build_apal
> > --datarootdir=/home/mpal/ws2/dawn_v1/3dParty/build_apal
> > --datadir=/home/mpal/ws2/dawn_v1/3dParty/
> > --with-privsep-path=/home/mpal/ws2/dawn_v1/3dParty/build_apal
> > --with-pid-dir=/home/mpal/ws2/dawn_v1/3dParty/build_apal
>
> But these options are all wrong. Please study what the meaning of
> each option is so that you can set them correctly. You must of course
> pay special attention to differences between build system layout and
> the host where the binaries will be used.
>
> Hint: The above options are not for using some random subdirectory as
> destination at make install time.
>
>
> > Can you suggest some trick to get this correct.
>
> Unfortunately no trick. Study autotools, it will allow you to
> "get this correct."

That and use the "install-nokeys" target.

>
> //Peter

--
Tim Rice
Multitalents
tim at multitalents.net

From m.a.oliveira at usit.uio.no Wed Oct 10 19:10:43 2012
From: m.a.oliveira at usit.uio.no (Miguel Oliveira)
Date: Wed, 10 Oct 2012 10:10:43 +0200
Subject: process_rename assumes hard links?
Message-ID: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no>

Hi,

My name is Miguel Oliveira and I work at the University of Oslo where we just deployed a new high performance compute cluster. Our current parallel filesystem is FhGFS and we started having complaints about problems with file transfers. We managed to diagnose this to particular ssh clients that do not support the new posix rename extension.

Bottom line our filesystem does not support hard links and I think the problem is that process_rename assumes link(old path,newpath) will always return one. Shouldn't this situation, i.e., link returning a symlink, be contemplated in the code?

For the time being we changed the code so that posix rename is the default but shouldn't this be addressed?

All the best,
MAO

From gert at greenie.muc.de Wed Oct 10 20:03:35 2012
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 10 Oct 2012 11:03:35 +0200
Subject: process_rename assumes hard links?
In-Reply-To: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no>
References: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no>
Message-ID: <20121010090335.GG742@greenie.muc.de>

Hi,

On Wed, Oct 10, 2012 at 10:10:43AM +0200, Miguel Oliveira wrote:
> Bottom line our filesystem does not support hard links and I think the problem is that process_rename assumes link(old path,newpath) will always return
> one. Shouldn't this situation, i.e., link returning a symlink, be contemplated in the code?

I think that a link() implementation that creates a symlink is fundamentally
broken and needs to die.

Programs can reasonably expect that a link() call that returns success
has created hard links, and it is *safe* to then call unlink(old path) -
which is standard practice to atomically test-and-set lock files, for
example.

If you return a symlink instead, you have now made an unsuspecting program
destroy its lock file, and created a dangling symlink instead.

If link() cannot create a hardlink, it must return an error code
(EOPNOTSUPP is what the FreeBSD manpage documents for this case).

(Of course this is outside the scope for the question you asked, but I
know that a filesystem with the semantics you have described will cause
problems for *lots* of programs)

gert

--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From vinschen at redhat.com Thu Oct 11 00:39:48 2012
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 10 Oct 2012 15:39:48 +0200
Subject: process_rename assumes hard links?
In-Reply-To: <20121010090335.GG742@greenie.muc.de>
References: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no> <20121010090335.GG742@greenie.muc.de>
Message-ID: <20121010133947.GA19713@calimero.vinschen.de>

On Oct 10 11:03, Gert Doering wrote:
> Hi,
>
> On Wed, Oct 10, 2012 at 10:10:43AM +0200, Miguel Oliveira wrote:
> > Bottom line our filesystem does not support hard links and I think the problem is that process_rename assumes link(old path,newpath) will always return
> > one. Shouldn't this situation, i.e., link returning a symlink, be contemplated in the code?
>
> I think that a link() implementation that creates a symlink is fundamentally
> broken and needs to die.
>
> Programs can reasonably expect that a link() call that returns success
> has created hard links, and it is *safe* to then call unlink(old path) -
> which is standard practice to atomically test-and-set lock files, for
> example.
>
> If you return a symlink instead, you have now made an unsuspecting program
> destroy its lock file, and created a dangling symlink instead.
>
> If link() cannot create a hardlink, it must return an error code
> (EOPNOTSUPP is what the FreeBSD manpage documents for this case).

... or EPERM on Linux and Cygwin.

> (Of course this is outside the scope for the question you asked, but I
> know that a filesystem with the semantics you have described will cause
> problems for *lots* of programs)

Indeed.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From ed.peschko at gmail.com Thu Oct 11 07:22:22 2012
From: ed.peschko at gmail.com (Edward Peschko)
Date: Wed, 10 Oct 2012 13:22:22 -0700
Subject: ssh over udp (or: -L option listening for traffic with a UDP service?)
Message-ID:

All,

A bit of background: I work on a QA API on a network that is very choppy (a lot of network interrupts), and we use ssh to do a large part of this automation.

This leads to some problems: ssh connections seem to be sensitive to network state, becoming unusable if the choppiness reaches a certain threshold, and either timing out or disconnecting if this happens.

Anyways, I stumbled across mosh (mobile open shell at http://mosh.mit.edu/) which is *very* usable over choppy links. In fact you can disconnect altogether, and reconnect hours after the fact and still be connected to your host.

This led me to thinking - it has this flexibility because it uses a very relaxed UDP policy for its connections - and for automation's sake I'd like to use the same policy for sshd. Because everything is automated through expect, there are no issues with responsiveness, or choppiness, so a large buffer could compensate for a bad network.

At first I tried services like duat and tcpoverudp, which transparently portforward traffic from udp to tcp. But these don't work because it looks like the udp sessions don't hold the ssh connection well.

Which led me to what I hope is a workable design. I'd like to set up something that looks like the following:

Process 1: udp:local <=> Process 2: udp:remote (forwards to) tcp:ssh_client <=> tcp:ssh_server

Where the ssh communication is all local to the server, and the commands are sent over a local UDP client to a UDP remote. The purpose of the ssh client/server connection is to avoid the network choppiness and keep the connection alive, and the purpose of the udp connection is to actually handle the traffic and network choppiness.

So a couple of questions:

1. Is this doable?
2. Has anybody done it?

I see the '-L' option to ssh, so it looks like that's a hook to do this, but AFAICT, the listening port is TCP and TCP only. Is it possible to make it UDP and UDP only, and to put hooks in to have the traffic be handled by a UDP protocol of the user's choosing?

Any help would be greatly appreciated, it is exceedingly frustrating to have an automation that takes hours to set up basically die because of a network hiccup, and we are in dire need of a more robust mechanism for communication.

Thanks much,

Ed

From peter at stuge.se Thu Oct 11 08:19:21 2012
From: peter at stuge.se (Peter Stuge)
Date: Wed, 10 Oct 2012 23:19:21 +0200
Subject: ssh over udp (or: -L option listening for traffic with a UDP service?)
In-Reply-To:
References:
Message-ID: <20121010211921.24075.qmail@stuge.se>

Edward Peschko wrote:
> 2. Has anybody done it?

openvpn implements a UDP transport which is very reliable.

> I see the '-L' option to ssh, so it looks like that's a hook to do this,
> but AFAICT, the listening port is TCP and TCP only. Is it possible to make
> it UDP and UDP only, and to put hooks in to have the traffic be handled by
> a UDP protocol of the user's choosing.

How would that help? Your problem seems to be to get SSH working at
all. Since that doesn't work I guess it's difficult to use anything
that exists *on top of* SSH?

//Peter

From djm at mindrot.org Thu Oct 11 09:50:59 2012
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Oct 2012 09:50:59 +1100 (EST)
Subject: process_rename assumes hard links?
In-Reply-To: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no>
References: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no>
Message-ID:

On Wed, 10 Oct 2012, Miguel Oliveira wrote:

> Hi,
>
> My name is Miguel Oliveira and I work at the University of Oslo
> where we just deployed a new high performance compute cluster. Our
> current parallel filesystem is FhGFS and we started having complaints
> about problems with file transfers. We managed to diagnose this to
> particular ssh clients that do not support the new posix rename
> extension.
>
> Bottom line our filesystem does not support hard links and I think the
> problem is that process_rename assumes link(old path,newpath) will
> always return one. Shouldn't this situation, i.e., link returning a
> symlink, be contemplated in the code?

link() shouldn't return a symlink(), it is a fundamentally different
operation. It should return a hard link or errno=EOPNOTSUPP.

> For the time being we changed the code so that posix rename is the
> default but shouldn't this be addressed?

process_rename() already does the right thing when the underlying
operating system tells the truth and returns errno=EOPNOTSUPP when it
doesn't support link(). It can hardly be blamed for getting it wrong
when the OS or FS lies...

All that being said, I don't think you'll suffer much for your local
change. I've never seen anything that actually depends on the silly
sftp rename semantics over the POSIX ones.

-d

From keisial at gmail.com Thu Oct 11 10:23:06 2012
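The link()+unlink() rename that the process_rename() thread above is about, written out as an added C example (this is not OpenSSH's sftp-server.c, and safe_rename, is_hard_link_of, link_unsupported and demo_safe_rename are names of my own). It combines the errno fallback discussed in the thread (EOPNOTSUPP/ENOSYS/EXDEV plus EPERM as reported for Linux and Cygwin) with the check Gert's and Damien's replies imply a robust program should make: do not unlink(oldpath) until you have verified that link() really produced a hard link, so a filesystem that "lies" cannot make you destroy the only copy of the file.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(), lstat(), symlink() under strict -std=c99 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return values of safe_rename(). */
enum { SR_OK_ATOMIC = 0, SR_OK_FALLBACK = 1, SR_ERR = -1, SR_ERR_FS_LIED = -2 };

/* errno values after which link() is taken to mean "hard links unsupported":
 * the ones sftp-server.c checks plus EPERM, which the thread reports for
 * Linux and Cygwin. Anything else is a genuine failure and is reported. */
int link_unsupported(int err)
{
    return err == EOPNOTSUPP || err == ENOSYS || err == EPERM
#ifdef EXDEV
        || err == EXDEV
#endif
        ;
}

/* 1 if newpath is a real hard link to the inode described by old_sb (not a
 * symlink, same device, same inode); a link() that made a symlink or a copy fails. */
int is_hard_link_of(const struct stat *old_sb, const char *newpath)
{
    struct stat new_sb;
    if (lstat(newpath, &new_sb) == -1)
        return 0;
    return !S_ISLNK(new_sb.st_mode) &&
           new_sb.st_dev == old_sb->st_dev && new_sb.st_ino == old_sb->st_ino;
}

/* link()+unlink() rename of a regular file; rename() fallback only when the
 * filesystem honestly reports "unsupported"; never unlink(oldpath) on a lie. */
int safe_rename(const char *oldpath, const char *newpath)
{
    struct stat old_sb, new_sb;

    if (lstat(oldpath, &old_sb) == -1)
        return SR_ERR;
    if (!S_ISREG(old_sb.st_mode))         /* dirs, symlinks: plain rename() */
        return rename(oldpath, newpath) == -1 ? SR_ERR : SR_OK_FALLBACK;

    if (link(oldpath, newpath) == -1) {
        if (!link_unsupported(errno))
            return SR_ERR;                /* e.g. EACCES, ENOENT: report it */
        /* Honest "unsupported": stat+rename, which is not race-free. */
        if (lstat(newpath, &new_sb) == 0) {
            errno = EEXIST;
            return SR_ERR;
        }
        return rename(oldpath, newpath) == -1 ? SR_ERR : SR_OK_FALLBACK;
    }

    if (!is_hard_link_of(&old_sb, newpath)) {
        /* link() "succeeded" but newpath is not a hard link to oldpath:
         * remove what it left behind and leave oldpath untouched. */
        unlink(newpath);
        errno = EIO;
        return SR_ERR_FS_LIED;
    }
    return unlink(oldpath) == -1 ? SR_ERR : SR_OK_ATOMIC;
}

/* Self-check on constructed test data in a fresh temporary directory. Returns 1
 * when a symlink is rejected by is_hard_link_of(), a regular file is renamed
 * atomically with its content intact, and the old name is gone afterwards. */
int demo_safe_rename(void)
{
    char dir[] = "/tmp/safe_rename_XXXXXX", oldp[64], newp[64], lnk[64], buf[32];
    struct stat sb;
    FILE *f;
    int ok = 0;

    if (mkdtemp(dir) == NULL) {           /* no /tmp? try the working directory */
        strcpy(dir, "./safe_rename_XXXXXX");
        if (mkdtemp(dir) == NULL)
            return 0;
    }
    snprintf(oldp, sizeof oldp, "%s/old", dir);
    snprintf(newp, sizeof newp, "%s/new", dir);
    snprintf(lnk, sizeof lnk, "%s/sym", dir);

    if ((f = fopen(oldp, "w")) != NULL) {
        fputs("payload\n", f);
        fclose(f);
        if (lstat(oldp, &sb) == 0 && symlink(oldp, lnk) == 0 &&
            !is_hard_link_of(&sb, lnk) &&
            safe_rename(oldp, newp) == SR_OK_ATOMIC &&
            lstat(oldp, &sb) == -1 && errno == ENOENT &&
            (f = fopen(newp, "r")) != NULL) {
            ok = fgets(buf, sizeof buf, f) != NULL && strcmp(buf, "payload\n") == 0;
            fclose(f);
        }
    }
    unlink(lnk); unlink(oldp); unlink(newp); rmdir(dir);
    return ok;
}
```

Calling demo_safe_rename() exercises the happy path on a local filesystem; the SR_ERR_FS_LIED branch is the one a FhGFS-style link() that hands back a symlink would hit.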
From: keisial at gmail.com (Ángel González)
Date: Thu, 11 Oct 2012 01:23:06 +0200
Subject: ssh over udp (or: -L option listening for traffic with a UDP service?)
In-Reply-To: <20121010211921.24075.qmail@stuge.se>
References: <20121010211921.24075.qmail@stuge.se>
Message-ID: <5076035A.4090405@gmail.com>

On 10/10/12 23:19, Peter Stuge wrote:
>> I see the '-L' option to ssh, so it looks like that's a hook to do this,
>> but AFAICT, the listening port is TCP and TCP only. Is it possible to make
>> it UDP and UDP only, and to put hooks in to have the traffic be handled by
>> a UDP protocol of the user's choosing.
> How would that help? Your problem seems to be to get SSH working at
> all. Since that doesn't work I guess it's difficult to use anything
> that exists *on top of* SSH?
>
>
> //Peter

Well, his problems are getting things to work on top of TCP, so he proposes using UDP instead.

It shouldn't be needed (TCP has automatic retransmissions and so on), but I have seen that behavior with ssh with a "lossy" network. If you were fast, you could start a session and get to the file list, but as soon as it started losing packets, it froze.

Tweaking the TCP options with more aggressive resending should help.

From peter at stuge.se Thu Oct 11 10:55:18 2012
From: peter at stuge.se (Peter Stuge)
Date: Thu, 11 Oct 2012 01:55:18 +0200
Subject: ssh over udp (or: -L option listening for traffic with a UDP service?)
In-Reply-To: <5076035A.4090405@gmail.com>
References: <20121010211921.24075.qmail@stuge.se> <5076035A.4090405@gmail.com>
Message-ID: <20121010235518.4200.qmail@stuge.se>

Ángel González wrote:
> On 10/10/12 23:19, Peter Stuge wrote:
> >> I see the '-L' option to ssh, so it looks like that's a hook to do this,
> >> but AFAICT, the listening port is TCP and TCP only. Is it possible to make
> >> it UDP and UDP only, and to put hooks in to have the traffic be handled by
> >> a UDP protocol of the user's choosing.
> > How would that help? Your problem seems to be to get SSH working at
> > all. Since that doesn't work I guess it's difficult to use anything
> > that exists *on top of* SSH?
>
> Well, his problems are getting things to work on top of TCP,

Yes, that is also my understanding.

> so he proposes using UDP instead.

No, in his text (which I quoted, and which you included) there is
discussion of a -L mechanism to forward UDP. As I am sure you know
this is an SSH channel, so I ask how that would help, when the
problem is with the TCP underneath the SSH transport.

//Peter

From dan at doxpara.com Thu Oct 11 11:16:54 2012
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 10 Oct 2012 17:16:54 -0700
Subject: ssh over udp (or: -L option listening for traffic with a UDP service?)
In-Reply-To:
References:
Message-ID: <9F4469AC-A0B3-4A9B-B68D-BD167E6CE3A6@doxpara.com>

ssh has support for ProxyCommand, which allows you to swap out the underlying TCP transport for "something else" (in my case, DNS). There used to be a really nice tool for reliable UDP comms over GPRS, but I can't find it. Probably something could be built with UDT or ENET...

Sent from my iPhone

On Oct 10, 2012, at 1:22 PM, Edward Peschko wrote:

> All,
>
> A bit of background: I work on a QA API on a network that is very choppy (a
> lot of network interrupts), and we use ssh to do a large part of this
> automation.
>
> This leads to some problems: ssh connections seem to be sensitive to
> network state, becoming unusable if the choppiness reaches a certain
> threshold, and either timing out or disconnecting if this happens.
>
> Anyways, I stumbled across mosh (mobile open shell at http://mosh.mit.edu/)
> which is *very* usable over choppy links. In fact you can disconnect
> altogether, and reconnect hours after the fact and still be connected to
> your host.
>
> This led me to thinking - it has this flexibility because it uses a very
> relaxed UDP policy for its connections - and for automation's sake I'd like
> to use the same policy for sshd. Because everything is automated through
> expect, there are no issues with responsiveness, or choppiness, so a large
> buffer could compensate for a bad network.
>
> At first I tried services like duat and tcpoverudp, which transparently
> portforward traffic from udp to tcp. But these don't work because it looks
> like the udp sessions don't hold the ssh connection well.
>
> Which led me to what I hope is a workable design. I'd like to set up
> something that looks like the following:
>
> Process 1: udp:local <=> Process 2: udp:remote (forwards to)
> tcp:ssh_client <=> tcp:ssh_server
>
> Where the ssh communication is all local to the server, and the commands
> are sent over a local UDP client to a UDP remote. The purpose of the ssh
> client/server connection is to avoid the network choppiness and keep the
> connection alive, and the purpose of the udp connection is to actually
> handle the traffic and network choppiness.
>
> So a couple of questions:
>
> 1. Is this doable?
> 2. Has anybody done it?
>
> I see the '-L' option to ssh, so it looks like that's a hook to do this,
> but AFAICT, the listening port is TCP and TCP only. Is it possible to make
> it UDP and UDP only, and to put hooks in to have the traffic be handled by
> a UDP protocol of the user's choosing.
>
> Any help would be greatly appreciated, it is exceedingly frustrating to
> have an automation that takes hours to set up basically die because of a
> network hiccup, and we are in dire need of a more robust mechanism for
> communication.
>
> Thanks much,
>
> Ed
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From vinschen at redhat.com Thu Oct 11 19:37:19 2012
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 11 Oct 2012 10:37:19 +0200 Subject: process_rename assumes hard links? In-Reply-To: References: <1E411861-4AD0-4096-85FF-E86893E170F6@usit.uio.no> Message-ID: <20121011083719.GA18294@calimero.vinschen.de> Hi Damien, On Oct 11 09:50, Damien Miller wrote: > On Wed, 10 Oct 2012, Miguel Oliveira wrote: > > > Hi, > > > > My name is Miguel Oliveira and I work at the University of Oslo > > where we just deployed a new high performance compute cluster. Our > > current parallel filesystem is FhGFS and we started having complaints > > about problems with file transfers? We managed to diagnose this to > > particular ssh clients that do not support the new posix rename > > extension. > > > > Bottom line our filesystem does not support hard links and I think the > > problem is that process_rename assumes link(old path,newpath) will > > always return one. Shouldn't this situation, i.e., link returning a > > symlink, be contemplated in the code? > > link() shouldn't return a symlink(), it is a fundamentally different > operation. It should return a hard link or errno=EOPNOTSUPP. I just had a look into this piece of code, and due to this discussion I realize that EPERM is not handled. Linux as well as Cygwin return EPERM if the underlying filesystem doesn't support hardlinks. Any chance to apply this patch? Index: sftp-server.c =================================================================== RCS file: /cvs/openssh/sftp-server.c,v retrieving revision 1.111 diff -u -p -r1.111 sftp-server.c --- sftp-server.c 20 Jun 2011 04:42:52 -0000 1.111 +++ sftp-server.c 11 Oct 2012 08:24:55 -0000 @@ -1079,6 +1079,7 @@ process_rename(void) /* Race-free rename of regular files */ if (link(oldpath, newpath) == -1) { if (errno == EOPNOTSUPP || errno == ENOSYS + || errno == EPERM #ifdef EXDEV || errno == EXDEV #endif Thanks, Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From jeremy.guthrie at cdw.com Thu Oct 18 06:11:34 2012 
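Review bot: in the `@@ -1079,6 +1079,7 @@ process_rename` hunk, adding `|| errno == EPERM` to the condition makes the fallback fire on a generic permission error, not only on the "filesystem has no hard links" case the message describes, so a link() refused for some other reason on a filesystem that does support links will now also take the non-atomic stat+rename path instead of failing. Suggest a short comment on that line recording the reason given here (Linux and Cygwin return EPERM from link() when the underlying filesystem lacks hard-link support) so a later reader does not drop it, and consider a debug-level log when the fallback is taken, so that a rename served non-atomically is visible.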
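An added illustration (not sftp-server's code) of the rename policy the thread is discussing: try a hard link first, which atomically refuses to clobber an existing target, and fall back to stat+rename only on the errnos that mean the filesystem cannot link, EPERM included. The `link` hook and the scratch-directory demo are constructed for this example.

```python
import errno
import os
import tempfile

# errno values on which the link() attempt is abandoned and a plain rename()
# is used instead.  EOPNOTSUPP/ENOSYS/EXDEV are the ones the thread's code
# already handled; EPERM is the one the patch adds (Linux and Cygwin return
# it from link() on filesystems without hard-link support).
_NO_HARDLINK_ERRNOS = {errno.EOPNOTSUPP, errno.ENOSYS, errno.EXDEV, errno.EPERM}


def race_free_rename(oldpath, newpath, link=os.link):
    """Rename oldpath to newpath without ever clobbering an existing newpath.

    Modelled on the posix-rename handling discussed in the thread, not copied:
    1. link(oldpath, newpath) fails atomically with EEXIST if newpath exists.
    2. unlink(oldpath) completes the move.
    3. If the filesystem cannot create hard links, fall back to stat+rename,
       which leaves a race window but is the best available.

    `link` is a hook (constructed for this example) so the fallback path can
    be exercised on any filesystem.  Returns "linked" or "fallback".
    """
    try:
        link(oldpath, newpath)
    except OSError as e:
        if e.errno not in _NO_HARDLINK_ERRNOS:
            raise  # EEXIST, EACCES, ENOENT ...: report, never overwrite
        # No hard links on this filesystem: check-then-rename (racy window).
        if os.path.lexists(newpath):
            raise FileExistsError(errno.EEXIST, "target exists", newpath)
        os.rename(oldpath, newpath)
        return "fallback"
    try:
        os.unlink(oldpath)
    except OSError:
        os.unlink(newpath)  # clean up the spare link before reporting
        raise
    return "linked"


def _fake_link_eperm(oldpath, newpath):
    """Stand-in for os.link on a filesystem without hard-link support."""
    raise PermissionError(errno.EPERM, "Operation not permitted")


def demo():
    """Exercise all three outcomes in a scratch directory; returns a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "upload.part")
        dst = os.path.join(d, "upload.dat")

        with open(src, "w") as f:
            f.write("payload")
        results["hardlink"] = race_free_rename(src, dst)
        results["hardlink_ok"] = os.path.exists(dst) and not os.path.exists(src)

        with open(src, "w") as f:
            f.write("payload 2")
        try:
            race_free_rename(src, dst)      # dst exists: must be refused
            results["clobber_refused"] = False
        except FileExistsError:
            results["clobber_refused"] = True

        os.unlink(dst)
        results["eperm"] = race_free_rename(src, dst, link=_fake_link_eperm)
        results["eperm_ok"] = os.path.exists(dst) and not os.path.exists(src)
    return results


if __name__ == "__main__":
    print(demo())
```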
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 14:11:34 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
Message-ID: <507F02E6.8040407@cdw.com>

I have a system in place where it appears that TCP will make a massive
change in behavior mid-stream with existing SSH sessions. We noticed the
issue first with an application using an SSH forward. However, we were able
to rule that out by generating the same TCP characteristics by having a perl
script dump text out to a terminal simulating a large data flow from the far
end (ssh server) back to us (ssh client).

The issue manifests roughly as follows:
1. Generate a bunch of terminal output (500k)
2. Sleep 15 seconds
3. Go back to step 1

After repeating steps 1-3 for some random amount of time (sometimes 3
minutes, sometimes 50+), the SSH server will go from streaming the output
back to the client @ 4-4.5 mbps (normal-behavior.png), down to 30-40kbps
(bad-behavior.png). Most of the time, SSH stays in this 30-40kbps state for
as long as there is data in the TCP queue, i.e. during peaks, netstat will
show the queue having 90-100k of data waiting to be transmitted.

We think that Nagle may be taking effect randomly for some reason. When I
'strace -f ssh user at hostname', I don't see the TCP_NODELAY flag being set
so that could certainly be true. I look in the ssh docs and I don't see
anything about NoDelay but there used to be something according to O'Reilly
docs. When I examine the source code, it looks like setting TCP_NODELAY is
some kind of default.

The odd thing is that I have hundreds of boxes running this same release of
software and no one else is exhibiting this issue.

Does anyone have any ideas?

-- 
*Jeremy Guthrie*

From jeremy.guthrie at cdw.com  Thu Oct 18 06:14:27 2012
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 14:14:27 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F02E6.8040407@cdw.com>
References: <507F02E6.8040407@cdw.com>
Message-ID: <507F0393.4060600@cdw.com>

Correction, when looking at debug, I see:

debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done

Nagle isn't our issue. Any other ideas on what might be causing the
different behavior out of SSH/TCP?

On 10/17/12 2:11 PM, Jeremy Guthrie wrote:
> I have a system in place where it appears that TCP will make a massive
> change in behavior mid-stream with existing SSH sessions. We noticed
> the issue first with an application using an SSH forward. However, we
> were able to rule that out by generating the same TCP characteristics
> by having a perl script dump text out to a terminal simulating a large
> data flow from the far end (ssh server) back to us (ssh client).
>
> The issue manifests roughly as follows:
> 1. Generate a bunch of terminal output (500k)
> 2. Sleep 15 seconds
> 3. Go back to step 1
>
> After repeating steps 1-3 for some random amount of time (sometimes 3
> minutes, sometimes 50+), the SSH server will go from streaming the
> output back to the client @ 4-4.5 mbps (normal-behavior.png), down to
> 30-40kbps (bad-behavior.png). Most of the time, SSH stays in this
> 30-40kbps state for as long as there is data in the TCP queue, i.e.
> during peaks, netstat will show the queue having 90-100k of data
> waiting to be transmitted.
>
> We think that Nagle may be taking effect randomly for some reason.
> When I 'strace -f ssh user at hostname', I don't see the TCP_NODELAY flag
> being set so that could certainly be true. I look in the ssh docs and
> I don't see anything about NoDelay but there used to be something
> according to O'Reilly docs. When I examine the source code, it looks
> like setting TCP_NODELAY is some kind of default.
>
> The odd thing is that I have hundreds of boxes running this same
> release of software and no one else is exhibiting this issue.
>
> Does anyone have any ideas?
>
> -- 
> *Jeremy Guthrie*

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From scott_n at xypro.com  Thu Oct 18 06:47:58 2012
From: scott_n at xypro.com (Scott Neugroschl)
Date: Wed, 17 Oct 2012 12:47:58 -0700
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F02E6.8040407@cdw.com>
References: <507F02E6.8040407@cdw.com>
Message-ID: <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL>

[redacted]
> The odd thing is that I have hundreds of boxes running this same
> release of software and no one else is exhibiting this issue.
>
> Does anyone have any ideas?

Flaky NIC? I had two identical boxes and one would crawl on the network.
Turned out it was a bad NIC.

From keisial at gmail.com  Thu Oct 18 06:57:17 2012
From: keisial at gmail.com (Ángel González)
Date: Wed, 17 Oct 2012 21:57:17 +0200
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F02E6.8040407@cdw.com>
References: <507F02E6.8040407@cdw.com>
Message-ID: <507F0D9D.5030008@gmail.com>

I guess you attached two graphics of the behavior. The mailing list
stripped them. You can post a link if you wish.

Providing the script you used may help other people to reproduce it and,
hopefully, find/fix the source.

Regards

From jeremy.guthrie at cdw.com  Thu Oct 18 07:20:54 2012
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 15:20:54 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL>
References: <507F02E6.8040407@cdw.com> <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL>
Message-ID: <507F1326.8060500@cdw.com>

I do not think so. I have two boxes at the site and both boxes exhibit the
same issue. I forgot to point out that the problem appears to be on a
per-flow basis. One flow can be performing poorly, and another ssh
session/flow to/from the same host will be just fine and flying at 4mbps.

On 10/17/12 2:47 PM, Scott Neugroschl wrote:
> [redacted]
>> The odd thing is that I have hundreds of boxes running this same
>> release of software and no one else is exhibiting this issue.
>>
>> Does anyone have any ideas?
> Flaky NIC? I had two identical boxes and one would crawl on the
> network.
> Turned out it was a bad NIC.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From jeremy.guthrie at cdw.com  Thu Oct 18 07:22:34 2012
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 15:22:34 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F0D9D.5030008@gmail.com>
References: <507F02E6.8040407@cdw.com> <507F0D9D.5030008@gmail.com>
Message-ID: <507F138A.1050502@cdw.com>

I will see what I can do about getting the text from the screen shots out
there. As for the test script, it is below:

#!/usr/bin/perl
use strict;
use warnings;
use Time::HiRes qw( gettimeofday tv_interval );

# Per-iteration timings go to timer.txt; unbuffer all three handles so the
# burst and the timing lines are pushed out immediately.
open(TIMER, ">timer.txt") or die "cannot open timer.txt: $!";
select(TIMER);  $| = 1;
select(STDERR); $| = 1;
select(STDOUT); $| = 1;

while (1) {
    my $t0 = [gettimeofday];
    print "f" x 1000000;                  # ~1 MB burst of terminal output
    my $get_interval = tv_interval($t0);  # seconds taken to push the burst
    my $block = scalar(localtime(time())) . " " . $get_interval . "\n";
    print TIMER $block;
    print STDERR "\n$block\n";
    sleep 15;
}

BTW, thanks for the help on this everyone!

On 10/17/12 2:57 PM, Ángel González wrote:
> I guess you attached two graphics of the behavior. The mailing list
> stripped them. You can post a link if you wish.
>
> Providing the script you used may help other people to reproduce it and,
> hopefully, find/fix the source.
>
> Regards

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From jeremy.guthrie at cdw.com  Thu Oct 18 07:28:23 2012
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 15:28:23 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL>
References: <507F02E6.8040407@cdw.com> <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL>
Message-ID: <507F14E7.40106@cdw.com>

One node: packet lengths > 1500 are TSO taking effect; if I turn off TSO, I
see under normal conditions the appropriate size/sequence of packets.

Example of the connection performing correctly:
450 1.746243 SSH 2642 Encrypted response packet len=2576 clientend -> headend
451 1.746347 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074656266 Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
452 1.746369 SSH 3930 Encrypted response packet len=3864 clientend -> headend
453 1.746386 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074657554 Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
454 1.746396 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074654978 Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
455 1.791951 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074660130 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
456 1.791973 SSH 5218 Encrypted response packet len=5152 clientend -> headend
457 1.792501 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074662706 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
458 1.792692 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074665282 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
459 1.792718 SSH 5218 Encrypted response packet len=5152 clientend -> headend
460 1.792741 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074667858 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
461 1.849577 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074670434 Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
462 1.849600 SSH 5218 Encrypted response packet len=5152 clientend -> headend
463 1.849620 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074673010 Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
464 1.849746 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074675586 Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
465 1.849764 SSH 6506 Encrypted response packet len=6440 clientend -> headend

Example of the connection showing a ping-ponging effect using only 1288 byte
packets:
1288 41.112341 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075980138 Win=16666 Len=0 TSval=1456837590 TSecr=798149524 headend -> clientend
1289 41.386131 SSH 1354 Encrypted response packet len=1288 clientend -> headend
1290 41.432684 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075981426 Win=16666 Len=0 TSval=1456837670 TSecr=798149604 headend -> clientend
1291 41.702157 SSH 1354 Encrypted response packet len=1288 clientend -> headend
1292 41.753245 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075982714 Win=16666 Len=0 TSval=1456837750 TSecr=798149683 headend -> clientend
1293 42.022128 SSH 1354 Encrypted response packet len=1288 clientend -> headend

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From jeremy.guthrie at cdw.com  Thu Oct 18 07:50:08 2012
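An added example, not part of the original message, that turns the two capture excerpts above into numbers: it parses the one-line frame summaries, sums the SSH payload in one direction, and flags the phase where a single MSS-sized segment goes out every ~300 ms as stalled. The frame lines are copied from the message; the parser, the `stall_kbps` threshold and the direction labels are constructed for this example.

```python
import re

# Frame summaries copied from the two excerpts in the message (healthy burst
# first, then the 1288-byte "ping-pong" phase), one frame per line.
GOOD_CAPTURE = """\
450 1.746243 SSH 2642 Encrypted response packet len=2576 clientend -> headend
451 1.746347 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074656266 Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
452 1.746369 SSH 3930 Encrypted response packet len=3864 clientend -> headend
453 1.746386 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074657554 Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
454 1.746396 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074654978 Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
455 1.791951 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074660130 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
456 1.791973 SSH 5218 Encrypted response packet len=5152 clientend -> headend
457 1.792501 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074662706 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
458 1.792692 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074665282 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
459 1.792718 SSH 5218 Encrypted response packet len=5152 clientend -> headend
460 1.792741 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074667858 Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
461 1.849577 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074670434 Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
462 1.849600 SSH 5218 Encrypted response packet len=5152 clientend -> headend
463 1.849620 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074673010 Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
464 1.849746 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074675586 Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
465 1.849764 SSH 6506 Encrypted response packet len=6440 clientend -> headend
"""

BAD_CAPTURE = """\
1288 41.112341 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075980138 Win=16666 Len=0 TSval=1456837590 TSecr=798149524 headend -> clientend
1289 41.386131 SSH 1354 Encrypted response packet len=1288 clientend -> headend
1290 41.432684 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075981426 Win=16666 Len=0 TSval=1456837670 TSecr=798149604 headend -> clientend
1291 41.702157 SSH 1354 Encrypted response packet len=1288 clientend -> headend
1292 41.753245 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075982714 Win=16666 Len=0 TSval=1456837750 TSecr=798149683 headend -> clientend
1293 42.022128 SSH 1354 Encrypted response packet len=1288 clientend -> headend
"""

# "<no> <time> <proto> <frame len> <details...> <src> -> <dst>"
FRAME_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<t>\d+\.\d+)\s+(?P<proto>SSH|TCP)\s+(?P<flen>\d+)\s+"
    r"(?P<rest>.*?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")
PAYLOAD_RE = re.compile(r"\b[Ll]en=(\d+)")  # "len=2576" (SSH) or "Len=0" (ACK)


def parse_frames(text):
    """Parse tshark-style one-line frame summaries into dicts."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a frame summary line
        p = PAYLOAD_RE.search(m.group("rest"))
        frames.append({
            "no": int(m.group("no")), "t": float(m.group("t")),
            "proto": m.group("proto"), "frame_len": int(m.group("flen")),
            "payload": int(p.group(1)) if p else 0,
            "src": m.group("src"), "dst": m.group("dst"),
        })
    return frames


def analyze(frames, sender, stall_kbps=100.0):
    """Summarise the SSH data flow sent by `sender` and classify the phase.

    A healthy bulk transfer shows large (TSO-coalesced) segments with tiny
    gaps between them; the stalled phase in the thread shows one 1288-byte
    segment, then a wait for its ACK, roughly every 300 ms.
    """
    data = [f for f in frames if f["proto"] == "SSH" and f["src"] == sender]
    acks = [f for f in frames if f["proto"] == "TCP" and f["payload"] == 0]
    if len(frames) < 2 or not data:
        return None
    span = frames[-1]["t"] - frames[0]["t"]
    payload = sum(f["payload"] for f in data)
    gaps = [b["t"] - a["t"] for a, b in zip(data, data[1:])]
    kbps = payload * 8 / span / 1000 if span > 0 else float("inf")
    return {
        "data_frames": len(data),
        "ack_frames": len(acks),
        "bytes": payload,
        "span_s": round(span, 6),
        "max_payload": max(f["payload"] for f in data),
        "mean_data_gap_s": round(sum(gaps) / len(gaps), 6) if gaps else 0.0,
        "throughput_kbps": round(kbps, 1),
        "state": "stalled" if kbps < stall_kbps else "healthy",
    }


if __name__ == "__main__":
    for name, text in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, analyze(parse_frames(text), "clientend"))
```

The stalled excerpt comes out at about 34 kbit/s, the same order as the 30-40kbps the first message reports, while the healthy one is in the Mbit/s range.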
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 15:50:08 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F14E7.40106@cdw.com>
References: <507F02E6.8040407@cdw.com> <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL> <507F14E7.40106@cdw.com>
Message-ID: <507F1A00.6060601@cdw.com>

I have another bit of detail, I think SSH keepalives are part of the issue.
This test didn't have me using the same values for keepalives that I use in
production so I am going to re-conduct the test with matching SSH settings
like in production.

When things look good:
debug2: channel 0: window 1966046 sent adjust 131106
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1998272 sent adjust 98880
debug2: channel 0: window 1982464 sent adjust 114688
debug2: channel 0: rcvd ext data 36
Wed Oct 17 15:26:19 2012 0.004193
debug2: channel 0: written 36 to e
d 6
debug2: channel 0: window 1966044 sent adjust 131108
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1998272 sent adjust 98880
debug2: channel 0: window 1982464 sent adjust 114688
debug2: channel 0: rcvd ext data 36
Wed Oct 17 15:26:34 2012 0.004004
debug2: channel 0: written 36 to e

When things are slow:
debug2: channel 0: window 1998812 sent adjust 98340
debug1: client_input_channel_req: channel 0 rtype keepalive at openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive at openssh.com reply 1
debug2: channel 0: window 1966080 sent adjust 131072
debug1: client_input_channel_req: channel 0 rtype keepalive at openssh.com reply 1
debug2: channel 0: window 1966080 sent adjust 131072
debug1: client_input_channel_req: channel 0 rtype keepalive at openssh.com reply 1
debug2: channel 0: window 1966080 sent adjust 131072
debug1: client_input_channel_req: channel 0 rtype keepalive at openssh.com reply 1
debug2: channel 0: window 1966080 sent adjust 131072
debug1: client_input_channel_req: channel 0 rtype keepalive at openssh.com reply 1
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: window 1966080 sent adjust 131072
debug2: channel 0: rcvd ext data 37
Wed Oct 17 15:30:21 2012 196.41162

On 10/17/12 3:28 PM, Jeremy Guthrie wrote:
> One node: packet lengths > 1500 are TSO taking effect, if I turn off
> TSO, I see under normal conditions the appropriate size/sequence of
> packets.
>
> Example of the connection performing correctly:
> 450 1.746243 SSH 2642 Encrypted response packet len=2576 clientend
> -> headend
> 451 1.746347 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074656266
> Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
> 452 1.746369 SSH 3930 Encrypted response packet len=3864 clientend
> -> headend
> 453 1.746386 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074657554
> Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
> 454 1.746396 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074654978
> Win=16666 Len=0 TSval=1456827748 TSecr=798139682 headend -> clientend
> 455 1.791951 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074660130
> Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
> 456 1.791973 SSH 5218 Encrypted response packet len=5152 clientend
> -> headend
> 457 1.792501 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074662706
> Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
> 458 1.792692 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074665282
> Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
> 459 1.792718 SSH 5218 Encrypted response packet len=5152 clientend
> -> headend
> 460 1.792741 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074667858
> Win=16666 Len=0 TSval=1456827760 TSecr=798139694 headend -> clientend
> 461 1.849577 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074670434
> Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
> 462 1.849600 SSH 5218 Encrypted response packet len=5152 clientend
> -> headend
> 463 1.849620 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074673010
> Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
> 464 1.849746 TCP 66 43269 > 22 [ACK] Seq=555192630 Ack=3074675586
> Win=16666 Len=0 TSval=1456827774 TSecr=798139706 headend -> clientend
> 465 1.849764 SSH 6506 Encrypted response packet len=6440 clientend
> -> headend
>
> Example of the connection showing a ping-ponging effect using only
> 1288 byte packets
> 1288 41.112341 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075980138
> Win=16666 Len=0 TSval=1456837590 TSecr=798149524 headend -> clientend
> 1289 41.386131 SSH 1354 Encrypted response packet len=1288 clientend
> -> headend
> 1290 41.432684 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075981426
> Win=16666 Len=0 TSval=1456837670 TSecr=798149604 headend -> clientend
> 1291 41.702157 SSH 1354 Encrypted response packet len=1288 clientend
> -> headend
> 1292 41.753245 TCP 66 43269 > 22 [ACK] Seq=555193638 Ack=3075982714
> Win=16666 Len=0 TSval=1456837750 TSecr=798149683 headend -> clientend
> 1293 42.022128 SSH 1354 Encrypted response packet len=1288 clientend
> -> headend

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From jeremy.guthrie at cdw.com  Thu Oct 18 08:13:27 2012
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Wed, 17 Oct 2012 16:13:27 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F1A00.6060601@cdw.com>
References: <507F02E6.8040407@cdw.com> <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL> <507F14E7.40106@cdw.com> <507F1A00.6060601@cdw.com>
Message-ID: <507F1F77.3010207@cdw.com>

I am able to reproduce this issue (randomly). Every time it happens, I do
see ssh keepalives show up.

The command I ran:
ssh -o "ServerAliveInterval 15" -o "ServerAliveCountMax 4" -o "Cipher
aes256-ctr" -v -v -v -v -v -v -v -v -v -v x.x.x.x ./test.pl

If I run...
ssh -o "ServerAliveInterval 15" -o "ServerAliveCountMax 4" -o "Cipher
aes256-ctr" -v -v -v -v -v -v -v -v -v -v x.x.x.x
and type in no output.... I see ssh keepalives after ~ 15 seconds.
However, in this case, I ran it for six minutes (was an hour last time); as
soon as I see keep alive messages show up, my throughput tanks.

On 10/17/12 3:50 PM, Jeremy Guthrie wrote:
> I have another bit of detail, I think SSH keepalives are part of the
> issue. This test didn't have me using the same values for keepalives
> that I use in production so I am going to re-conduct the test with
> matching SSH settings like in production.
>
> When things look good:
> debug2: channel 0: window 1966046 sent adjust 131106
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1998272 sent adjust 98880
> debug2: channel 0: window 1982464 sent adjust 114688
> debug2: channel 0: rcvd ext data 36
> Wed Oct 17 15:26:19 2012 0.004193
> debug2: channel 0: written 36 to e
> d 6
> debug2: channel 0: window 1966044 sent adjust 131108
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1998272 sent adjust 98880
> debug2: channel 0: window 1982464 sent adjust 114688
> debug2: channel 0: rcvd ext data 36
> Wed Oct 17 15:26:34 2012 0.004004
> debug2: channel 0: written 36 to e
>
> When things are slow:
> debug2: channel 0: window 1998812 sent adjust 98340
> debug1: client_input_channel_req: channel 0 rtype
> keepalive at openssh.com reply 1
> debug1: client_input_channel_req: channel 0 rtype
> keepalive at openssh.com reply 1
> debug2: channel 0: window 1966080 sent adjust 131072
> debug1: client_input_channel_req: channel 0 rtype
> keepalive at openssh.com reply 1
> debug2: channel 0: window 1966080 sent adjust 131072
> debug1: client_input_channel_req: channel 0 rtype
> keepalive at openssh.com reply 1
> debug2: channel 0: window 1966080 sent adjust 131072
> debug1: client_input_channel_req: channel 0 rtype
> keepalive at openssh.com reply 1
> debug2: channel 0: window 1966080 sent adjust 131072
> debug1: client_input_channel_req: channel 0 rtype
> keepalive at openssh.com reply 1
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: window 1966080 sent adjust 131072
> debug2: channel 0: rcvd ext data 37
> Wed Oct 17 15:30:21 2012 196.41162

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From jeremy.guthrie at cdw.com  Fri Oct 19 05:40:35 2012
From: jeremy.guthrie at cdw.com (Jeremy Guthrie)
Date: Thu, 18 Oct 2012 13:40:35 -0500
Subject: SuSE Linux Enterprise Server OpenSSH 5.1p1 nagle issue?
In-Reply-To: <507F1F77.3010207@cdw.com>
References: <507F02E6.8040407@cdw.com> <78DD71C304F38B41885A242996B96F7303DC71DA@xyservd.XYPRO-23.LOCAL> <507F14E7.40106@cdw.com> <507F1A00.6060601@cdw.com> <507F1F77.3010207@cdw.com>
Message-ID: <50804D23.9050507@cdw.com>

I updated the client to the latest OpenSSH 6.1p1, and that made no
difference. I am still seeing the same problem. I am going to try and
update the server and see if it causes this to go away.

On 10/17/12 4:13 PM, Jeremy Guthrie wrote:
> I am able to reproduce this issue (randomly). Every time it happens, I
> do see ssh keepalives show up.
>
> The command I ran:
> ssh -o "ServerAliveInterval 15" -o "ServerAliveCountMax 4" -o "Cipher
> aes256-ctr" -v -v -v -v -v -v -v -v -v -v x.x.x.x ./test.pl
>
> If I run...
> ssh -o "ServerAliveInterval 15" -o "ServerAliveCountMax 4" -o "Cipher
> aes256-ctr" -v -v -v -v -v -v -v -v -v -v x.x.x.x
> and type in no output.... I see ssh keepalives after ~ 15 seconds.
> However, in this case, I ran it for six minutes (was an hour last
> time); as soon as I see keep alive messages show up, my throughput tanks.
>
> On 10/17/12 3:50 PM, Jeremy Guthrie wrote:
>> I have another bit of detail, I think SSH keepalives are part of the
>> issue. This test didn't have me using the same values for keepalives
>> that I use in production so I am going to re-conduct the test with
>> matching SSH settings like in production.
>>
>> When things look good:
>> debug2: channel 0: window 1966046 sent adjust 131106
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1998272 sent adjust 98880
>> debug2: channel 0: window 1982464 sent adjust 114688
>> debug2: channel 0: rcvd ext data 36
>> Wed Oct 17 15:26:19 2012 0.004193
>> debug2: channel 0: written 36 to e
>> d 6
>> debug2: channel 0: window 1966044 sent adjust 131108
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1998272 sent adjust 98880
>> debug2: channel 0: window 1982464 sent adjust 114688
>> debug2: channel 0: rcvd ext data 36
>> Wed Oct 17 15:26:34 2012 0.004004
>> debug2: channel 0: written 36 to e
>>
>> When things are slow:
>> debug2: channel 0: window 1998812 sent adjust 98340
>> debug1: client_input_channel_req: channel 0 rtype
>> keepalive at openssh.com reply 1
>> debug1: client_input_channel_req: channel 0 rtype
>> keepalive at openssh.com reply 1
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug1: client_input_channel_req: channel 0 rtype
>> keepalive at openssh.com reply 1
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug1: client_input_channel_req: channel 0 rtype
>> keepalive at openssh.com reply 1
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug1: client_input_channel_req: channel 0 rtype
>> keepalive at openssh.com reply 1
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug1: client_input_channel_req: channel 0 rtype
>> keepalive at openssh.com reply 1
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: window 1966080 sent adjust 131072
>> debug2: channel 0: rcvd ext data 37
>> Wed Oct 17 15:30:21 2012 196.41162

-- 
*Jeremy Guthrie*
Technical Architect - Orchestration | *CDW*
5520 Research Park | Madison, WI 53711
Phone: 608.298.1061 | Fax: 608.288.3007 | NOC: 608.298.1102 | Toll Free: 866.202.1807

From arthurmesh at gmail.com  Sat Oct 20 04:13:40 2012
From: arthurmesh at gmail.com (Arthur Mesh)
Date: Fri, 19 Oct 2012 10:13:40 -0700
Subject: OpenSSH and Galois/Counter mode i.e. GCM
Message-ID: <20121019171340.GC33524@x96.org>

Hello,

Are there any known efforts to implement RFC 5647 i.e. AES Galois Counter
Mode for the Secure Shell Transport Layer Protocol for OpenSSH?

If not, would the OpenSSH project be interested in such a feature?

Thanks.

From djm at mindrot.org  Sun Oct 21 08:13:24 2012
From: djm at mindrot.org (Damien Miller)
Date: Sun, 21 Oct 2012 08:13:24 +1100 (EST)
Subject: OpenSSH and Galois/Counter mode i.e. GCM
In-Reply-To: <20121019171340.GC33524@x96.org>
References: <20121019171340.GC33524@x96.org>

On Fri, 19 Oct 2012, Arthur Mesh wrote:

> Hello,
>
> Are there any known efforts to implement RFC 5647 i.e. AES Galois
> Counter Mode for the Secure Shell Transport Layer Protocol for
> OpenSSH?

Combined confidentiality/integrity modes are a bit subtle to integrate
into the SSH protocol, as it was designed to negotiate them independently.
This leads to annoying corner-cases, e.g. if the combined mode was selected
as the symmetric cipher but something else was selected as the MAC.

Further complications arise because the combined modes require some
alteration to the packet code, and might even affect what is sent in the
clear and what isn't.

There's an RFC for AES-GCM, but unfortunately it seems to have been
written by someone at the NSA who ignored much of the discussion that took
place on the ietf-secsh mailing list and it has some problems with regards
to the cipher/MAC selection difficulty I mentioned above. I'm not sure
we'd want to implement that RFC, but we might be open to integrating
AES-GCM in a way that doesn't break the negotiation system so much.

-d

From kjackie at gmail.com  Mon Oct 22 18:13:21 2012
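An added example, not from the thread, of the negotiation corner case Damien describes: the cipher and MAC name-lists are resolved independently with the RFC 4253 rule (first client preference the server also offers), so a combined mode can win the cipher slot while an unrelated MAC wins the MAC slot. The reconciliation policy applied afterwards (AEAD cipher discards the separately negotiated MAC; an AEAD name winning only the MAC slot is an error) is an assumption for illustration, not OpenSSH's behaviour or the RFC's text; the preference lists are constructed.

```python
# RFC 5647 registers these names for AES-GCM, usable in both the cipher and
# the MAC name-lists; the other names below are ordinary SSH algorithm names.
AEAD_CIPHERS = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first name on the client's list that the
    server also offers wins; None if there is no algorithm in common."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def negotiate_cipher_and_mac(client_ciphers, server_ciphers,
                             client_macs, server_macs):
    """Negotiate cipher and MAC independently, then reconcile the AEAD case.

    Policy (an assumption made for this example): an AEAD cipher supplies its
    own integrity, so whatever the MAC slot negotiated is dropped in its
    favour; an AEAD name that won only the MAC slot is rejected, because that
    "MAC" does not exist without its cipher.
    """
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)
    result = {"cipher": cipher, "negotiated_mac": mac}
    if cipher is None or mac is None:
        result.update(ok=False, reason="no common cipher or MAC")
    elif cipher in AEAD_CIPHERS:
        result.update(ok=True, mac=cipher, mac_overridden=(mac != cipher))
    elif mac in AEAD_CIPHERS:
        result.update(ok=False,
                      reason="AEAD name won the MAC slot but cipher is not AEAD")
    else:
        result.update(ok=True, mac=mac, mac_overridden=False)
    return result


def corner_cases():
    """The three outcomes on constructed preference lists."""
    server_ciphers = ["aes128-ctr", "AEAD_AES_256_GCM", "aes256-ctr"]
    server_macs = ["hmac-sha2-256", "AEAD_AES_256_GCM", "hmac-sha1"]
    return {
        # Client wants GCM for encryption but lists an HMAC first for the
        # MAC: both slots negotiate "successfully" yet disagree.
        "aead_cipher_other_mac": negotiate_cipher_and_mac(
            ["AEAD_AES_256_GCM", "aes256-ctr"], server_ciphers,
            ["hmac-sha2-256", "AEAD_AES_256_GCM"], server_macs),
        # Client prefers a CTR cipher but puts the GCM name first as MAC.
        "aead_mac_only": negotiate_cipher_and_mac(
            ["aes256-ctr", "AEAD_AES_256_GCM"], server_ciphers,
            ["AEAD_AES_256_GCM", "hmac-sha1"], server_macs),
        # Classic pairing with no combined mode involved.
        "classic": negotiate_cipher_and_mac(
            ["aes128-ctr"], server_ciphers, ["hmac-sha1"], server_macs),
    }


if __name__ == "__main__":
    for name, outcome in corner_cases().items():
        print(name, outcome)
```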
From: kjackie at gmail.com (Kai-Chieh Ku) Date: Mon, 22 Oct 2012 15:13:21 +0800 Subject: [PATCH] Implement remote dynamic TCP forwarding Message-ID: <1350890001-7299-1-git-send-email-kjackie@gmail.com> Hi all, This is a client side only implementation of reversed dynamic (SOCKS) TCP forwarding, which means it is compatible with any existing servers have 'remote forward' capability. To establish such forward, use "ssh -R [BIND_ADDRESS:]PORT ...". The server will listen on that port and address and accept SOCKS traffics. Hope this will be useful for you. There was an implementation which need to patch the server, too: https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-January/028122.html Please CC me while replying because I do not subscribe the list. This patch is based on openssh-6.1p1. Regards, Kai-Chieh Ku --- channels.c | 222 +++++++++++++++++++++++++++++++++++++++++++++++++------------ channels.h | 3 +- ssh.c | 3 +- 3 files changed, 183 insertions(+), 45 deletions(-) diff --git a/channels.c b/channels.c index 7791feb..6e46229 100644 --- a/channels.c +++ b/channels.c @@ -172,6 +172,7 @@ static void port_open_helper(Channel *c, char *rtype); /* non-blocking connect helpers */ static int connect_next(struct channel_connect *); static void channel_connect_ctx_free(struct channel_connect *); +static int connect_to_helper(const char *host, u_short port, struct channel_connect *cctx); /* -- channel core */ @@ -209,6 +210,7 @@ channel_lookup(int id) case SSH_CHANNEL_LARVAL: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC: case SSH_CHANNEL_OPENING: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_INPUT_DRAINING: @@ -534,6 +536,7 @@ channel_still_open(void) case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_ZOMBIE: continue; 
@@ -573,6 +576,7 @@ channel_find_open(void) switch (c->type) { case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: case SSH_CHANNEL_RPORT_LISTENER: @@ -635,6 +639,7 @@ channel_open_message(void) case SSH_CHANNEL_OPENING: case SSH_CHANNEL_CONNECTING: case SSH_CHANNEL_DYNAMIC: + case SSH_CHANNEL_RDYNAMIC: case SSH_CHANNEL_OPEN: case SSH_CHANNEL_X11_OPEN: case SSH_CHANNEL_INPUT_DRAINING: @@ -1033,14 +1038,23 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) u_int16_t dest_port; struct in_addr dest_addr; } s4_req, s4_rsp; + Buffer *input, *output; + + if (c->type == SSH_CHANNEL_RDYNAMIC) { + input = &c->output; + output = &c->input; + } else { + input = &c->input; + output = &c->output; + } debug2("channel %d: decode socks4", c->self); - have = buffer_len(&c->input); + have = buffer_len(input); len = sizeof(s4_req); if (have < len) return 0; - p = buffer_ptr(&c->input); + p = buffer_ptr(input); need = 1; /* SOCKS4A uses an invalid IP address 0.0.0.x */ @@ -1065,12 +1079,12 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) } if (found < need) return 0; - buffer_get(&c->input, (char *)&s4_req.version, 1); - buffer_get(&c->input, (char *)&s4_req.command, 1); - buffer_get(&c->input, (char *)&s4_req.dest_port, 2); - buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); - have = buffer_len(&c->input); - p = buffer_ptr(&c->input); + buffer_get(input, (char *)&s4_req.version, 1); + buffer_get(input, (char *)&s4_req.command, 1); + buffer_get(input, (char *)&s4_req.dest_port, 2); + buffer_get(input, (char *)&s4_req.dest_addr, 4); + have = buffer_len(input); + p = buffer_ptr(input); len = strlen(p); debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); len++; /* trailing '\0' */ 
@@ -1078,7 +1092,7 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) fatal("channel %d: decode socks4: len %d > have %d", c->self, len, have); strlcpy(username, p, sizeof(username)); - buffer_consume(&c->input, len); + buffer_consume(input, len); if (c->path != NULL) { xfree(c->path); @@ -1088,8 +1102,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) host = inet_ntoa(s4_req.dest_addr); c->path = xstrdup(host); } else { /* SOCKS4A: two strings */ - have = buffer_len(&c->input); - p = buffer_ptr(&c->input); + have = buffer_len(input); + p = buffer_ptr(input); len = strlen(p); debug2("channel %d: decode socks4a: host %s/%d", c->self, p, len); @@ -1103,7 +1117,7 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) return -1; } c->path = xstrdup(p); - buffer_consume(&c->input, len); + buffer_consume(input, len); } c->host_port = ntohs(s4_req.dest_port); @@ -1119,7 +1133,7 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) s4_rsp.command = 90; /* cd: req granted */ s4_rsp.dest_port = 0; /* ignored */ s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ - buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); + buffer_append(output, &s4_rsp, sizeof(s4_rsp)); return 1; } @@ -1145,12 +1159,21 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) u_int16_t dest_port; u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; u_int have, need, i, found, nmethods, addrlen, af; + Buffer *input, *output; + + if (c->type == SSH_CHANNEL_RDYNAMIC) { + input = &c->output; + output = &c->input; + } else { + input = &c->input; + output = &c->output; + } debug2("channel %d: decode socks5", c->self); - p = buffer_ptr(&c->input); + p = buffer_ptr(input); if (p[0] != 0x05) return -1; - have = buffer_len(&c->input); + have = buffer_len(input); if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { /* format: ver | nmethods | methods */ if (have < 2) 
@@ -1170,10 +1193,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) c->self); return -1; } - buffer_consume(&c->input, nmethods + 2); - buffer_put_char(&c->output, 0x05); /* version */ - buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ - FD_SET(c->sock, writeset); + buffer_consume(input, nmethods + 2); + buffer_put_char(output, 0x05); /* version */ + buffer_put_char(output, SSH_SOCKS5_NOAUTH); /* method */ + if (c->sock >= 0) + FD_SET(c->sock, writeset); c->flags |= SSH_SOCKS5_AUTHDONE; debug2("channel %d: socks5 auth done", c->self); return 0; /* need more */ @@ -1210,11 +1234,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) need++; if (have < need) return 0; - buffer_consume(&c->input, sizeof(s5_req)); + buffer_consume(input, sizeof(s5_req)); if (s5_req.atyp == SSH_SOCKS5_DOMAIN) - buffer_consume(&c->input, 1); /* host string length */ - buffer_get(&c->input, (char *)&dest_addr, addrlen); - buffer_get(&c->input, (char *)&dest_port, 2); + buffer_consume(input, 1); /* host string length */ + buffer_get(input, (char *)&dest_addr, addrlen); + buffer_get(input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; if (c->path != NULL) { xfree(c->path); @@ -1244,9 +1268,9 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; dest_port = 0; /* ignored */ - buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); - buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); - buffer_append(&c->output, &dest_port, sizeof(dest_port)); + buffer_append(output, &s5_rsp, sizeof(s5_rsp)); + buffer_append(output, &dest_addr, sizeof(struct in_addr)); + buffer_append(output, &dest_port, sizeof(dest_port)); return 1; } 
@@ -1317,6 +1341,92 @@ channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) } } +static void +channel_pre_rdynamic(Channel *c, fd_set *readset, fd_set *writeset) +{ + u_char *p; + u_int have; + int ret; + + if (c->sock >= 0) { + /* SOCKS session was established. */ + FD_SET(c->sock, writeset); + return; + } + + have = buffer_len(&c->output); + debug2("channel %d: pre_rdynamic: have %d", c->self, have); + /* buffer_dump(&c->input); */ + /* check if the fixed size part of the packet is in buffer. */ + if (have < 3) { + /* need more */ + return; + } + /* try to guess the protocol */ + p = buffer_ptr(&c->output); + switch (p[0]) { + case 0x04: + ret = channel_decode_socks4(c, readset, writeset); + break; + case 0x05: + ret = channel_decode_socks5(c, readset, writeset); + break; + default: + ret = -1; + break; + } + if (ret < 0) { + chan_mark_dead(c); + } else if (ret == 0) { + debug2("channel %d: pre_rdynamic: need more", c->self); + /* need more */ + } else { + /* switch to the next state */ + struct channel_connect cctx; + int sock; + + sock = connect_to_helper(c->path, c->host_port, &cctx); + if (sock < 0) { + chan_mark_dead(c); + return; + } + + channel_register_fds(c, sock, sock, -1, 0, 1, 0); + c->connect_ctx = cctx; + + FD_SET(c->sock, writeset); + } +} + +static void +channel_post_rdynamic(Channel *c, fd_set *readset, fd_set *writeset) +{ + if (c->sock < 0) + return; + if (FD_ISSET(c->sock, writeset)) { + int err = 0; + socklen_t sz = sizeof(err); + + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { + err = errno; + error("getsockopt SO_ERROR failed"); + } + if (err == 0) + c->type = SSH_CHANNEL_OPEN; + else { + /* Try next address, if any */ + int sock; + if ((sock = connect_next(&c->connect_ctx)) > 0) { + close(c->sock); + c->sock = c->rfd = c->wfd = sock; + channel_max_fd = channel_find_maxfd(); + return; + } + chan_mark_dead(c); + } + } +} + /* This is our fake X11 server socket. */ /* ARGSUSED */ static void 
@@ -1984,6 +2094,7 @@ channel_handler_init_20(void) channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; + channel_pre[SSH_CHANNEL_RDYNAMIC] = &channel_pre_rdynamic; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; @@ -1994,6 +2105,7 @@ channel_handler_init_20(void) channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; } static void @@ -2008,6 +2120,7 @@ channel_handler_init_13(void) channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; + channel_pre[SSH_CHANNEL_RDYNAMIC] = &channel_pre_rdynamic; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; @@ -2016,6 +2129,7 @@ channel_handler_init_13(void) channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; } static void @@ -2028,6 +2142,7 @@ channel_handler_init_15(void) channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; + channel_pre[SSH_CHANNEL_RDYNAMIC] = &channel_pre_rdynamic; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 
@@ -2035,6 +2150,7 @@ channel_handler_init_15(void) channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; } static void @@ -2190,10 +2306,12 @@ channel_output_poll(void) */ if (compat13) { if (c->type != SSH_CHANNEL_OPEN && - c->type != SSH_CHANNEL_INPUT_DRAINING) + c->type != SSH_CHANNEL_INPUT_DRAINING && + c->type != SSH_CHANNEL_RDYNAMIC) continue; } else { - if (c->type != SSH_CHANNEL_OPEN) + if (c->type != SSH_CHANNEL_OPEN && + c->type != SSH_CHANNEL_RDYNAMIC) continue; } if (compat20 && @@ -2318,7 +2436,8 @@ channel_input_data(int type, u_int32_t seq, void *ctxt) /* Ignore any data for non-open channels (might happen on close) */ if (c->type != SSH_CHANNEL_OPEN && - c->type != SSH_CHANNEL_X11_OPEN) + c->type != SSH_CHANNEL_X11_OPEN && + c->type != SSH_CHANNEL_RDYNAMIC) return; /* Get the data. */ 
@@ -3301,38 +3420,51 @@ channel_connect_ctx_free(struct channel_connect *cctx) cctx->ai = cctx->aitop = NULL; } -/* Return CONNECTING channel to remote host, port */ -static Channel * -connect_to(const char *host, u_short port, char *ctype, char *rname) +static int +connect_to_helper(const char *host, u_short port, struct channel_connect *cctx) { struct addrinfo hints; int gaierr; int sock = -1; char strport[NI_MAXSERV]; - struct channel_connect cctx; - Channel *c; - memset(&cctx, 0, sizeof(cctx)); + memset(cctx, 0, sizeof(*cctx)); memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; snprintf(strport, sizeof strport, "%d", port); - if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { + if ((gaierr = getaddrinfo(host, strport, &hints, &cctx->aitop)) != 0) { error("connect_to %.100s: unknown host (%s)", host, ssh_gai_strerror(gaierr)); - return NULL; + return -1; } - cctx.host = xstrdup(host); - cctx.port = port; - cctx.ai = cctx.aitop; + cctx->host = xstrdup(host); + cctx->port = port; + cctx->ai = cctx->aitop; - if ((sock = connect_next(&cctx)) == -1) { + if ((sock = connect_next(cctx)) == -1) { error("connect to %.100s port %d failed: %s", host, port, strerror(errno)); - channel_connect_ctx_free(&cctx); - return NULL; + channel_connect_ctx_free(cctx); + return -1; } + + return sock; +} + +/* Return CONNECTING channel to remote host, port */ +static Channel * +connect_to(const char *host, u_short port, char *ctype, char *rname) +{ + int sock; + struct channel_connect cctx; + Channel *c; + + sock = connect_to_helper(host, port, &cctx); + if (sock == -1) + return NULL; + c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); c->connect_ctx = cctx; 
@@ -3347,6 +3479,10 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) for (i = 0; i < num_permitted_opens; i++) { if (permitted_opens[i].host_to_connect != NULL && port_match(permitted_opens[i].listen_port, listen_port)) { + if (permitted_opens[i].port_to_connect == FWD_PERMIT_ANY_PORT) + return channel_new(ctype, SSH_CHANNEL_RDYNAMIC, -1, -1, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); + return connect_to( permitted_opens[i].host_to_connect, permitted_opens[i].port_to_connect, ctype, rname); diff --git a/channels.h b/channels.h index d75b800..cf6553e 100644 --- a/channels.h +++ b/channels.h @@ -55,7 +55,8 @@ #define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */ #define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */ #define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */ -#define SSH_CHANNEL_MAX_TYPE 17 +#define SSH_CHANNEL_RDYNAMIC 17 /* reversed SSH_CHANNEL_DYNAMIC */ +#define SSH_CHANNEL_MAX_TYPE 18 #define CHANNEL_CANCEL_PORT_STATIC -1 diff --git a/ssh.c b/ssh.c index 3f61eb0..a407aaa 100644 --- a/ssh.c +++ b/ssh.c @@ -549,7 +549,8 @@ main(int ac, char **av) break; case 'R': - if (parse_forward(&fwd, optarg, 0, 1)) { + if (parse_forward(&fwd, optarg, 1, 1) || + parse_forward(&fwd, optarg, 0, 1)) { add_remote_forward(&options, &fwd); } else { fprintf(stderr, -- 1.7.12.3 From isabellf at sympatico.ca Tue Oct 23 06:21:06 2012 
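Review bot: the connect_to_helper() prototype added in the @@ -172 hunk runs well past 80 columns, which OpenSSH's KNF style does not allow; wrap it like the two declarations directly above it, e.g. `static int connect_to_helper(const char *, u_short,` followed by an indented `struct channel_connect *);`, dropping the parameter names as those neighbours do.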
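Review bot: the Buffer *input/*output selection at the top of channel_decode_socks4() in the @@ -1033 hunk is the whole trick of this patch and carries no comment, and the same block is pasted again into channel_decode_socks5() in the @@ -1145 hunk. Add a comment stating that on an SSH_CHANNEL_RDYNAMIC channel the SOCKS request arrives from the peer in c->output (where channel_input_data() puts it) and the reply is queued in c->input for channel_output_poll() to send, and move the selection into one small static helper so both decoders share it instead of duplicating it.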
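Review bot: channel_post_rdynamic() in the @@ -1317 hunk never calls channel_connect_ctx_free(), so the addrinfo list and the xstrdup'd host that connect_to_helper() stores in c->connect_ctx leak on the success path (`if (err == 0) c->type = SSH_CHANNEL_OPEN;`) and on the final-failure path; channel_post_connecting() frees the context in both places and this function should do the same. On that failure path, and on the ret < 0 path of channel_pre_rdynamic(), chan_mark_dead(c) is also the wrong tool: unlike a DYNAMIC channel, an RDYNAMIC channel has already been confirmed open to the peer, so zombifying it without an EOF/CLOSE leaves the server-side channel and its SOCKS client hanging; go through the normal close path (chan_read_failed()/chan_write_failed()) instead, and consider queueing a SOCKS failure reply before closing. Minor: the `/* buffer_dump(&c->input); */` comment was copied from channel_pre_dynamic() but the buffer inspected here is c->output.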
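Review bot: the channel_output_poll() change in the @@ -2190 hunk is what actually delivers the SOCKS reply that channel_decode_socks4/5() queue in c->input for an RDYNAMIC channel, but nothing at the site says so; a one-line comment on the new `c->type != SSH_CHANNEL_RDYNAMIC` test would keep the next reader from taking it for an unrelated loosening of the OPEN-only rule.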
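Review bot: in the @@ -2318 hunk the comment above the test still reads "Ignore any data for non-open channels" while the test now admits SSH_CHANNEL_RDYNAMIC, which is not OPEN and has no local socket yet; reword it to say that an RDYNAMIC channel is already confirmed to the peer and collects the SOCKS request in c->output until the outbound connect completes.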
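Review bot: the @@ -2008, @@ -2016, @@ -2028 and @@ -2035 hunks register channel_pre_rdynamic()/channel_post_rdynamic() in the protocol 1 handler tables, but the only place this patch creates an SSH_CHANNEL_RDYNAMIC channel is channel_connect_by_listen_address() in the @@ -3347 hunk, on the SSH2 forwarded-tcpip path; unless a protocol 1 remote forward can reach that function, these four additions are dead code and should be dropped, or the commit message should state that the feature is protocol 2 only.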
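Review bot: the early return added in the @@ -3347 hunk decides that a remote forward is dynamic because `permitted_opens[i].port_to_connect == FWD_PERMIT_ANY_PORT`, i.e. it overloads the "any destination port is permitted" sentinel to mean "SOCKS"; nothing in the visible hunks sets a permitted_opens entry that way on purpose, the value merely survives from the dynamic-form parse_forward() call in ssh.c. Record the intent explicitly (a flag on the entry, or a check of host_to_connect) so the two meanings cannot be confused. The channel_new() call also runs past 80 columns and should be wrapped like the connect_to() call below it.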
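Review bot: the ssh.c hunk only teaches the -R command-line option about the dynamic form; the diffstat shows readconf.c untouched, so RemoteForward in ssh_config cannot express it, and neither ssh.1 nor the -R usage text in ssh.c is updated. The documentation is not optional here: the destination of every connection is taken from the SOCKS request and, unlike the non-dynamic branch of channel_connect_by_listen_address(), is never checked against a permitted host and port, so anyone who can reach the server's listening port gets an outbound SOCKS proxy running from the client. ssh.1 should say so and point out that the server's GatewayPorts setting decides whether that listener is reachable beyond loopback.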
From: isabellf at sympatico.ca (François Isabelle) Date: Mon, 22 Oct 2012 15:21:06 -0400 Subject: SCP support for -o StrictHostKeyChecking=no broken Message-ID: Hi. With SCP, it seems like the option precedence is ignored, although this seems to work well with SSH. $ scp -oStrictHostKeyChecking=no hs21-dev04:/tmp/1 hs21-dev02:/tmp/2 The authenticity of host 'hs21-dev04 (192.168.12.11)' can't be established. RSA key fingerprint is ec:0f:eb:b2:fa:6f:50:ef:89:64:01:5e:c9:cc:54:20. Are you sure you want to continue connecting (yes/no)? $ ssh -oStrictHostKeyChecking=no hs21-dev04 Warning: Permanently added 'hs21-dev04,192.168.12.11' (RSA) to the list of known hosts. user at hs21-dev04's password: $ ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 My current workaround is to run SSH first to store the key, then SSH. But I believe this is a bug. François From dtucker at zip.com.au Tue Oct 23 08:06:20 2012
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 23 Oct 2012 08:06:20 +1100 Subject: SCP support for -o StrictHostKeyChecking=no broken In-Reply-To: References: Message-ID: <20121022210620.GA809@gate.dtucker.net> On Mon, Oct 22, 2012 at 03:21:06PM -0400, François Isabelle wrote: > With SCP, it seems like the option precedence is ignored. > Although this seems to work well with SSH. [...] > $ssh -V > OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 Can you reproduce this with a current version? Works for me: $ scp -o stricthostkeychecking=yes /tmp/a localhost:/tmp/b No RSA host key is known for doesnotexist and you have requested strict checking. Host key verification failed. lost connection $ scp -o stricthostkeychecking=no /tmp/a localhost:/tmp/b Warning: Permanently added 'doesnotexist' (RSA) to the list of known hosts. a 100% 0 0.0KB/s 00:00 $ ssh -V OpenSSH_6.1, OpenSSL 1.0.1c 10 May 2012 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From isabellf at sympatico.ca Tue Oct 23 10:17:54 2012
From: isabellf at sympatico.ca (Francois Isabelle) Date: Mon, 22 Oct 2012 19:17:54 -0400 Subject: SCP support for -o StrictHostKeyChecking=no broken Message-ID: Yeah, I should have tried this before, but I only checked the bug list and didn't find any report. One thing to note though is that my system-wide configuration has 'ask' set for this option. I'll try to reproduce on recent versions soon. Thank you Frank Darren Tucker wrote: >On Mon, Oct 22, 2012 at 03:21:06PM -0400, François Isabelle wrote: >> With SCP, it seems like the option precedence is ignored. >> Although this seems to work well with SSH. >[...] >> $ssh -V >> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 > >Can you reproduce this with a current version? Works for me: > >$ scp -o stricthostkeychecking=yes /tmp/a localhost:/tmp/b >No RSA host key is known for doesnotexist and you have requested strict >checking. >Host key verification failed. >lost connection > >$ scp -o stricthostkeychecking=no /tmp/a localhost:/tmp/b >Warning: Permanently added 'doesnotexist' (RSA) to the list of known >hosts. >a 100% 0 0.0KB/s 00:00 > >$ ssh -V >OpenSSH_6.1, OpenSSL 1.0.1c 10 May 2012 > >-- >Darren Tucker (dtucker at zip.com.au) >GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience >usually comes from bad judgement. > From josef at josefassad.com Tue Oct 23 21:50:01 2012
From: josef at josefassad.com (Josef Assad) Date: Tue, 23 Oct 2012 12:50:01 +0200 Subject: possible error in ssh-copy-id man page Message-ID: <50867659.9070307@josefassad.com> The man page for ssh-copy-id says:

If the
.B -i
option is given then the identity file (defaults to
.BR ~/.ssh/id_rsa.pub )

Then a few lines later it says:

If the
.B -i
option is used, or the
.B ssh-add
produced no output, then it uses the contents of the identity
file.

Shouldn't the former line say "If the -i option is _not_ given"? Josef Assad From sebastiano.dipaola at gmail.com Tue Oct 23 22:27:27 2012 From: sebastiano.dipaola at gmail.com (Sebastiano Di Paola) Date: Tue, 23 Oct 2012 13:27:27 +0200 Subject: possible error in ssh-copy-id man page In-Reply-To: <50867659.9070307@josefassad.com> References: <50867659.9070307@josefassad.com> Message-ID: It seems to me to be correct. The last line just clarifies that if "-i" is used then keys eventually present in ssh-agent are not used, but the content of the identity file is used instead. Kind regards. Sebastiano On Tue, Oct 23, 2012 at 12:50 PM, Josef Assad wrote: > The man page for ssh-copy-id says: > > If the > .B -i > option is given then the identity file (defaults to > .BR ~/.ssh/id_rsa.pub ) > > Then a few lines later it says: > > If the > .B -i > option is used, or the > .B ssh-add > produced no output, then it uses the contents of the identity > file. > > Shouldn't the former line say "If the -i option is _not_ given"? > > > > Josef Assad > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From az1fantastic at gmail.com Tue Oct 23 23:48:26 2012
From: az1fantastic at gmail.com (Ahmad Zayed) Date: Tue, 23 Oct 2012 15:48:26 +0300 Subject: Disable rm on sftp Message-ID: Hi, Thanks a lot for this great software :) I'm trying to do something to secure my server. I need to disable removing files or removing directories using SFTP. In other words, the user can only write and move, but not delete, the file. This will be used to store logs, so I need to make sure that once the logs are written to my server the user cannot remove them. I tried doing this by changing the code of process_remove from:

static void
process_remove(void)
{
	char *name;
	u_int32_t id;
	int status = SSH2_FX_FAILURE;
	int ret;

	id = get_int();
	name = get_string(NULL);
	debug3("request %u: remove", id);
	logit("remove name \"%s\"", name);
	if (readonly)
		status = SSH2_FX_PERMISSION_DENIED;
	else {
		ret = unlink(name);
		status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
	}
	send_status(id, status);
	xfree(name);
}

To:

static void
process_remove(void)
{
	char *name;
	u_int32_t id;
	int status = SSH2_FX_FAILURE;
	int ret;

	id = get_int();
	name = get_string(NULL);
	debug3("request %u: remove", id);
	logit("remove name \"%s\"", name);
	/* refuse every remove request, not only in read-only mode */
	status = SSH2_FX_PERMISSION_DENIED;
	send_status(id, status);
	xfree(name);
}

Am I doing it right? Because it's not working and I don't know why. Thanks a lot. -- Best Regards, Ahmad Zayed From josef at josefassad.com Wed Oct 24 01:40:06 2012
From: josef at josefassad.com (Josef Assad) Date: Tue, 23 Oct 2012 16:40:06 +0200 Subject: possible error in ssh-copy-id man page In-Reply-To: References: <50867659.9070307@josefassad.com> Message-ID: <5086AC46.60902@josefassad.com> On 10/23/2012 01:27 PM, Sebastiano Di Paola wrote: > It seems to me to be correct. > The last line just clarify that if "-i? is used then keys eventually > present in ssh-agent are not used, but the content of identity file is > used instead. > Kind regards. > Sebastiano > > On Tue, Oct 23, 2012 at 12:50 PM, Josef Assad wrote: >> The man page for ssh-copy-id says: >> >> If the >> .B -i >> option is given then the identity file (defaults to >> .BR ~/.ssh/id_rsa.pub ) >> >> Than a few lines later it says: >> >> If the >> .B -i >> option is used, or the >> .B ssh-add >> produced no output, then it uses the contents of the identity >> file. >> >> Shouldn't the former line say "If the -i option is _not_ given? Ah I see what you mean. Hm. It only made sense to me when I read the source though. If it's useful, here's an alternative wording: If the -i option is given and the identity_file parameter is provided, then ssh-copy-id will look in this file for the identities. If the -i option is given and the identity_file parameter is omitted, then ssh-copy-id will look in the default ~/.ssh/id_rsa.pub. If the -i option is omitted then ssh-copy-id will use the output of the command ssh-agent -L to obtain the identities. If ssh-add produces no output, then ssh-copy-id will fall back again to the default ~/.ssh/id_rsa.pub. Cheers, Josef Assad From lists at eitanadler.com Wed Oct 24 01:42:02 2012 
From: lists at eitanadler.com (Eitan Adler) Date: Tue, 23 Oct 2012 10:42:02 -0400 Subject: Disable rm on sftp In-Reply-To: References: Message-ID: On 23 October 2012 08:48, Ahmad Zayed wrote: > I'm trying to do something to secure my server. I need to disable removing file or removing directory using SFTP. Set the "sappend" flag on the directory. -- Eitan Adler From josef at josefassad.com Wed Oct 24 01:53:19 2012 
From: josef at josefassad.com (Josef Assad) Date: Tue, 23 Oct 2012 16:53:19 +0200 Subject: possible error in ssh-copy-id man page In-Reply-To: <5086AC46.60902@josefassad.com> References: <50867659.9070307@josefassad.com> <5086AC46.60902@josefassad.com> Message-ID: <5086AF5F.7050203@josefassad.com> On 10/23/2012 04:40 PM, Josef Assad wrote: > On 10/23/2012 01:27 PM, Sebastiano Di Paola wrote: >> It seems to me to be correct. >> The last line just clarify that if "-i? is used then keys eventually >> present in ssh-agent are not used, but the content of identity file is >> used instead. >> Kind regards. >> Sebastiano >> >> On Tue, Oct 23, 2012 at 12:50 PM, Josef Assad wrote: >>> The man page for ssh-copy-id says: >>> >>> If the >>> .B -i >>> option is given then the identity file (defaults to >>> .BR ~/.ssh/id_rsa.pub ) >>> >>> Than a few lines later it says: >>> >>> If the >>> .B -i >>> option is used, or the >>> .B ssh-add >>> produced no output, then it uses the contents of the identity >>> file. >>> >>> Shouldn't the former line say "If the -i option is _not_ given? > > > Ah I see what you mean. Hm. It only made sense to me when I read the > source though. If it's useful, here's an alternative wording: > > > > If the -i option is given and the identity_file parameter is provided, > then ssh-copy-id will look in this file for the identities. > > If the -i option is given and the identity_file parameter is omitted, > then ssh-copy-id will look in the default ~/.ssh/id_rsa.pub. > > If the -i option is omitted then ssh-copy-id will use the output of the > command ssh-agent -L to obtain the identities. If ssh-add produces no > output, then ssh-copy-id will fall back again to the default > ~/.ssh/id_rsa.pub. Bah, I meant ssh-add where I wrote ssh-agent. From az1fantastic at gmail.com Wed Oct 24 02:14:59 2012 
From: az1fantastic at gmail.com (Ahmad Zayed) Date: Tue, 23 Oct 2012 18:14:59 +0300 Subject: Disable rm on sftp In-Reply-To: References: Message-ID: Hi Eitan, I googled "sappend sun solaris" but I didn't find anything; it seems this is related to Linux. Thanks for your help On Oct 23, 2012 5:42 PM, "Eitan Adler" wrote: > On 23 October 2012 08:48, Ahmad Zayed wrote: > > I'm trying to do something to secure my server. I need to disable > removing files or removing directories using SFTP. > > Set the "sappend" flag on the directory. > > > -- > Eitan Adler > From lists at eitanadler.com Wed Oct 24 02:26:14 2012 From: lists at eitanadler.com (Eitan Adler) Date: Tue, 23 Oct 2012 11:26:14 -0400 Subject: Disable rm on sftp In-Reply-To: References: Message-ID: On 23 October 2012 11:14, Ahmad Zayed wrote: > Hi Eitan, > > I googled "sappend sun solaris" but I didn't find anything; it seems this > is related to Linux I know this exists in FreeBSD; I don't know about Linux. Sorry this wasn't helpful :( -- Eitan Adler From az1fantastic at gmail.com Wed Oct 24 02:31:11 2012 From: az1fantastic at gmail.com (Ahmad Zayed) Date: Tue, 23 Oct 2012 18:31:11 +0300 Subject: Disable rm on sftp In-Reply-To: References: Message-ID: No problem, thanks. It would be helpful if you could guide me to remove the code related to removing files and directories in sftp-server.c, so that if a user executes rm it gives him permission denied. Thanks On Oct 23, 2012 6:26 PM, "Eitan Adler" wrote: > On 23 October 2012 11:14, Ahmad Zayed wrote: > > Hi Eitan, > > > > I googled "sappend sun solaris" but I didn't find anything; it seems this > > is related to Linux > > I know this exists in FreeBSD; I don't know about Linux. Sorry this > wasn't helpful :( > > -- > Eitan Adler > From djm at mindrot.org Thu Oct 25 03:03:43 2012
From: djm at mindrot.org (Damien Miller) Date: Thu, 25 Oct 2012 03:03:43 +1100 (EST) Subject: Disable rm on sftp In-Reply-To: References: Message-ID: On Tue, 23 Oct 2012, Ahmad Zayed wrote: > Am I doing it right? Because it's not working and I don't know why. Thanks > a lot. Your change looks fine, so I guess you either forgot to install it, installed it in the wrong location, or are using internal-sftp and forgot to restart sshd -d From az1fantastic at gmail.com Thu Oct 25 03:17:31 2012 From: az1fantastic at gmail.com (Ahmad Zayed) Date: Wed, 24 Oct 2012 19:17:31 +0300 Subject: Disable rm on sftp In-Reply-To: References: Message-ID: Dear Damien, Good day Thanks for your reply This is what I found: the modified version of sftp-server is working, but the user I tried is configured under a chroot environment and I am using internal-sftp as the forced command. Today I tried to find out where I can modify this so I can clean out the do_rm & do_rmdir functions Thanks for help On Oct 24, 2012 7:03 PM, "Damien Miller" wrote: > On Tue, 23 Oct 2012, Ahmad Zayed wrote: > > > Am I doing it right? Because it's not working and I don't know why. > Thanks > > a lot. > > Your change looks fine, so I guess you either forgot to install it, > installed it in the wrong location, or are using internal-sftp and forgot > to restart sshd > > -d > From mouring at eviladmin.org Thu Oct 25 03:56:38 2012
From: mouring at eviladmin.org (Ben Lindstrom) Date: Wed, 24 Oct 2012 11:56:38 -0500 Subject: Disable rm on sftp In-Reply-To: References: Message-ID: <6CBFE920-31F1-4473-B920-419A3AC1ED82@eviladmin.org> On Oct 24, 2012, at 11:17 AM, Ahmad Zayed wrote: > Dear Damien, > Good day > > Thanks for your reply > > This is what I found: the modified version of sftp-server is working, but > the user I tried is configured under a chroot environment and I am using > internal-sftp as the forced command. > > Today I tried to find out where I can modify this so I can clean out the do_rm > & do_rmdir functions The existing code change will work, but you need to recompile the sshd and run that instead of the one that comes with the base OS, as you are using internal-sftp, which takes that code and compiles it directly into the sshd. - Ben From az1fantastic at gmail.com Thu Oct 25 05:03:24 2012
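The distinction Ben draws above, as an added example that is not part of the thread or of the OpenSSH distribution: an sshd_config fragment showing the two ways a chrooted SFTP account can be served. The group name, chroot path and sftp-server path are assumptions. With `Subsystem sftp <path>`, sshd executes that binary for each SFTP session, so a rebuilt sftp-server installed at that path takes effect on the next login; with `ForceCommand internal-sftp`, the session is handled by the SFTP code compiled into sshd itself, so a patched sftp-server on disk is never run and the sshd binary has to be rebuilt, reinstalled and restarted for the change to be visible.

```text
# Stand-alone server: sshd execs this binary for every SFTP session.
# Point it at the rebuilt sftp-server (assumed install path).
Subsystem sftp /usr/local/libexec/sftp-server

# Chrooted log-upload accounts (group name is an assumption).
# ChrootDirectory and every component above it must be owned by root
# and not writable by group or others, or sshd refuses the login.
Match Group logupload
    ChrootDirectory /srv/logs/%u
    AllowTcpForwarding no
    X11Forwarding no
    # internal-sftp is compiled into sshd: the Subsystem binary above
    # is NOT used for these accounts, so a modified sftp-server on disk
    # changes nothing here; sshd itself must be the rebuilt binary.
    ForceCommand internal-sftp
```

To see which of the two applies to a given account before chasing the code, dump the effective configuration for that user with `sshd -T -C user=<name>` and look at the `forcecommand` line; if it says `internal-sftp`, the running sshd is the only thing that matters.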
From: az1fantastic at gmail.com (Ahmad Zayed) Date: Wed, 24 Oct 2012 21:03:24 +0300 Subject: Disable rm on sftp In-Reply-To: <6CBFE920-31F1-4473-B920-419A3AC1ED82@eviladmin.org> References: <6CBFE920-31F1-4473-B920-419A3AC1ED82@eviladmin.org> Message-ID: Hi Ben, Thanks for the reply. So to make it work I have to recompile the OpenSSH package after changing the sftp.c file and editing the do_rm & do_rmdir functions? Thanks On Oct 24, 2012 7:56 PM, "Ben Lindstrom" wrote: > > On Oct 24, 2012, at 11:17 AM, Ahmad Zayed wrote: > > > Dear Damien, > > Good day > > > > Thanks for your reply > > > > This is what I found: the modified version of sftp-server is working, but > > the user I tried is configured under a chroot environment and I am using the > > internal-sftp as force command. > > > > Today I tried to find out where I can modify this so I can clean out > do_rm > > & do_rmdir functions > > > The existing code change will work, but you need to recompile the sshd and > run > that instead of the one that comes with the base OS. As you are using > internal-sftp > which takes that code and compiles it directly into the sshd. > > - Ben From scott_n at xypro.com Thu Oct 25 06:50:38 2012 From: scott_n at xypro.com (Scott Neugroschl) Date: Wed, 24 Oct 2012 12:50:38 -0700 Subject: Disable rm on sftp In-Reply-To: References: <6CBFE920-31F1-4473-B920-419A3AC1ED82@eviladmin.org><78DD71C304F38B41885A242996B96F7303DC7B7A@xyservd.XYPRO-23.LOCAL> Message-ID: <78DD71C304F38B41885A242996B96F7303DC7BB7@xyservd.XYPRO-23.LOCAL>
From: Ahmad Zayed [mailto:az1fantastic at gmail.com] Sent: Wednesday, October 24, 2012 11:42 AM To: Scott Neugroschl Subject: RE: Disable rm on sftp Hi Scott, Thanks for the reply. For the record, I tried to compile after changing the sftp.c file and I moved the sftp binary to /usr/local/bin, but nothing changed. As you recommend, I might need to recompile the whole OpenSSH package. Thanks On Oct 24, 2012 9:19 PM, "Scott Neugroschl" wrote: [[SAN]] Ahmad, You have to reinstall sshd after recompiling. This is a server function. From mfriedl at gmail.com Mon Oct 29 05:26:13 2012 From: mfriedl at gmail.com (Markus Friedl) Date: Sun, 28 Oct 2012 19:26:13 +0100 Subject: [PATCH] Implement remote dynamic TCP forwarding In-Reply-To: <1350890001-7299-1-git-send-email-kjackie@gmail.com> References: <1350890001-7299-1-git-send-email-kjackie@gmail.com> Message-ID: Thanks! I'll try to have a look into this.... On Mon, Oct 22, 2012 at 9:13 AM, Kai-Chieh Ku wrote: > Hi all, > > This is a client-side-only implementation of reversed dynamic (SOCKS) TCP > forwarding, which means it is compatible with any existing server that > has 'remote forward' capability. > > To establish such a forward, use "ssh -R [BIND_ADDRESS:]PORT ...". > The server will listen on that port and address and accept SOCKS > traffic. > > Hope this will be useful for you. > > There was an implementation which needed to patch the server, too: > https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-January/028122.html > > Please CC me when replying because I do not subscribe to the list. > > This patch is based on openssh-6.1p1. > > Regards, > > Kai-Chieh Ku > --- > channels.c | 222 +++++++++++++++++++++++++++++++++++++++++++++++++------------ > channels.h | 3 +- > ssh.c | 3 +- > 3 files changed, 183 insertions(+), 45 deletions(-) > > diff --git a/channels.c b/channels.c > index 7791feb..6e46229 100644 > --- a/channels.c > +++ b/channels.c
> @@ -172,6 +172,7 @@ static void port_open_helper(Channel *c, char *rtype); > /* non-blocking connect helpers */ > static int connect_next(struct channel_connect *); > static void channel_connect_ctx_free(struct channel_connect *); > +static int connect_to_helper(const char *host, u_short port, struct channel_connect *cctx); > > /* -- channel core */ > > @@ -209,6 +210,7 @@ channel_lookup(int id) > case SSH_CHANNEL_LARVAL: > case SSH_CHANNEL_CONNECTING: > case SSH_CHANNEL_DYNAMIC: > + case SSH_CHANNEL_RDYNAMIC: > case SSH_CHANNEL_OPENING: > case SSH_CHANNEL_OPEN: > case SSH_CHANNEL_INPUT_DRAINING: > @@ -534,6 +536,7 @@ channel_still_open(void) > case SSH_CHANNEL_CLOSED: > case SSH_CHANNEL_AUTH_SOCKET: > case SSH_CHANNEL_DYNAMIC: > + case SSH_CHANNEL_RDYNAMIC: > case SSH_CHANNEL_CONNECTING: > case SSH_CHANNEL_ZOMBIE: > continue; > @@ -573,6 +576,7 @@ channel_find_open(void) > switch (c->type) { > case SSH_CHANNEL_CLOSED: > case SSH_CHANNEL_DYNAMIC: > + case SSH_CHANNEL_RDYNAMIC: > case SSH_CHANNEL_X11_LISTENER: > case SSH_CHANNEL_PORT_LISTENER: > case SSH_CHANNEL_RPORT_LISTENER: > @@ -635,6 +639,7 @@ channel_open_message(void) > case SSH_CHANNEL_OPENING: > case SSH_CHANNEL_CONNECTING: > case SSH_CHANNEL_DYNAMIC: > + case SSH_CHANNEL_RDYNAMIC: > case SSH_CHANNEL_OPEN: > case SSH_CHANNEL_X11_OPEN: > case SSH_CHANNEL_INPUT_DRAINING: 
> @@ -1033,14 +1038,23 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) > u_int16_t dest_port; > struct in_addr dest_addr; > } s4_req, s4_rsp; > + Buffer *input, *output; > + > + if (c->type == SSH_CHANNEL_RDYNAMIC) { > + input = &c->output; > + output = &c->input; > + } else { > + input = &c->input; > + output = &c->output; > + } > > debug2("channel %d: decode socks4", c->self); > > - have = buffer_len(&c->input); > + have = buffer_len(input); > len = sizeof(s4_req); > if (have < len) > return 0; > - p = buffer_ptr(&c->input); > + p = buffer_ptr(input); > > need = 1; > /* SOCKS4A uses an invalid IP address 0.0.0.x */ > @@ -1065,12 +1079,12 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) > } > if (found < need) > return 0; > - buffer_get(&c->input, (char *)&s4_req.version, 1); > - buffer_get(&c->input, (char *)&s4_req.command, 1); > - buffer_get(&c->input, (char *)&s4_req.dest_port, 2); > - buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); > - have = buffer_len(&c->input); > - p = buffer_ptr(&c->input); > + buffer_get(input, (char *)&s4_req.version, 1); > + buffer_get(input, (char *)&s4_req.command, 1); > + buffer_get(input, (char *)&s4_req.dest_port, 2); > + buffer_get(input, (char *)&s4_req.dest_addr, 4); > + have = buffer_len(input); > + p = buffer_ptr(input); > len = strlen(p); > debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); > len++; /* trailing '\0' */ > @@ -1078,7 +1092,7 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) > fatal("channel %d: decode socks4: len %d > have %d", > c->self, len, have); > strlcpy(username, p, sizeof(username)); > - buffer_consume(&c->input, len); > + buffer_consume(input, len); > > if (c->path != NULL) { > xfree(c->path); 
> @@ -1088,8 +1102,8 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) > host = inet_ntoa(s4_req.dest_addr); > c->path = xstrdup(host); > } else { /* SOCKS4A: two strings */ > - have = buffer_len(&c->input); > - p = buffer_ptr(&c->input); > + have = buffer_len(input); > + p = buffer_ptr(input); > len = strlen(p); > debug2("channel %d: decode socks4a: host %s/%d", > c->self, p, len); > @@ -1103,7 +1117,7 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) > return -1; > } > c->path = xstrdup(p); > - buffer_consume(&c->input, len); > + buffer_consume(input, len); > } > c->host_port = ntohs(s4_req.dest_port); > > @@ -1119,7 +1133,7 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) > s4_rsp.command = 90; /* cd: req granted */ > s4_rsp.dest_port = 0; /* ignored */ > s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ > - buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); > + buffer_append(output, &s4_rsp, sizeof(s4_rsp)); > return 1; > } > > @@ -1145,12 +1159,21 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) > u_int16_t dest_port; > u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; > u_int have, need, i, found, nmethods, addrlen, af; > + Buffer *input, *output; > + > + if (c->type == SSH_CHANNEL_RDYNAMIC) { > + input = &c->output; > + output = &c->input; > + } else { > + input = &c->input; > + output = &c->output; > + } > > debug2("channel %d: decode socks5", c->self); > - p = buffer_ptr(&c->input); > + p = buffer_ptr(input); > if (p[0] != 0x05) > return -1; > - have = buffer_len(&c->input); > + have = buffer_len(input); > if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { > /* format: ver | nmethods | methods */ > if (have < 2) 
> @@ -1170,10 +1193,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) > c->self); > return -1; > } > - buffer_consume(&c->input, nmethods + 2); > - buffer_put_char(&c->output, 0x05); /* version */ > - buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ > - FD_SET(c->sock, writeset); > + buffer_consume(input, nmethods + 2); > + buffer_put_char(output, 0x05); /* version */ > + buffer_put_char(output, SSH_SOCKS5_NOAUTH); /* method */ > + if (c->sock >= 0) > + FD_SET(c->sock, writeset); > c->flags |= SSH_SOCKS5_AUTHDONE; > debug2("channel %d: socks5 auth done", c->self); > return 0; /* need more */ > @@ -1210,11 +1234,11 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) > need++; > if (have < need) > return 0; > - buffer_consume(&c->input, sizeof(s5_req)); > + buffer_consume(input, sizeof(s5_req)); > if (s5_req.atyp == SSH_SOCKS5_DOMAIN) > - buffer_consume(&c->input, 1); /* host string length */ > - buffer_get(&c->input, (char *)&dest_addr, addrlen); > - buffer_get(&c->input, (char *)&dest_port, 2); > + buffer_consume(input, 1); /* host string length */ > + buffer_get(input, (char *)&dest_addr, addrlen); > + buffer_get(input, (char *)&dest_port, 2); > dest_addr[addrlen] = '\0'; > if (c->path != NULL) { > xfree(c->path); > @@ -1244,9 +1268,9 @@ channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) > ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; > dest_port = 0; /* ignored */ > > - buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); > - buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); > - buffer_append(&c->output, &dest_port, sizeof(dest_port)); > + buffer_append(output, &s5_rsp, sizeof(s5_rsp)); > + buffer_append(output, &dest_addr, sizeof(struct in_addr)); > + buffer_append(output, &dest_port, sizeof(dest_port)); > return 1; > } 
> > @@ -1317,6 +1341,92 @@ channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) > } > } > > +static void > +channel_pre_rdynamic(Channel *c, fd_set *readset, fd_set *writeset) > +{ > + u_char *p; > + u_int have; > + int ret; > + > + if (c->sock >= 0) { > + /* SOCKS session was established. */ > + FD_SET(c->sock, writeset); > + return; > + } > + > + have = buffer_len(&c->output); > + debug2("channel %d: pre_rdynamic: have %d", c->self, have); > + /* buffer_dump(&c->input); */ > + /* check if the fixed size part of the packet is in buffer. */ > + if (have < 3) { > + /* need more */ > + return; > + } > + /* try to guess the protocol */ > + p = buffer_ptr(&c->output); > + switch (p[0]) { > + case 0x04: > + ret = channel_decode_socks4(c, readset, writeset); > + break; > + case 0x05: > + ret = channel_decode_socks5(c, readset, writeset); > + break; > + default: > + ret = -1; > + break; > + } > + if (ret < 0) { > + chan_mark_dead(c); > + } else if (ret == 0) { > + debug2("channel %d: pre_rdynamic: need more", c->self); > + /* need more */ > + } else { > + /* switch to the next state */ > + struct channel_connect cctx; > + int sock; > + > + sock = connect_to_helper(c->path, c->host_port, &cctx); > + if (sock < 0) { > + chan_mark_dead(c); > + return; > + } > + > + channel_register_fds(c, sock, sock, -1, 0, 1, 0); > + c->connect_ctx = cctx; > + > + FD_SET(c->sock, writeset); > + } > +} > + > +static void > +channel_post_rdynamic(Channel *c, fd_set *readset, fd_set *writeset) > +{ > + if (c->sock < 0) > + return; > + if (FD_ISSET(c->sock, writeset)) { > + int err = 0; > + socklen_t sz = sizeof(err); > + > + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { > + err = errno; > + error("getsockopt SO_ERROR failed"); > + } > + if (err == 0) > + c->type = SSH_CHANNEL_OPEN; > + else { > + /* Try next address, if any */ > + int sock; > + if ((sock = connect_next(&c->connect_ctx)) > 0) { > + close(c->sock); > + c->sock = c->rfd = c->wfd = sock; > + 
channel_max_fd = channel_find_maxfd(); > + return; > + } > + chan_mark_dead(c); > + } > + } > +} > + > /* This is our fake X11 server socket. */ > /* ARGSUSED */ > static void > @@ -1984,6 +2094,7 @@ channel_handler_init_20(void) > channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; > channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; > channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; > + channel_pre[SSH_CHANNEL_RDYNAMIC] = &channel_pre_rdynamic; > > channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; > channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; > @@ -1994,6 +2105,7 @@ channel_handler_init_20(void) > channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; > channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; > channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; > + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; > } > > static void > @@ -2008,6 +2120,7 @@ channel_handler_init_13(void) > channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; > channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; > channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; > + channel_pre[SSH_CHANNEL_RDYNAMIC] = &channel_pre_rdynamic; > > channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; > channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; > @@ -2016,6 +2129,7 @@ channel_handler_init_13(void) > channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; > channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; > channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; > + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; > } > > static void 
> @@ -2028,6 +2142,7 @@ channel_handler_init_15(void) > channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; > channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; > channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; > + channel_pre[SSH_CHANNEL_RDYNAMIC] = &channel_pre_rdynamic; > > channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; > channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; > @@ -2035,6 +2150,7 @@ channel_handler_init_15(void) > channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; > channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; > channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; > + channel_post[SSH_CHANNEL_RDYNAMIC] = &channel_post_rdynamic; > } > > static void > @@ -2190,10 +2306,12 @@ channel_output_poll(void) > */ > if (compat13) { > if (c->type != SSH_CHANNEL_OPEN && > - c->type != SSH_CHANNEL_INPUT_DRAINING) > + c->type != SSH_CHANNEL_INPUT_DRAINING && > + c->type != SSH_CHANNEL_RDYNAMIC) > continue; > } else { > - if (c->type != SSH_CHANNEL_OPEN) > + if (c->type != SSH_CHANNEL_OPEN && > + c->type != SSH_CHANNEL_RDYNAMIC) > continue; > } > if (compat20 && > @@ -2318,7 +2436,8 @@ channel_input_data(int type, u_int32_t seq, void *ctxt) > > /* Ignore any data for non-open channels (might happen on close) */ > if (c->type != SSH_CHANNEL_OPEN && > - c->type != SSH_CHANNEL_X11_OPEN) > + c->type != SSH_CHANNEL_X11_OPEN && > + c->type != SSH_CHANNEL_RDYNAMIC) > return; > > /* Get the data. */ 
> @@ -3301,38 +3420,51 @@ channel_connect_ctx_free(struct channel_connect *cctx) > cctx->ai = cctx->aitop = NULL; > } > > -/* Return CONNECTING channel to remote host, port */ > -static Channel * > -connect_to(const char *host, u_short port, char *ctype, char *rname) > +static int > +connect_to_helper(const char *host, u_short port, struct channel_connect *cctx) > { > struct addrinfo hints; > int gaierr; > int sock = -1; > char strport[NI_MAXSERV]; > - struct channel_connect cctx; > - Channel *c; > > - memset(&cctx, 0, sizeof(cctx)); > + memset(cctx, 0, sizeof(*cctx)); > memset(&hints, 0, sizeof(hints)); > hints.ai_family = IPv4or6; > hints.ai_socktype = SOCK_STREAM; > snprintf(strport, sizeof strport, "%d", port); > - if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { > + if ((gaierr = getaddrinfo(host, strport, &hints, &cctx->aitop)) != 0) { > error("connect_to %.100s: unknown host (%s)", host, > ssh_gai_strerror(gaierr)); > - return NULL; > + return -1; > } > > - cctx.host = xstrdup(host); > - cctx.port = port; > - cctx.ai = cctx.aitop; > + cctx->host = xstrdup(host); > + cctx->port = port; > + cctx->ai = cctx->aitop; > > - if ((sock = connect_next(&cctx)) == -1) { > + if ((sock = connect_next(cctx)) == -1) { > error("connect to %.100s port %d failed: %s", > host, port, strerror(errno)); > - channel_connect_ctx_free(&cctx); > - return NULL; > + channel_connect_ctx_free(cctx); > + return -1; > } > + > + return sock; > +} > + > +/* Return CONNECTING channel to remote host, port */ > +static Channel * > +connect_to(const char *host, u_short port, char *ctype, char *rname) > +{ > + int sock; > + struct channel_connect cctx; > + Channel *c; > + > + sock = connect_to_helper(host, port, &cctx); > + if (sock == -1) > + return NULL; > + > c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, > CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); > c->connect_ctx = cctx; 
> @@ -3347,6 +3479,10 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) > for (i = 0; i < num_permitted_opens; i++) { > if (permitted_opens[i].host_to_connect != NULL && > port_match(permitted_opens[i].listen_port, listen_port)) { > + if (permitted_opens[i].port_to_connect == FWD_PERMIT_ANY_PORT) > + return channel_new(ctype, SSH_CHANNEL_RDYNAMIC, -1, -1, -1, > + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); > + > return connect_to( > permitted_opens[i].host_to_connect, > permitted_opens[i].port_to_connect, ctype, rname); > diff --git a/channels.h b/channels.h > index d75b800..cf6553e 100644 > --- a/channels.h > +++ b/channels.h > @@ -55,7 +55,8 @@ > #define SSH_CHANNEL_ZOMBIE 14 /* Almost dead. */ > #define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */ > #define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */ > -#define SSH_CHANNEL_MAX_TYPE 17 > +#define SSH_CHANNEL_RDYNAMIC 17 /* reversed SSH_CHANNEL_DYNAMIC */ > +#define SSH_CHANNEL_MAX_TYPE 18 > > #define CHANNEL_CANCEL_PORT_STATIC -1 > > diff --git a/ssh.c b/ssh.c > index 3f61eb0..a407aaa 100644 > --- a/ssh.c > +++ b/ssh.c > @@ -549,7 +549,8 @@ main(int ac, char **av) > break; > > case 'R': > - if (parse_forward(&fwd, optarg, 0, 1)) { > + if (parse_forward(&fwd, optarg, 1, 1) || > + parse_forward(&fwd, optarg, 0, 1)) { > add_remote_forward(&options, &fwd); > } else { > fprintf(stderr, > -- > 1.7.12.3 > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From djm at mindrot.org Wed Oct 31 11:16:00 2012 
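Review bot: The SSH_CHANNEL_RDYNAMIC buffer swap at the top of channel_decode_socks4 and channel_decode_socks5 is duplicated verbatim and carries no comment on why the buffers are reversed (for a reverse dynamic channel the SOCKS request arrives from the peer in c->output, and the reply has to be queued in c->input so it is sent back over the channel). Factor the swap into one small helper and document the direction there; a note that c->sock stays -1 until channel_pre_rdynamic connects would also explain the new `if (c->sock >= 0)` guard around FD_SET on the SOCKS5 auth path.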
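Review bot: The `/* buffer_dump(&c->input); */` comment in channel_pre_rdynamic was carried over from channel_pre_dynamic and now names the wrong buffer, since this function reads c->output; drop it or change it. Also, when connect_to_helper fails the channel is simply marked dead, but channel_decode_socks4/5 have already queued the "request granted" reply (s4_rsp.command = 90 / s5_rsp), so the peer sees success followed by EOF. That mirrors the forward DYNAMIC case, but a comment saying so and a debug() naming c->path and c->host_port on the failure path would make failed reverse forwards diagnosable.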
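Review bot: channel_post_rdynamic never calls channel_connect_ctx_free(). connect_to_helper fills cctx with an xstrdup'd host and a getaddrinfo() list, and channel_pre_rdynamic copies it into c->connect_ctx, but neither the success path (`c->type = SSH_CHANNEL_OPEN;`) nor the exhausted-addresses path before `chan_mark_dead(c);` releases it, so every reverse-dynamic connection leaks the context. Add `channel_connect_ctx_free(&c->connect_ctx);` in both places, as channel_post_connecting does, and log the failure with strerror(err) before giving up; at present a refused connection is silent apart from the getsockopt error() case.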
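Review bot: In channel_connect_by_listen_address the new FWD_PERMIT_ANY_PORT test sits inside `if (permitted_opens[i].host_to_connect != NULL && ...)`, so a reverse-dynamic entry only matches if whatever registers it (not in this excerpt) stores a non-NULL host_to_connect, even though the dynamic `-R [bind_address:]port` form carries no destination host. Either check `port_to_connect == FWD_PERMIT_ANY_PORT` before the host test or make the registration store a placeholder host, and say which in a comment, otherwise the entry can never be selected and the SOCKS channel is never created.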
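Review bot: The ssh.c hunk tries the dynamic parse first (`parse_forward(&fwd, optarg, 1, 1)`), so `-R port` and `-R bind_address:port` now succeed where they used to be rejected as a bad forwarding specification, but nothing in the patch updates the usage text, ssh(1) or ssh_config(5) (RemoteForward is not touched in this excerpt either). Document the new form and its consequence: whoever can reach the remote listening port can have the client open TCP connections to any host the SOCKS request names, so the docs should carry the same caveats as -D and point at the bind_address default of loopback.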
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 Oct 2012 11:16:00 +1100 (EST)
Subject: AuthorizedKeysCommand support added
Message-ID:

Hi,

I just committed the patch on https://bugzilla.mindrot.org/b/1663

It adds an AuthorizedKeysCommand option to sshd_config to use a helper program to fetch a user's authorized keys. Quite a few people have asked for this to allow storage of public keys in LDAP or other databases.

The program is executed (directly, not via the shell) with a single argument of the user being logged in. It produces on stdout zero or more lines in authorized_keys format. The program must terminate normally and with a zero exit status or its output is disregarded.

The program is executed as the user being logged in, unless a different user is specified using AuthorizedKeysCommandUser.

A facility like this grants a large opportunity to shoot oneself in the foot. We try to prevent obvious mistakes (like having the command writable by others), but the best approach is to use a well-audited helper, owned and writable only by root, that runs under a dedicated account that is not used by anything else.

Portable OpenSSH snapshots with this change will be available tomorrow (dated 20121101 or later). If you have an interest in this feature then please help review and test it before our next release. It would be handy if there were a good selection of helper commands ready then for common backends (LDAP at least).

The patch was mostly written by Jan Chadima from Redhat, and I apologise for taking too long to polish and integrate it.

-d

From philipp.marek at linbit.com Wed Oct 31 17:48:02 2012
From: philipp.marek at linbit.com (Philipp Marek)
Date: Wed, 31 Oct 2012 07:48:02 +0100
Subject: AuthorizedKeysCommand support added
In-Reply-To:
References:
Message-ID: <201210310748.03009.philipp.marek@linbit.com>

Hello Damien,

> I just commited the patch on https://bugzilla.mindrot.org/b/1663 It adds
> an AuthorizedKeysCommand option to sshd_config to use helper program to
> fetch a user's authorized keys. Quite a few people have asked for this
> to allow storage of public keys in LDAP or other databases.

thank you very much! I've been looking forward to that for a long time now.

> The program is executed (directly, not via the shell) with a single
> argument of the user being logged in. It produces on stdout zero or more
> lines in authorized_keys format. The program must terminate normally and
> with a zero exit status or its output is disregarded.

Reading the patch I see that STDERR is redirected to /dev/null; that might be interesting to know.
(Perhaps it would be better to allow some logfile, or even syslog, as destination for that output?)

Furthermore, how about setting alarm(60) or some similar timeout, and perhaps a CPU limit in the child handler, so that it doesn't run forever?

TBH, I can see the point that having a simple shell script in between - that can do all of this, too.

Well, thanks a lot! Hoping for a new release soon, so that the distributions get the new feature, too...

Regards,

Phil

From alex at alex.org.uk Wed Oct 31 18:42:01 2012
From: alex at alex.org.uk (Alex Bligh)
Date: Wed, 31 Oct 2012 07:42:01 +0000
Subject: AuthorizedKeysCommand support added
In-Reply-To:
References:
Message-ID: <2241E4D3-5360-4811-AE77-7F1CB0E35A78@alex.org.uk>

On 31 Oct 2012, at 00:16, Damien Miller wrote:

> A facility like this grants a large opportunity to shoot oneself in
> the foot

One potential anti-foot-shooting-device would be a configurable regexp of usernames passed to such a command. Or have you by this time checked the username is in some way sane?

-- 
Alex Bligh

From djm at mindrot.org Wed Oct 31 18:59:12 2012
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 Oct 2012 18:59:12 +1100 (EST)
Subject: AuthorizedKeysCommand support added
In-Reply-To: <201210310748.03009.philipp.marek@linbit.com>
References: <201210310748.03009.philipp.marek@linbit.com>
Message-ID:

On Wed, 31 Oct 2012, Philipp Marek wrote:

> > The program is executed (directly, not via the shell) with a single
> > argument of the user being logged in. It produces on stdout zero or more
> > lines in authorized_keys format. The program must terminate normally and
> > with a zero exit status or its output is disregarded.
> Reading the patch I see that STDERR is redirected to /dev/null; that might
> be interesting to know.
> (Perhaps it would be better to allow some logfile, or even syslog, as
> destination for that output?)

I want to keep this code simple, and don't want to have to implement yet another select() loop to handle multiple fds from the helper's stderr and stdout. I don't think it unreasonable for them to do their own logging to syslog for errors.

> Furthermore, how about setting alarm(60) or some similar timeout, and
> perhaps a CPU limit in the child handler, so that it doesn't run forever?

The helper is subject to the global login grace timeout (sshd_config LoginGraceTime).

> TBH, I can see the point that having a simple shell script inbetween - that
> can do all of this, too.

No - the shell environment is too complicated for something that can be triggered before authentication.

-d

From djm at mindrot.org Wed Oct 31 19:01:39 2012
From: djm at mindrot.org (Damien Miller)
Date: Wed, 31 Oct 2012 19:01:39 +1100 (EST)
Subject: AuthorizedKeysCommand support added
In-Reply-To: <2241E4D3-5360-4811-AE77-7F1CB0E35A78@alex.org.uk>
References: <2241E4D3-5360-4811-AE77-7F1CB0E35A78@alex.org.uk>
Message-ID:

On Wed, 31 Oct 2012, Alex Bligh wrote:

> 
> On 31 Oct 2012, at 00:16, Damien Miller wrote:
> 
> > A facility like this grants a large opportunity to shoot oneself in
> > the foot
> 
> One potential anti-foot-shooting-device would be a configurable
> regexp of usernames passed to such a command.

If you want to limit this to particular users, then you can do that already using Match blocks.

Match group maybetrustworthy
	AuthorizedKeysCommand /usr/libexec/authorized_keys_ldap

> Or have you by this time checked the username is in some way sane?

It is only invoked if the user actually has an account on the host, so there is no risk of bad usernames percolating through to the helper.

-d

From alex at alex.org.uk Wed Oct 31 19:27:57 2012
From: alex at alex.org.uk (Alex Bligh)
Date: Wed, 31 Oct 2012 08:27:57 +0000
Subject: AuthorizedKeysCommand support added
In-Reply-To:
References: <2241E4D3-5360-4811-AE77-7F1CB0E35A78@alex.org.uk>
Message-ID: <2DBD0E67-B9AA-48F7-91A3-275BAF6C6ECF@alex.org.uk>

On 31 Oct 2012, at 08:01, Damien Miller wrote:

>> 
>> Or have you by this time checked the username is in some way sane?
> 
> It is only invoked if the user actually has an account on the host, so
> there is no risk of bad usernames percolating through to the helper.

My concern was partly the LDAP case where (at least with the ldap patches) it lets you if there is an account on the LDAP server. I'm not sure whether there is some form of escalation opportunity here. I think with the Match group thing, perhaps not.

Can we guarantee that the username is a string for which getpwnam returns an entry? If so, perhaps this isn't a problem, as if admins permit users with | `` < > $ {} etc in, then they deserve all they get if they don't write safe scripts.

It would be useful to document that the script can rely on the fact that $1 is a username for which getpwnam returned something sometime in the recent past.

-- 
Alex Bligh

From Roman.Fiedler at ait.ac.at Wed Oct 31 19:58:26 2012
From: Roman.Fiedler at ait.ac.at (Fiedler Roman)
Date: Wed, 31 Oct 2012 08:58:26 +0000
Subject: AW: AuthorizedKeysCommand support added
In-Reply-To:
References:
Message-ID: <2ECE9D9EEF1F524185270138AE2326590179CF@S0MSMAIL112.arc.local>

Hi,

Just curious:

> ...
> The program is executed (directly, not via the shell) with a single
> argument of the user being logged in. It produces on stdout zero or more
> lines in authorized_keys format. The program must terminate normally and
> with a zero exit status or its output is disregarded.
> 
> The program is executed as the user being logged in, unless a different
> user is specified using AuthorizedKeysCommandUser.

Does this allow:

* Login as user x
* Fork a daemon process to stay alive after logout
* Logout
* Login again
* Let the daemon process running as x attach to the key-fetch-script running as x, take over fds, ..
* Let key-fetch-script return something nice

This would of course only work, if e.g. ptrace-attach to non-children with same UID is allowed, which is OK on older kernels/distros, new ones should block that.

Roman

From philipp.marek at linbit.com Wed Oct 31 21:18:01 2012
From: philipp.marek at linbit.com (Philipp Marek)
Date: Wed, 31 Oct 2012 11:18:01 +0100
Subject: AuthorizedKeysCommand support added
In-Reply-To:
References: <201210310748.03009.philipp.marek@linbit.com>
Message-ID: <201210311118.01858.philipp.marek@linbit.com>

Hello Damien,

thank you for your answer!

> > Reading the patch I see that STDERR is redirected to /dev/null; that
> > might be interesting to know.
> > (Perhaps it would be better to allow some logfile, or even syslog, as
> > destination for that output?)
> 
> I want to keep this code simple, and don't want to have to implement
> yet another select() loop to handle multiple fds from the helper's
> stderr and stdout. I don't think it unreasonable for them to do their own
> logging to syslog for errors.

Yes, of course. See my shell-script remark below.

> > Furthermore, how about setting alarm(60) or some similar timeout, and
> > perhaps a CPU limit in the child handler, so that it doesn't run
> > forever?
> 
> The helper is subject to the global login grace timeout (sshd_config
> LoginGraceTime).

But I see no code that would kill the process then - only the authentication would fail, right?

> > TBH, I can see the point that having a simple shell script inbetween -
> > that can do all of this, too.
> 
> No - the shell environment is too complicated for something that can
> be triggered before authentication.

Sorry for being unclear, I meant setting CPU (and other) ulimits, STDERR redirection and so on - these things can be done by a shell script. (Even syslog, by using logger(1).)

Regards,

Phil
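The thread above spells out the AuthorizedKeysCommand contract (one username argument, authorized_keys lines on stdout, exit 0 or the output is dropped, stderr discarded, run as the user or as AuthorizedKeysCommandUser) and raises three practical points: log through syslog yourself, do not trust the username beyond what sshd guarantees, and keep the helper simple and root-owned under a dedicated account. The helper below is an added example written to that contract; it is not OpenSSH's code and not the helper from the bugzilla patch. It assumes a constructed backend of one key file per user under $KEYDIR (a real helper would query LDAP there), that logger(1) exists, and placeholder paths and account names in the sshd_config comment.

```sh
#!/bin/sh
# Added example, not part of OpenSSH: a minimal AuthorizedKeysCommand helper.
#
# sshd executes it directly (no shell) as:   <helper> <username>
# It must print zero or more authorized_keys lines on stdout and exit 0;
# any non-zero exit makes sshd discard whatever the helper printed.
#
# Assumed sshd_config (paths and the account name are placeholders):
#   AuthorizedKeysCommand     /usr/local/libexec/authorized_keys_helper
#   AuthorizedKeysCommandUser sshkeys-lookup
#
# Assumed (constructed) backend: one file per user, $KEYDIR/<username>.pub.
KEYDIR="${KEYDIR:-/var/lib/ssh-keys}"

# sshd sends the helper's stderr to /dev/null, so report problems via syslog.
# logger(1) is assumed to exist; if it does not, logging is silently skipped.
log() {
    logger -t authorized_keys_helper -p auth.warning -- "$*" 2>/dev/null || :
}

# sshd only invokes the helper for names that resolved through getpwnam(),
# but the helper should not rely on that: restrict the charset so the name
# can never act as a path component or as shell metacharacters downstream.
valid_username() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Accept only lines that start with a known key type followed by base64 data.
# Lines with an options prefix (command="...", from="...") are deliberately
# not accepted by this simple helper; blank lines and comments are dropped.
filter_keys() {
    grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
}

# Print the user's keys on stdout. Returns 0 (possibly with no output) when
# the lookup succeeded and 1 when the request must be refused.
fetch_keys() {
    user="$1"
    if ! valid_username "$user"; then
        log "refusing lookup for malformed username"
        return 1
    fi
    keyfile="$KEYDIR/$user.pub"
    # No file means no keys for this user: succeed with empty output.
    [ -f "$keyfile" ] || return 0
    # Refuse a key file that group or others can write to, in the same
    # spirit as sshd's own permission checks on the helper binary.
    if [ -n "$(find "$keyfile" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        log "refusing group/world-writable key file for $user"
        return 1
    fi
    filter_keys < "$keyfile" || :
    return 0
}

# Entry point when run by sshd; skipped when the functions are sourced.
if [ $# -eq 1 ]; then
    fetch_keys "$1"
    exit $?
fi
```

Run as root, `chown root:root` the script and make it mode 0755 so sshd's writability check passes, and give AuthorizedKeysCommandUser an account with no other use; the helper then cannot be tampered with by the users it serves, which is also what defeats the same-UID attach scenario raised later in the thread.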