From djm at mindrot.org Fri Mar 1 12:53:50 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 1 Mar 2013 12:53:50 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130228100259.DC1663E4041@sarantium.pelham.vpn.ucam.org> Message-ID: On Thu, 28 Feb 2013, Damien Miller wrote: > > On Ubuntu raring with Linux 3.8-rc6 and OpenSSL 1.0.1c, this builds fine > > but I get this test failure: FYI on Raring amd64 (in KVM) I get no errors. What architecture are you using? -d From kevin.brott at gmail.com Sat Mar 2 07:06:32 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 1 Mar 2013 12:06:32 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: SNAP: openssh-SNAP-20130302.tar.gz AIX: 7100-02-01-1245 Compiler: xlc IBM XL C/C++ for AIX, V11.1 (5724-X13) Version: 11.01.0000.0012 ./configure - OK make - OK make tests - FAIL (cd openbsd-compat && make) Target "all" is up to date. [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; cc -qlanglvl=extc89 -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz "/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of mmap64 differs from previous declaration on line 143 of "/usr/include/sys/mman.h". "/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" of parameter 6 differs from the previous type "long". make: 1254-004 The error code from the last command is 1. -- # include /* Kevin Brott */ From kevin.brott at gmail.com Sat Mar 2 09:30:24 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 1 Mar 2013 14:30:24 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: Same results for AIX 5.3 and 6.1 using xlc_r or xlc versions 8-11 changing the compiler to gcc on any of our AIX boxes changes the error output to: $ gmake tests (cd openbsd-compat && gmake) gmake[1]: Entering directory `/var/tmp/ssh/openssh/openbsd-compat' gmake[1]: Nothing to be done for `all'. gmake[1]: Leaving directory `/var/tmp/ssh/openssh/openbsd-compat' [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ gcc -I. -I. -I/opt/phs/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe regress/modpipe.c \ -L. -Lopenbsd-compat/ -L/opt/phs/lib -Wl,-blibpath:/usr/lib:/lib -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz In file included from ./includes.h:100, from ./openbsd-compat/getopt.c:32, from regress/modpipe.c:26: /usr/include/sys/mman.h:148: error: conflicting types for 'mmap64' /usr/include/sys/mman.h:143: error: previous declaration of 'mmap64' was here gmake: *** [regress/modpipe] Error 1 openssh 6.1 builds perfectly on all these hosts - and 6.2 appears to build - but explodes on the very first bit of 'make tests' On Fri, Mar 1, 2013 at 12:06 PM, Kevin Brott wrote: > > SNAP: openssh-SNAP-20130302.tar.gz > AIX: 7100-02-01-1245 > Compiler: xlc IBM XL C/C++ for AIX, V11.1 (5724-X13) Version: > 11.01.0000.0012 > > ./configure - OK > make - OK > make tests - FAIL > > (cd openbsd-compat && make) > Target "all" is up to date. > [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; cc > -qlanglvl=extc89 -I. -I. -DSSHDIR=\"/usr/local/etc\" > -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" > -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" > -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c -L. > -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lopenbsd-compat -lssh > -lopenbsd-compat -lcrypto -lz > "/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of > mmap64 differs from previous declaration on line 143 of > "/usr/include/sys/mman.h". > "/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" > of parameter 6 differs from the previous type "long". > make: 1254-004 The error code from the last command is 1. > -- > # include > /* Kevin Brott */ > > -- # include /* Kevin Brott */ From kevin.brott at gmail.com Sat Mar 2 11:59:47 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 1 Mar 2013 16:59:47 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130302.tar.gz OS Build_Target CC OpenSSL BUILD TEST ============== =========================== ================ ============ ===== ================= RHEL 2.1 i686-pc-linux-gnu gcc 2.96-129.7.2 0.9.6b-eng OK all tests passed RHL 8.0 i686-pc-linux-gnu gcc 3.2.2-5 0.9.7a OK all tests passed RHEL 3.0 i686-pc-linux-gnu gcc 3.2.3-20 0.9.7a OK all tests passed Fedora Core r2 i686-pc-linux-gnu gcc 3.3.3-7 0.9.7a OK*1 all tests passed RHEL 4.0 nu6 i686-pc-linux-gnu gcc 3.4.6 0.9.7a OK*1 all tests passed RHEL 4.0 nu8 x86_64-unknown-linux-gnu gcc 3.4.6-8 0.9.7a OK*1 all tests passed RHEL 5.4 i686-pc-linux-gnu gcc 4.1.2-46 0.9.8e-fips OK all tests passed RHEL 5.5 i686-pc-linux-gnu gcc 4.1.2-48 0.9.8x OK*2 all tests passed RHEL 5.5 x86_64-redhat-linux gcc 4.1.2-48 0.9.8e-fips OK all tests passed RHEL 5.6 i686-pc-linux-gnu gcc 4.1.2-50 0.9.8e-fips OK all tests passed RHEL 5.6 x86_64-redhat-linux gcc 4.1.2-50 0.9.8x OK*2 all tests passed RHEL 5.7 i686-redhat-linux gcc 4.1.2-51 0.9.8e-fips OK all tests passed RHEL 5.7 x86_64-redhat-linux gcc 4.1.2-51 0.9.8x OK*4 all tests passed RHEL 5.8 i686-redhat-linux gcc 4.1.2-52 0.9.8e-fips OK all tests passed RHEL 5.8 x86_64-redhat-linux gcc 4.1.2-52 0.9.8x OK*2 all tests passed RHEL 5.9 x86_64-redhat-linux gcc 4.1.2-54 0.9.8x OK*4 all tests passed RHEL 6.2 i686-redhat-linux gcc 4.4.6-3 0.9.8x OK*2 all tests passed RHEL 6.2 x86_64-redhat-linux gcc 4.4.6-3 1.0.0-fips OK all tests passed Ubuntu 8.04.04 i686-pc-linux-gnu gcc 4.2.4-1ubuntu4 0.9.8g OK all tests passed Ubuntu 11.10 x86_64-linux-gnu gcc 4.6.1-2ubuntu5 1.0.0e OK FAIL *7 AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 gcc 4.0.0 0.9.8k OK FAIL *6 AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 08.00.0000.0016 0.9.8k OK FAIL *5 AIX 6100-07-06 powerpc-ibm-aix6.1.0.0 gcc 4.2.0 0.9.8x OK FAIL *6 AIX 6100-07-06 powerpc-ibm-aix6.1.0.0 xlc 11.01.0000.0012 0.9.8x OK FAIL *5 AIX 7100-02-01 powerpc-ibm-aix7.1.0.0 xlc 11.01.0000.0012 0.9.8x OK FAIL *5 HP-UX 11.23 ia64-hp-hpux11.23 gcc 4.1.1 0.9.8w OK FAIL *8 HP-UX 11.31 ia64-hp-hpux11.31 gcc 4.6.2 0.9.8t OK all tests passed HP-UX 11.31 ia64-hp-hpux11.31 aCC A.06.20 0.9.8t OK all tests passed # RHL Red Hat Linux # RHEL Red Hat Enterprise Linux # *1 --without-zlib-version-check # *2 missing headers - so zlib 1.2.7 and openssl 0.9.8x in /var/tmp/ssh/ # *3 missing zlib.h - so zlib 1.2.7 /var/tmp/ssh/ # *4 missing openssl.h - so openssl 0.9.8x in /var/tmp/ssh/ # *5 make tests fails immediately - xlc_r "/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of mmap64 differs from previous declaration on line 143 of "/usr/include/sys/mman.h". "/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" of parameter 6 differs from the previous type "long". make: 1254-004 The error code from the last command is 1. # *6 make tests fails immediately - gcc $ gmake tests (cd openbsd-compat && gmake) gmake[1]: Entering directory `/var/tmp/ssh/openssh/openbsd-compat' gmake[1]: Nothing to be done for `all'. gmake[1]: Leaving directory `/var/tmp/ssh/openssh/openbsd-compat' [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ gcc -I. -I. -I/opt/phs/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/modpipe regress/modpipe.c \ -L. -Lopenbsd-compat/ -L/opt/phs/lib -Wl,-blibpath:/usr/lib:/lib -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz In file included from ./includes.h:100, from ./openbsd-compat/getopt.c:32, from regress/modpipe.c:26: /usr/include/sys/mman.h:148: error: conflicting types for 'mmap64' /usr/include/sys/mman.h:143: error: previous declaration of 'mmap64' was here gmake: *** [regress/modpipe] Error 1 # *7 Make tests fails here: hangs forever run test forwarding.sh ... Warning: Could not request remote forwarding. ssh_exchange_identification: Connection closed by remote host cmp: EOF on /usr/src/UTILS/SSH/openssh/regress/ls.copy corrupted copy of /bin/ls Warning: remote port forwarding failed for listen port 3350 # *8 make test failes here: run test integrity.sh ... test integrity: hmac-sha1 @2900 Invalid modification spec "xor:2900:1" ssh_exchange_identification: Connection closed by remote host. unexpected error mac hmac-sha1 at 2900 .... failed integrity gmake[1]: *** [t-exec] Error 1 gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress' GMake: *** [tests] Error 2 From keisial at gmail.com Sun Mar 3 05:02:29 2013 From: keisial at gmail.com (=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?=) Date: Sat, 02 Mar 2013 19:02:29 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <874ngwisi6.fsf@poker.hands.com> References: <874ngwisi6.fsf@poker.hands.com> Message-ID: <51323EB5.2010706@gmail.com> On 28/02/13 12:32, Philip Hands wrote: > BTW if anyone's got access to systems with particularly ancient or > deranged shells, where they would realistically like to run this script, > then bug reports telling me that there are still people using shells > that don't understand $(...) and/or ${FOO:+BAR}, for instance, would be > interesting -- although if the machine in question is going to get > powered up for the first time this millennium in order to do the test, > then I'm less interested. ;-) Well, there's the usual offender of Solaris sh (fails with syntax error at line 36: `DEFAULT_PUB_ID_FILE=$', so not too bad, it also has a broken ${FOO:+BAR} syntax, printing BAR instead of $BAR) The first thing I notice of your script is the missing \n at the end of the usage (why are you using printf instead of echo?). Also, I'm seeing a ls stderr message of No such file or directory for ~/.ssh/id*.pub Finally, the error (usage parameters) given if you don't have an agent running is not helpful. From phil at hands.com Sun Mar 3 08:17:26 2013 From: phil at hands.com (Philip Hands) Date: Sat, 02 Mar 2013 21:17:26 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <51323EB5.2010706@gmail.com> References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> Message-ID: <87hakth57d.fsf@poker.hands.com> ?ngel Gonz?lez writes: > On 28/02/13 12:32, Philip Hands wrote: >> BTW if anyone's got access to systems with particularly ancient or >> deranged shells, where they would realistically like to run this script, >> then bug reports telling me that there are still people using shells >> that don't understand $(...) and/or ${FOO:+BAR}, for instance, would be >> interesting -- although if the machine in question is going to get >> powered up for the first time this millennium in order to do the test, >> then I'm less interested. ;-) > Well, there's the usual offender of Solaris sh > (fails with syntax error at line 36: `DEFAULT_PUB_ID_FILE=$', so not too > bad, "Not too bad" in the sense that it gets as far as the first line of the script before failing? ;-) So Solaris portability will require replacing $(...) with `...` *sigh* > it also has a broken ${FOO:+BAR} syntax, printing BAR instead of $BAR) That's correct behaviour -- you do ${FOO:+$BAR} if that's what you wanted. I'm using it to avoid adding an extra space to a list of options, thus: X="${X:+$X }..." ^ (so the space after the $X only gets added when $X is already set) > The first thing I notice of your script is the missing \n at the end of > the usage (why are you using printf instead of echo?). Well, echo is depressingly unportable, so I recently decided that I'd spent enough time thinking about whether each usage of echo was going to be portable, so why not avoid the problem completely. This lays out the problem: http://www.etalabs.net/sh_tricks.html of course, that's where the missing \n bug came from -- thanks for spotting that. Note to self: changes that are too trivial to introduce bugs ... aren't > Also, I'm seeing a ls stderr message of No such file or directory for > ~/.ssh/id*.pub Good point (I've obviously not tested it recently with no id files). > Finally, the error (usage parameters) given if you don't have an agent > running is not helpful. How are you getting that? Is this still somehow with Solaris? It _should_ spit out: ERROR: No identities found If you could describe what you did to get that, assuming that it still happens with the latest version, I'll see if I can work out what's going on. Perhaps you'd be kind enough to give this a go on solaris for me: http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris I have a suspicion that if it doesn't like $(...) it might not like $((maths)) much either. I take it that opinion is that we still care about Solaris? (please say no :-) ) Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/ |-| HANDS.COM Ltd. http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From tim at multitalents.net Sun Mar 3 10:12:51 2013 From: tim at multitalents.net (Tim Rice) Date: Sat, 2 Mar 2013 15:12:51 -0800 (PST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <87hakth57d.fsf@poker.hands.com> References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> Message-ID: On Sat, 2 Mar 2013, Philip Hands wrote: > Perhaps you'd be kind enough to give this a go on solaris for me: > > http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris ......... $ sh -n /tmp/ssh-copy-id /tmp/ssh-copy-id: syntax error at line 205: `KEY_NO=$' unexpected ......... Use KEY_NO=`expr $KEY_NO + 1` > I have a suspicion that if it doesn't like $(...) it might not like > $((maths)) much either. > > I take it that opinion is that we still care about Solaris? > (please say no :-) ) Yes we still care about Solaris and a few other platforms that have older bourne shells. That said, I can't think of any of them that do not also have a current POSIX shell. I think all of the ones derived from the AT&T code base will have ksh too. Most will have added bash but not all. Now it would not be a good idea to do a "#!/bin/ksh" because some Linux distros do not have a ksh. Since ssh-copy-id is in contrib, it might be OK to use POSIX shell syntax and require users/packagers to configure the first line with the apropriate shell. My $.02, not speaking for the rest of the dev team. > > Cheers, Phil. > -- Tim Rice tim at multitalents.net From carson at taltos.org Sun Mar 3 10:52:13 2013 From: carson at taltos.org (Carson Gaspar) Date: Sat, 02 Mar 2013 15:52:13 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> Message-ID: <513290AD.1010206@taltos.org> On 3/2/13 3:12 PM, Tim Rice wrote: > On Sat, 2 Mar 2013, Philip Hands wrote: > > Yes we still care about Solaris and a few other platforms that have older > bourne shells. That said, I can't think of any of them that do not also > have a current POSIX shell. I think all of the ones derived from the AT&T > code base will have ksh too. Most will have added bash but not all. > Now it would not be a good idea to do a "#!/bin/ksh" because some Linux > distros do not have a ksh. > > Since ssh-copy-id is in contrib, it might be OK to use POSIX shell syntax > and require users/packagers to configure the first line with the > apropriate shell. We use autoconf already - why not use it to select a POSIX shell instead of playing guessing games or requiring the builder to manually fix things? -- Carson From phil at hands.com Mon Mar 4 07:19:06 2013 From: phil at hands.com (Philip Hands) Date: Sun, 03 Mar 2013 20:19:06 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> Message-ID: <87bob0grt1.fsf@poker.hands.com> Tim Rice writes: > On Sat, 2 Mar 2013, Philip Hands wrote: > >> Perhaps you'd be kind enough to give this a go on solaris for me: >> >> http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris > > ......... > $ sh -n /tmp/ssh-copy-id > /tmp/ssh-copy-id: syntax error at line 205: `KEY_NO=$' unexpected > ......... Thanks for checking. > Use > KEY_NO=`expr $KEY_NO + 1` quite >> I have a suspicion that if it doesn't like $(...) it might not like >> $((maths)) much either. >> >> I take it that opinion is that we still care about Solaris? >> (please say no :-) ) > > Yes we still care about Solaris and a few other platforms that have older > bourne shells. That said, I can't think of any of them that do not also > have a current POSIX shell. Well, avoiding $((...)) is no great hardship, once one's already having to suffer the unreadability of `` vs $(). Luckily the script had no nested $(), so didn't need any nasty escaping tricks to deal with that limitaion. > I think all of the ones derived from the AT&T code base will have ksh > too. Most will have added bash but not all. Now it would not be a > good idea to do a "#!/bin/ksh" because some Linux distros do not have > a ksh. > > Since ssh-copy-id is in contrib, it might be OK to use POSIX shell syntax > and require users/packagers to configure the first line with the > apropriate shell. Rather than complicating things for people installing it, I think I'd probably take the readability hit to maintain the widest portability. Especially if the latest version runs nicely (same URL). Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/ |-| HANDS.COM Ltd. http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From g.esp at free.fr Mon Mar 4 09:43:07 2013 From: g.esp at free.fr (g.esp at free.fr) Date: Sun, 3 Mar 2013 23:43:07 +0100 (CET) Subject: [patch] fix schnorr vasprintf warnings on openssh-SNAP-20130304 In-Reply-To: <1369422281.1311068.1362350358453.JavaMail.root@zimbra33-e6.priv.proxad.net> Message-ID: <1103745101.1314751.1362350587926.JavaMail.root@zimbra33-e6.priv.proxad.net> Tested against openssh-SNAP-2013-03-04 Fix those 2 old warnings schnorr.c: In function 'debug3_bn': schnorr.c:494: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result schnorr.c: In function 'debug3_buf': schnorr.c:519: warning: ignoring return value of 'vasprintf', declared with attribute warn_unused_result vasprintf return value should be checked. If an error happen, -1 is returned and first parameter is undefined --- openssh/schnorr.c.orig 2010-12-04 23:00:30.000000000 +0100 +++ openssh/schnorr.c 2013-03-03 23:35:11.000000000 +0100 @@ -491,10 +491,9 @@ out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); - va_end(args); - if (out == NULL) + if (vasprintf(&out, fmt, args) == -1) fatal("%s: vasprintf failed", __func__); + va_end(args); if (n == NULL) debug3("%s(null)", out); @@ -516,10 +515,9 @@ out = NULL; va_start(args, fmt); - vasprintf(&out, fmt, args); - va_end(args); - if (out == NULL) + if (vasprintf(&out, fmt, args) == -1) fatal("%s: vasprintf failed", __func__); + va_end(args); debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : ""); free(out); Gilles From djm at mindrot.org Mon Mar 4 10:32:38 2013 From: djm at mindrot.org (Damien Miller) Date: Mon, 4 Mar 2013 10:32:38 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: On Fri, 1 Mar 2013, Kevin Brott wrote: > SNAP: openssh-SNAP-20130302.tar.gz > AIX: 7100-02-01-1245 > Compiler: xlc IBM XL C/C++ for AIX, V11.1 (5724-X13) Version: > 11.01.0000.0012 Thanks again for your extensive testing. For this failure, could you try this patch? Index: regress/modpipe.c =================================================================== RCS file: /var/cvs/openssh/regress/modpipe.c,v retrieving revision 1.5 diff -u -p -r1.5 modpipe.c --- regress/modpipe.c 20 Feb 2013 10:16:09 -0000 1.5 +++ regress/modpipe.c 3 Mar 2013 23:26:08 -0000 @@ -16,6 +16,8 @@ /* $OpenBSD: modpipe.c,v 1.4 2013/02/20 08:29:27 djm Exp $ */ +#include "includes.h" + #include #include #include From djm at mindrot.org Mon Mar 4 10:45:14 2013 From: djm at mindrot.org (Damien Miller) Date: Mon, 4 Mar 2013 10:45:14 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: On Fri, 1 Mar 2013, Kevin Brott wrote: > # *5 make tests fails immediately - xlc_r > # *6 make tests fails immediately - gcc I suspect that the patch I just sent will avoid these. > # *7 Make tests fails here: hangs forever > run test forwarding.sh ... > Warning: Could not request remote forwarding. > ssh_exchange_identification: Connection closed by remote host > cmp: EOF on /usr/src/UTILS/SSH/openssh/regress/ls.copy > corrupted copy of /bin/ls > Warning: remote port forwarding failed for listen port 3350 This might be a spurious failure caused by the regress script picking a port that is already in use on the host running the tests. Could you check whether anything is using ports 3300-3399? You can adjust the leading digits of the ports that the test choses using the 'base=' variable at the start of regress/forwarding.sh > # *8 make test failes here: > run test integrity.sh ... > test integrity: hmac-sha1 @2900 Invalid modification spec "xor:2900:1" > ssh_exchange_identification: Connection closed by remote host. > unexpected error mac hmac-sha1 at 2900 This one is strange - the modpipe tool is not parsing its commandline properly. I suspect that HP/UX's sscanf(3) lacks the "hh" conversion. Could you try this patch? Index: regress/modpipe.c =================================================================== RCS file: /var/cvs/openssh/regress/modpipe.c,v retrieving revision 1.5 diff -u -p -r1.5 modpipe.c --- regress/modpipe.c 20 Feb 2013 10:16:09 -0000 1.5 +++ regress/modpipe.c 3 Mar 2013 23:44:12 -0000 @@ -74,20 +76,29 @@ static void parse_modification(const char *s, struct modification *m) { char what[16+1]; - int n; + int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%hhi%*[:]%hhi", - what, &m->offset, &m->m1, &m->m2)) < 3) + if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", + what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { - m->what = MOD_XOR; if (n > 3) errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid XOR modification value"); + m->what = MOD_XOR; + m->m1 = m1; } else if (strcasecmp(what, "andor") == 0) { - m->what = MOD_AND_OR; if (n != 4) errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid AND modification value"); + if (m2 < 0 || m2 > 0xff) + errx(1, "Invalid OR modification value"); + m->what = MOD_AND_OR; + m->m1 = m1; + m->m2 = m2; } else errx(1, "Invalid modification type \"%s\"", what); } From kulkarniamit at hp.com Tue Mar 5 00:11:46 2013 From: kulkarniamit at hp.com (Kulkarni, Amit (HP-UX Network Security)) Date: Mon, 4 Mar 2013 13:11:46 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: Hi, Used http://www.mindrot.org/openssh_snap/openssh-SNAP-20130304.tar.gz Applied the suggested patch for : regress/modpipe.c for test integrity.sh Results : OS Build_Target CC OpenSSL BUILD TEST ============== =========================== ================ ============ ===== ================= HP-UX 11.31 ia64-hp-hpux11.31 HP C/aC++ B3910B A.06.12 0.9.8w OK all tests passed HP-UX 11.31 PA-RISC-hp-hpux11.31 HP C/aC++ Developer's Bundle B9007AA 0.9.8x OK all tests passed HP-UX 11.23 ia64-hp-hpux11.23 HP C/aC++ B3910B A.06.25 0.9.8x OK all tests passed HP-UX 11.23 PA-RISC -hp-hpux11.23 HP C/aC++ Developer's Bundle B9007AA 0.9.8x OK all tests passed HP-UX 11.11 PA-RISC -hp-hpux11.11 HP C/aC++ Developer's Bundle B9007AA 0.9.8y FAIL *1 # *1 : cc -I. -I. -I/usr/local/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" CC=cc -DHAVE_CONFIG_H -o regress/modpipe ./regress/modpipe.c \ -L. -Lopenbsd-compat/ -L/usr/local/zlib/lib -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lnsl -lxnet -lsec /usr/ccs/bin/ld: Can't open CC=cc /usr/ccs/bin/ld: No such file or directory *** Error exit code 1 Stop. Regards, Amit Kulkarni -----Original Message----- From: openssh-unix-dev-bounces+kulkarniamit=hp.com at mindrot.org [mailto:openssh-unix-dev-bounces+kulkarniamit=hp.com at mindrot.org] On Behalf Of Damien Miller Sent: Monday, March 04, 2013 5:15 AM To: Kevin Brott Cc: openssh-unix-dev at mindrot.org Subject: Re: Call for testing: OpenSSH-6.2 On Fri, 1 Mar 2013, Kevin Brott wrote: > # *5 make tests fails immediately - xlc_r # *6 make tests fails > immediately - gcc I suspect that the patch I just sent will avoid these. > # *7 Make tests fails here: hangs forever > run test forwarding.sh ... > Warning: Could not request remote forwarding. > ssh_exchange_identification: Connection closed by remote host > cmp: EOF on /usr/src/UTILS/SSH/openssh/regress/ls.copy > corrupted copy of /bin/ls > Warning: remote port forwarding failed for listen port 3350 This might be a spurious failure caused by the regress script picking a port that is already in use on the host running the tests. Could you check whether anything is using ports 3300-3399? You can adjust the leading digits of the ports that the test choses using the 'base=' variable at the start of regress/forwarding.sh > # *8 make test failes here: > run test integrity.sh ... > test integrity: hmac-sha1 @2900 Invalid modification spec "xor:2900:1" > ssh_exchange_identification: Connection closed by remote host. > unexpected error mac hmac-sha1 at 2900 This one is strange - the modpipe tool is not parsing its commandline properly. I suspect that HP/UX's sscanf(3) lacks the "hh" conversion. Could you try this patch? Index: regress/modpipe.c =================================================================== RCS file: /var/cvs/openssh/regress/modpipe.c,v retrieving revision 1.5 diff -u -p -r1.5 modpipe.c --- regress/modpipe.c 20 Feb 2013 10:16:09 -0000 1.5 +++ regress/modpipe.c 3 Mar 2013 23:44:12 -0000 @@ -74,20 +76,29 @@ static void parse_modification(const char *s, struct modification *m) { char what[16+1]; - int n; + int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%hhi%*[:]%hhi", - what, &m->offset, &m->m1, &m->m2)) < 3) + if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", + what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { - m->what = MOD_XOR; if (n > 3) errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid XOR modification value"); + m->what = MOD_XOR; + m->m1 = m1; } else if (strcasecmp(what, "andor") == 0) { - m->what = MOD_AND_OR; if (n != 4) errx(1, "Invalid modification spec \"%s\"", s); + if (m1 < 0 || m1 > 0xff) + errx(1, "Invalid AND modification value"); + if (m2 < 0 || m2 > 0xff) + errx(1, "Invalid OR modification value"); + m->what = MOD_AND_OR; + m->m1 = m1; + m->m2 = m2; } else errx(1, "Invalid modification type \"%s\"", what); } _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From keisial at gmail.com Tue Mar 5 00:16:40 2013 From: keisial at gmail.com (=?UTF-8?B?w4FuZ2VsIEdvbnrDoWxleg==?=) Date: Mon, 04 Mar 2013 14:16:40 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <87hakth57d.fsf@poker.hands.com> References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> Message-ID: <51349EB8.6080405@gmail.com> Philip Hands writes: > ?ngel Gonz?lez writes: >> Well, there's the usual offender of Solaris sh >> (fails with syntax error at line 36: `DEFAULT_PUB_ID_FILE=$', so not too >> bad, > "Not too bad" in the sense that it gets as far as the first line of the > script before failing? ;-) > > So Solaris portability will require replacing $(...) with `...` *sigh* 'Not too bad' because it hasn't processed yet anything, so it's harmless. >> it also has a broken ${FOO:+BAR} syntax, printing BAR instead of $BAR) > That's correct behaviour -- you do ${FOO:+$BAR} if that's what you > wanted. I'm using it to avoid adding an extra space to a list of > options, thus: > > X="${X:+$X }..." > ^ > (so the space after the $X only gets added when $X is already set) Sorry, you're right. I thought I had tested it in bash, but apparently it was just its documentation what confused me: > `${PARAMETER:+WORD}' > If PARAMETER is null or unset, nothing is substituted, otherwise > the expansion of WORD is substituted. >> The first thing I notice of your script is the missing \n at the end of >> the usage (why are you using printf instead of echo?). > Well, echo is depressingly unportable, so I recently decided that I'd > spent enough time thinking about whether each usage of echo was going to > be portable, so why not avoid the problem completely. This lays out the > problem: > > http://www.etalabs.net/sh_tricks.html > > of course, that's where the missing \n bug came from -- thanks for > spotting that. > > Note to self: changes that are too trivial to introduce bugs ... aren't In this case, I think echo would be safe, as it'd be followed by a string literal ("Usage:"), but adding that newline to printf is also fine, of course :) >> Finally, the error (usage parameters) given if you don't have an agent >> running is not helpful. > How are you getting that? Is this still somehow with Solaris? > > It _should_ spit out: > > ERROR: No identities found > > If you could describe what you did to get that, assuming that it still > happens with the latest version, I'll see if I can work out what's going > on. With either no agent (just unset SSH_AUTH_SOCK and SSH_AGENT_PID) or an empty agent (you can overwrite your 'normal' agent with a new one in a shell instance) I get with the latest version (fdb4641): $ ./ssh-copy-id host ./ssh-copy-id: ERROR: failed to open ID file '/home/user/.ssh/id_rsa': No such file or directory The usage problem seems to be due to the getopt version that it is picking Solaris In Linux: $ getopt --options 'i::o:p:nh?' --name "ssh-copy-id" --quiet -- "hostname" -- 'hostname' In Solaris: $ getopt --options 'i::o:p:nh?' --name "ssh-copy-id" --quiet -- "host" -- i::o:p:nh? --name ssh-copy-id --quiet -- host So $# is 6, thus it enters the if [ $# != 1 ] path. Seems it's a traditional getopt, which only expects the options to be the first parameter and $@ the rest of the arguments. > Perhaps you'd be kind enough to give this a go on solaris for me: > > http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris > > I have a suspicion that if it doesn't like $(...) it might not like > $((maths)) much either. As expected, it doesn't. $ echo $((5 + 1)) syntax error: `(' unexpected For the two additions you use, expr is more than enough. It would also be interesting if we had some tests for ssh-copy-id which could then be run on the different systems, instead of making up them each time. From kevin.brott at gmail.com Tue Mar 5 04:28:05 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 4 Mar 2013 09:28:05 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: ?That appears to have done the trick. After applying that patch to openssh-SNAP-20130305.tar.gz - all of the AIX builds read 'all testss passed' with both xlc and gcc now. From kevin.brott at gmail.com Tue Mar 5 04:50:26 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 4 Mar 2013 09:50:26 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: On Sun, Mar 3, 2013 at 3:45 PM, Damien Miller wrote: > On Fri, 1 Mar 2013, Kevin Brott wrote: > > > # *5 make tests fails immediately - xlc_r > > # *6 make tests fails immediately - gcc > > I suspect that the patch I just sent will avoid these. > > *?Confirmed - solid fix for AIX builds so far.?* > > # *7 Make tests fails here: hangs forever > > run test forwarding.sh ... > > Warning: Could not request remote forwarding. > > ssh_exchange_identification: Connection closed by remote host > > cmp: EOF on /usr/src/UTILS/SSH/openssh/regress/ls.copy > > corrupted copy of /bin/ls > > Warning: remote port forwarding failed for listen port 3350 > > This might be a spurious failure caused by the regress script picking a > port that is already in use on the host running the tests. Could you > check whether anything is using ports 3300-3399? You can adjust the > leading digits of the ports that the test choses using the 'base=' > variable at the start of regress/forwarding.sh > > ?*Confirmed - xrdp was using that port - shutting it off during the build/test process gets 'all tests passed'. Disregard. Although a test for xrdp active might not hurt.?* * * *?xrdp-sesm 3558 root 6u IPv4 45542 0t0 TCP 127.0.0.1:3350(LISTEN) xrdp-sesm 3558 root 7u IPv4 97938 0t0 TCP 127.0.0.1:3350-> 127.0.0.1:52157 (ESTABLISHED) sshd 29009 root 32u IPv4 98454 0t0 TCP 127.0.0.1:52157 ->127.0.0.1:3350 (ESTABLISHED) * > > # *8 make test failes here: > > run test integrity.sh ... > > test integrity: hmac-sha1 @2900 Invalid modification spec > "xor:2900:1" > > ssh_exchange_identification: Connection closed by remote host. > > unexpected error mac hmac-sha1 at 2900 > > This one is strange - the modpipe tool is not parsing its commandline > properly. I suspect that HP/UX's sscanf(3) lacks the "hh" conversion. > > Could you try this patch? > > > Index: regress/modpipe.c > =================================================================== > RCS file: /var/cvs/openssh/regress/modpipe.c,v > retrieving revision 1.5 > diff -u -p -r1.5 modpipe.c > --- regress/modpipe.c 20 Feb 2013 10:16:09 -0000 1.5 > +++ regress/modpipe.c 3 Mar 2013 23:44:12 -0000 > @@ -74,20 +76,29 @@ static void > parse_modification(const char *s, struct modification *m) > { > char what[16+1]; > - int n; > + int n, m1, m2; > > bzero(m, sizeof(*m)); > - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%hhi%*[:]%hhi", > - what, &m->offset, &m->m1, &m->m2)) < 3) > + if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", > + what, &m->offset, &m1, &m2)) < 3) > errx(1, "Invalid modification spec \"%s\"", s); > if (strcasecmp(what, "xor") == 0) { > - m->what = MOD_XOR; > if (n > 3) > errx(1, "Invalid modification spec \"%s\"", s); > + if (m1 < 0 || m1 > 0xff) > + errx(1, "Invalid XOR modification value"); > + m->what = MOD_XOR; > + m->m1 = m1; > } else if (strcasecmp(what, "andor") == 0) { > - m->what = MOD_AND_OR; > if (n != 4) > errx(1, "Invalid modification spec \"%s\"", s); > + if (m1 < 0 || m1 > 0xff) > + errx(1, "Invalid AND modification value"); > + if (m2 < 0 || m2 > 0xff) > + errx(1, "Invalid OR modification value"); > + m->what = MOD_AND_OR; > + m->m1 = m1; > + m->m2 = m2; > } else > errx(1, "Invalid modification type \"%s\"", what); > } > * * *?This seems to have fixed the issue on hp-ux 11.23 - running regression tests against all builds using both modepipe.c patches applied to ?openssh-SNAP-20130305.tar.gz as openssh-SNAP-20130305-p2.tar.gz. Will report status when done.* -- # include /* Kevin Brott */ From kevin.brott at gmail.com Tue Mar 5 08:33:08 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 4 Mar 2013 13:33:08 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130305.tar.gz + modpipe.c patch #1 + modpipe.c patch #2 = openssh-SNAP-20130305-p2.tar.gz OS Build_Target CC OpenSSL BUILD TEST ============== =========================== ================ ============ ===== ================= RHEL 2.1 i686-pc-linux-gnu gcc 2.96-129.7.2 0.9.6b-eng OK all tests passed RHL 8.0 i686-pc-linux-gnu gcc 3.2.2-5 0.9.7a OK all tests passed RHEL 3.0 i686-pc-linux-gnu gcc 3.2.3-20 0.9.7a OK all tests passed Fedora Core r2 i686-pc-linux-gnu gcc 3.3.3-7 0.9.7a OK*1 all tests passed RHEL 4.0 nu6 i686-pc-linux-gnu gcc 3.4.6 0.9.7a OK*1 all tests passed RHEL 4.0 nu8 x86_64-unknown-linux-gnu gcc 3.4.6-8 0.9.7a OK*1 all tests passed RHEL 5.4 i686-pc-linux-gnu gcc 4.1.2-46 0.9.8e-fips OK all tests passed RHEL 5.5 i686-pc-linux-gnu gcc 4.1.2-48 0.9.8x OK*2 all tests passed RHEL 5.5 x86_64-redhat-linux gcc 4.1.2-48 0.9.8e-fips OK all tests passed RHEL 5.6 i686-pc-linux-gnu gcc 4.1.2-50 0.9.8e-fips OK all tests passed RHEL 5.6 x86_64-redhat-linux gcc 4.1.2-50 0.9.8x OK*2 all tests passed RHEL 5.7 i686-redhat-linux gcc 4.1.2-51 0.9.8e-fips OK all tests passed RHEL 5.7 x86_64-redhat-linux gcc 4.1.2-51 0.9.8x OK*4 all tests passed RHEL 5.8 i686-redhat-linux gcc 4.1.2-52 0.9.8e-fips OK all tests passed RHEL 5.8 x86_64-redhat-linux gcc 4.1.2-52 0.9.8x OK*2 all tests passed RHEL 5.9 x86_64-redhat-linux gcc 4.1.2-54 0.9.8x OK*4 all tests passed RHEL 6.2 i686-redhat-linux gcc 4.4.6-3 0.9.8x OK*2 all tests passed RHEL 6.2 x86_64-redhat-linux gcc 4.4.6-3 1.0.0-fips OK all tests passed Ubuntu 8.04.04 i686-pc-linux-gnu gcc 4.2.4-1ubuntu4 0.9.8g OK all tests passed Ubuntu 11.10 x86_64-linux-gnu gcc 4.6.1-2ubuntu5 1.0.0e OK all tests passed AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 08.00.0000.0016 0.9.8k OK*3 all tests passed AIX 5300-12-04 powerpc-ibm-aix5.3.0.0 gcc 4.2.0 0.9.8k OK all tests passed AIX 6100-07-06 powerpc-ibm-aix6.1.0.0 gcc 4.2.0 0.9.8x OK all tests passed AIX 6100-07-06 powerpc-ibm-aix6.1.0.0 xlc 11.01.0000.0012 0.9.8x OK all tests passed AIX 7100-02-01 powerpc-ibm-aix7.1.0.0 xlc 11.01.0000.0012 0.9.8x OK all tests passed HP-UX 11.23 ia64-hp-hpux11.23 gcc 4.1.1 0.9.8w OK all tests passed HP-UX 11.31 ia64-hp-hpux11.31 gcc 4.6.2 0.9.8t OK all tests passed HP-UX 11.31 ia64-hp-hpux11.31 aCC A.06.20 0.9.8t OK all tests passed # RHL Red Hat Linux # RHEL Red Hat Enterprise Linux # *1 --without-zlib-version-check # *2 missing headers - so zlib 1.2.7 and openssl 0.9.8x in /var/tmp/ssh/ # *3 missing zlib.h - so zlib 1.2.7 /var/tmp/ssh/ # *4 missing openssl.h - so openssl 0.9.8x in /var/tmp/ssh/ ?My last usable hppa2.0w-hp-hpux11.11 build host ?finally got retired, so I can't speak to ?Amit's build issue - but I'll bet anything it's a compile environment issue ?, not a result of the patch - which shouldn't cause that output. Trying to see if I can scrounge time on any of the (few) remaining 11.11 boxes we have can be borrowed for a test run. Otherwise those two patches to modpipe.c seem to have resolved the build/test failures. From djm at mindrot.org Tue Mar 5 09:53:10 2013 From: djm at mindrot.org (Damien Miller) Date: Tue, 5 Mar 2013 09:53:10 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: On Mon, 4 Mar 2013, Kevin Brott wrote: > ? > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130305.tar.gz > + modpipe.c patch #1 > + modpipe.c patch #2 > = openssh-SNAP-20130305-p2.tar.gz [snip extensive, passing test results] Thanks! These patches have been applied and will be in tomorrow's snapshot and, of course, the release. -d From kevin.brott at gmail.com Tue Mar 5 11:43:41 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 4 Mar 2013 16:43:41 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: Confirmed Amit's issue on HP-UX 11.11 ... something is broken on this OS version - appears to be compiler-independent ... as he's getting it via the HP cc, and I'm seeing it in gcc as well. target hppa2.0w-hp-hpux11.11 using gcc 4.1.1 ./configure - MOSTLY OK ... checking whether vsnprintf returns correct values on overflow... no configure: WARNING: ****** Your vsnprintf() function is broken, complain to your vendor checking whether snprintf can declare const char *fmt... yes ... checking if setrlimit RLIMIT_FSIZE works... yes ./configure[12173]: ==: A test command parameter is not valid. checking for long long... yes ... checking if your system defines _PATH_LASTLOG... no configure: WARNING: ** Cannot find lastlog ** checking if your system defines UTMP_FILE... yes ... Host: hppa2.0w-hp-hpux11.11 Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 Preprocessor flags: -I/var/tmp/ssh/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 Linker flags: -L/var/tmp/ssh/lib Libraries: -lcrypto -lz -lnsl -lxnet -lsec WARNING: the operating system that you are using does not appear to support getpeereid(), getpeerucred() or the SO_PEERCRED getsockopt() option. These facilities are used to enforce security checks to prevent unauthorised connections to ssh-agent. Their absence increases the risk that a malicious user can connect to your agent. make tests- FAILS: ... ranlib libopenbsd-compat.a gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I. -I/var/tmp/ssh/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" CC=gcc -DHAVE_CONFIG_H -c authfd.c gcc: CC=gcc: No such file or directory *** Error exit code 1 Doesn't seem to matter if shell is /usr/bin/ksh, /usr/bin/sh, or /usr/old/bin/sh - same results either way ... On Mon, Mar 4, 2013 at 2:53 PM, Damien Miller wrote: > On Mon, 4 Mar 2013, Kevin Brott wrote: > > > ? > > > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130305.tar.gz > > + modpipe.c patch #1 > > + modpipe.c patch #2 > > = openssh-SNAP-20130305-p2.tar.gz > > [snip extensive, passing test results] > > Thanks! These patches have been applied and will be in tomorrow's snapshot > and, of course, the release. > > -d > -- # include /* Kevin Brott */ From dtucker at zip.com.au Tue Mar 5 20:03:39 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 5 Mar 2013 20:03:39 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: <20130305090339.GA9108@gate.dtucker.net> On Mon, Mar 04, 2013 at 04:43:41PM -0800, Kevin Brott wrote: > Confirmed Amit's issue on HP-UX 11.11 ... something is broken on this OS > version - appears to be compiler-independent ... as he's getting it via the > HP cc, and I'm seeing it in gcc as well. > checking if setrlimit RLIMIT_FSIZE works... yes > ./configure[12173]: ==: A test command parameter is not valid. Fixed, thanks. > gcc: CC=gcc: No such file or directory > *** Error exit code 1 I dusted off my old HP workstation and I can reproduce this one, although I have no clue why yet. I'll look some more. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Mar 5 20:18:17 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 5 Mar 2013 20:18:17 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130305090339.GA9108@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> Message-ID: <20130305091817.GB9108@gate.dtucker.net> On Tue, Mar 05, 2013 at 08:03:39PM +1100, Darren Tucker wrote: > On Mon, Mar 04, 2013 at 04:43:41PM -0800, Kevin Brott wrote: > > gcc: CC=gcc: No such file or directory > > *** Error exit code 1 > > I dusted off my old HP workstation and I can reproduce this one, > although I have no clue why yet. I'll look some more. it *does* seem related to make, though, since it'll build fine with GNU make. Looking at the changelog, this one is my immediate suspect: ---------------------------- revision 1.329 date: 2012-12-17 15:59:43 +1100; author: dtucker; state: Exp; lines: +4 -1; - (dtucker) [Makefile.in] Add some scaffolding so that the new regress tests will work with VPATH directories. ---------------------------- What's weird is that it doesn't seem to have happened on any other platform, even the dingy old ones. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Mar 5 21:45:03 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 5 Mar 2013 21:45:03 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130305091817.GB9108@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> Message-ID: <20130305104503.GA11704@gate.dtucker.net> On Tue, Mar 05, 2013 at 08:18:17PM +1100, Darren Tucker wrote: > it *does* seem related to make, though, since it'll build fine with GNU > make. I think I found it. Makefile.in has: PATHS= -DSSHDIR=\"$(sysconfdir)\" \ ... -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ CC=gcc CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ Note the trailing "\" on the last line of PATHS=. It looks like HP-UX's make ignores the blank line (which is probably a bug) and appends CC=gcc to $(PATHS). Eventually make runs: cc ... -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" CC=gcc -DHAVE_CONFIG_H -c authfd.c which chokes. It's been there a lot longer than than I expected: revision 1.322 date: 2011-05-05 13:48:37 +1000; author: djm; state: Exp; lines: +10 -40; - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms. This patch ought to fix it: Index: Makefile.in =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/Makefile.in,v retrieving revision 1.333 diff -u -r1.333 Makefile.in --- Makefile.in 21 Feb 2013 23:40:00 -0000 1.333 +++ Makefile.in 5 Mar 2013 10:33:13 -0000 @@ -37,7 +37,7 @@ -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ - -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ + -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" CC=@CC@ LD=@LD@ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kevin.brott at gmail.com Wed Mar 6 03:42:36 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 5 Mar 2013 08:42:36 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130305104503.GA11704@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: Looks like that did the trick - my old 11.11 build/test host did have GNU make on it (required for some other packages I build), so I never ran into this one before. The loaner I'm running this test on is pretty 'stock' except for the gcc install, et voila! openssh-SNAP-20130306.tar.gz seems to be building cleanly across all my hosts - I'll report back if anything else blows up. Oops .... spoke too soon ... I did say this was a stock host: so no ssh already installed ... and I don't have root here ... $ make tests .... test "no" != yes || \ /var/tmp/ssh/openssh/ssh-keygen -Bf /var/tmp/ssh/openssh/regress//t9.out > /dev/null run test connect.sh ... Privilege separation user sshd does not exist FATAL: sshd_proxy broken *** Error exit code 1 Stop. *** Error exit code 1 Stop. Sooo ... it looks like I ought to be able get around this with: TLIB=/var/tmp/ssh ./configure --with-zlib=$TLIB --with-privsep-user=nobody --with-privsep-path=$TLIB/empty But noooo ... "/var/tmp/ssh/empty must be owned by root and not group or world-writable." Just wondering - is everybody just configuring and compiling as root these days? *licks gums* "Why in my day, we rolled everything by hand and then used root just to place files" :p Guess I'll have to bug the admin to see if I can schmooze him into changing the root password temporarily so I can run the bloody tests all the way out ... (damn bloody regional territoriality anyway). From kevin.brott at gmail.com Wed Mar 6 04:07:32 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 5 Mar 2013 09:07:32 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: ?So - got root temporarily - followed README.privsep to create sshd user/group and /var/empty m ?ake tests . ?... run test connect.sh ... ok simple connect run test proxy-connect.sh ... ok proxy connect run test connect-privsep.sh ... Connection closed by UNKNOWN WARNING: ssh privsep/sandbox+proxyconnect protocol 1 failed Connection closed by UNKNOWN WARNING: ssh privsep/sandbox+proxyconnect protocol 2 failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt '' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt '' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'A' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'A' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'F' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'F' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'G' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'G' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'H' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'H' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'J' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'J' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'P' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'P' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'R' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'R' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'S' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'S' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'X' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'X' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt 'Z' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt 'Z' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt '<' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt '<' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 1 mopt '>' failed Connection closed by UNKNOWN ssh privsep/sandbox+proxyconnect protocol 2 mopt '>' failed failed proxy connect with privsep *** Error exit code 1 Stop. *** Error exit code 1 Stop. B ?leah. From openssh at roumenpetrov.info Wed Mar 6 07:19:47 2013 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Tue, 05 Mar 2013 22:19:47 +0200 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130305091817.GB9108@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> Message-ID: <51365363.2020503@roumenpetrov.info> Darren Tucker wrote: > On Tue, Mar 05, 2013 at 08:03:39PM +1100, Darren Tucker wrote: >> On Mon, Mar 04, 2013 at 04:43:41PM -0800, Kevin Brott wrote: >>> gcc: CC=gcc: No such file or directory >>> *** Error exit code 1 >> I dusted off my old HP workstation and I can reproduce this one, >> although I have no clue why yet. I'll look some more. > it *does* seem related to make, though, since it'll build fine with GNU > make. Looking at the changelog, this one is my immediate suspect: > > ---------------------------- > revision 1.329 > date: 2012-12-17 15:59:43 +1100; author: dtucker; state: Exp; lines: > +4 -1; > - (dtucker) [Makefile.in] Add some scaffolding so that the new regress > tests will work with VPATH directories. > ---------------------------- > > What's weird is that it doesn't seem to have happened on any other > platform, even the dingy old ones. > After revision 1.329 above modpipe is changed by another commit to : ---- regress/modpipe: $(srcdir)/regress/modpipe.c [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ $(CC) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) ---- First target lack $(EXEXT) and second I cannot understand why lines ends with \ . Probably is fixed is master repository as my extract is out of date about two weeks old. Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From tim at multitalents.net Wed Mar 6 09:27:14 2013 From: tim at multitalents.net (Tim Rice) Date: Tue, 5 Mar 2013 14:27:14 -0800 (PST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <51365363.2020503@roumenpetrov.info> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <51365363.2020503@roumenpetrov.info> Message-ID: On Tue, 5 Mar 2013, Roumen Petrov wrote: > After revision 1.329 above modpipe is changed by another commit to : > ---- > regress/modpipe: $(srcdir)/regress/modpipe.c > [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ > $(CC) $(CPPFLAGS) -o $@ $? \ > $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) > ---- > > First target lack $(EXEXT) and second I cannot understand why lines ends with > \ . Thanks for spotting the missing $(EXEXT). Fixed now. > Probably is fixed is master repository as my extract is out of date about two > weeks old. > > > Roumen > -- Tim Rice Multitalents tim at multitalents.net From forumnemail at gmail.com Tue Mar 5 19:21:08 2013 From: forumnemail at gmail.com (Stephen Thatcher) Date: Tue, 05 Mar 2013 00:21:08 -0800 Subject: Help connecting to SOCKS5 proxy server with Open SSH Message-ID: <5135AAF4.2010205@gmail.com> My desire is to form a connection from my laptop running ubuntu to a SOCKS5 server listed on the Internet. I have read the Ubuntu man page on OpenSSH client program. The description indicates that I have to connect to given host name (assumed to be an ip address?) with optional username. I want the server receive my Internet traffic in SOCKS5 protocol and respond to my computer the requested encrypted web traffic. I have heard that firefox needs to connect to the SSH client on my side using dynamic port forwarding, therefore this is necessary for me. From the Man-Page, receiving what command needed for me to send the client, through 'ssh' terminal command. Interpreting Wikipedia's definitions of the SOCKS5 protocol, has revealed that I have to 'TCP/IP stream' to the proxy server. The SOCKS5 protocol is defined in RFC 1928. It is an extension of the SOCKS4 protocol. It offers more choices of authentication, adds support for IPv6 and UDP that can be used for DNS lookups. The initial handshake now consists of the following: Client connects and sends a greeting which includes a list of authentication methods supported. Server chooses one (or sends a failure response if none of the offered methods are acceptable). Several messages may now pass between the client and the server depending on the authentication method chosen. Client sends a connection request similar to SOCKS4. Server responds similar to SOCKS4. The authentication methods supported are numbered as follows: 0x00: No authentication 0x01: GSSAPI[11] 0x02: Username/Password[12] 0x03-0x7F: methods assigned by IANA[13] 0x80-0xFE: methods reserved for private use The initial greeting from the client is field 1: SOCKS version number (must be 0x05 for this version) field 2: number of authentication methods supported, 1 byte field 3: authentication methods, variable length, 1 byte per method supported Wikipedia's knowledge of SOCKS5 protocol and proxy server connection request. Step 1 in the initial handshake is 'connecting' to server and including a list of authentication methods supported. I need the right commands for this. Lets say I want to connect to SOCKS5 proxy server 72.230.89.105:3816 @ hostname: cpe-72-230-89-105.twcny.res.rr.com. Could I enter in terminal : "ssh -2 cpe-72-230-89-105.twcny.res.rr.com"? When I do, it says ssh: connect to host cpe-72-230-89-105.twcny.res.rr.com port 22: Connection refused. Why is the connection being refused? Why is the connection attempting to be made on the hosts port 22? Lets say I connected to the SOCKS server somehow. Would the server choose not to use authentication and respond that choice to me? Lets say no authentication was accepted by my client and the server. Can I local forward a random port(7763) to the server with this terminal command: ssh -L [localhost:]7763:72.230.89.105:3816. Then would I want to enter: ssh -D [localhost:]10255. Following by setting up firefox to connect to SOCKS5 proxy server: localhost on port 7763? From mouring at eviladmin.org Wed Mar 6 11:59:11 2013 From: mouring at eviladmin.org (Ben Lindstrom) Date: Tue, 5 Mar 2013 18:59:11 -0600 Subject: Help connecting to SOCKS5 proxy server with Open SSH In-Reply-To: <5135AAF4.2010205@gmail.com> References: <5135AAF4.2010205@gmail.com> Message-ID: On Mar 5, 2013, at 2:21 AM, Stephen Thatcher wrote: [..] > Wikipedia's knowledge of SOCKS5 protocol and proxy server connection request. > Step 1 in the initial handshake is 'connecting' to server and including a list of authentication methods supported. I need the right commands for this. Lets say I want to connect to SOCKS5 proxy server 72.230.89.105:3816 @ hostname: cpe-72-230-89-105.twcny.res.rr.com. > Could I enter in terminal : "ssh -2 cpe-72-230-89-105.twcny.res.rr.com"? When I do, it says ssh: connect to host cpe-72-230-89-105.twcny.res.rr.com port 22: Connection refused. > Why is the connection being refused? Why is the connection attempting to be made on the hosts port 22? > Lets say I connected to the SOCKS server somehow. Would the server choose not to use authentication and respond that choice to me? > Lets say no authentication was accepted by my client and the server. Can I local forward a random port(7763) to the server with this terminal command: > ssh -L [localhost:]7763:72.230.89.105:3816. Then would I want to enter: ssh -D [localhost:]10255. Following by setting up firefox to connect to SOCKS5 proxy server: localhost on port 7763? You are confusing two different aspects. Ssh doesn't know how to use socks5 as a proxy method by default. It knows how to create an SOCKS5 proxy, and it has a generic "proxy" interface to allow you to call a 3rd party program to do the proxy for you. The reason for the latter is to allow people to do http proxy, or any other method of doing proxy without having to hack the ssh code for every unique proxy type. ** ssh as a socks5 proxy server: $ ssh -D 8080 bastin.company.com [Authenticate] Start firefox, set SOCKS5 proxy to localhost:8080 ** ssh USING a socks5 proxy server: However, if you want ssh to use a SOCKS5 proxy you need a 3rd party packages like: http://paulbetts.org/connect-proxy.tar.bz2 And setup a ~/.ssh/config like: Host * ProxyCommand connect-proxy -R both -5 -S socks5.proxyserver.com:1080 %h %p Then any attempt at using ssh will use connect-proxy to open a channel to socks5.proxyserver.com then will open a connection to the %h and try talk to it via ssh. - Ben From dtucker at zip.com.au Wed Mar 6 12:51:09 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 6 Mar 2013 12:51:09 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <51365363.2020503@roumenpetrov.info> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <51365363.2020503@roumenpetrov.info> Message-ID: <20130306015109.GA28258@gate.dtucker.net> On Tue, Mar 05, 2013 at 10:19:47PM +0200, Roumen Petrov wrote: > After revision 1.329 above modpipe is changed by another commit to : > ---- > regress/modpipe: $(srcdir)/regress/modpipe.c > [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ > $(CC) $(CPPFLAGS) -o $@ $? \ > $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) > ---- > > First target lack $(EXEXT) and second I cannot understand why lines > ends with \ . the line first need not since it tests for the presence of the directory first, but the last two lines are actually a single command to compile and link although it looks a bit like separate steps (I thought that at first glance). Anyway it should be harmless so I'd be inclined to leave it until after the release to change it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Mar 6 14:57:20 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 6 Mar 2013 14:57:20 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Wed, Mar 6, 2013 at 4:07 AM, Kevin Brott wrote: [...] > WARNING: ssh privsep/sandbox+proxyconnect protocol 1 failed > Connection closed by UNKNOWN OK, I've reproduced this one too. Here's what I did (Colin, this may provide some hints for your case too): I stuck "exit 1" at the bottom of the "fail" function in test-exec.sh then ran: $ env TEST_SSH_LOGFILE=/tmp/sshd.log SUDO=sudo make tests LTESTS=connect-privsep and in /tmp/sshd.log I found: ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid argument [preauth] so, setrlimit is the problem, but only for UsePrivilegeSeparation=sandbox. Not sure why though (or, for that matter, why the test in configure didn't catch it). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Mar 6 15:25:45 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 6 Mar 2013 15:25:45 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Wed, Mar 6, 2013 at 2:57 PM, Darren Tucker wrote: > ssh_sandbox_child: setrlimit(RLIMIT_NOFILE, { 0, 0 }): Invalid > argument [preauth] > > so, setrlimit is the problem, but only for > UsePrivilegeSeparation=sandbox. Not sure why though (or, for that > matter, why the test in configure didn't catch it). it's a different problem to what's in the configure test. It looks like HP-UX does not allow you to set RLIMIT_NOFILE below the number of descriptors you currently have open. with this little test program: #include #include #include #include int main(void) { int i, r; struct rlimit rl; for (i = 5; i >= 0; i--) { rl.rlim_cur = rl.rlim_max = i; r = setrlimit(RLIMIT_NOFILE, &rl); printf("%d %s %s\n", i, r == 0 ? "ok" : "fail", r == 0 ? "" : strerror(errno)); } } I get it start to fail at 2, and if I add a "close(2)" at the top it then fails at 1. This makes it effectively useless for the sandbox, since there's nothing to stop a compromised slave recycling descriptors. I'll look at adding a test for that and set SANDBOX_NULL in that case. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Mar 6 17:06:02 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 6 Mar 2013 17:06:02 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: <20130306060602.GA2118@gate.dtucker.net> On Wed, Mar 06, 2013 at 03:25:45PM +1100, Darren Tucker wrote: > it's a different problem to what's in the configure test. It looks > like HP-UX does not allow you to set RLIMIT_NOFILE below the number of > descriptors you currently have open. [...] > descriptors. I'll look at adding a test for that and set SANDBOX_NULL > in that case. This seems to work for me. Note: you'll need to run "autoreconf" to rebuild configure. Index: configure.ac =================================================================== RCS file: /openssh_cvs/openssh/configure.ac,v retrieving revision 1.511 diff -u -r1.511 configure.ac --- configure.ac 5 Mar 2013 08:57:39 -0000 1.511 +++ configure.ac 6 Mar 2013 06:03:43 -0000 @@ -2690,6 +2690,32 @@ [AC_MSG_WARN([cross compiling: assuming yes])] ) +AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include +#ifdef HAVE_SYS_TIME_H +# include +#endif +#include +#include +#include + ]],[[ + struct rlimit rl_zero; + int fd, r; + fd_set fds; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + r = setrlimit(RLIMIT_NOFILE, &rl_zero); + exit (r == -1 ? 1 : 0); + ]])], + [AC_MSG_RESULT([yes]) + rlimit_nofile_zero_works=yes], + [AC_MSG_RESULT([no]) + rlimit_nofile_zero_works=no], + [AC_MSG_WARN([cross compiling: assuming yes])] +) + AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) AC_RUN_IFELSE( [AC_LANG_PROGRAM([[ @@ -2744,7 +2770,8 @@ AC_DEFINE([SANDBOX_SECCOMP_FILTER], [1], [Sandbox using seccomp filter]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \ - test "x$select_works_with_rlimit" = "xyes" ) ; then + test "x$select_works_with_rlimit" = "xyes" && \ + test "x$rlimit_nofile_zero_works" = "xyes" ) ; then test "x$ac_cv_func_setrlimit" != "xyes" && \ AC_MSG_ERROR([rlimit sandbox requires setrlimit function]) test "x$select_works_with_rlimit" != "xyes" && \ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From des at des.no Wed Mar 6 23:59:53 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Wed, 06 Mar 2013 13:59:53 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: (Damien Miller's message of "Wed, 27 Feb 2013 09:09:29 +1100 (EST)") References: Message-ID: <86y5e0smye.fsf@ds4.des.no> Damien Miller writes: > It's that time again... SNAP-20130306 builds fine on FreeBSD 9. On FreeBSD 10, it still gets confused about utmp / wtmp / utmpx, just like 6.0 and 6.1. This is because of code in loginrec.c that tries to use utmp without checking whether it's available. Line 625 says #if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN) which may be true even if UTMP is not available. DES -- Dag-Erling Sm?rgrav - des at des.no From des at des.no Thu Mar 7 01:05:36 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Wed, 06 Mar 2013 15:05:36 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <86y5e0smye.fsf@ds4.des.no> ("Dag-Erling =?utf-8?Q?Sm=C3=B8rg?= =?utf-8?Q?rav=22's?= message of "Wed, 06 Mar 2013 13:59:53 +0100") References: <86y5e0smye.fsf@ds4.des.no> Message-ID: <86ip54sjwv.fsf@ds4.des.no> Dag-Erling Sm?rgrav writes: > On FreeBSD 10, it still gets confused about utmp / wtmp / utmpx, just > like 6.0 and 6.1. [...] Apparently, configure looks for log files instead of checking that the relevant APIs are available. This trips it up on long-lived machines that have old log files left over. I worked around it by explicitly specifying --disable-{utmp,wtmp,lastlog}. DES -- Dag-Erling Sm?rgrav - des at des.no From highc at us.ibm.com Thu Mar 7 01:14:45 2013 From: highc at us.ibm.com (Chris High) Date: Wed, 6 Mar 2013 09:14:45 -0500 Subject: AUTO: Chris High/Endicott/IBM is out of the office until 07/08/2002. (returning 03/07/2013) Message-ID: I am out of the office until 03/07/2013. Out sick today. Sudo review items - Sudo Deployment AG/Hartford/IBM, SSAE16 'hot topic' items - Pat Brady Issues requiring immediate management attention may be referred to my manager, Harish Dindigal/Whippany/IBM Note: This is an automated response to your message "openssh-unix-dev Digest, Vol 119, Issue 6" sent on 03/06/2013 8:00:09. This is the only notification you will receive while this person is away. From openssh at roumenpetrov.info Thu Mar 7 07:59:53 2013 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Wed, 06 Mar 2013 22:59:53 +0200 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130306060602.GA2118@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> <20130306060602.GA2118@gate.dtucker.net> Message-ID: <5137AE49.1000901@roumenpetrov.info> Darren Tucker wrote: > [SNIP] > . > This seems to work for me. Note: you'll need to run "autoreconf" to > rebuild configure. > [SNIP] > +AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) > +AC_RUN_IFELSE( May I ask if configure script use AC_RUN_IFELSE to ensure that users could set appropriate defaults in case of cross-compilation . Lets ensure next version to be more user friendly in case of cross-compilation. Roumen From tgc at jupiterrise.com Thu Mar 7 08:07:22 2013 From: tgc at jupiterrise.com (Tom Christensen) Date: Wed, 06 Mar 2013 22:07:22 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: Message-ID: <5137B00A.7000009@jupiterrise.com> On 02/26/2013 11:09 PM, Damien Miller wrote: > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > I tried to build the 20130307 snapshot on IRIX 5.3 but ran into problems. First problem is that configure hangs in the select+rlimit test. Taking away the setrlimit calls changes nothing so I guess it might have something to do with the use of /dev/null, though replacing /dev/null with /dev/zero does not help either. There did not seem to be a way to bypass the test (ie. setting something like 'select_works_with_rlimit=no') so I had to modify configure to avoid it. Bypassing the select+rlimit test the build then continues until this happens: gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -I/usr/tgcware/include/openssl -I/usr/tgcware/include -DHAVE_CONFIG_H -c port-tun.c In file included from port-tun.c:24: /usr/include/netinet/ip.h:34: error: redefinition of `struct ip' /usr/include/netinet/ip.h:112: error: redefinition of `struct ip_timestamp' /usr/include/netinet/ip.h:124: error: redefinition of `union ipt_timestamp' /usr/include/netinet/ip.h:126: error: redefinition of `struct ipt_ta' make[1]: *** [port-tun.o] Error 1 As a workaround I removed #include #include from defines.h. With that workaround the build then continues until sshd is linked: gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o -L. -Lopenbsd-compat/ -Wl,-rpath,/usr/tgcware/lib -L/usr/tgcware/lib -Wl,-no_rqs -lssh -lopenbsd-compat -lcrypto -lz -lgen ld: ERROR 33: Unresolved text symbol "usleep" -- 1st referenced by sshd.o. ld: INFO 60: Output file removed because of error. collect2: ld returned 1 exit status IRIX 5.3 does not have usleep anywhere. I worked around this by replacing usleep with sginap. A generic IRIX issue is the use of killpg in sshd.c. sshd.c: In function `grace_alarm_handler': sshd.c:368: warning: implicit declaration of function `killpg' On IRIX using this function requires _BSD_SIGNALS to be defined otherwise results are unpredictable. See the manpage here for more details: http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?cmd=getdoc&coll=0650&db=man&fname=3%20killpg Looking at the kill() manpage it seems to me that killpg could be replaced with kill(0, SIGTERM) to achieve the same thing. With all the workarounds I can get the build to complete. The testsuite hangs in the 'test stderr data transfer: proto 2' tests (both with and without -n) which is unchanged from previous releases. -tgc From openssh at roumenpetrov.info Thu Mar 7 08:40:25 2013 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Wed, 06 Mar 2013 23:40:25 +0200 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130306015109.GA28258@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <51365363.2020503@roumenpetrov.info> <20130306015109.GA28258@gate.dtucker.net> Message-ID: <5137B7C9.1010506@roumenpetrov.info> Darren Tucker wrote: > On Tue, Mar 05, 2013 at 10:19:47PM +0200, Roumen Petrov wrote: >> After revision 1.329 above modpipe is changed by another commit to : >> ---- >> regress/modpipe: $(srcdir)/regress/modpipe.c >> [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ >> $(CC) $(CPPFLAGS) -o $@ $? \ >> $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) >> ---- >> >> First target lack $(EXEXT) and second I cannot understand why lines >> ends with \ . > the line first need not since it tests for the presence of the directory > first, but the last two lines are actually a single command to compile > and link although it looks a bit like separate steps (I thought that at > first glance). Anyway it should be harmless so I'd be inclined to leave > it until after the release to change it. I'm sorry maybe I'm wrong. Currently I do have access to build environment to test multiprocess build. May be I'm wrong but Makefile in regress directory is linked to source file, in case of VPATH build, .i.e build out of source tree. The rule, if i remember well, create subdirectory 'regress'. Now new target introduced in 6.2 try to create same directory. I mean that I prefer to write rule with two shell execution as creation of directory to be hidden from users : - at mkdir foo 2>/dev/null || : $(CC) ... -o foo/bar.o \ ...... Between test and creation of subdirectory another parallel process could create subdir and as result users will see failure message for directory creation followed by successful compilation. Please ignore my post if the current make rules ensure consecutive execution , i.e. go ahead with new release. I will check later new target rule. Previous one was not correct as modpipe object file was created in source tree. It seems to me this is resolved with new target. Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From djm at mindrot.org Thu Mar 7 10:30:21 2013 From: djm at mindrot.org (Damien Miller) Date: Thu, 7 Mar 2013 10:30:21 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <86y5e0smye.fsf@ds4.des.no> References: <86y5e0smye.fsf@ds4.des.no> Message-ID: On Wed, 6 Mar 2013, Dag-Erling Sm?rgrav wrote: > Damien Miller writes: > > It's that time again... > > SNAP-20130306 builds fine on FreeBSD 9. > > On FreeBSD 10, it still gets confused about utmp / wtmp / utmpx, just > like 6.0 and 6.1. This is because of code in loginrec.c that tries to > use utmp without checking whether it's available. Line 625 says > > #if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN) > > which may be true even if UTMP is not available. Isn't that block just utility functions? Whether they are actually called or not is determined by the more granular #ifdefs in login_write() -d From djm at mindrot.org Thu Mar 7 10:33:12 2013 From: djm at mindrot.org (Damien Miller) Date: Thu, 7 Mar 2013 10:33:12 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <86ip54sjwv.fsf@ds4.des.no> References: <86y5e0smye.fsf@ds4.des.no> <86ip54sjwv.fsf@ds4.des.no> Message-ID: On Wed, 6 Mar 2013, Dag-Erling Sm?rgrav wrote: > Dag-Erling Sm?rgrav writes: > > On FreeBSD 10, it still gets confused about utmp / wtmp / utmpx, just > > like 6.0 and 6.1. [...] > > Apparently, configure looks for log files instead of checking that the > relevant APIs are available. This trips it up on long-lived machines > that have old log files left over. I worked around it by explicitly > specifying --disable-{utmp,wtmp,lastlog}. The detection of the login recording could probably do with an overhaul. What version of FreeBSD deprecated these? What is you host system type as reported by configure? I'll at least be able to add these to configure.ac -d From dtucker at zip.com.au Thu Mar 7 15:42:39 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 7 Mar 2013 15:42:39 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <5137AE49.1000901@roumenpetrov.info> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> <20130306060602.GA2118@gate.dtucker.net> <5137AE49.1000901@roumenpetrov.info> Message-ID: On Thu, Mar 7, 2013 at 7:59 AM, Roumen Petrov wrote: > Darren Tucker wrote: [...] >> +AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) >> +AC_RUN_IFELSE( > > May I ask if configure script use AC_RUN_IFELSE to ensure that users could > set appropriate defaults in case of cross-compilation . I guess it depends on what you consider "appropriate" in this case. This one defaults to assuming that RLIMIT_NOFILE with zero descriptors works, which is the case for the majority of platforms we know about. If it doesn't you'll get a cross-compiled binary that will fail at startup rather than have a weaker sandbox than expected. If you're willing to accept that you can always manually set the sandbox at configure time. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From ajclements at gmail.com Thu Mar 7 17:58:03 2013 From: ajclements at gmail.com (Andy Clements) Date: Thu, 7 Mar 2013 00:58:03 -0600 Subject: OpenSSH-6.2 tests Message-ID: I ran the tests for the latest snapshot (openssh-SNAP-20130307.tar.gz), and all tests reported passed. Full results can be sent, but the zip I originally tried was blocked. My system: Linux rigel 2.6.38-gentoo-r6 #1 SMP Sat Jun 25 13:48:28 CDT 2011 x86_64 Intel(R) Xeon(R) CPU X5355 @ 2.66GHz GenuineIntel GNU/Linux Andy Clements From des at des.no Thu Mar 7 20:32:11 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Thu, 07 Mar 2013 10:32:11 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: (Damien Miller's message of "Thu, 7 Mar 2013 10:30:21 +1100 (EST)") References: <86y5e0smye.fsf@ds4.des.no> Message-ID: <86ehfrsgh0.fsf@ds4.des.no> Damien Miller writes: > Isn't that block just utility functions? Whether they are actually called > or not is determined by the more granular #ifdefs in login_write() Doesn't matter whether or not they're called... the problem is that they use APIs that don't exist in FreeBSD 10, so they break the build. DES -- Dag-Erling Sm?rgrav - des at des.no From des at des.no Thu Mar 7 22:41:10 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Thu, 07 Mar 2013 12:41:10 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: (Damien Miller's message of "Thu, 7 Mar 2013 10:33:12 +1100 (EST)") References: <86y5e0smye.fsf@ds4.des.no> <86ip54sjwv.fsf@ds4.des.no> Message-ID: <866213sai1.fsf@ds4.des.no> Damien Miller writes: > What version of FreeBSD deprecated these? What is you host system type > as reported by configure? I'll at least be able to add these to > configure.ac We switched from utmp to utmpx in 9 on 2010-01-13. FreeBSD 8 and older still have utmp. Any machine that at one point ran FreeBSD 8 or older, or FreeBSD 9 prior to 2010-01-13, and has since then been upgraded to a newer version of FreeBSD 9 or 10 is likely to have old log files lying around even though the interfaces are no longer available. The problem seems to be a combination of factors in configure.ac and defines.h which cause OpenSSH to attempt to use utmp / wtmp / lastlog based solely on the existence of log files, even if it knows the API functions are not available. Let's look at lastlog, for instance. defines.h: 743: /* I hope that the presence of LASTLOG_FILE is enough to detect this */ 744: #if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG) 745: # define USE_LASTLOG 746: #endif LASTLOG_FILE comes from _PATH_LASTLOG in or, if _PATH_LASTLOG is not defined, from CONF_LASTLOG_FILE, which is the location of the lastlog file which configure found. DISABLE_LASTLOG is defined by configure if and only if at least one of the following is true: a) --disable-lastlog was specified on the command line b) --with-lastlog=no was specified on the command line c) there is no lastlog file in the expected location(s). configure never checks whether struct lastlog is defined. The easiest solution would probably be to add something like this in configure.ac, around line 4300: AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ AC_DEFINE([DISABLE_LASTLOG]) ], [ #ifdef HAVE_SYS_TYPES_H #include #endif #include ]) AC_CHECK_MEMBER([struct utmp.ut_line], [], [ AC_DEFINE([DISABLE_UTMP]) AC_DEFINE([DISABLE_WTMP]) ], [ #ifdef HAVE_SYS_TYPES_H #include #endif #include ]) On FreeBSD 10, this results in % egrep "DISABLE_(LASTLOG|UTMP)" config.h #define DISABLE_LASTLOG 1 #define DISABLE_UTMP 1 /* #undef DISABLE_UTMPX */ One last nit is that the conf_lastlog_file logic runs regardless of whether DISABLE_LASTLOG is defined, which is a waste of time. The attached patch combines the DISABLE_{LASTLOG,UTMP,WTMP} logic above with additional code to disable the log file search. All tests pass on 8 and 9. The connect.sh test fails on 10 (both with and without the patch), but that's likely to be a local issue. I'll have to re-run the tests in a clean environment. DES -- Dag-Erling Sm?rgrav - des at des.no -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-lastlog.diff Type: text/x-patch Size: 5499 bytes Desc: not available URL: From des at des.no Fri Mar 8 02:21:25 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Thu, 07 Mar 2013 16:21:25 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: (Damien Miller's message of "Wed, 27 Feb 2013 09:09:29 +1100 (EST)") References: Message-ID: <86boavqlqi.fsf@ds4.des.no> Here's another issue: FreeBSD's strnvis() is not 100% compatible with OpenBSD's, and OpenSSH can segfault when trying to use it. The attached patch adds a BROKEN_STRNVIS conditional (inspired by BROKEN_GLOB) and defines it on FreeBSD. DES -- Dag-Erling Sm?rgrav - des at des.no -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-strnvis.diff Type: text/x-patch Size: 2245 bytes Desc: not available URL: From wnefal at gmail.com Fri Mar 8 05:29:06 2013 From: wnefal at gmail.com (Markus Falb) Date: Thu, 7 Mar 2013 19:29:06 +0100 Subject: compression only in one direction Message-ID: <2DC34DB6-E847-4516-8127-205A7735414B@gmail.com> Hi, I know that it is possible to enable or disable compression. I just learned that the protocol would allow for one-way negotiations for things like how to encrypt the traffic, hash it, compress it. http://marc.info/?l=secure-shell&m=103578532423325&w=2 Many people have very asymmetric internet access bandwidth. e.g. 1 mb download, only 100 kb upload Would it not be useful to be able to compress only outbound traffic in such a situation? -- Kind Regards, Markus "just wondering" From alan.r.olsen at intel.com Fri Mar 8 05:55:11 2013 From: alan.r.olsen at intel.com (Olsen, Alan R) Date: Thu, 7 Mar 2013 18:55:11 +0000 Subject: compression only in one direction In-Reply-To: <2DC34DB6-E847-4516-8127-205A7735414B@gmail.com> References: <2DC34DB6-E847-4516-8127-205A7735414B@gmail.com> Message-ID: <4B2793BF110AAB47AB0EE7B9089703854FEF77B8@fmsmsx110.amr.corp.intel.com> [Sorry for the top post. I hate Outlook.] How much CPU does SSH take for compression? (I have never benchmarked it.) I have never noticed an issue with hit impacting a machine when compression is turned on. Seems like more pain that it is worth. -----Original Message----- From: openssh-unix-dev-bounces+alan.r.olsen=intel.com at mindrot.org [mailto:openssh-unix-dev-bounces+alan.r.olsen=intel.com at mindrot.org] On Behalf Of Markus Falb Sent: Thursday, March 07, 2013 10:29 AM To: openssh-unix-dev at mindrot.org Subject: compression only in one direction Hi, I know that it is possible to enable or disable compression. I just learned that the protocol would allow for one-way negotiations for things like how to encrypt the traffic, hash it, compress it. http://marc.info/?l=secure-shell&m=103578532423325&w=2 Many people have very asymmetric internet access bandwidth. e.g. 1 mb download, only 100 kb upload Would it not be useful to be able to compress only outbound traffic in such a situation? -- Kind Regards, Markus "just wondering" _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From djm at mindrot.org Fri Mar 8 10:03:22 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 8 Mar 2013 10:03:22 +1100 (EST) Subject: compression only in one direction In-Reply-To: <2DC34DB6-E847-4516-8127-205A7735414B@gmail.com> References: <2DC34DB6-E847-4516-8127-205A7735414B@gmail.com> Message-ID: On Thu, 7 Mar 2013, Markus Falb wrote: > Would it not be useful to be able to compress only outbound traffic in > such a situation? Probably not - asymmetric transport options are pretty confusing and AFAIK no client supports actually selecting them. I consider them to be a protocol feature that seems nice in theory but isn't useful in practice. -d From djm at mindrot.org Fri Mar 8 12:02:51 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 8 Mar 2013 12:02:51 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <5137B00A.7000009@jupiterrise.com> References: <5137B00A.7000009@jupiterrise.com> Message-ID: On Wed, 6 Mar 2013, Tom Christensen wrote: > ld: ERROR 33: Unresolved text symbol "usleep" -- 1st referenced by sshd.o. > ld: INFO 60: Output file removed because of error. > collect2: ld returned 1 exit status > > IRIX 5.3 does not have usleep anywhere. I worked around this by replacing > usleep with sginap. Here's a usleep replacement at least. Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.512 diff -u -p -r1.512 configure.ac --- configure.ac 6 Mar 2013 06:48:48 -0000 1.512 +++ configure.ac 8 Mar 2013 01:01:28 -0000 @@ -1602,6 +1602,7 @@ AC_CHECK_FUNCS([ \ unsetenv \ updwtmpx \ user_from_uid \ + usleep \ vasprintf \ vhangup \ vsnprintf \ Index: openbsd-compat/bsd-misc.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/bsd-misc.c,v retrieving revision 1.39 diff -u -p -r1.39 bsd-misc.c --- openbsd-compat/bsd-misc.c 15 Feb 2013 03:55:39 -0000 1.39 +++ openbsd-compat/bsd-misc.c 8 Mar 2013 01:01:01 -0000 @@ -165,6 +165,17 @@ int nanosleep(const struct timespec *req } #endif +#if !defined(HAVE_USLEEP) +int usleep(unsigned int useconds) +{ + struct timespec ts; + + ts.tv_sec = useconds / 1000000; + ts.tv_nsec = (useconds % 1000000) * 1000; + return nanosleep(&ts, NULL); +} +#endif + #ifndef HAVE_TCGETPGRP pid_t tcgetpgrp(int fd) Index: openbsd-compat/bsd-misc.h =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/bsd-misc.h,v retrieving revision 1.22 diff -u -p -r1.22 bsd-misc.h --- openbsd-compat/bsd-misc.h 15 Feb 2013 00:41:36 -0000 1.22 +++ openbsd-compat/bsd-misc.h 8 Mar 2013 01:01:04 -0000 @@ -80,6 +80,10 @@ struct timespec { int nanosleep(const struct timespec *, struct timespec *); #endif +#ifndef HAVE_USLEEP +int usleep(unsigned int useconds); +#endif + #ifndef HAVE_TCGETPGRP pid_t tcgetpgrp(int); #endif From dtucker at zip.com.au Fri Mar 8 13:04:27 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 8 Mar 2013 13:04:27 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <5137B00A.7000009@jupiterrise.com> Message-ID: <20130308020427.GA12854@gate.dtucker.net> On Fri, Mar 08, 2013 at 12:02:51PM +1100, Damien Miller wrote: [...] > +int usleep(unsigned int useconds) In theory that's supposed to be useconds_t, although I guess it doesn't matter much for the one use we have which has a static argument. It's possible that something, somewhere *doesn't* have the function but *does* have the prototype. I further guess we can cross that bridge if/when we come to it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Fri Mar 8 17:59:18 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 8 Mar 2013 17:59:18 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <866213sai1.fsf@ds4.des.no> References: <86y5e0smye.fsf@ds4.des.no> <86ip54sjwv.fsf@ds4.des.no> <866213sai1.fsf@ds4.des.no> Message-ID: On Thu, 7 Mar 2013, Dag-Erling Sm?rgrav wrote: > The attached patch combines the DISABLE_{LASTLOG,UTMP,WTMP} logic above > with additional code to disable the log file search. That's probably a bit too extensive a patch for this stage of release, but I think just the tests might be okay since they wouldn't break anything that isn't already broken. Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.513 diff -u -p -r1.513 configure.ac --- configure.ac 8 Mar 2013 01:14:23 -0000 1.513 +++ configure.ac 8 Mar 2013 06:32:22 -0000 @@ -4468,6 +4467,41 @@ if test ! -z "$blibpath" ; then LDFLAGS="$LDFLAGS $blibflags$blibpath" AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) fi + +AC_CHECK_MEMBER([struct lastlog.ll_line], [], [ + AC_DEFINE([DISABLE_LASTLOG]) + ], [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + ]) + +AC_CHECK_MEMBER([struct utmp.ut_line], [], [ + AC_DEFINE([DISABLE_UTMP]) + AC_DEFINE([DISABLE_WTMP]) + ], [ +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_UTMP_H +#include +#endif +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_LASTLOG_H +#include +#endif + ]) dnl Adding -Werror to CFLAGS early prevents configure tests from running. dnl Add now. From dfnsonfsduifb at gmx.de Sat Mar 9 01:46:09 2013 From: dfnsonfsduifb at gmx.de (Johannes Bauer) Date: Fri, 08 Mar 2013 15:46:09 +0100 Subject: Logging of failed publickey authentication attempts Message-ID: <5139F9B1.2070902@gmx.de> Hello list, I'd like to monitor failed publickey authentication attempts to my OpenSSH server and noticed that they're not logged (even in VERBOSE logging mode). Doing some digging, I found this 8 year old bug: https://bugzilla.mindrot.org/show_bug.cgi?id=974 Apparently, that issue was already known eight years ago and a patch is even attached -- but it never made it into mainline? I'd like to ask if it is planned to incorporate this change into OpenSSL? If not, why so? Or has the bug just not been update and a fix already exists? Best regards, Johannes From kevin.brott at gmail.com Sat Mar 9 09:06:16 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 8 Mar 2013 14:06:16 -0800 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux 11.11 is still not passing make tests. Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130309.tar.gz OS Build_Target CC OpenSSL BUILD TEST ============== =========================== ================ ============ ===== ================= AIX 5300-12-04 powerpc-ibm-aix5.3.0.0 gcc 4.2.0 0.9.8k OK all tests passed AIX 5300-12-02 powerpc-ibm-aix5.3.0.0 xlc 08.00.0000.0016 0.9.8k OK*3 all tests passed AIX 6100-07-06 powerpc-ibm-aix6.1.0.0 gcc 4.2.0 0.9.8x OK all tests passeD AIX 6100-07-06 powerpc-ibm-aix6.1.0.0 xlc 11.01.0000.0012 0.9.8x OK all tests passed AIX 7100-02-01 powerpc-ibm-aix7.1.0.0 xlc 11.01.0000.0012 0.9.8x OK all tests passed HP-UX 11.11 hppa2-0w-hp-hpux11.11 gcc 4.1.1 0.9.7d OK*3 FAIL *5 HP-UX 11.23 ia64-hp-hpux11.23 gcc 4.1.1 0.9.8w OK all tests passed HP-UX 11.23 ia64-hp-hpux11.23 C/aC++ C.11.23.12 0.9.8w OK all tests passed HP-UX 11.31 ia64-hp-hpux11.31 gcc 4.6.2 0.9.8t OK all tests passed HP-UX 11.31 ia64-hp-hpux11.31 C/aC++ C.11.31.05 0.9.8t OK all tests passed ?# *3 missing zlib.h - so zlib 1.2.7 /var/tmp/ssh/ # *5 run test multiplex.sh ... test connection multiplexing: envpass test connection multiplexing: transfer scp: failed copy /bin/ls cmp: cannot open /var/tmp/ssh/openssh/regress/ls.copy scp: corrupted copy of /bin/ls test connection multiplexing: status 0 test connection multiplexing: status 1 test connection multiplexing: status 4 test connection multiplexing: status 5 test connection multiplexing: status 44 test connection multiplexing: cmd check test connection multiplexing: cmd exit test connection multiplexing: cmd stop failed connection multiplexing *** Error exit code 1 Stop. *** Error exit code 1 Stop. From dtucker at zip.com.au Sat Mar 9 09:57:42 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 9 Mar 2013 09:57:42 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Sat, Mar 9, 2013 at 9:06 AM, Kevin Brott wrote: > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux > 11.11 is still not passing make tests. What are you using as an entropy source? I've found that I'm exhausting prngd on my (admittedly otherwise idle) HP workstation which is causing the tests to fail at the point it runs out. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tgc at jupiterrise.com Sat Mar 9 10:07:19 2013 From: tgc at jupiterrise.com (Tom Christensen) Date: Sat, 09 Mar 2013 00:07:19 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <5137B00A.7000009@jupiterrise.com> Message-ID: <513A6F27.2050103@jupiterrise.com> On 03/08/2013 02:02 AM, Damien Miller wrote: > Here's a usleep replacement at least. > Thanks. I tested on IRIX 5.3 (no usleep) and IRIX 6.2 (has usleep) and configure correctly detects this and the build can complete on both. -tgc From tim at multitalents.net Sat Mar 9 10:24:28 2013 From: tim at multitalents.net (Tim Rice) Date: Fri, 8 Mar 2013 15:24:28 -0800 (PST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Fri, 8 Mar 2013, Kevin Brott wrote: > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux > 11.11 is still not passing make tests. > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130309.tar.gz > [snip] > test connection multiplexing: cmd exit > test connection multiplexing: cmd stop > failed connection multiplexing > *** Error exit code 1 If you run the regress tests 10 times, does it fail all 10 times? I ask because my SVR5 platforms fail there about half the time. -- Tim Rice Multitalents tim at multitalents.net From kevin.brott at gmail.com Mon Mar 11 03:00:49 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Sun, 10 Mar 2013 09:00:49 -0700 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Fri, Mar 8, 2013 at 3:24 PM, Tim Rice wrote: > On Fri, 8 Mar 2013, Kevin Brott wrote: > > > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux > > 11.11 is still not passing make tests. > > > > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130309.tar.gz > > > [snip] > > test connection multiplexing: cmd exit > > test connection multiplexing: cmd stop > > failed connection multiplexing > > *** Error exit code 1 > > If you run the regress tests 10 times, does it fail all 10 times? > > I ask because my SVR5 platforms fail there about half the time. I'll test that out come Monday and see ... I'm betting probably 10:10?? -- # include /* Kevin Brott */ From kevin.brott at gmail.com Mon Mar 11 03:03:29 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Sun, 10 Mar 2013 09:03:29 -0700 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Fri, Mar 8, 2013 at 2:57 PM, Darren Tucker wrote: > On Sat, Mar 9, 2013 at 9:06 AM, Kevin Brott wrote: > > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux > > 11.11 is still not passing make tests. > > What are you using as an entropy source? I've found that I'm > exhausting prngd on my (admittedly otherwise idle) HP workstation > which is causing the tests to fail at the point it runs out. It's pretty much a stock HP-UX B.11.11?? system (not one of mine) so it's using whatever is there - I'll double-check Monday, but I'm pretty sure prngd isn't installed. -- # include /* Kevin Brott */ From dtucker at zip.com.au Mon Mar 11 13:28:20 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 11 Mar 2013 13:28:20 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Mon, Mar 11, 2013 at 3:03 AM, Kevin Brott wrote: > On Fri, Mar 8, 2013 at 2:57 PM, Darren Tucker wrote: > >> On Sat, Mar 9, 2013 at 9:06 AM, Kevin Brott wrote: >> > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but hp-ux >> > 11.11 is still not passing make tests. >> >> What are you using as an entropy source? I've found that I'm >> exhausting prngd on my (admittedly otherwise idle) HP workstation >> which is causing the tests to fail at the point it runs out. > > > It's pretty much a stock HP-UX B.11.11 system (not one of mine) so it's > using whatever is there - I'll double-check Monday, but I'm pretty sure > prngd isn't installed. OK, here's another thing in keys-command: Unsafe AuthorizedKeysCommand: bad ownership or modes for directory /var/run where /var/run and /var are owned by "bin" (uid 2) $ ls -ldn /var /var/run dr-xr-xr-x 28 2 2 8192 Aug 14 2004 /var dr-xr-xr-x 2 2 2 96 Mar 11 12:16 /var/run At least some revisions of AIX have a similar problem (/ is owned by "bin"). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Mon Mar 11 15:14:32 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 11 Mar 2013 15:14:32 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: <20130311041432.GA13588@gate.dtucker.net> On Mon, Mar 11, 2013 at 01:28:20PM +1100, Darren Tucker wrote: > Unsafe AuthorizedKeysCommand: bad ownership or modes for directory /var/run > > where /var/run and /var are owned by "bin" (uid 2) Possible solution (note you'll need to run "autoreconf" to rebuild configure then run ./configure again). djm, tim: wanted for release or not? Index: auth.c =================================================================== RCS file: /openssh_cvs/openssh/auth.c,v retrieving revision 1.156 diff -u -r1.156 auth.c --- auth.c 12 Feb 2013 00:02:28 -0000 1.156 +++ auth.c 11 Mar 2013 02:26:27 -0000 @@ -448,7 +448,7 @@ snprintf(err, errlen, "%s is not a regular file", buf); return -1; } - if ((stp->st_uid != 0 && stp->st_uid != uid) || + if ((!platform_system_uid(stp->st_uid) && stp->st_uid != uid) || (stp->st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for file %s", buf); @@ -464,7 +464,7 @@ strlcpy(buf, cp, sizeof(buf)); if (stat(buf, &st) < 0 || - (st.st_uid != 0 && st.st_uid != uid) || + (!platform_system_uid(st.st_uid) && st.st_uid != uid) || (st.st_mode & 022) != 0) { snprintf(err, errlen, "bad ownership or modes for directory %s", buf); Index: configure.ac =================================================================== RCS file: /openssh_cvs/openssh/configure.ac,v retrieving revision 1.513 diff -u -r1.513 configure.ac --- configure.ac 8 Mar 2013 01:14:23 -0000 1.513 +++ configure.ac 11 Mar 2013 02:26:27 -0000 @@ -480,6 +480,7 @@ AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], [AIX 5.2 and 5.3 (and presumably newer) require this]) AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) + AC_DEFINE([PLATFORM_SYSTEM_UID], 2, [System dirs owned by bin (uid 2)]) ;; *-*-cygwin*) check_for_libcrypt_later=1 @@ -565,6 +566,7 @@ AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], [String used in /etc/passwd to denote locked account]) AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) + AC_DEFINE([PLATFORM_SYSTEM_UID], 2, [System dirs owned by bin (uid 2)]) maildir="/var/mail" LIBS="$LIBS -lsec" AC_CHECK_LIB([xnet], [t_error], , Index: platform.c =================================================================== RCS file: /openssh_cvs/openssh/platform.c,v retrieving revision 1.18 diff -u -r1.18 platform.c --- platform.c 11 Jan 2011 06:02:25 -0000 1.18 +++ platform.c 11 Mar 2013 02:26:27 -0000 @@ -194,3 +194,15 @@ return NULL; #endif } + +int +platform_system_uid(uid_t uid) +{ + if (uid == 0) + return 1; +#ifdef PLATFORM_SYSTEM_UID + if (uid == PLATFORM_SYSTEM_UID) + return 1; +#endif + return 0; +} Index: platform.h =================================================================== RCS file: /openssh_cvs/openssh/platform.h,v retrieving revision 1.7 diff -u -r1.7 platform.h --- platform.h 5 Nov 2010 03:47:01 -0000 1.7 +++ platform.h 11 Mar 2013 02:26:27 -0000 @@ -29,5 +29,4 @@ void platform_setusercontext_post_groups(struct passwd *); char *platform_get_krb5_client(const char *); char *platform_krb5_get_principal_name(const char *); - - +int platform_system_uid(uid_t); -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kulkarniamit at hp.com Mon Mar 11 16:40:31 2013 From: kulkarniamit at hp.com (Kulkarni, Amit (HP-UX Network Security)) Date: Mon, 11 Mar 2013 05:40:31 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: With openssh-SNAP-20130311, we have positive build and testing results for HP-UX 11.11,11.23 and 11.31. Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130311.tar.gz Results : OS Build_Target CC OpenSSL BUILD TEST ============== =========================== ================= ============ ===== ================= HP-UX 11.31 ia64-hp-hpux11.31 HP C/aC++ A.06.12 0.9.8w OK all tests passed HP-UX 11.31 PA-RISC-hp-hpux11.31 HP C/aC++ (*1) 0.9.8x OK all tests passed HP-UX 11.23 ia64-hp-hpux11.23 HP C/aC++ A.06.25 0.9.8x OK all tests passed HP-UX 11.23 PA-RISC-hp-hpux11.23 HP C/aC++ (*2) 0.9.8x OK all tests passed HP-UX 11.11 PA-RISC-hp-hpux11.11 HP C/aC++ (*3) 0.9.8y OK all tests passed # *1: HP C/aC++ Developer's Bundle C.11.31.06 B9007AA # *2: HP C/aC++ Developer's Bundle C.11.23.06 B9007AA # *3: HP C/aC++ Developer's Bundle C.11.11.20 B9007AA Random number generator used in HP-UX 11.11: HP-UX 11.11 Strong Random Number Generator B.11.11.09 KRNG11i Regards, Amit Kulkarni -----Original Message----- From: dtucker at dtucker.net [mailto:dtucker at dtucker.net] On Behalf Of Darren Tucker Sent: Saturday, March 09, 2013 4:28 AM To: Kevin Brott Cc: Damien Miller; openssh-unix-dev at mindrot.org; Kulkarni, Amit (HP-UX Network Security) Subject: Re: Call for testing: OpenSSH-6.2 On Sat, Mar 9, 2013 at 9:06 AM, Kevin Brott > wrote: > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but > hp-ux > 11.11 is still not passing make tests. What are you using as an entropy source? I've found that I'm exhausting prngd on my (admittedly otherwise idle) HP workstation which is causing the tests to fail at the point it runs out. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From imorgan at nas.nasa.gov Tue Mar 12 04:56:21 2013 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Mon, 11 Mar 2013 10:56:21 -0700 Subject: Logging of failed publickey authentication attempts In-Reply-To: <5139F9B1.2070902@gmx.de> References: <5139F9B1.2070902@gmx.de> Message-ID: <20130311175621.GA3045@linux124.nas.nasa.gov> On Fri, Mar 08, 2013 at 08:46:09 -0600, Johannes Bauer wrote: > Hello list, > > I'd like to monitor failed publickey authentication attempts to my > OpenSSH server and noticed that they're not logged (even in VERBOSE > logging mode). Doing some digging, I found this 8 year old bug: > https://bugzilla.mindrot.org/show_bug.cgi?id=974 > > Apparently, that issue was already known eight years ago and a patch is > even attached -- but it never made it into mainline? I'd like to ask if > it is planned to incorporate this change into OpenSSL? If not, why so? > Or has the bug just not been update and a fix already exists? > What version of OpenSSH are you using? If I recall correctly, you need to have your syslog daemon listen to /var/empty/dev/log if you are using a version older than v5.9p1. -- Iain Morgan From imorgan at nas.nasa.gov Tue Mar 12 05:33:35 2013 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Mon, 11 Mar 2013 11:33:35 -0700 Subject: [PATCH] Portability improvements for regress/cipher-speed.sh Message-ID: <20130311183334.GB3045@linux124.nas.nasa.gov> Hi, Although cipher-speed.sh isn't failing, its output is useless on some platforms. Aside from the definition of $DATA noted in a previous post to this list, it makes assumptions about dd's status message and the behaviour of echo. The patch below addresses these issue, at least on RHEL. Index: regress/cipher-speed.sh =================================================================== RCS file: /cvs/openssh/regress/cipher-speed.sh,v retrieving revision 1.10 diff -u -r1.10 cipher-speed.sh --- regress/cipher-speed.sh 19 Feb 2013 19:53:30 -0000 1.10 +++ regress/cipher-speed.sh 11 Mar 2013 18:19:14 -0000 @@ -5,12 +5,13 @@ getbytes () { - sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' + sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \ + -e '/copied/s/.*s, \(.* MB.s\).*/\1/p' } tries="1 2" -DATA=/bin/ls -DATA=/bsd +DATA=/tmp/cipher-speed.$$ +dd if=/dev/zero of=$DATA bs=4k count=1024 2> /dev/null ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour @@ -26,7 +27,7 @@ for c in $ciphers; do n=0; for m in $macs; do trace "proto 2 cipher $c mac $m" for x in $tries; do - echon "$c/$m:\t" + printf "%-60s" "$c/$m:" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ @@ -47,7 +48,7 @@ for c in $ciphers; do trace "proto 1 cipher $c" for x in $tries; do - echon "$c:\t" + printf "%-60s" "$c:" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -1 -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ @@ -57,3 +58,5 @@ fi done done + +rm $DATA -- Iain Morgan From djm at mindrot.org Tue Mar 12 08:33:09 2013 From: djm at mindrot.org (Damien Miller) Date: Tue, 12 Mar 2013 08:33:09 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130311041432.GA13588@gate.dtucker.net> References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> <20130311041432.GA13588@gate.dtucker.net> Message-ID: I don't mind, but are these really the only uid==0 checks that matter? On Mon, 11 Mar 2013, Darren Tucker wrote: > On Mon, Mar 11, 2013 at 01:28:20PM +1100, Darren Tucker wrote: > > Unsafe AuthorizedKeysCommand: bad ownership or modes for directory /var/run > > > > where /var/run and /var are owned by "bin" (uid 2) > > Possible solution (note you'll need to run "autoreconf" to rebuild > configure then run ./configure again). > > djm, tim: wanted for release or not? > > Index: auth.c > =================================================================== > RCS file: /openssh_cvs/openssh/auth.c,v > retrieving revision 1.156 > diff -u -r1.156 auth.c > --- auth.c 12 Feb 2013 00:02:28 -0000 1.156 > +++ auth.c 11 Mar 2013 02:26:27 -0000 > @@ -448,7 +448,7 @@ > snprintf(err, errlen, "%s is not a regular file", buf); > return -1; > } > - if ((stp->st_uid != 0 && stp->st_uid != uid) || > + if ((!platform_system_uid(stp->st_uid) && stp->st_uid != uid) || > (stp->st_mode & 022) != 0) { > snprintf(err, errlen, "bad ownership or modes for file %s", > buf); > @@ -464,7 +464,7 @@ > strlcpy(buf, cp, sizeof(buf)); > > if (stat(buf, &st) < 0 || > - (st.st_uid != 0 && st.st_uid != uid) || > + (!platform_system_uid(st.st_uid) && st.st_uid != uid) || > (st.st_mode & 022) != 0) { > snprintf(err, errlen, > "bad ownership or modes for directory %s", buf); > Index: configure.ac > =================================================================== > RCS file: /openssh_cvs/openssh/configure.ac,v > retrieving revision 1.513 > diff -u -r1.513 configure.ac > --- configure.ac 8 Mar 2013 01:14:23 -0000 1.513 > +++ configure.ac 11 Mar 2013 02:26:27 -0000 > @@ -480,6 +480,7 @@ > AC_DEFINE([SSHPAM_CHAUTHTOK_NEEDS_RUID], [1], > [AIX 5.2 and 5.3 (and presumably newer) require this]) > AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd]) > + AC_DEFINE([PLATFORM_SYSTEM_UID], 2, [System dirs owned by bin (uid 2)]) > ;; > *-*-cygwin*) > check_for_libcrypt_later=1 > @@ -565,6 +566,7 @@ > AC_DEFINE([LOCKED_PASSWD_STRING], ["*"], > [String used in /etc/passwd to denote locked account]) > AC_DEFINE([SPT_TYPE], [SPT_PSTAT]) > + AC_DEFINE([PLATFORM_SYSTEM_UID], 2, [System dirs owned by bin (uid 2)]) > maildir="/var/mail" > LIBS="$LIBS -lsec" > AC_CHECK_LIB([xnet], [t_error], , > Index: platform.c > =================================================================== > RCS file: /openssh_cvs/openssh/platform.c,v > retrieving revision 1.18 > diff -u -r1.18 platform.c > --- platform.c 11 Jan 2011 06:02:25 -0000 1.18 > +++ platform.c 11 Mar 2013 02:26:27 -0000 > @@ -194,3 +194,15 @@ > return NULL; > #endif > } > + > +int > +platform_system_uid(uid_t uid) > +{ > + if (uid == 0) > + return 1; > +#ifdef PLATFORM_SYSTEM_UID > + if (uid == PLATFORM_SYSTEM_UID) > + return 1; > +#endif > + return 0; > +} > Index: platform.h > =================================================================== > RCS file: /openssh_cvs/openssh/platform.h,v > retrieving revision 1.7 > diff -u -r1.7 platform.h > --- platform.h 5 Nov 2010 03:47:01 -0000 1.7 > +++ platform.h 11 Mar 2013 02:26:27 -0000 > @@ -29,5 +29,4 @@ > void platform_setusercontext_post_groups(struct passwd *); > char *platform_get_krb5_client(const char *); > char *platform_krb5_get_principal_name(const char *); > - > - > +int platform_system_uid(uid_t); > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > From dtucker at zip.com.au Tue Mar 12 09:58:07 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 12 Mar 2013 09:58:07 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> <20130311041432.GA13588@gate.dtucker.net> Message-ID: On Tue, Mar 12, 2013 at 8:33 AM, Damien Miller wrote: > I don't mind, but are these really the only uid==0 checks that matter? for AuthorizedKeysCommand, yes. There's probably other places where it would also be useful (StrictModes checks come to mind) but those are not new and I'd rather review those on a case by case basis. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Mar 12 10:20:15 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 12 Mar 2013 10:20:15 +1100 Subject: [PATCH] Portability improvements for regress/cipher-speed.sh In-Reply-To: <20130311183334.GB3045@linux124.nas.nasa.gov> References: <20130311183334.GB3045@linux124.nas.nasa.gov> Message-ID: <20130311232015.GA14628@gate.dtucker.net> On Mon, Mar 11, 2013 at 11:33:35AM -0700, Iain Morgan wrote: > Hi, > > Although cipher-speed.sh isn't failing, its output is useless on some > platforms. Aside from the definition of $DATA noted in a previous post > to this list, it makes assumptions about dd's status message and the > behaviour of echo. > > The patch below addresses these issue, at least on RHEL. The patch makes assumptions about the existence of /dev/zero :-) I'd rather have test-exec.sh create (and cleanup) $DATA in one place, maybe by concatenating sshd$(EXEEXT) a few times. Also, why the echon->printf changes? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Mar 12 10:40:09 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 12 Mar 2013 10:40:09 +1100 Subject: [PATCH] Portability improvements for regress/cipher-speed.sh In-Reply-To: <20130311232015.GA14628@gate.dtucker.net> References: <20130311183334.GB3045@linux124.nas.nasa.gov> <20130311232015.GA14628@gate.dtucker.net> Message-ID: <20130311234009.GB14628@gate.dtucker.net> On Tue, Mar 12, 2013 at 10:20:15AM +1100, Darren Tucker wrote: > On Mon, Mar 11, 2013 at 11:33:35AM -0700, Iain Morgan wrote: > > Hi, > > > > Although cipher-speed.sh isn't failing, its output is useless on some > > platforms. Aside from the definition of $DATA noted in a previous post > > to this list, it makes assumptions about dd's status message and the > > behaviour of echo. > > > > The patch below addresses these issue, at least on RHEL. > > The patch makes assumptions about the existence of /dev/zero :-) > I'd rather have test-exec.sh create (and cleanup) $DATA in one place, > maybe by concatenating sshd$(EXEEXT) a few times. > > Also, why the echon->printf changes? nevermind, I see the problem with \t parsing (or not). How about this? I'll remove DATA from the other tests later. Index: regress/Makefile =================================================================== RCS file: /var/cvs/openssh/regress/Makefile,v retrieving revision 1.55 diff -u -p -r1.55 Makefile --- regress/Makefile 20 Feb 2013 03:01:52 -0000 1.55 +++ regress/Makefile 11 Mar 2013 23:34:30 -0000 @@ -71,7 +71,7 @@ INTEROP_TESTS= putty-transfer putty-ciph USER!= id -un CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ t8.out t8.out.pub t9.out t9.out.pub \ - authorized_keys_${USER} known_hosts pidfile \ + authorized_keys_${USER} known_hosts pidfile testdata \ ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ Index: regress/cipher-speed.sh =================================================================== RCS file: /var/cvs/openssh/regress/cipher-speed.sh,v retrieving revision 1.10 diff -u -p -r1.10 cipher-speed.sh --- regress/cipher-speed.sh 19 Feb 2013 19:53:30 -0000 1.10 +++ regress/cipher-speed.sh 11 Mar 2013 23:34:30 -0000 @@ -5,12 +5,11 @@ tid="cipher speed" getbytes () { - sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' + sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \ + -e '/copied/s/.*s, \(.* MB.s\).*/\1/p' } tries="1 2" -DATA=/bin/ls -DATA=/bsd ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour @@ -26,7 +25,7 @@ config_defined HAVE_EVP_SHA256 && \ for c in $ciphers; do n=0; for m in $macs; do trace "proto 2 cipher $c mac $m" for x in $tries; do - echon "$c/$m:\t" + printf "%-60s" "$c/$m:" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ @@ -47,7 +46,7 @@ ciphers="3des blowfish" for c in $ciphers; do trace "proto 1 cipher $c" for x in $tries; do - echon "$c:\t" + printf "%-60s" "$c:" ( ${SSH} -o 'compression no' \ -F $OBJ/ssh_proxy -1 -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ Index: regress/test-exec.sh =================================================================== RCS file: /var/cvs/openssh/regress/test-exec.sh,v retrieving revision 1.45 diff -u -p -r1.45 test-exec.sh --- regress/test-exec.sh 2 Jul 2012 15:11:28 -0000 1.45 +++ regress/test-exec.sh 11 Mar 2013 23:34:30 -0000 @@ -140,6 +140,10 @@ if [ "x$TEST_SSH_LOGFILE" = "x" ]; then TEST_SSH_LOGFILE=/dev/null fi +# Some data for test copies +DATA=$OBJ/testdata +cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Tue Mar 12 10:47:10 2013 From: djm at mindrot.org (Damien Miller) Date: Tue, 12 Mar 2013 10:47:10 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> <20130311041432.GA13588@gate.dtucker.net> Message-ID: On Tue, 12 Mar 2013, Darren Tucker wrote: > On Tue, Mar 12, 2013 at 8:33 AM, Damien Miller wrote: > > I don't mind, but are these really the only uid==0 checks that matter? > > for AuthorizedKeysCommand, yes. There's probably other places where > it would also be useful (StrictModes checks come to mind) but those > are not new and I'd rather review those on a case by case basis. ok for release so long as we use it pervasively afterwards From imorgan at nas.nasa.gov Tue Mar 12 11:21:30 2013 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Mon, 11 Mar 2013 17:21:30 -0700 Subject: [PATCH] Portability improvements for regress/cipher-speed.sh In-Reply-To: <20130311234009.GB14628@gate.dtucker.net> References: <20130311183334.GB3045@linux124.nas.nasa.gov> <20130311232015.GA14628@gate.dtucker.net> <20130311234009.GB14628@gate.dtucker.net> Message-ID: <20130312002130.GI3027@linux124.nas.nasa.gov> That works for me! -- Iain On Mon, Mar 11, 2013 at 18:40:09 -0500, Darren Tucker wrote: > On Tue, Mar 12, 2013 at 10:20:15AM +1100, Darren Tucker wrote: > > On Mon, Mar 11, 2013 at 11:33:35AM -0700, Iain Morgan wrote: > > > Hi, > > > > > > Although cipher-speed.sh isn't failing, its output is useless on some > > > platforms. Aside from the definition of $DATA noted in a previous post > > > to this list, it makes assumptions about dd's status message and the > > > behaviour of echo. > > > > > > The patch below addresses these issue, at least on RHEL. > > > > The patch makes assumptions about the existence of /dev/zero :-) > > I'd rather have test-exec.sh create (and cleanup) $DATA in one place, > > maybe by concatenating sshd$(EXEEXT) a few times. > > > > Also, why the echon->printf changes? > > nevermind, I see the problem with \t parsing (or not). > > How about this? I'll remove DATA from the other tests later. > > Index: regress/Makefile > =================================================================== > RCS file: /var/cvs/openssh/regress/Makefile,v > retrieving revision 1.55 > diff -u -p -r1.55 Makefile > --- regress/Makefile 20 Feb 2013 03:01:52 -0000 1.55 > +++ regress/Makefile 11 Mar 2013 23:34:30 -0000 > @@ -71,7 +71,7 @@ INTEROP_TESTS= putty-transfer putty-ciph > USER!= id -un > CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ > t8.out t8.out.pub t9.out t9.out.pub \ > - authorized_keys_${USER} known_hosts pidfile \ > + authorized_keys_${USER} known_hosts pidfile testdata \ > ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ > rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ > rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ > Index: regress/cipher-speed.sh > =================================================================== > RCS file: /var/cvs/openssh/regress/cipher-speed.sh,v > retrieving revision 1.10 > diff -u -p -r1.10 cipher-speed.sh > --- regress/cipher-speed.sh 19 Feb 2013 19:53:30 -0000 1.10 > +++ regress/cipher-speed.sh 11 Mar 2013 23:34:30 -0000 > @@ -5,12 +5,11 @@ tid="cipher speed" > > getbytes () > { > - sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' > + sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \ > + -e '/copied/s/.*s, \(.* MB.s\).*/\1/p' > } > > tries="1 2" > -DATA=/bin/ls > -DATA=/bsd > > ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc > arcfour128 arcfour256 arcfour > @@ -26,7 +25,7 @@ config_defined HAVE_EVP_SHA256 && \ > for c in $ciphers; do n=0; for m in $macs; do > trace "proto 2 cipher $c mac $m" > for x in $tries; do > - echon "$c/$m:\t" > + printf "%-60s" "$c/$m:" > ( ${SSH} -o 'compression no' \ > -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ > exec sh -c \'"dd of=/dev/null obs=32k"\' \ > @@ -47,7 +46,7 @@ ciphers="3des blowfish" > for c in $ciphers; do > trace "proto 1 cipher $c" > for x in $tries; do > - echon "$c:\t" > + printf "%-60s" "$c:" > ( ${SSH} -o 'compression no' \ > -F $OBJ/ssh_proxy -1 -c $c somehost \ > exec sh -c \'"dd of=/dev/null obs=32k"\' \ > Index: regress/test-exec.sh > =================================================================== > RCS file: /var/cvs/openssh/regress/test-exec.sh,v > retrieving revision 1.45 > diff -u -p -r1.45 test-exec.sh > --- regress/test-exec.sh 2 Jul 2012 15:11:28 -0000 1.45 > +++ regress/test-exec.sh 11 Mar 2013 23:34:30 -0000 > @@ -140,6 +140,10 @@ if [ "x$TEST_SSH_LOGFILE" = "x" ]; then > TEST_SSH_LOGFILE=/dev/null > fi > > +# Some data for test copies > +DATA=$OBJ/testdata > +cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA > + > # these should be used in tests > export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP > #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. -- Iain Morgan From dtucker at zip.com.au Tue Mar 12 11:28:10 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 12 Mar 2013 11:28:10 +1100 Subject: [PATCH] Portability improvements for regress/cipher-speed.sh In-Reply-To: <20130312002130.GI3027@linux124.nas.nasa.gov> References: <20130311183334.GB3045@linux124.nas.nasa.gov> <20130311232015.GA14628@gate.dtucker.net> <20130311234009.GB14628@gate.dtucker.net> <20130312002130.GI3027@linux124.nas.nasa.gov> Message-ID: <20130312002810.GA9915@gate.dtucker.net> On Mon, Mar 11, 2013 at 05:21:30PM -0700, Iain Morgan wrote: > That works for me! great, thanks. committed, it'll be in the release. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Mar 12 11:31:57 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 12 Mar 2013 11:31:57 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130311041432.GA13588@gate.dtucker.net> Message-ID: <20130312003157.GB9915@gate.dtucker.net> On Tue, Mar 12, 2013 at 10:47:10AM +1100, Damien Miller wrote: > On Tue, 12 Mar 2013, Darren Tucker wrote: > > > On Tue, Mar 12, 2013 at 8:33 AM, Damien Miller wrote: > > > I don't mind, but are these really the only uid==0 checks that matter? > > > > for AuthorizedKeysCommand, yes. There's probably other places where > > it would also be useful (StrictModes checks come to mind) but those > > are not new and I'd rather review those on a case by case basis. > > ok for release so long as we use it pervasively afterwards thanks, committed with a slightly more descriptive function name and comment. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Tue Mar 12 20:42:21 2013 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 12 Mar 2013 10:42:21 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130312003157.GB9915@gate.dtucker.net> References: <20130311041432.GA13588@gate.dtucker.net> <20130312003157.GB9915@gate.dtucker.net> Message-ID: <20130312094221.GE23987@calimero.vinschen.de> Hi Darren, On Mar 12 11:31, Darren Tucker wrote: > On Tue, Mar 12, 2013 at 10:47:10AM +1100, Damien Miller wrote: > > On Tue, 12 Mar 2013, Darren Tucker wrote: > > > > > On Tue, Mar 12, 2013 at 8:33 AM, Damien Miller wrote: > > > > I don't mind, but are these really the only uid==0 checks that matter? > > > > > > for AuthorizedKeysCommand, yes. There's probably other places where > > > it would also be useful (StrictModes checks come to mind) but those > > > are not new and I'd rather review those on a case by case basis. > > > > ok for release so long as we use it pervasively afterwards > > thanks, committed with a slightly more descriptive function name and > comment. Along the same lines, will a yet-to-be-designed patch have a chance in future, which replaces all tests for uid == 0 with a platform-dependent function testing the uid for being any administrative user? We discussed this a couple of times in the past and I even provided a patch ages ago, but this never came to fruition. Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From tgc at jupiterrise.com Wed Mar 13 07:03:58 2013 From: tgc at jupiterrise.com (Tom Christensen) Date: Tue, 12 Mar 2013 21:03:58 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <5137B00A.7000009@jupiterrise.com> Message-ID: <513F8A2E.1040104@jupiterrise.com> On 03/08/2013 02:02 AM, Damien Miller wrote: > On Wed, 6 Mar 2013, Tom Christensen wrote: > >> ld: ERROR 33: Unresolved text symbol "usleep" -- 1st referenced by sshd.o. >> ld: INFO 60: Output file removed because of error. >> collect2: ld returned 1 exit status >> >> IRIX 5.3 does not have usleep anywhere. I worked around this by replacing >> usleep with sginap. > > Here's a usleep replacement at least. > I just tried to build 20130313 but it failed because this patch was not included. Will this be in the next release? -tgc From tgc at jupiterrise.com Wed Mar 13 07:14:18 2013 From: tgc at jupiterrise.com (Tom Christensen) Date: Tue, 12 Mar 2013 21:14:18 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <5137B00A.7000009@jupiterrise.com> References: <5137B00A.7000009@jupiterrise.com> Message-ID: <513F8C9A.8020708@jupiterrise.com> On 03/06/2013 10:07 PM, Tom Christensen wrote: > First problem is that configure hangs in the select+rlimit test. > I see that a timeout was added and the test now passes on IRIX 5.3. > A generic IRIX issue is the use of killpg in sshd.c. > sshd.c: In function `grace_alarm_handler': > sshd.c:368: warning: implicit declaration of function `killpg' > > On IRIX using this function requires _BSD_SIGNALS to be defined > otherwise results are unpredictable. > See the manpage here for more details: > http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?cmd=getdoc&coll=0650&db=man&fname=3%20killpg > > Looking at the kill() manpage it seems to me that killpg could be > replaced with kill(0, SIGTERM) to achieve the same thing. > Any opinion on this one? Building openssh with -D_BSD_SIGNALS forced on causes numerous warnings like the below to appear: gcc -D_BSD_SIGNALS -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -std=gnu99 -I. -I.. -I. -I./.. -I/usr/tgcware/include/openssl -I/usr/tgcware/include -DHAVE_CONFIG_H -c bsd-arc4random.c In file included from ../openbsd-compat/openbsd-compat.h:151, from ../includes.h:172, from bsd-arc4random.c:17: ../openbsd-compat/bsd-misc.h:99:1: warning: "signal" redefined In file included from /usr/tgcware/gcc-3.4.6/lib/gcc/mips-sgi-irix5.3/3.4.6/include/sys/param.h:46, from /usr/tgcware/gcc-3.4.6/lib/gcc/mips-sgi-irix5.3/3.4.6/include/arpa/nameser.h:77, from ../openbsd-compat/getrrsetbyname.h:57, from ../openbsd-compat/openbsd-compat.h:45, from ../includes.h:172, from bsd-arc4random.c:17: /usr/tgcware/gcc-3.4.6/lib/gcc/mips-sgi-irix5.3/3.4.6/include/sys/signal.h:209:1: warning: this is the location of the previous definition This is because the system does a #define signal BSDsignal when _BSD_SIGNALS is defined. -tgc From des at des.no Wed Mar 13 20:51:15 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Wed, 13 Mar 2013 10:51:15 +0100 Subject: [patch] Incorrect umask in FreeBSD Message-ID: <86ip4vy6ek.fsf@ds4.des.no> Normally, in the !UseLogin case on a system with login classes, the umask is set implicitly by the first setusercontext() call in do_setusercontext() in session.c. However, FreeBSD treats the umask differently from other login settings: unless running with the target user's UID, it will only apply the value from /etc/login.conf, not that from the user's ~/.login.conf. The patch below addresses this (although not in the most efficient manner, which would be to add LOGIN_SETUMASK to the LOGIN_SETUSER call). It is harmless on systems (such as OpenBSD) which have login classes but do not share this particular idiosyncrasy with FreeBSD. ------------------------------------------------------------------------ r248231 | des | 2013-03-13 10:41:55 +0100 (Wed, 13 Mar 2013) | 8 lines Changed paths: M /head/crypto/openssh/session.c Unlike OpenBSD's, our setusercontext() will intentionally ignore the user's own umask setting (from ~/.login.conf) unless running with the user's UID. Therefore, we need to call it again with LOGIN_SETUMASK after changing UID. PR: bin/176740 Submitted by: John Marshall MFC after: 1 week Index: session.c =================================================================== --- session.c (revision 248230) +++ session.c (revision 248231) @@ -1533,6 +1533,12 @@ perror("unable to set user context (setuser)"); exit(1); } + + /* + * FreeBSD's setusercontext() will not apply the user's + * own umask setting unless running with the user's UID. + */ + setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK); #else /* Permanently switch to the desired uid. */ permanently_set_uid(pw); ------------------------------------------------------------------------ DES -- Dag-Erling Sm?rgrav - des at des.no From john.m.olsson at ericsson.com Wed Mar 13 21:24:40 2013 From: john.m.olsson at ericsson.com (John Olsson M) Date: Wed, 13 Mar 2013 10:24:40 +0000 Subject: Time zone for chrooted internal-sftp? Message-ID: <56C5269167653F4EB997E85F8CBB3299140014@ESESSMB301.ericsson.se> Hi, A question regarding chroot, internal-sftp, and time zones: Is it possible to get the time stamps presented by the chrooted internal-sftp to always be aligned with the system global time zone setting? What is the reason this not done by default, that is couldn't the chrooted internal-sftp inherit the time zone information from the SSH daemon? /John -- John Olsson Ericsson AB From cmanalyst66 at gmail.com Thu Mar 14 06:50:26 2013 From: cmanalyst66 at gmail.com (C M) Date: Wed, 13 Mar 2013 14:50:26 -0500 Subject: Support for QNX 4.25 Message-ID: Hello, I wanted to find out if your team would be willing to develop an OpenSSH port for QNX 4.25. We have several open source tools we would like to utilize as part of our QNX based development environment. Mnay of them require SSH capability which currently doesn?t exist for QNX 4.X. Please let me know if your team would be willing to make such a port available. I am reasonably certain we would make a reasonable contribution to the effort. Please let me know if there?s any interest. Thanks. Amad From cmanalyst66 at gmail.com Fri Mar 15 00:30:53 2013 From: cmanalyst66 at gmail.com (C M) Date: Thu, 14 Mar 2013 08:30:53 -0500 Subject: Support for QNX 4.25 In-Reply-To: References: Message-ID: Repost Hello, > > > I wanted to find out if the OpenSSH-Unix-Dev team would be willing to > develop an OpenSSH port for QNX 4.25. > > > > We have several open source tools we would like to utilize as part of our > QNX based development environment. Many of them require SSH capability > which currently does not exist for QNX 4.X. > > > > Please let me know if your team would be willing to make such a port > available. I am reasonably certain we would make a reasonable contribution > to the effort. > > > > Please let me know if there?s any interest. > > > Thanks. > Amad > From djm at mindrot.org Fri Mar 15 10:35:20 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 15 Mar 2013 10:35:20 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <513F8A2E.1040104@jupiterrise.com> References: <5137B00A.7000009@jupiterrise.com> <513F8A2E.1040104@jupiterrise.com> Message-ID: On Tue, 12 Mar 2013, Tom Christensen wrote: > > Here's a usleep replacement at least. > > > I just tried to build 20130313 but it failed because this patch was not > included. > Will this be in the next release? Sorry, been travelling. Just committed and will be in the 20130316 snapshot -d From djm at mindrot.org Fri Mar 15 10:35:59 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 15 Mar 2013 10:35:59 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <86y5e0smye.fsf@ds4.des.no> <86ip54sjwv.fsf@ds4.des.no> <866213sai1.fsf@ds4.des.no> Message-ID: On Fri, 8 Mar 2013, Damien Miller wrote: > On Thu, 7 Mar 2013, Dag-Erling Sm?rgrav wrote: > > > The attached patch combines the DISABLE_{LASTLOG,UTMP,WTMP} logic above > > with additional code to disable the log file search. > > That's probably a bit too extensive a patch for this stage of release, > but I think just the tests might be okay since they wouldn't break > anything that isn't already broken. FYI this has been committed and will be in the 20130316 snapshot From dtucker at zip.com.au Fri Mar 15 10:35:45 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 15 Mar 2013 10:35:45 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130312094221.GE23987@calimero.vinschen.de> References: <20130311041432.GA13588@gate.dtucker.net> <20130312003157.GB9915@gate.dtucker.net> <20130312094221.GE23987@calimero.vinschen.de> Message-ID: On Tue, Mar 12, 2013 at 8:42 PM, Corinna Vinschen wrote: [...] > Along the same lines, will a yet-to-be-designed patch have a chance in > future, which replaces all tests for uid == 0 with a platform-dependent > function testing the uid for being any administrative user? Yeah, that's the intent, and I think it's what Damien meant by "use it pervasively". > We discussed this a couple of times in the past and I even provided a > patch ages ago, but this never came to fruition. Sorry, I probably dropped the ball on that. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Fri Mar 15 11:23:02 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 15 Mar 2013 11:23:02 +1100 (EST) Subject: [patch] Incorrect umask in FreeBSD In-Reply-To: <86ip4vy6ek.fsf@ds4.des.no> References: <86ip4vy6ek.fsf@ds4.des.no> Message-ID: On Wed, 13 Mar 2013, Dag-Erling Sm?rgrav wrote: > Normally, in the !UseLogin case on a system with login classes, the > umask is set implicitly by the first setusercontext() call in > do_setusercontext() in session.c. However, FreeBSD treats the umask > differently from other login settings: unless running with the target > user's UID, it will only apply the value from /etc/login.conf, not that > from the user's ~/.login.conf. The patch below addresses this (although > not in the most efficient manner, which would be to add LOGIN_SETUMASK > to the LOGIN_SETUSER call). It is harmless on systems (such as OpenBSD) > which have login classes but do not share this particular idiosyncrasy > with FreeBSD. Committed - this will be in the 20130316 snapshot too. -d From djm at mindrot.org Fri Mar 15 11:24:59 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 15 Mar 2013 11:24:59 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <513F8C9A.8020708@jupiterrise.com> References: <5137B00A.7000009@jupiterrise.com> <513F8C9A.8020708@jupiterrise.com> Message-ID: On Tue, 12 Mar 2013, Tom Christensen wrote: > > replaced with kill(0, SIGTERM) to achieve the same thing. > > > Any opinion on this one? > > Building openssh with -D_BSD_SIGNALS forced on causes numerous warnings like > the below to appear: How did you enable this? Was it CFLAGS="-D_BSD_SIGNALS" ./configure ... or by editing the Makefile after configure ran? If you haven't, I'd recommend you try the CFLAGS/configure way so all the configure tests have a chance to find and react to the exposed symbols. -d From djm at mindrot.org Fri Mar 15 11:26:25 2013 From: djm at mindrot.org (Damien Miller) Date: Fri, 15 Mar 2013 11:26:25 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <51349EB8.6080405@gmail.com> References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> <51349EB8.6080405@gmail.com> Message-ID: So, did all the portability issues get sorted out here? AFAIK there was something to do with Solaris that was lingering... -d On Mon, 4 Mar 2013, ?ngel Gonz?lez wrote: > Philip Hands writes: > > ?ngel Gonz?lez writes: > >> Well, there's the usual offender of Solaris sh > >> (fails with syntax error at line 36: `DEFAULT_PUB_ID_FILE=$', so not too > >> bad, > > "Not too bad" in the sense that it gets as far as the first line of the > > script before failing? ;-) > > > > So Solaris portability will require replacing $(...) with `...` *sigh* > > 'Not too bad' because it hasn't processed yet anything, so it's harmless. > > > >> it also has a broken ${FOO:+BAR} syntax, printing BAR instead of $BAR) > > That's correct behaviour -- you do ${FOO:+$BAR} if that's what you > > wanted. I'm using it to avoid adding an extra space to a list of > > options, thus: > > > > X="${X:+$X }..." > > ^ > > (so the space after the $X only gets added when $X is already set) > > Sorry, you're right. I thought I had tested it in bash, but apparently it > was just its documentation what confused me: > > `${PARAMETER:+WORD}' > > If PARAMETER is null or unset, nothing is substituted, otherwise > > the expansion of WORD is substituted. > > > > > > > >> The first thing I notice of your script is the missing \n at the end of > >> the usage (why are you using printf instead of echo?). > > Well, echo is depressingly unportable, so I recently decided that I'd > > spent enough time thinking about whether each usage of echo was going to > > be portable, so why not avoid the problem completely. This lays out the > > problem: > > > > http://www.etalabs.net/sh_tricks.html > > > > of course, that's where the missing \n bug came from -- thanks for > > spotting that. > > > > Note to self: changes that are too trivial to introduce bugs ... aren't > In this case, I think echo would be safe, as it'd be followed by a > string literal ("Usage:"), > but adding that newline to printf is also fine, of course :) > > > > >> Finally, the error (usage parameters) given if you don't have an agent > >> running is not helpful. > > How are you getting that? Is this still somehow with Solaris? > > > > It _should_ spit out: > > > > ERROR: No identities found > > > > If you could describe what you did to get that, assuming that it still > > happens with the latest version, I'll see if I can work out what's going > > on. > With either no agent (just unset SSH_AUTH_SOCK and SSH_AGENT_PID) or an > empty agent (you can overwrite your 'normal' agent with a new one in a > shell instance) > I get with the latest version (fdb4641): > > $ ./ssh-copy-id host > > ./ssh-copy-id: ERROR: failed to open ID file '/home/user/.ssh/id_rsa': > No such file or directory > > > The usage problem seems to be due to the getopt version that it is > picking Solaris > In Linux: > $ getopt --options 'i::o:p:nh?' --name "ssh-copy-id" --quiet -- "hostname" > -- 'hostname' > > In Solaris: > $ getopt --options 'i::o:p:nh?' --name "ssh-copy-id" --quiet -- "host" > -- i::o:p:nh? --name ssh-copy-id --quiet -- host > > So $# is 6, thus it enters the if [ $# != 1 ] path. > Seems it's a traditional getopt, which only expects the options to be > the first parameter and $@ the rest of the arguments. > > > > Perhaps you'd be kind enough to give this a go on solaris for me: > > > > http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris > > > > I have a suspicion that if it doesn't like $(...) it might not like > > $((maths)) much either. > As expected, it doesn't. > $ echo $((5 + 1)) > syntax error: `(' unexpected > > For the two additions you use, expr is more than enough. > > > It would also be interesting if we had some tests for ssh-copy-id which > could then be run on the different systems, instead of making up them > each time. > > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From phil at hands.com Fri Mar 15 20:21:17 2013 From: phil at hands.com (Philip Hands) Date: Fri, 15 Mar 2013 09:21:17 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> <51349EB8.6080405@gmail.com> Message-ID: <87li9pdnn6.fsf@poker.hands.com> Damien Miller writes: > So, did all the portability issues get sorted out here? AFAIK there was > something to do with Solaris that was lingering... The current state is that the solaris branch still doesn't work because the solaris version of getopt doesn't take options. There was a suggestion of detecting at the start of the script whether one is on an ancient shell, and if so then exec ksh or some other better shell to allow the script to work unmolested, but the it looks like I need to use getopts rather than getopt too (as solaris getopt doesn't like options). I was planning on getting a solaris VM image so that I can test this stuff today. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/ |-| HANDS.COM Ltd. http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From vinschen at redhat.com Fri Mar 15 20:44:11 2013 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 15 Mar 2013 10:44:11 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130311041432.GA13588@gate.dtucker.net> <20130312003157.GB9915@gate.dtucker.net> <20130312094221.GE23987@calimero.vinschen.de> Message-ID: <20130315094411.GA1360@calimero.vinschen.de> On Mar 15 10:35, Darren Tucker wrote: > On Tue, Mar 12, 2013 at 8:42 PM, Corinna Vinschen wrote: > [...] > > Along the same lines, will a yet-to-be-designed patch have a chance in > > future, which replaces all tests for uid == 0 with a platform-dependent > > function testing the uid for being any administrative user? > > Yeah, that's the intent, and I think it's what Damien meant by "use it > pervasively". > > > We discussed this a couple of times in the past and I even provided a > > patch ages ago, but this never came to fruition. > > Sorry, I probably dropped the ball on that. No worries. It would be nice if we could pick it up at one point :) Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From tgc at jupiterrise.com Sat Mar 16 03:58:19 2013 From: tgc at jupiterrise.com (Tom Christensen) Date: Fri, 15 Mar 2013 17:58:19 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <5137B00A.7000009@jupiterrise.com> <513F8C9A.8020708@jupiterrise.com> Message-ID: <5143532B.9040206@jupiterrise.com> On 03/15/2013 01:24 AM, Damien Miller wrote: > On Tue, 12 Mar 2013, Tom Christensen wrote: > >>> replaced with kill(0, SIGTERM) to achieve the same thing. >>> >> Any opinion on this one? >> >> Building openssh with -D_BSD_SIGNALS forced on causes numerous warnings like >> the below to appear: > > How did you enable this? Was it CFLAGS="-D_BSD_SIGNALS" ./configure ... or > by editing the Makefile after configure ran? > I did CC="gcc -D_BSD_SIGNALS" ./configure ... > If you haven't, I'd recommend you try the CFLAGS/configure way so all the > configure tests have a chance to find and react to the exposed symbols. > I just double checked with CFLAGS="-D_BSD_SIGNALS" ./configure ... As expected it did not make a difference. I did a build on IRIX 6.2 with SGI MIPSpro 7.3 and it had this to report: cc -D_BSD_SIGNALS -I. -I.. -I. -I./.. -I/usr/tgcware/include/openssl -I/usr/tgcware/include -DHAVE_CONFIG_H -c bsd-arc4random.c c-1047 cc: WARNING File = ../openbsd-compat/bsd-misc.h, Line = 103 Macro "signal" (declared at line 376 of "/usr/include/sys/signal.h") has an incompatible redefinition. #define signal(a,b) mysignal(a,b) ^ -tgc From imorgan at nas.nasa.gov Sat Mar 16 05:11:40 2013 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Fri, 15 Mar 2013 11:11:40 -0700 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <5143532B.9040206@jupiterrise.com> References: <5137B00A.7000009@jupiterrise.com> <513F8C9A.8020708@jupiterrise.com> <5143532B.9040206@jupiterrise.com> Message-ID: <20130315181140.GD3045@linux124.nas.nasa.gov> On Fri, Mar 15, 2013 at 11:58:19 -0500, Tom Christensen wrote: > On 03/15/2013 01:24 AM, Damien Miller wrote: > > On Tue, 12 Mar 2013, Tom Christensen wrote: > > > >>> replaced with kill(0, SIGTERM) to achieve the same thing. > >>> > >> Any opinion on this one? > >> > >> Building openssh with -D_BSD_SIGNALS forced on causes numerous warnings like > >> the below to appear: > > > > How did you enable this? Was it CFLAGS="-D_BSD_SIGNALS" ./configure ... or > > by editing the Makefile after configure ran? > > > I did CC="gcc -D_BSD_SIGNALS" ./configure ... > > > If you haven't, I'd recommend you try the CFLAGS/configure way so all the > > configure tests have a chance to find and react to the exposed symbols. > > > I just double checked with CFLAGS="-D_BSD_SIGNALS" ./configure ... > As expected it did not make a difference. > > I did a build on IRIX 6.2 with SGI MIPSpro 7.3 and it had this to report: > cc -D_BSD_SIGNALS -I. -I.. -I. -I./.. -I/usr/tgcware/include/openssl > -I/usr/tgcware/include -DHAVE_CONFIG_H -c bsd-arc4random.c > c-1047 cc: WARNING File = ../openbsd-compat/bsd-misc.h, Line = 103 > Macro "signal" (declared at line 376 of "/usr/include/sys/signal.h") > has an > incompatible redefinition. > > #define signal(a,b) mysignal(a,b) > ^ > > I haven't had an IRIX system to play with for several years, but looking back on my notes I see that it used to be necessary to set CC=c99 when using the MIPSpro. -- Iain Morgan From tgc at jupiterrise.com Sat Mar 16 06:34:29 2013 From: tgc at jupiterrise.com (Tom Christensen) Date: Fri, 15 Mar 2013 20:34:29 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130315181140.GD3045@linux124.nas.nasa.gov> References: <5137B00A.7000009@jupiterrise.com> <513F8C9A.8020708@jupiterrise.com> <5143532B.9040206@jupiterrise.com> <20130315181140.GD3045@linux124.nas.nasa.gov> Message-ID: <514377C5.2070605@jupiterrise.com> On 03/15/2013 07:11 PM, Iain Morgan wrote: > I haven't had an IRIX system to play with for several years, but looking > back on my notes I see that it used to be necessary to set CC=c99 when > using the MIPSpro. > c99 is only available with MIPSpro 7.4.x on IRIX 6.5. -tgc From scott_n at xypro.com Tue Mar 19 02:32:53 2013 From: scott_n at xypro.com (Scott Neugroschl) Date: Mon, 18 Mar 2013 08:32:53 -0700 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <20130315094411.GA1360@calimero.vinschen.de> References: <20130311041432.GA13588@gate.dtucker.net> <20130312003157.GB9915@gate.dtucker.net> <20130312094221.GE23987@calimero.vinschen.de> <20130315094411.GA1360@calimero.vinschen.de> Message-ID: <78DD71C304F38B41885A242996B96F730425D308@xyservd.XYPRO-23.LOCAL> > > [...] > > > Along the same lines, will a yet-to-be-designed patch have a chance > > > in future, which replaces all tests for uid == 0 with a > > > platform-dependent function testing the uid for being any > administrative user? > > > > Yeah, that's the intent, and I think it's what Damien meant by "use > it > > pervasively". > > > > > We discussed this a couple of times in the past and I even provided > > > a patch ages ago, but this never came to fruition. > > > > Sorry, I probably dropped the ball on that. > > No worries. It would be nice if we could pick it up at one point :) That would be awesome for me as well. On an HP Nonstop, admin is also not 0. From des at des.no Tue Mar 19 08:54:30 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Mon, 18 Mar 2013 22:54:30 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: (Damien Miller's message of "Fri, 15 Mar 2013 10:35:59 +1100 (EST)") References: <86y5e0smye.fsf@ds4.des.no> <86ip54sjwv.fsf@ds4.des.no> <866213sai1.fsf@ds4.des.no> Message-ID: <86620oqsq1.fsf@ds4.des.no> Damien Miller writes: > FYI this has been committed and will be in the 20130316 snapshot Confirmed in 20130319. Any chance of getting my BROKEN_STRNVIS patch committed as well? DES -- Dag-Erling Sm?rgrav - des at des.no From djm at mindrot.org Tue Mar 19 10:28:47 2013 From: djm at mindrot.org (Damien Miller) Date: Tue, 19 Mar 2013 10:28:47 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <86boavqlqi.fsf@ds4.des.no> References: <86boavqlqi.fsf@ds4.des.no> Message-ID: On Thu, 7 Mar 2013, Dag-Erling Sm?rgrav wrote: > Here's another issue: FreeBSD's strnvis() is not 100% compatible with > OpenBSD's, and OpenSSH can segfault when trying to use it. The attached > patch adds a BROKEN_STRNVIS conditional (inspired by BROKEN_GLOB) and > defines it on FreeBSD. What exactly is the incompatibility? -d From des at des.no Tue Mar 19 19:49:45 2013 From: des at des.no (=?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?=) Date: Tue, 19 Mar 2013 09:49:45 +0100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: (Damien Miller's message of "Tue, 19 Mar 2013 10:28:47 +1100 (EST)") References: <86boavqlqi.fsf@ds4.des.no> Message-ID: <86a9pzdb9y.fsf@ds4.des.no> Damien Miller writes: > What exactly is the incompatibility? To be honest, I was just going by "ssh crashes when it uses FreeBSD's version", but I took a closer look: OpenBSD's strnvis(3): int strnvis(char *dst, const char *src, size_t dstsize, int flag); FreeBSD's and NetBSD's strnvis(3): int strnvis(char *dst, size_t dlen, const char *src, int flag); so perhaps "BROKEN_STRNVIS" is a bit harsh, but they're definitely incompatible. DES -- Dag-Erling Sm?rgrav - des at des.no From kevin.brott at gmail.com Wed Mar 20 07:46:22 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 19 Mar 2013 13:46:22 -0700 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Sun, Mar 10, 2013 at 9:03 AM, Kevin Brott wrote: > On Fri, Mar 8, 2013 at 2:57 PM, Darren Tucker wrote: > >> On Sat, Mar 9, 2013 at 9:06 AM, Kevin Brott >> wrote: >> > Got a bit further this time with openssh-SNAP-20130309.tar.gz - but >> hp-ux >> > 11.11 is still not passing make tests. >> >> What are you using as an entropy source? I've found that I'm >> exhausting prngd on my (admittedly otherwise idle) HP workstation >> which is causing the tests to fail at the point it runs out. > > > It's pretty much a stock HP-UX B.11.11?? system (not one of mine) so it's > using whatever is there - I'll double-check Monday, but I'm pretty sure > prngd isn't installed. > > > ?So - a week later - when I'm not on-call anymore and I can look at this without interruption. Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130320.tar.gz this time ... No extra RNG ?toolkit installed at all on this system - and make tests always fails right at multiplex.sh every single time. I know that HP-UX 11.11 doesn't have a kernel-based RNG by default (optional package KRNGD supplies it, but I can't install anything new on this box. I seem to remember once upon a time - that while it was 'insecure' due to the entropy being drek - that openssh would still pass make tests (with warnings) if no decent RNG was installed. Admittedly I haven't tested on such a system in a very long time, but did I miss something in a release note somewhere that says it's a required element now? ?? run test multiplex.sh test connection multiplexing: envpass test connection multiplexing: transfer scp: failed copy /bin/ls cmp: cannot open /var/tmp/ssh/openssh/regress/ls.copy scp: corrupted copy of /bin/ls test connection multiplexing: status 0 test connection multiplexing: status 1 test connection multiplexing: status 4 test connection multiplexing: status 5 test connection multiplexing: status 44 test connection multiplexing: cmd check test connection multiplexing: cmd exit test connection multiplexing: cmd stop failed connection multiplexing *** Error exit code 1 Stop. *** Error exit code 1 Stop. -- # include /* Kevin Brott */ From dtucker at zip.com.au Wed Mar 20 10:25:09 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 20 Mar 2013 10:25:09 +1100 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Wed, Mar 20, 2013 at 7:46 AM, Kevin Brott wrote: [....] > Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20130320.tar.gz this > time ... > > No extra RNG toolkit installed at all on this system - and make tests > always fails right at multiplex.sh every single time. > I know that HP-UX 11.11 doesn't have a kernel-based RNG by default > (optional package KRNGD supplies it, but I can't install anything new on > this box. > > I seem to remember once upon a time - that while it was 'insecure' due to > the entropy being drek - that openssh would still pass make tests (with > warnings) if no decent RNG was installed. Admittedly I haven't tested on > such a system in a very long time, but did I miss something in a release > note somewhere that says it's a required element now? Yep, in 5.9 ssh-random-helper was removed: http://openssh.com/txt/release-5.9 " * This release removes support for ssh-rand-helper. OpenSSH now obtains its random numbers directly from OpenSSL or from a PRNGd/EGD instance specified at configure time. " You must have some form of entropy available to openssl, though, or it would not build or run at all. You can probably run prngd as a non-privileged user then build openssh with "./configure --with-prngd-socket=/tmp/socket" (admittedly I've never tried this). Looking at the code in entropy.c I think it'll prefer the system entropy source it it's available. I'd try this myself, but my trusty old HP workstation decided it no longer wants to power on :-( -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Wed Mar 20 12:56:14 2013 From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Mar 2013 12:56:14 +1100 (EST) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <86a9pzdb9y.fsf@ds4.des.no> References: <86boavqlqi.fsf@ds4.des.no> <86a9pzdb9y.fsf@ds4.des.no> Message-ID: On Tue, 19 Mar 2013, Dag-Erling Sm?rgrav wrote: > Damien Miller writes: > > What exactly is the incompatibility? > > To be honest, I was just going by "ssh crashes when it uses FreeBSD's > version", but I took a closer look: > > OpenBSD's strnvis(3): > > int strnvis(char *dst, const char *src, size_t dstsize, int flag); > > FreeBSD's and NetBSD's strnvis(3): > > int strnvis(char *dst, size_t dlen, const char *src, int flag); > > so perhaps "BROKEN_STRNVIS" is a bit harsh, but they're definitely > incompatible. There's probably a more elegant fix than using the OpenBSD replacement but it can wait until after release. -d From phil at hands.com Wed Mar 20 19:28:14 2013 From: phil at hands.com (Philip Hands) Date: Wed, 20 Mar 2013 08:28:14 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> <51349EB8.6080405@gmail.com> <87li9pdnn6.fsf@poker.hands.com> Message-ID: <87li9icw69.fsf@poker.hands.com> Damien Miller writes: > On Fri, 15 Mar 2013, Philip Hands wrote: > >> Damien Miller writes: >> >> > So, did all the portability issues get sorted out here? AFAIK there was >> > something to do with Solaris that was lingering... >> >> The current state is that the solaris branch still doesn't work because >> the solaris version of getopt doesn't take options. >> >> There was a suggestion of detecting at the start of the script whether >> one is on an ancient shell, and if so then exec ksh or some other better >> shell to allow the script to work unmolested, but the it looks like I >> need to use getopts rather than getopt too (as solaris getopt doesn't >> like options). >> >> I was planning on getting a solaris VM image so that I can test this >> stuff today. > > Thanks - making shell-script work on every horrid platform is an > unrewarding and usually thankless task. I'd fogotted quite how maddening Solaris is. ;-) Solaris sh trap's failure to deal with '-' has decided me to go with the test and exec ksh approach, but while I'm cherrypicking the stuff like getopts replacement, and avoiding grep -q etc. from the solaris branch, it would be nice if people with solaris could try to spot any remaining breakage in this: http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=refs/heads/solaris it's not greatly tested, bit it was working for some things. The option handling needs proper testing on lots of platforms (I'll be grabbing that into the master branch later today). Also, the just reverted "no IdentitiesOnly=yes" commit is needed for me to test here, as I've not got OpenSSH installed on my Solaris VM, so I cannot test the exact version I want to publish at present. I'll do the cherrypicking later today, but here's something to go on with. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/ |-| HANDS.COM Ltd. http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From phil at hands.com Wed Mar 20 23:20:36 2013 From: phil at hands.com (Philip Hands) Date: Wed, 20 Mar 2013 12:20:36 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <87li9icw69.fsf@poker.hands.com> References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> <51349EB8.6080405@gmail.com> <87li9pdnn6.fsf@poker.hands.com> <87li9icw69.fsf@poker.hands.com> Message-ID: <87ip4mclez.fsf@poker.hands.com> Hi, I've now knocked up something to exec the script under ksh if the /bin/sh is too annoying, and incorporated the tweaks to avoid other bits of Solaris brokenness, so that's now all in the master branch again: http://git.hands.com/ssh-copy-id?p=ssh-copy-id.git;a=blob_plain;f=ssh-copy-id;hb=HEAD and http://git.hands.com/ssh-copy-id I'm afraid I need to catch a train now, so won't be online till tomorrow, probably -- I've only briefly tested that, but it seems to work so far, but it could do with more testing. Particularly, I've rewritten the option handling, so please try out all the odd combinations of options you like, if you've got some of those. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/ |-| HANDS.COM Ltd. http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From keisial at gmail.com Thu Mar 21 01:18:50 2013 From: keisial at gmail.com (=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?=) Date: Wed, 20 Mar 2013 15:18:50 +0100 Subject: Time zone for chrooted internal-sftp? In-Reply-To: <56C5269167653F4EB997E85F8CBB3299140014@ESESSMB301.ericsson.se> References: <56C5269167653F4EB997E85F8CBB3299140014@ESESSMB301.ericsson.se> Message-ID: <5149C54A.8000500@gmail.com> On 13/03/13 11:24, John Olsson M wrote: > Hi, > > A question regarding chroot, internal-sftp, and time zones: Is it possible to get the time stamps presented by the chrooted internal-sftp to always be aligned with the system global time zone setting? > > What is the reason this not done by default, that is couldn't the chrooted internal-sftp inherit the time zone information from the SSH daemon? > > /John Are the relevant zoneinfo files available inside the chroot? From djm at mindrot.org Thu Mar 21 04:57:12 2013 From: djm at mindrot.org (Damien Miller) Date: Thu, 21 Mar 2013 04:57:12 +1100 (EST) Subject: Time zone for chrooted internal-sftp? In-Reply-To: <56C5269167653F4EB997E85F8CBB3299140014@ESESSMB301.ericsson.se> References: <56C5269167653F4EB997E85F8CBB3299140014@ESESSMB301.ericsson.se> Message-ID: On Wed, 13 Mar 2013, John Olsson M wrote: > Hi, > > A question regarding chroot, internal-sftp, and time zones: Is > it possible to get the time stamps presented by the chrooted > internal-sftp to always be aligned with the system global time zone > setting? > > What is the reason this not done by default, that is couldn't the > chrooted internal-sftp inherit the time zone information from the SSH > daemon? I'd expect that it would, but maybe something gets reset after fork(). You might want to try this patch to see if it makes any difference. Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.416 diff -u -p -r1.416 session.c --- session.c 15 Mar 2013 00:22:37 -0000 1.416 +++ session.c 20 Mar 2013 17:55:21 -0000 @@ -58,6 +58,7 @@ #include #include #include +#include #include #include "openbsd-compat/sys-queue.h" @@ -1461,6 +1462,7 @@ safely_chroot(const char *path, uid_t ui } + tzset(); if (chdir(path) == -1) fatal("Unable to chdir to chroot path \"%s\": " "%s", path, strerror(errno)); Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.420 diff -u -p -r1.420 sshd.c --- sshd.c 12 Feb 2013 00:04:48 -0000 1.420 +++ sshd.c 20 Mar 2013 17:55:41 -0000 @@ -607,6 +607,7 @@ privsep_preauth_child(void) arc4random_stir(); arc4random_buf(rnd, sizeof(rnd)); RAND_seed(rnd, sizeof(rnd)); + tzset(); /* Demote the private keys to public keys. */ demote_sensitive_data(); From kevin.brott at gmail.com Thu Mar 21 09:12:37 2013 From: kevin.brott at gmail.com (Kevin Brott) Date: Wed, 20 Mar 2013 15:12:37 -0700 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Tue, Mar 19, 2013 at 4:25 PM, Darren Tucker wrote: > On Wed, Mar 20, 2013 at 7:46 AM, Kevin Brott > wrote: > [....] > > I seem to remember once upon a time - that while it was 'insecure' due to > > the entropy being drek - that openssh would still pass make tests (with > > warnings) if no decent RNG was installed. Admittedly I haven't tested on > > such a system in a very long time, but did I miss something in a release > > note somewhere that says it's a required element now? > > Yep, in 5.9 ssh-random-helper was removed: > http://openssh.com/txt/release-5.9 > > " * This release removes support for ssh-rand-helper. OpenSSH now > obtains its random numbers directly from OpenSSL or from > a PRNGd/EGD instance specified at configure time. > " > ?I knew it might be something like that. You must have some form of entropy available to openssl, though, or it > would not build or run at all. > ?DOH. As I go grab a copy of prngd to test this out - I find that ?/var/run/egd-pool already exists, and is generated by /opt/openssl/prngd/prngd - so there is a working RNG on the system - it just wasn't the one I was expecting. Now I'm back to square one- why is multiplexer.sh failing if it's not the RNG. :/ -- # include /* Kevin Brott */ From tim at multitalents.net Thu Mar 21 10:14:41 2013 From: tim at multitalents.net (Tim Rice) Date: Wed, 20 Mar 2013 16:14:41 -0700 (PDT) Subject: Call for testing: OpenSSH-6.2 In-Reply-To: References: <20130305090339.GA9108@gate.dtucker.net> <20130305091817.GB9108@gate.dtucker.net> <20130305104503.GA11704@gate.dtucker.net> Message-ID: On Wed, 20 Mar 2013, Kevin Brott wrote: > Now I'm back to square one- why is multiplexer.sh failing if it's not the > RNG. :/ As I mentioned a while ago, my UnixWare 7.1.4 fails multiplexer.sh about half the time. That machine is running natively on a HP DL385 G1. In the last round of testing, I noticed my UnixWare 7.1.4 and OpenServer 6 VMs on my HP DL360 G5 ESXi 5.1 box fail 100% of the time. I used to have OpenServer 6 running on a 600MHz PIII that never failed multiplexer.sh So the old slow machine worked and my fastest machine always fails. I wonder is there is some obscure race condition we are tripping on. It's nice to know it is not just my SVR5 boxes that fail. ;-) -- Tim Rice Multitalents (707) 456-1146 tim at multitalents.net (707) 887-1469 From c at charlesmatkinson.org Thu Mar 21 18:50:25 2013 From: c at charlesmatkinson.org (Charles) Date: Thu, 21 Mar 2013 13:20:25 +0530 Subject: sshfs -o rellinks (module option) rejected by fuse Message-ID: <514ABBC1.4080703@charlesmatkinson.org> New to sshfs and new to this mailing list so please guide me if required. Is this a bug? When sshfs is given option -o rellinks, it responds with fuse: unknown option `rellinks' According to my understanding of the sshfs man page and --help output this option a) is valid and b) should be passed to the module, not to fuse. Versions: SSHFS version 2.4 FUSE library version: 2.8.5 fusermount version: 2.8.5 using FUSE kernel interface version 7.12 OS: Slackware64 14.0 Incidentally, I'm thinking of making two sshfs documentation enhancement requests. But are they based on misconception? They are: 1. Mount options. In the sshfs general options, mount options (-o opt,[opt...]) documentation, additionally specify which options are available. Rationale: sshfs rightly does not support all the mount man page's "FILESYSTEM INDEPENDENT MOUNT OPTIONS" and the mount man page does not have a section for sshfs. There is thus no documentation to tell the sshfs user which mount options are available. For example I found by experiment that noatime is accepted but nodiratime and noiversion are not. 2. Command path completion. Add a note in the documentation that this does not work. For example when the user types cd / then tab and tab, nothing is listed as it is for the usual file systems. Rationale: this is not customary behaviour. Nice for there to be no surprises for the user who has read the documentation. Nice for the user who finds and investigates unusual behaviour to have it confirmed as normal in the documentation. Best, Charles From phil at hands.com Thu Mar 21 21:24:11 2013 From: phil at hands.com (Philip Hands) Date: Thu, 21 Mar 2013 10:24:11 +0000 Subject: Call for testing: OpenSSH-6.2 In-Reply-To: <87ip4mclez.fsf@poker.hands.com> References: <874ngwisi6.fsf@poker.hands.com> <51323EB5.2010706@gmail.com> <87hakth57d.fsf@poker.hands.com> <51349EB8.6080405@gmail.com> <87li9pdnn6.fsf@poker.hands.com> <87li9icw69.fsf@poker.hands.com> <87ip4mclez.fsf@poker.hands.com> Message-ID: <87fvzpcapg.fsf@poker.hands.com> Philip Hands writes: ... > I'm afraid I need to catch a train now, so won't be online till > tomorrow, probably -- I've only briefly tested that, Of course, I found a few bugs while on the train -- fixes pushed. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/ |-| HANDS.COM Ltd. http://www.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From flavien-ssh at lebarbe.net Fri Mar 22 00:53:21 2013 From: flavien-ssh at lebarbe.net (Flavien) Date: Thu, 21 Mar 2013 14:53:21 +0100 Subject: SSH 5.8p1 hang in kernel mode / AIX 7.1 In-Reply-To: <20121227164348.GA17378@srv3.flavien.org> References: <20121214111821.GA861@srv3.flavien.org> <20121227164348.GA17378@srv3.flavien.org> Message-ID: <20130321135321.GA4061@srv3.flavien.org> Hello, The bug I'm triggering has been confirmed by IBM. They are currently investigating it and we're waiting for a fix. The workaround they proposed for now is to disable PKCS so that the buggy code is not triggered. Flavien. > Hello, > > > Replying to self, for the archives. > > This really looking like an AIX kernel bug that SSH is triggering > somehow (once every 5000/6000 runs here on a test machine). We have > an open issue with IBM on this. Here's the stack we got from kdb. > It's related to CLiC (CryptoLite for C kernel, a kernel extension). > > > Flavien. > > 0)> f > pvthread+01A000 STACK: > [F1000000C0339E84].RdTBR+000004 () > [F1000000C02F9D64]CLiC__trng+000104 (F1000102135279A8) > [F1000000C02FA280]CLiC_rng_seed+0001A0 (F100010213527A80, 0000000000000000, > 0000000000000014) > [F1000000C02FA448]clic_ctxrng_init+000068 (F100010213527980, 0000000400000004) > [F1000000C02FA74C]CLiC_context+00018C (F10001021355B550, 0000000200000002, > 0000000400000004, F1000000C03C3A98, F1000000C03C3AB0) > [F1000000C036D2E8]P11_CLiC_app_init+000108 (F10001021355B458, F00000002FF45FC8) > [F1000000C02C5A9C]p11_init_crypto_ctx+00011C (F10001021355B458, F00000002FF45FC8) > [F1000000C02C5F28]p11_acquire_context+000268 (00000000011E00DC, 0000000100000001, > F00000002FF45FC8) > [F1000000C02C567C]p11_dd_open+0000FC (8000002200000000, 0000000000000001, > 000BB003000BB003, 0000000000000000) > [00014D70].hkey_legacy_gate+00004C () > [005769C0]devcopen+000480 (??, ??, ??, ??, ??) > [00576020]rdevopen+000140 (??, ??, ??, ??, ??) > [007E2D90]mpx_open+000070 (F10001020FE0D5F0, 0000000100000001, > 0000000000000000) > [00753E7C]spec_open+0000FC (??, ??, ??, ??, ??) > [005A44F8]vnop_open+0004F8 (??, ??, ??, ??, ??) > [0063FEAC]openpnp+0006EC (??, ??, ??, ??, ??, ??, ??, ??) > [0064056C]openpath+00028C (??, ??, ??, ??, ??, ??, ??, ??) > [00640934]copen+000314 (FFFFFFFEFFFFFFFE, 00000000F084A164, > 0000000000000000, 0000000800000008, 0000000000000000, F00000002FF47580) > [0063F744]kopen+000024 (??, ??, ??) > [0000386C]ovlya_addr_sc_flih_main+00014C () > [D0119A54]open+0000F4 (F084A164, 00000000, 00000008, 00000001, > 11A000C5, 01A000C5, 00000000, F0731A54) > [D232F934]C_Initialize+000394 (00000000) > [D100DBAC]D100DBAC () > [D100BA18]D100BA18 () > [D100B9B0]D100B9B0 () > [D10109CC]D10109CC () > [D1009AEC]D1009AEC () > [10060334]ssh_SSLeay_add_all_algorithms+000014 () > [100032F0]main+001290 (00000001, 2FF22800) > [100001E8]__start+000098 () > > > > Flavien Lebarbe wrote : > > Hello, > > > > > > > > An AIX machine runs a program that forks ssh client in order to > > launch commands on a remote. I'm first seting up a Master connection > > with a ControlPath, then using that connection to launch various > > commands on the remote, and killing the master by issuing a > > "-O exit" command. > > > > SSH client version on that machine is : > > # ssh -V > > OpenSSH_5.8p1, OpenSSL 0.9.8r 8 Feb 2011 > > # uname -nrsv > > AIX P7_AIX7 1 7 > > > > The program runs every 5 minutes for about 10s or so, gathering the > > information from the remote just fine. > > > > Now, I'm looking at the output of "ps" and see some left-over processes : > > root 5832832 1 69 22 nov - 5424:59 ssh -o BatchMode=yes -o ControlPath=/opt/data/ssh-socket_A-10.10.14.126 -o User=foobar 10.10.14.126 remote_command > > > > This instance of ssh client should not be there anymore. > > > > Having a deeper look: > > * kill -9 on that process does not kill it. > > * The corresponding ControlPath socket does not exist anymore on the system, > > nor does the ssh master process for this socket. > > * truss on that process does not show any activity at all: the process is > > apparently inside a system call. > > * kernel activity on the machine as reported by topas is 99% > > * ls -l /proc/5832832/fd only shows 3 FDs : > > # ls -l /proc/5832832/fd > > 0 total > > c--------- 1 root system 2, 2 14 d? 11:22 0 > > p--------- 0 root system 0 22 nov 06:18 1 > > c--------- 1 root system 2, 2 14 d? 11:22 2 > > > > I have currently 6 of those processes running on this system. Some of them > > are running for weeks like the above. Others are running for days. > > > > This situation looks like a kernel bug to me. Do you have any idea of > > anything that might be triggering it in the OpenSSH code in this old > > version of OpenSSH ? > > > > > > Thanks, > > Flavien. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- From imorgan at nas.nasa.gov Fri Mar 22 03:11:32 2013 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 21 Mar 2013 09:11:32 -0700 Subject: sshfs -o rellinks (module option) rejected by fuse In-Reply-To: <514ABBC1.4080703@charlesmatkinson.org> References: <514ABBC1.4080703@charlesmatkinson.org> Message-ID: <20130321161132.GF3045@linux124.nas.nasa.gov> On Thu, Mar 21, 2013 at 02:50:25 -0500, Charles wrote: > New to sshfs and new to this mailing list so please guide me if required. > > Is this a bug? When sshfs is given option -o rellinks, it responds with > fuse: unknown option `rellinks' > According to my understanding of the sshfs man page and --help output > this option a) is valid and b) should be passed to the module, not to fuse. > > Versions: > SSHFS version 2.4 > FUSE library version: 2.8.5 > fusermount version: 2.8.5 > using FUSE kernel interface version 7.12 > OS: Slackware64 14.0 > > Incidentally, I'm thinking of making two sshfs documentation enhancement > requests. But are they based on misconception? They are: > > 1. Mount options. In the sshfs general options, mount options (-o > opt,[opt...]) documentation, additionally specify which options are > available. > > Rationale: sshfs rightly does not support all the mount man page's > "FILESYSTEM INDEPENDENT MOUNT OPTIONS" and the mount man page does not > have a section for sshfs. There is thus no documentation to tell the > sshfs user which mount options are available. For example I found by > experiment that noatime is accepted but nodiratime and noiversion are not. > > 2. Command path completion. Add a note in the documentation that this > does not work. For example when the user types cd / > then tab and tab, nothing is listed as it is for the usual file systems. > > Rationale: this is not customary behaviour. Nice for there to be no > surprises for the user who has read the documentation. Nice for the > user who finds and investigates unusual behaviour to have it confirmed > as normal in the documentation. > Although some on this mailing list undoubtedly use sshfs, you should really be posting your question to a list specifically for sshfs. This list is for OpenSSH and only deals with sshfs in the context of occasional feature enhancements to sftp-server. -- Iain Morgan From djm at cvs.openbsd.org Fri Mar 22 11:38:43 2013 From: djm at cvs.openbsd.org (Damien Miller) Date: Thu, 21 Mar 2013 18:38:43 -0600 (MDT) Subject: Announce: OpenSSH 6.2 released Message-ID: <201303220038.r2M0chNQ002722@cvs.openbsd.org> Changes since OpenSSH 6.1 ========================= This release introduces a number of new features: Features: * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in SSH protocol 2. The new cipher is available as aes128-gcm at openssh.com and aes256-gcm at openssh.com. It uses an identical packet format to the AES-GCM mode specified in RFC 5647, but uses simpler and different selection rules during key exchange. * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes for SSH protocol 2. These modes alter the packet format and compute the MAC over the packet length and encrypted packet rather than over the plaintext data. These modes are considered more secure and are used by default when available. * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as "umac-128 at openssh.com" and "umac-128-etm at openssh.com". The latter being an encrypt-then-mac mode. * sshd(8): Added support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete. This allows, for example, requiring a user having to authenticate via public key or GSSAPI before they are offered password authentication. * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists (KRLs), a compact binary format to represent lists of revoked keys and certificates that take as little as one bit per certificate when revoking by serial number. KRLs may be generated using ssh-keygen(1) and are loaded into sshd(8) via the existing RevokedKeys sshd_config option. * ssh(1): IdentitiesOnly now applies to keys obtained from a PKCS11Provider. This allows control of which keys are offered from tokens using IdentityFile. * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" and "remote" in addition to its previous "yes"/"no" keywords to allow the server to specify whether just local or remote TCP forwarding is enabled. * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option. * sftp-server(8): Now supports a -d option to allow the starting directory to be something other than the user's home directory. * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11 tokens using "ssh-keygen -lD pkcs11_provider". * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1) now immediately sends its SSH protocol banner to the server without waiting to receive the server's banner, saving time when connecting. * ssh(1): Added ~v and ~V escape sequences to raise and lower the logging level respectively. * ssh(1): Made the escape command help (~?) context sensitive so that only commands that will work in the current session are shown. * ssh-keygen(1): When deleting host lines from known_hosts using "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines were removed. Bugfixes: * ssh(1): Force a clean shutdown of ControlMaster client sessions when the ~. escape sequence is used. This means that ~. should now work in mux clients even if the server is no longer responding. * ssh(1): Correctly detect errors during local TCP forward setup in multiplexed clients. bz#2055 * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with adding keys with respect to certificates. It now tries to delete the corresponding certificate and respects the -k option to allow deleting of the key only. * sftp(1): Fix a number of parsing and command-editing bugs, including bz#1956 * ssh(1): When muxmaster is run with -N, ensured that it shuts down gracefully when a client sends it "-O stop" rather than hanging around. bz#1985 * ssh-keygen(1): When screening moduli candidates, append to the file rather than overwriting to allow resumption. bz#1957 * ssh(1): Record "Received disconnect" messages at ERROR rather than INFO priority. bz#2057. * ssh(1): Loudly warn if explicitly-provided private key is unreadable. bz#1981 Portable OpenSSH: * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM platforms where the kernel supports it. * sshd(8): The seccomp-filter sandbox will not be enabled if the system headers support it at compile time, regardless of whether it can be enabled then. If the run-time system does not support seccomp-filter, sshd will fall back to the rlimit pseudo-sandbox. * ssh(1): Don't link in the Kerberos libraries. They aren't necessary on the client, just on sshd(8). bz#2072 * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI library. bz#2073 * Fix compilation on systems with openssl-1.0.0-fips. * Fix a number of errors in the RPM spec files. Checksums: ========== - SHA1 (openssh-6.2.tar.gz) = b3f6cd774d345f22f6d0038cc9464cce131a0676 - SHA1 (openssh-6.2p1.tar.gz) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom. From rak at debian.org Fri Mar 22 12:51:27 2013 From: rak at debian.org (Ryan Kavanagh) Date: Thu, 21 Mar 2013 21:51:27 -0400 Subject: [PATCH] Allow matching HostName against Host entries Message-ID: <20130322015127.GC30194@nu.ryanak.ca> It would be useful to allow matching HostName entries against Host entries. That's to say, I would find it very convenient to have an ssh_config like: Host zeus HostName zeus.greek.gods User hades Host hera HostName hera.greek.gods # [ ... ] Host *.greek.gods User poseidon UserKnownHostsFile ~/.ssh/known_hosts.d/athens # [ Default settings for *.greek.gods ] where I can then go $ ssh zeus to log in as hades on zeus.greek.gods, using the settings in the stanzas matching zeus and zeus.greek.gods. Similarly, $ ssh hera to log on as poseidon on hera.greek.gods, using the settings in the stanzas matching hera and hera.greek.gods. This allows me to set an "alias" for frequently hosts while still using the settings matching the associated HostName. This is similar to writing Host zeus HostName zeus.greek.gods User hades Host hera HostName hera.greek.gods # [ ... ] Host *.greek.gods zeus hera [ ... ] User poseidon UserKnownHostsFile ~/.ssh/known_hosts.d/athens # [ Default settings for *.greek.gods ] making use of the "fallthrough" functionality of ssh's config parser, where each Host stanza matching the name given on the command line is parsed, setting any parameters not previously set. Unfortunately, this becomes unmanageable for large numbers of "aliases". Now said functionality might break existing SSH configs, and some users might find it undesirable, so I've added the following ssh_config parameter: MatchHostName This option matches the value of HostName against any subsequent Host entries. MatchHostName may be set at any point, but only takes effect once HostName is set. The argument to this keyword must be ``yes'' or ``no''. The default is ``no''. Please see the patch below for the details. I wasn't able to get SSH to build on a CVS checkout of OpenBSD-current (with or without the patch), but it applied, compiled, and ran fine on my CVS checkout of OpenBSD 5.2. Best wishes, Ryan -- |_)|_/ Ryan Kavanagh | Debian Developer | \| \ http://ryanak.ca/ | GPG Key 4A11C97A Index: usr.bin/ssh/ssh_config.5 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v retrieving revision 1.161 diff -u -r1.161 ssh_config.5 --- usr.bin/ssh/ssh_config.5 8 Jan 2013 18:49:04 -0000 1.161 +++ usr.bin/ssh/ssh_config.5 22 Mar 2013 01:34:26 -0000 @@ -810,6 +810,22 @@ hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 .Ed +.It Cm MatchHostName +This option matches the value of +.Cm HostName +against any subsequent +.Cm Host +entries. +.Cm MatchHostName +may be set at any point, but only takes effect once +.Cm HostName +is set. +The argument to this keyword must be +.Dq yes +or +.Dq no . +The default is +.Dq no . .It Cm NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. In this case localhost will refer to a different machine on each of Index: usr.bin/ssh/readconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/readconf.c,v retrieving revision 1.197 diff -u -r1.197 readconf.c --- usr.bin/ssh/readconf.c 6 Mar 2013 23:36:53 -0000 1.197 +++ usr.bin/ssh/readconf.c 22 Mar 2013 01:34:26 -0000 @@ -128,7 +128,7 @@ oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, + oHashKnownHosts, oMatchHostName, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oKexAlgorithms, oIPQoS, oRequestTTY, @@ -228,6 +228,7 @@ { "controlmaster", oControlMaster }, { "controlpersist", oControlPersist }, { "hashknownhosts", oHashKnownHosts }, + { "matchhostname", oMatchHostName }, { "tunnel", oTunnel }, { "tunneldevice", oTunnelDevice }, { "localcommand", oLocalCommand }, @@ -823,7 +824,9 @@ negated = *arg == '!'; if (negated) arg++; - if (match_pattern(host, arg)) { + if (match_pattern(host, arg) || + (options->match_host_name == 1 && &options->hostname != NULL && + match_pattern(options->hostname, arg))) { if (negated) { debug("%.200s line %d: Skipping Host " "block because of negated match " @@ -970,6 +973,10 @@ intptr = &options->hash_known_hosts; goto parse_flag; + case oMatchHostName: + intptr = &options->match_host_name; + goto parse_flag; + case oTunnel: intptr = &options->tun_open; arg = strdelim(&s); @@ -1207,6 +1214,7 @@ options->control_persist = -1; options->control_persist_timeout = 0; options->hash_known_hosts = -1; + options->match_host_name = -1; options->tun_open = -1; options->tun_local = -1; options->tun_remote = -1; @@ -1345,6 +1353,8 @@ } if (options->hash_known_hosts == -1) options->hash_known_hosts = 0; + if (options->match_host_name == -1) + options->match_host_name = 0; if (options->tun_open == -1) options->tun_open = SSH_TUNMODE_NO; if (options->tun_local == -1) Index: usr.bin/ssh/readconf.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/readconf.h,v retrieving revision 1.93 diff -u -r1.93 readconf.h --- usr.bin/ssh/readconf.h 22 Feb 2013 04:45:09 -0000 1.93 +++ usr.bin/ssh/readconf.h 22 Mar 2013 01:34:26 -0000 @@ -125,6 +125,8 @@ int hash_known_hosts; + int match_host_name; + int tun_open; /* tun(4) */ int tun_local; /* force tun device (optional) */ int tun_remote; /* force tun device (optional) */ From dtucker at zip.com.au Fri Mar 22 16:08:15 2013 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 22 Mar 2013 16:08:15 +1100 Subject: additional compiler hardening flags Message-ID: <20130322050815.GA6024@gate.dtucker.net> Hi all. Any reason not to turn these on if the system supports them? They're cheap but not free (a bit under 1% slower to run the complete regress suite in a completely unscientific test). They're based on info from these places: https://wiki.ubuntu.com/ToolChain/CompilerFlags http://wiki.debian.org/Hardening http://www.gentoo.org/proj/en/hardened/gnu-stack.xml and I've attempted to take the ones that make sense for openssh. >From my reading, -fPIE should be sufficient since we're not building a shared library, however having -fPIC to does not seem to hurt. Things in those pages that I don't think are needed: -Wa,--noexecstack (don't have any assembler sources) . --param=ssp-buffer-size=4 (superceded by -fstack-protector-all) Tests/comments/corrections welcome. Index: Makefile.in =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/Makefile.in,v retrieving revision 1.336 diff -u -p -r1.336 Makefile.in --- Makefile.in 7 Mar 2013 15:37:13 -0000 1.336 +++ Makefile.in 22 Mar 2013 02:42:20 -0000 @@ -383,7 +383,7 @@ uninstall: regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ - $(CC) $(CPPFLAGS) -o $@ $? \ + $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \ $(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) Index: aclocal.m4 =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/aclocal.m4,v retrieving revision 1.8 diff -u -p -r1.8 aclocal.m4 --- aclocal.m4 20 May 2011 01:45:25 -0000 1.8 +++ aclocal.m4 22 Mar 2013 02:42:20 -0000 @@ -21,6 +21,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ ) }]) +dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag]) +dnl Check that $LD accepts a flag 'check_flag'. If it is supported append +dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append +dnl 'check_flag'. +AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{ + AC_MSG_CHECKING([if $LD supports $1]) + saved_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $1" + _define_flag="$2" + test "x$_define_flag" = "x" && _define_flag="$1" + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])], + [ AC_MSG_RESULT([yes]) + LDFLAGS="$saved_LDFLAGS $_define_flag"], + [ AC_MSG_RESULT([no]) + LDFLAGS="$saved_LDFLAGS" ] + ) +}]) dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol) dnl Does AC_EGREP_HEADER on 'header' for the string 'field' Index: configure.ac =================================================================== RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v retrieving revision 1.519 diff -u -p -r1.519 configure.ac --- configure.ac 22 Mar 2013 01:49:15 -0000 1.519 +++ configure.ac 22 Mar 2013 04:45:37 -0000 @@ -138,6 +138,13 @@ if test "$GCC" = "yes" || test "$GCC" = OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result]) OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing]) OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2]) + OSSH_CHECK_CFLAG_COMPILE([-ftrapv]) + OSSH_CHECK_CFLAG_COMPILE([-fPIC]) + OSSH_CHECK_CFLAG_COMPILE([-fPIE]) + OSSH_CHECK_LDFLAG_LINK([-pie]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now]) + OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack]) AC_MSG_CHECKING([gcc version]) GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'` case $GCC_VER in -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From andyb1 at andy-t.org Sat Mar 23 01:57:04 2013 From: andyb1 at andy-t.org (Andy Tsouladze) Date: Fri, 22 Mar 2013 09:57:04 -0500 (CDT) Subject: Announce: OpenSSH 6.2 released In-Reply-To: <201303220038.r2M0chNQ002722@cvs.openbsd.org> References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> Message-ID: > * sshd(8): Added support for multiple required authentication in SSH > protocol 2 via an AuthenticationMethods option. This option lists > one or more comma-separated lists of authentication method names. > Successful completion of all the methods in any list is required for > authentication to complete. This allows, for example, requiring a > user having to authenticate via public key or GSSAPI before they > are offered password authentication. I have compiled and installed openssh-6.2, and configured it to use AuthenticationMethods publickey,password It works well but it returns a message "Authenticated with partial success." after the key is accepted. If I change the order of authentication to be `password,publickey', the same message is returned after password is accepted. IMHO, no message should be printed until full authentication is completed, because "partial success" will give an attacker a clue as to what is going on. Can this message be suppressed? If so, does it require a patch, or just some config option? Regards, Andy Dr Andy Tsouladze Sr Unix/Storage SysAdmin From mfriedl at gmail.com Sat Mar 23 02:58:53 2013 From: mfriedl at gmail.com (Markus Friedl) Date: Fri, 22 Mar 2013 16:58:53 +0100 Subject: Announce: OpenSSH 6.2 released In-Reply-To: References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> Message-ID: no. check http://tools.ietf.org/html/rfc4252 Am 22.03.2013 um 15:57 schrieb Andy Tsouladze : > >> * sshd(8): Added support for multiple required authentication in SSH >> protocol 2 via an AuthenticationMethods option. This option lists >> one or more comma-separated lists of authentication method names. >> Successful completion of all the methods in any list is required for >> authentication to complete. This allows, for example, requiring a >> user having to authenticate via public key or GSSAPI before they >> are offered password authentication. > > I have compiled and installed openssh-6.2, and configured it to use > > AuthenticationMethods publickey,password > > It works well but it returns a message "Authenticated with partial success." after the key is accepted. If I change the order of authentication to be `password,publickey', the same message is returned after password is accepted. IMHO, no message should be printed until full authentication is completed, because "partial success" will give an attacker a clue as to what is going on. Can this message be suppressed? If so, does it require a patch, or just some config option? > > Regards, > > Andy > > Dr Andy Tsouladze > Sr Unix/Storage SysAdmin > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From imorgan at nas.nasa.gov Sat Mar 23 12:20:20 2013 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Fri, 22 Mar 2013 18:20:20 -0700 Subject: Announce: OpenSSH 6.2 released In-Reply-To: <201303220038.r2M0chNQ002722@cvs.openbsd.org> References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> Message-ID: <20130323012020.GG3045@linux124.nas.nasa.gov> There are some _really_ nice features in this release. Thanks to the OpenSSH developers for all their effort! -- Iain Morgan On Thu, Mar 21, 2013 at 19:38:43 -0500, Damien Miller wrote: > > Changes since OpenSSH 6.1 > ========================= > > This release introduces a number of new features: > > Features: > > * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in > SSH protocol 2. The new cipher is available as aes128-gcm at openssh.com > and aes256-gcm at openssh.com. It uses an identical packet format to the > AES-GCM mode specified in RFC 5647, but uses simpler and different > selection rules during key exchange. > > * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes > for SSH protocol 2. These modes alter the packet format and compute > the MAC over the packet length and encrypted packet rather than over > the plaintext data. These modes are considered more secure and are > used by default when available. > > * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as > "umac-128 at openssh.com" and "umac-128-etm at openssh.com". The latter > being an encrypt-then-mac mode. > > * sshd(8): Added support for multiple required authentication in SSH > protocol 2 via an AuthenticationMethods option. This option lists > one or more comma-separated lists of authentication method names. > Successful completion of all the methods in any list is required for > authentication to complete. This allows, for example, requiring a > user having to authenticate via public key or GSSAPI before they > are offered password authentication. > > * sshd(8)/ssh-keygen(1): Added support for Key Revocation Lists > (KRLs), a compact binary format to represent lists of revoked keys > and certificates that take as little as one bit per certificate when > revoking by serial number. KRLs may be generated using ssh-keygen(1) > and are loaded into sshd(8) via the existing RevokedKeys sshd_config > option. > > * ssh(1): IdentitiesOnly now applies to keys obtained from a > PKCS11Provider. This allows control of which keys are offered from > tokens using IdentityFile. > > * sshd(8): sshd_config(5)'s AllowTcpForwarding now accepts "local" > and "remote" in addition to its previous "yes"/"no" keywords to allow > the server to specify whether just local or remote TCP forwarding is > enabled. > > * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to > support fetching authorized_keys from a command in addition to (or > instead of) from the filesystem. The command is run under an account > specified by an AuthorizedKeysCommandUser sshd_config(5) option. > > * sftp-server(8): Now supports a -d option to allow the starting > directory to be something other than the user's home directory. > > * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11 > tokens using "ssh-keygen -lD pkcs11_provider". > > * ssh(1): When SSH protocol 2 only is selected (the default), ssh(1) > now immediately sends its SSH protocol banner to the server without > waiting to receive the server's banner, saving time when connecting. > > * ssh(1): Added ~v and ~V escape sequences to raise and lower the > logging level respectively. > > * ssh(1): Made the escape command help (~?) context sensitive so that > only commands that will work in the current session are shown. > > * ssh-keygen(1): When deleting host lines from known_hosts using > "ssh-keygen -R host", ssh-keygen(1) now prints details of which lines > were removed. > > Bugfixes: > > * ssh(1): Force a clean shutdown of ControlMaster client sessions when > the ~. escape sequence is used. This means that ~. should now work in > mux clients even if the server is no longer responding. > > * ssh(1): Correctly detect errors during local TCP forward setup in > multiplexed clients. bz#2055 > > * ssh-add(1): Made deleting explicit keys "ssh-add -d" symmetric with > adding keys with respect to certificates. It now tries to delete the > corresponding certificate and respects the -k option to allow deleting > of the key only. > > * sftp(1): Fix a number of parsing and command-editing bugs, including > bz#1956 > > * ssh(1): When muxmaster is run with -N, ensured that it shuts down > gracefully when a client sends it "-O stop" rather than hanging around. > bz#1985 > > * ssh-keygen(1): When screening moduli candidates, append to the file > rather than overwriting to allow resumption. bz#1957 > > * ssh(1): Record "Received disconnect" messages at ERROR rather than > INFO priority. bz#2057. > > * ssh(1): Loudly warn if explicitly-provided private key is unreadable. > bz#1981 > > Portable OpenSSH: > > * sshd(8): The Linux seccomp-filter sandbox is now supported on ARM > platforms where the kernel supports it. > > * sshd(8): The seccomp-filter sandbox will not be enabled if the system > headers support it at compile time, regardless of whether it can be > enabled then. If the run-time system does not support seccomp-filter, > sshd will fall back to the rlimit pseudo-sandbox. > > * ssh(1): Don't link in the Kerberos libraries. They aren't necessary > on the client, just on sshd(8). bz#2072 > > * Fix GSSAPI linking on Solaris, which uses a differently-named GSSAPI > library. bz#2073 > > * Fix compilation on systems with openssl-1.0.0-fips. > > * Fix a number of errors in the RPM spec files. > > Checksums: > ========== > > - SHA1 (openssh-6.2.tar.gz) = b3f6cd774d345f22f6d0038cc9464cce131a0676 > - SHA1 (openssh-6.2p1.tar.gz) = 8824708c617cc781b2bb29fa20bd905fd3d2a43d > > Reporting Bugs: > =============== > > - Please read http://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, > Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and > Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev -- Iain Morgan From peter at stuge.se Sat Mar 23 13:09:06 2013 From: peter at stuge.se (Peter Stuge) Date: Sat, 23 Mar 2013 03:09:06 +0100 Subject: Announce: OpenSSH 6.2 released In-Reply-To: References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> Message-ID: <20130323020906.5892.qmail@stuge.se> Andy Tsouladze wrote: > "partial success" will give an attacker a clue .. > Can this message be suppressed? If so, does it require a patch, or > just some config option? The message can be removed, but as Markus pointed out the information is part of the wire protocol, so there is no way to stop the attacker from clue. //Peter From vinschen at redhat.com Wed Mar 27 06:48:16 2013 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 26 Mar 2013 20:48:16 +0100 Subject: Announce: OpenSSH 6.2 released In-Reply-To: <201303220038.r2M0chNQ002722@cvs.openbsd.org> References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> Message-ID: <20130326194816.GJ7127@calimero.vinschen.de> Hi guys, On Mar 21 18:38, Damien Miller wrote: > > Changes since OpenSSH 6.1 > ========================= > > This release introduces a number of new features: > > Features: > > * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in > SSH protocol 2. The new cipher is available as aes128-gcm at openssh.com > and aes256-gcm at openssh.com. It uses an identical packet format to the > AES-GCM mode specified in RFC 5647, but uses simpler and different > selection rules during key exchange. > > * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes > for SSH protocol 2. These modes alter the packet format and compute > the MAC over the packet length and encrypted packet rather than over > the plaintext data. These modes are considered more secure and are > used by default when available. > > * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as > "umac-128 at openssh.com" and "umac-128-etm at openssh.com". The latter > being an encrypt-then-mac mode. while I can build openssh-6.2p1 fine on Cygwin for i686, I just found that it doesn't build on the yet-to-be-released Cygwin for x86_64. The reason is a clash of the UINT64 type. It gets defined in umac.c as well as in the Windows headers. The Windows headers define it like this: typedef unsigned __int64 UINT64,*PUINT64; The interesting thing here is that the same clash occurs in the i686 version, but gcc does not complain. It only complains when building for x86_64 for some reason. It could be a result of using different gcc versions (4.5.3 on i686, 4.8.0 on x86_64), but I'm not sure. For the time being, I applied the following patch: Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.15 diff -u -p -r1.15 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 28 Aug 2012 09:57:19 -0000 1.15 +++ openbsd-compat/bsd-cygwin_util.h 26 Mar 2013 19:45:01 -0000 @@ -37,10 +37,13 @@ #undef ERROR #define WIN32_LEAN_AND_MEAN +#define UINT64 __UINT64 #include #include #include + +#undef UINT64 /* Make sure _WIN32 isn't defined later in the code, otherwise headers from other packages might get the wrong idea about the target system. */ Is that ok to apply? Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From openssh at roumenpetrov.info Wed Mar 27 08:36:03 2013 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Tue, 26 Mar 2013 23:36:03 +0200 Subject: Announce: OpenSSH 6.2 released In-Reply-To: <20130326194816.GJ7127@calimero.vinschen.de> References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> <20130326194816.GJ7127@calimero.vinschen.de> Message-ID: <515214C3.6090502@roumenpetrov.info> Corinna Vinschen wrote: > Hi guys, > > On Mar 21 18:38, Damien Miller wrote: >> Changes since OpenSSH 6.1 >> ========================= >> >> This release introduces a number of new features: >> >> Features: >> >> * ssh(1)/sshd(8): Added support for AES-GCM authenticated encryption in >> SSH protocol 2. The new cipher is available as aes128-gcm at openssh.com >> and aes256-gcm at openssh.com. It uses an identical packet format to the >> AES-GCM mode specified in RFC 5647, but uses simpler and different >> selection rules during key exchange. >> >> * ssh(1)/sshd(8): Added support for encrypt-then-mac (EtM) MAC modes >> for SSH protocol 2. These modes alter the packet format and compute >> the MAC over the packet length and encrypted packet rather than over >> the plaintext data. These modes are considered more secure and are >> used by default when available. >> >> * ssh(1)/sshd(8): Added support for the UMAC-128 MAC as >> "umac-128 at openssh.com" and "umac-128-etm at openssh.com". The latter >> being an encrypt-then-mac mode. > while I can build openssh-6.2p1 fine on Cygwin for i686, I just found > that it doesn't build on the yet-to-be-released Cygwin for x86_64. > > The reason is a clash of the UINT64 type. It gets defined in umac.c as > well as in the Windows headers. The Windows headers define it like > this: > > typedef unsigned __int64 UINT64,*PUINT64; winapi: $ grep typedef.*UINT b* basetsd.h:typedef unsigned char UINT8; basetsd.h:typedef unsigned short UINT16; basetsd.h:typedef unsigned int UINT32, *PUINT32; basetsd.h:typedef unsigned __int64 UINT_PTR, *PUINT_PTR; basetsd.h:typedef unsigned int UINT_PTR, *PUINT_PTR; basetsd.h:typedef unsigned __int64 UINT64, *PUINT64; openssh: $ grep typedef.*UINT u* umac.c:typedef u_int8_t UINT8; /* 1 byte */ umac.c:typedef u_int16_t UINT16; /* 2 byte */ umac.c:typedef u_int32_t UINT32; /* 4 byte */ umac.c:typedef u_int64_t UINT64; /* 8 bytes */ > > The interesting thing here is that the same clash occurs in the i686 > version, but gcc does not complain. It only complains when building > for x86_64 for some reason. It could be a result of using different > gcc versions (4.5.3 on i686, 4.8.0 on x86_64), but I'm not sure. > > For the time being, I applied the following patch: > > Index: openbsd-compat/bsd-cygwin_util.h > =================================================================== > RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v > retrieving revision 1.15 > diff -u -p -r1.15 bsd-cygwin_util.h > --- openbsd-compat/bsd-cygwin_util.h 28 Aug 2012 09:57:19 -0000 1.15 > +++ openbsd-compat/bsd-cygwin_util.h 26 Mar 2013 19:45:01 -0000 > @@ -37,10 +37,13 @@ > #undef ERROR > > #define WIN32_LEAN_AND_MEAN > +#define UINT64 __UINT64 > > #include > #include > #include > + > +#undef UINT64 > > /* Make sure _WIN32 isn't defined later in the code, otherwise headers from > other packages might get the wrong idea about the target system. */ > > Is that ok to apply? Question is if build is fine for UINTnn where nn < 64 , why fail for 64 ? May be correct patch is to define u_int64_t to be same as as unsigned __int64 ? Please confirm that u_intNN_t, where NN < 64 are properly (re-)defined ? > > Thanks, > Corinna > Regards, Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From vinschen at redhat.com Wed Mar 27 09:02:10 2013 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 26 Mar 2013 23:02:10 +0100 Subject: Announce: OpenSSH 6.2 released In-Reply-To: <515214C3.6090502@roumenpetrov.info> References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> <20130326194816.GJ7127@calimero.vinschen.de> <515214C3.6090502@roumenpetrov.info> Message-ID: <20130326220210.GL7127@calimero.vinschen.de> On Mar 26 23:36, Roumen Petrov wrote: > Corinna Vinschen wrote: > >The reason is a clash of the UINT64 type. It gets defined in umac.c as > >well as in the Windows headers. The Windows headers define it like > >this: > > > > typedef unsigned __int64 UINT64,*PUINT64; > Question is if build is fine for UINTnn where nn < 64 , why fail for 64 ? u_int64_t is unsigned long, while unsigned __int64 is unsigned long long. > May be correct patch is to define u_int64_t to be same as as > unsigned __int64 ? The right thing is to fix the __int64 definition in _mingw.h.in for LP64 targets. I'll send a patch to the mingw64 ML tomorrow. Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From vinschen at redhat.com Thu Mar 28 01:14:18 2013 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 27 Mar 2013 15:14:18 +0100 Subject: [patch] Update bsd-cygwin_util files (was Re: Announce: OpenSSH 6.2 released) In-Reply-To: <20130326220210.GL7127@calimero.vinschen.de> References: <201303220038.r2M0chNQ002722@cvs.openbsd.org> <20130326194816.GJ7127@calimero.vinschen.de> <515214C3.6090502@roumenpetrov.info> <20130326220210.GL7127@calimero.vinschen.de> Message-ID: <20130327141418.GA5860@calimero.vinschen.de> On Mar 26 23:02, Corinna Vinschen wrote: > On Mar 26 23:36, Roumen Petrov wrote: > > Corinna Vinschen wrote: > > >The reason is a clash of the UINT64 type. It gets defined in umac.c as > > >well as in the Windows headers. The Windows headers define it like > > >this: > > > > > > typedef unsigned __int64 UINT64,*PUINT64; > > Question is if build is fine for UINTnn where nn < 64 , why fail for 64 ? > > u_int64_t is unsigned long, while unsigned __int64 is unsigned long long. > > > May be correct patch is to define u_int64_t to be same as as > > unsigned __int64 ? > > The right thing is to fix the __int64 definition in _mingw.h.in for > LP64 targets. I'll send a patch to the mingw64 ML tomorrow. On second thought (and after some sleep), this is probably not the right thing to do. Changing the type for UINT64 in the Windows headers just because of a single instance of clashing definitions in a POSIX file is pretty intrusive. The potential side effects of this change are simply not worth it. As a result I have now reworked the bsd-cygwin_util.* files in openbsd-compat. The most important change is not to include the windows.h header at all. The only two Windows definitions used are HANDLE and INVALID_HANDLE_VALUE. I defined those in bsd-cygwin_util.h so there's no reason anymore to include windows headers. This fixes the UINT64 issue as well, obviously. Additionally I made the handling of open vs. binary_open a bit more clear (I think) by introducing a NO_BINARY_OPEN definition. Is that ok to apply? Thanks, Corinna Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.24 diff -u -p -r1.24 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 13 Feb 2012 19:38:38 -0000 1.24 +++ openbsd-compat/bsd-cygwin_util.c 27 Mar 2013 12:59:07 -0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2001, 2011 Corinna Vinschen + * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -27,20 +27,15 @@ * binary mode on Windows systems. */ +#define NO_BINARY_OPEN /* Avoid redefining open to binary_open for this file */ #include "includes.h" #ifdef HAVE_CYGWIN -#if defined(open) && open == binary_open -# undef open -#endif - #include - #include -#include +#include #include -#include #include "xmalloc.h" Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.15 diff -u -p -r1.15 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 28 Aug 2012 09:57:19 -0000 1.15 +++ openbsd-compat/bsd-cygwin_util.h 27 Mar 2013 12:59:07 -0000 @@ -1,7 +1,7 @@ /* $Id: bsd-cygwin_util.h,v 1.15 2012/08/28 09:57:19 dtucker Exp $ */ /* - * Copyright (c) 2000, 2001, 2011 Corinna Vinschen + * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -36,24 +36,21 @@ #undef ERROR -#define WIN32_LEAN_AND_MEAN +/* Avoid including windows headers. */ +typedef void *HANDLE; +#define INVALID_HANDLE_VALUE ((HANDLE) -1) -#include #include #include -/* Make sure _WIN32 isn't defined later in the code, otherwise headers from - other packages might get the wrong idea about the target system. */ -#ifdef _WIN32 -#undef _WIN32 -#endif - int binary_open(const char *, int , ...); int check_ntsec(const char *); char **fetch_windows_environment(void); void free_windows_environment(char **); +#ifndef NO_BINARY_OPEN #define open binary_open +#endif #endif /* HAVE_CYGWIN */ -- Corinna Vinschen Cygwin Maintainer Red Hat