From klausz at haus-gisela.de Mon Feb 1 10:52:35 2016 From: klausz at haus-gisela.de (Klaus Ziegler - owner of sunfreeware.de) Date: Mon, 01 Feb 2016 00:52:35 +0100 Subject: configure warning on SunOS 4.1.4 Message-ID: <56AE9E43.9040606@haus-gisela.de> Hi, I was told to do so by configure of openssh-7.1p2 -:) ... configure: WARNING: sys/audit.h: present but cannot be compiled configure: WARNING: sys/audit.h: check for missing prerequisite headers? configure: WARNING: sys/audit.h: see the Autoconf documentation configure: WARNING: sys/audit.h: section "Present But Cannot Be Compiled" configure: WARNING: sys/audit.h: proceeding with the preprocessor's result configure: WARNING: sys/audit.h: in the future, the compiler will take precedence configure: WARNING: ## ------------------------------------------- ## configure: WARNING: ## Report this to openssh-unix-dev at mindrot.org ## configure: WARNING: ## ------------------------------------------- ## configure options used: --sysconfdir=/etc/ssh --libexecdir=/usr/lib/ssh --sbindir=/usr/lib/ssh --prefix=/usr --with-pid-dir=/var/tmp -with-xauth=/usr/openwin/bin/xauth --with-mantype=man --with-md5-passwords --with-ssl-engine --with-default-path=/usr/bin --with-privsep-path=/var/opt/sshd --with-privsep-user=sshd environment used: PATH=/usr/lang:/opt/sfw/bin:/bin:/usr/ucb:/usr/kvm:/usr/etc:/usr/5bin CFLAGS=-Xa -D__SYS5__ -D__EXTENSIONS__ -xCC -cg92 -fast -nolibmil -xO4 compiler used: acc -V acc: SC3.0.1 12/7/95 patch_101913-05 error in config.log: configure:7525: checking sys/audit.h usability configure:7542: acc -c -Xa -D__SYS5__ -D__EXTENSIONS__ -xCC -cg92 -fast -nolibmil -xO4 conftest.c >&5 "/usr/include/sys/audit.h", line 189: syntax error before or at: blabel_t "/usr/include/sys/audit.h", line 189: cannot recover from previous errors configure:7548: $? = 10 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "OpenSSH" ... can be fixed by the following patch to sys/audith.h: --- audit.h.orig 1994-10-14 20:29:44.000000000 +0100 +++ audit.h 2016-02-01 00:18:49.000000000 +0100 @@ -6,6 +6,9 @@ #ifndef _sys_audit_h #define _sys_audit_h +/* This makes the test for audith.h in openssh-7.1p2 happy -:) */ +#include + /* * Maximum size for audit data passed from the audit system call * This value is arbitrary, so offers of better numbers are invited. let's see how the build goes, when the new openssl has finshed testing the build went fine so far - shared library support is still missing - but we'll see -:) Best Regards Klaus -- Tel: (++49 6105) 968846 Klaus Ziegler Mobil: (++49 172) 3064445 Zeppelinstrasse 3 mailto: klausz at haus-gisela.de D-64546 Walldorf-Moerfelden http://www.haus-gisela.de/~klausz From nkadel at gmail.com Mon Feb 1 18:20:30 2016 From: nkadel at gmail.com (Nico Kadel-Garcia) Date: Mon, 1 Feb 2016 02:20:30 -0500 Subject: configure warning on SunOS 4.1.4 In-Reply-To: <56AE9E43.9040606@haus-gisela.de> References: <56AE9E43.9040606@haus-gisela.de> Message-ID: On Sun, Jan 31, 2016 at 6:52 PM, Klaus Ziegler - owner of sunfreeware.de wrote: > > Hi, > > I was told to do so by configure of openssh-7.1p2 -:) SunOS 4.1.4? Dear lord, that OS is old enough to drink now.I still remember doing the first published ports of ssh-1, ssh-2, and openssh to SunOS way, way back in yesteryear. *Why* are you still running this? I'm not deprecating the work, just wondering why you're supporting an OS more than 20 years old from a company that no longer exists, on an OS that Sun itself tried to deprecate when Solaris came out. From klausz at haus-gisela.de Thu Feb 4 07:52:13 2016 From: klausz at haus-gisela.de (Klaus Ziegler - owner of sunfreeware.de) Date: Wed, 03 Feb 2016 21:52:13 +0100 Subject: configure warning on SunOS 4.1.4 In-Reply-To: References: <56AE9E43.9040606@haus-gisela.de> Message-ID: <56B2687D.4060105@haus-gisela.de> On 01.02.16 08:20, Nico Kadel-Garcia wrote: > SunOS 4.1.4? Dear lord, that OS is old enough to drink now.I still > remember doing the first published ports of ssh-1, ssh-2, and openssh > to SunOS way, way back in yesteryear. *Why* are you still running > this? I'm not deprecating the work, just wondering why you're > supporting an OS more than 20 years old from a company that no longer > exists, on an OS that Sun itself tried to deprecate when Solaris came > out. Hi Nico, well, I used to work for that company and went through all thinkable migrations from SunOS to Solaris at many customer sites. Now I'm old and play around with some of these oldtimer's I've sitting around here. And not to get too rusty I try to get some things going. To be honest I don't want to get SSH for SunOS 4.1.4 running, instead I want to have have it for SunOS 4.1.1_U1 on Sun3x architecture (3/80). But since compiling on this even more older hardware I begun my work on a SS10 with 4.1.4 - 2x60Mhz/512MB memory. But to something more serious, you would be wondering how much people still use such old operating systems on some island-systems which would love to have a secure connectivity for. The last known working SecureShell server for Sun3 you can get is: OpenSSH-4.3p2, OpenSSL 0.98a from: http://www.sun3arc.org/precompiled/precomp.phtml - I have a working OpenSSL 1.0.2f for Sun4 now the build for Sun3 will follow when SSH is working. I even have made good progress implementing the missing snprintf into the libc to at least have the underlying zlib as secure as possible. But if you tell me you will abandon SunOS4 completely I would be sad, but well the world doesn't go down the bin because of that. And after all it's much fun -:) So the first build on SPARC is fished and installed the conclusions so far: hostnameresolution isn't working - only IP's possible everything runs without dumping at least a core. if trying to connect via ssh from the build system to any other secure-shell server the following happens: nobody at nosystem % ssh 192.168.xxx.xxx The authenticity of host '192.168.xxx.xxx (192.168.xxx.xxx)' can't be established. RSA key fingerprint is SHA256:TtrEzvxTL5C... Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.xxx.xxx' (RSA) to the list of known hosts. Enter passphrase for key '/home/nobody/.ssh/id_rsa': xreallocarray: out of memory (1 elements of 4 bytes) <-- here is the first thing which goes wrong in xmalloc.c one thing to mention is that blocks.c isn't able to compile with any optimization, just -g is possible no matter if I try gcc-2.95.3/3.2.3 or SPARCworks SC3.0.1 - blocks.c allocates more and ore ram until nothing is left, this one will be hard to find I guess. I will try the bootstrap using SPARCworks again as it found some integer-overflows I hope they aren't real overflows, just bugs in this compiler. I keep you posted of next progresses, please find the patch I did so far - of course not for integration purposes - just to let you know, I know how to use GNU diff/patch -:) Much Regards Klaus -- Tel: (++49 6105) 968846 Klaus Ziegler Mobil: (++49 172) 3064445 Zeppelinstrasse 3 mailto: klausz at haus-gisela.de D-64546 Walldorf-Moerfelden http://www.haus-gisela.de/~klausz From christian.mauderer at embedded-brains.de Thu Feb 4 23:40:30 2016 From: christian.mauderer at embedded-brains.de (Christian Mauderer) Date: Thu, 4 Feb 2016 13:40:30 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) Message-ID: <56B346BE.2030108@embedded-brains.de> Hello, I am searching a SSH server for remote administration of an embedded application running on RTEMS (https://www.rtems.org). This environment has neither virtual memory nor user and kernel space. So this is like an application running in kernel mode only. Would it be possible to run (a very basic version of) OpenSSH in such an environment using e.g. threads instead of forking new subprocesses? Is there already some known similar configuration (e.g. on another embedded OS)? Kind regards Christian Mauderer -- -------------------------------------------- embedded brains GmbH Christian Mauderer Dornierstr. 4 D-82178 Puchheim Germany email: christian.mauderer at embedded-brains.de Phone: +49-89-18 94 741 - 18 Fax: +49-89-18 94 741 - 08 PGP: Public key available on request. Diese Nachricht ist keine gesch?ftliche Mitteilung im Sinne des EHUG. From dgoulet at torproject.org Thu Feb 4 23:40:39 2016 From: dgoulet at torproject.org (David Goulet) Date: Thu, 4 Feb 2016 07:40:39 -0500 Subject: Unix socket support for sshd Message-ID: <20160204124039.GA20026@raoul> Greetings everyone! I would like to know if adding support for Unix socket to sshd would be a feature that would be consider to be added upstream? (ListenAddress). One of the main reason for this question to you all is that tor now has Unix socket support for hidden services that is traffic of a hidden service can be forwarded to a Unix socket (see HiddenServicePort in tor.1). The rationale behind that is basically so someone can set up a server with no inet traffic allowed (firewall, namespace, ) _except_ for the tor daemon and use hidden service to access services on the local machine using only Unix socket, in this case ssh. That being said, if you wouldn't object to this feature being added to ssh, I'm willing to implement it and make the efforts for upstream merge. But before I do start the work, I would like to make sure it's something that won't get an automatic NACK just based on the original idea :). Big thanks! David -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 603 bytes Desc: Digital signature URL: From christian.mauderer at embedded-brains.de Fri Feb 5 00:35:46 2016 From: christian.mauderer at embedded-brains.de (Christian Mauderer) Date: Thu, 4 Feb 2016 14:35:46 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: <20160204131144.GA29422@emyr.net> References: <56B346BE.2030108@embedded-brains.de> <20160204131144.GA29422@emyr.net> Message-ID: <56B353B2.2080702@embedded-brains.de> Am 04.02.2016 um 14:11 schrieb Luca Filipozzi: > On Thu, Feb 04, 2016 at 01:40:30PM +0100, Christian Mauderer wrote: >> I am searching a SSH server for remote administration of an embedded >> application running on RTEMS (https://www.rtems.org). This environment >> has neither virtual memory nor user and kernel space. So this is like an >> application running in kernel mode only. >> >> Would it be possible to run (a very basic version of) OpenSSH in such an >> environment using e.g. threads instead of forking new subprocesses? Is >> there already some known similar configuration (e.g. on another embedded >> OS)? > > https://matt.ucc.asn.au/dropbear/dropbear.html > > http://dropbear.ucc.asn.narkive.com/EzweMUvJ/single-address-space-no-processes Hello Luca Filipozzi, of course you are right: I should have mentioned that my colleague posted nearly the same question on the dropbear mailing list. Dropbear is one of the alternatives that we are evaluating. Currently we are not sure which one would be easier to port. It seems that dropbear would be at least possible to port. One difference is that OpenSSH has an integrated SFTP solution while as far as i know dropbear would need an extra application for that. Kind regards Christian Mauderer -- -------------------------------------------- embedded brains GmbH Christian Mauderer Dornierstr. 4 D-82178 Puchheim Germany email: christian.mauderer at embedded-brains.de Phone: +49-89-18 94 741 - 18 Fax: +49-89-18 94 741 - 08 PGP: Public key available on request. Diese Nachricht ist keine gesch?ftliche Mitteilung im Sinne des EHUG. From roland.mainz at nrubsig.org Fri Feb 5 00:46:57 2016 From: roland.mainz at nrubsig.org (Roland Mainz) Date: Thu, 4 Feb 2016 14:46:57 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: <56B346BE.2030108@embedded-brains.de> References: <56B346BE.2030108@embedded-brains.de> Message-ID: On Thu, Feb 4, 2016 at 1:40 PM, Christian Mauderer wrote: > I am searching a SSH server for remote administration of an embedded > application running on RTEMS (https://www.rtems.org). This environment > has neither virtual memory nor user and kernel space. So this is like an > application running in kernel mode only. > > Would it be possible to run (a very basic version of) OpenSSH in such an > environment using e.g. threads instead of forking new subprocesses? Is > there already some known similar configuration (e.g. on another embedded > OS)? Well, not much harder than a port to the original m68k AmigaOS or most of the military-oriented embedded OSes... not hard but lots of work (unless you have an existing POSIX(-like) layer emulation), mostly related to resource tracking and the socket stuff. ---- Bye, Roland -- __ . . __ (o.\ \/ /.o) roland.mainz at nrubsig.org \__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer /O /==\ O\ TEL +49 641 3992797 (;O/ \/ \O;) From christian.mauderer at embedded-brains.de Fri Feb 5 01:19:36 2016 From: christian.mauderer at embedded-brains.de (Christian Mauderer) Date: Thu, 4 Feb 2016 15:19:36 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: References: <56B346BE.2030108@embedded-brains.de> Message-ID: <56B35DF8.9090402@embedded-brains.de> Am 04.02.2016 um 14:46 schrieb Roland Mainz: > On Thu, Feb 4, 2016 at 1:40 PM, Christian Mauderer > wrote: >> I am searching a SSH server for remote administration of an embedded >> application running on RTEMS (https://www.rtems.org). This environment >> has neither virtual memory nor user and kernel space. So this is like an >> application running in kernel mode only. >> >> Would it be possible to run (a very basic version of) OpenSSH in such an >> environment using e.g. threads instead of forking new subprocesses? Is >> there already some known similar configuration (e.g. on another embedded >> OS)? > > Well, not much harder than a port to the original m68k AmigaOS or most > of the military-oriented embedded OSes... not hard but lots of work > (unless you have an existing POSIX(-like) layer emulation), mostly > related to resource tracking and the socket stuff. > Hello Roland, thanks for the quick answer. I must have overlooked these ports. I have mostly seen the list of full Unixes on this page: http://www.openssh.com/portable.html After your hint, I noted that there are a lot more ports in the sources. Is there some kind of porting guide or a hint where to begin reading documentation? If we would create a port: Would it be theoretically possible to contribute it to the official sources? For the POSIX-layer: RTEMS implements a part of the POSIX standard (or at least of the embedded subset of POSIX). But like I said it doesn't have processes but only threads. Kind Regards Christian Mauderer -- -------------------------------------------- embedded brains GmbH Christian Mauderer Dornierstr. 4 D-82178 Puchheim Germany email: christian.mauderer at embedded-brains.de Phone: +49-89-18 94 741 - 18 Fax: +49-89-18 94 741 - 08 PGP: Public key available on request. Diese Nachricht ist keine gesch?ftliche Mitteilung im Sinne des EHUG. From dkg at fifthhorseman.net Fri Feb 5 02:46:55 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 04 Feb 2016 10:46:55 -0500 Subject: Unix socket support for sshd In-Reply-To: <20160204124039.GA20026@raoul> References: <20160204124039.GA20026@raoul> Message-ID: <87r3gslbps.fsf@alice.fifthhorseman.net> On Thu 2016-02-04 07:40:39 -0500, David Goulet wrote: > I would like to know if adding support for Unix socket to sshd would be a > feature that would be consider to be added upstream? (ListenAddress). fwiw, i think this is a good idea, but i wouldn't implement it as an explicit ListenAddress option: i'd rather have sshd be able to listen on an inherited file descriptor. This would allow generic socket activation, regardless of socket type. --dkg From ronf at timeheart.net Fri Feb 5 02:57:21 2016 From: ronf at timeheart.net (Ron Frederick) Date: Thu, 4 Feb 2016 07:57:21 -0800 Subject: Unix socket support for sshd In-Reply-To: <87r3gslbps.fsf@alice.fifthhorseman.net> References: <20160204124039.GA20026@raoul> <87r3gslbps.fsf@alice.fifthhorseman.net> Message-ID: <9FB8ABBF-F94B-4510-82C4-53874B554D60@timeheart.net> > On Feb 4, 2016, at 7:46 AM, Daniel Kahn Gillmor wrote: > > On Thu 2016-02-04 07:40:39 -0500, David Goulet wrote: > >> I would like to know if adding support for Unix socket to sshd would be a >> feature that would be consider to be added upstream? (ListenAddress). > > fwiw, i think this is a good idea, but i wouldn't implement it as an > explicit ListenAddress option: i'd rather have sshd be able to listen on > an inherited file descriptor. This would allow generic socket > activation, regardless of socket type. Can?t this already be done with ?sshd -i?, by passing in the socket via stdin/stdout? A simple wrapper which listened on the UNIX domain socket could fork & exec ?sshd -i? as new UNIX domain socket connections arrived, similar to inetd. -- Ron Frederick ronf at timeheart.net From dgoulet at torproject.org Fri Feb 5 03:00:27 2016 From: dgoulet at torproject.org (David Goulet) Date: Thu, 4 Feb 2016 11:00:27 -0500 Subject: Unix socket support for sshd In-Reply-To: <87r3gslbps.fsf@alice.fifthhorseman.net> References: <20160204124039.GA20026@raoul> <87r3gslbps.fsf@alice.fifthhorseman.net> Message-ID: <20160204160027.GB29023@raoul> On 04 Feb (10:46:55), Daniel Kahn Gillmor wrote: > On Thu 2016-02-04 07:40:39 -0500, David Goulet wrote: > > > I would like to know if adding support for Unix socket to sshd would be a > > feature that would be consider to be added upstream? (ListenAddress). > > fwiw, i think this is a good idea, but i wouldn't implement it as an > explicit ListenAddress option: i'd rather have sshd be able to listen on > an inherited file descriptor. This would allow generic socket > activation, regardless of socket type. Hrm... not sure I fully understand here. How would sshd inherited an fd? And what do you mean by "allow generic socket activation"? If I understand it, wouldn't that require a wrapper over sshd? Let's assume I set up an sshd and want it to use Unix socket in /foo/bar/ssh.sock, how would that work without me being able to specify somewhere the path? Thanks! David > > --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 603 bytes Desc: Digital signature URL: From dkg at fifthhorseman.net Fri Feb 5 03:25:36 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 04 Feb 2016 11:25:36 -0500 Subject: Unix socket support for sshd In-Reply-To: <9FB8ABBF-F94B-4510-82C4-53874B554D60@timeheart.net> References: <20160204124039.GA20026@raoul> <87r3gslbps.fsf@alice.fifthhorseman.net> <9FB8ABBF-F94B-4510-82C4-53874B554D60@timeheart.net> Message-ID: <87lh70l9xb.fsf@alice.fifthhorseman.net> On Thu 2016-02-04 10:57:21 -0500, Ron Frederick wrote: >> On Feb 4, 2016, at 7:46 AM, Daniel Kahn Gillmor wrote: >> fwiw, i think this is a good idea, but i wouldn't implement it as an >> explicit ListenAddress option: i'd rather have sshd be able to listen on >> an inherited file descriptor. This would allow generic socket >> activation, regardless of socket type. > > Can?t this already be done with ?sshd -i?, by passing in the socket > via stdin/stdout? A simple wrapper which listened on the UNIX domain > socket could fork & exec ?sshd -i? as new UNIX domain socket > connections arrived, similar to inetd. I've done this before (and even had ssh running over the serial console with it), but forking and exec'ing a new sshd instance for each connection is rather different from having a running sshd that can make overall decisions about the state of the machine (e.g. MaxStartups in sshd_config(5)), and it also requires a bunch of initial setup work each time a connection comes in. socket activation handed off to a single running master daemon addresses both of these legit engineering concerns better than an inetd-spawned "sshd -i" would. --dkg From shinose at gmail.com Fri Feb 5 03:42:25 2016 From: shinose at gmail.com (Shinose) Date: Thu, 4 Feb 2016 22:12:25 +0530 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: <56B35DF8.9090402@embedded-brains.de> References: <56B346BE.2030108@embedded-brains.de> <56B35DF8.9090402@embedded-brains.de> Message-ID: On Thu, Feb 4, 2016 at 7:49 PM, Christian Mauderer < christian.mauderer at embedded-brains.de> wrote: > Am 04.02.2016 um 14:46 schrieb Roland Mainz: > > On Thu, Feb 4, 2016 at 1:40 PM, Christian Mauderer > > wrote: > >> I am searching a SSH server for remote administration of an embedded > >> application running on RTEMS (https://www.rtems.org). This environment > >> has neither virtual memory nor user and kernel space. So this is like an > >> application running in kernel mode only. > >> > >> Would it be possible to run (a very basic version of) OpenSSH in such an > >> environment using e.g. threads instead of forking new subprocesses? Is > >> there already some known similar configuration (e.g. on another embedded > >> OS)? > > > > Well, not much harder than a port to the original m68k AmigaOS or most > > of the military-oriented embedded OSes... not hard but lots of work > > (unless you have an existing POSIX(-like) layer emulation), mostly > > related to resource tracking and the socket stuff. > > > > Hello Roland, > > thanks for the quick answer. I must have overlooked these ports. I have > mostly seen the list of full Unixes on this page: > > http://www.openssh.com/portable.html > > After your hint, I noted that there are a lot more ports in the sources. > Is there some kind of porting guide or a hint where to begin reading > documentation? > > If we would create a port: Would it be theoretically possible to > contribute it to the official sources? > > For the POSIX-layer: RTEMS implements a part of the POSIX standard (or > at least of the embedded subset of POSIX). But like I said it doesn't > have processes but only threads. > > Kind Regards > > Christian Mauderer > > -- > -------------------------------------------- > embedded brains GmbH > Christian Mauderer > Dornierstr. 4 > D-82178 Puchheim > Germany > email: christian.mauderer at embedded-brains.de > Phone: +49-89-18 94 741 - 18 > Fax: +49-89-18 94 741 - 08 > PGP: Public key available on request. > > Diese Nachricht ist keine gesch?ftliche Mitteilung im Sinne des EHUG. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > Hi, We have successfully ported OpenSSH along with SFTP-Server for a Greenhills platform, where it was only having single address space and threads. But I could say it was really a painful work to resolve the global variables and data structures to each threads. We have used a total of 3 threads including the SFTP Server. Thanks, Shinose. From dkg at fifthhorseman.net Fri Feb 5 04:31:12 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 04 Feb 2016 12:31:12 -0500 Subject: Unix socket support for sshd In-Reply-To: <20160204160027.GB29023@raoul> References: <20160204124039.GA20026@raoul> <87r3gslbps.fsf@alice.fifthhorseman.net> <20160204160027.GB29023@raoul> Message-ID: <87io24l6vz.fsf@alice.fifthhorseman.net> On Thu 2016-02-04 11:00:27 -0500, David Goulet wrote: > On 04 Feb (10:46:55), Daniel Kahn Gillmor wrote: >> On Thu 2016-02-04 07:40:39 -0500, David Goulet wrote: >> >> > I would like to know if adding support for Unix socket to sshd would be a >> > feature that would be consider to be added upstream? (ListenAddress). >> >> fwiw, i think this is a good idea, but i wouldn't implement it as an >> explicit ListenAddress option: i'd rather have sshd be able to listen on >> an inherited file descriptor. This would allow generic socket >> activation, regardless of socket type. > > Hrm... not sure I fully understand here. How would sshd inherited an fd? And > what do you mean by "allow generic socket activation"? If I understand it, > wouldn't that require a wrapper over sshd? > > Let's assume I set up an sshd and want it to use Unix socket in > /foo/bar/ssh.sock, how would that work without me being able to specify > somewhere the path? The most common toolchain for doing this sort of thing today on GNU/Linux systems is systemd, which acts as pid 1. systemd's pid 1 instance is configured to know which sockets will be listened for by all the daemons on the host, and it pre-opens all of those sockets. Then, when a connection is made to a socket that it knows should belong to a daemon, if that daemon isn't already running, it spawns (fork/execs) it, handing over the relevant socket(s) to the daemon as a file descriptor during startup. There are several advantages to this: * if the daemon can be run in a non-privileged mode, it can start in the non-privileged mode from the beginning. no need for each daemon to need to start privileged to grab the relevant socket and then drop privileges. we've seen many bugs around daemons not properly dropping privileges * no race for grabbing the socket. In the event that multiple daemons are want to listen on the same socket, there's a predictable arbiter (pid 1) who decides where the socket gets passed to, and other daemons that try to listen on that socket get rejected, because the socket is already busy. * before any daemons are running, the sockets are opened for incoming connections. This means there will be much smaller (possibly non-existent) window of time during system startup or daemon restart where the socket itself is closed. Connections made to these sockets before the associated daemon starts up will of course hang until the daemon gets around to responding, but the system won't reject the connections. * socket activation also enables the OS to selectively start services on an as-needed basis. If daemon X depends on daemon Y operationally (because X needs to talk to Y over Y's listening socket), there is no need for explicit representation of this startup dependency -- rather, the daemons are spawned as the first connections come in. Note that the daemon management service (what systemd's pid 1 provides) needs some way to communicate to the spawned daemon which file descriptors it has inherited should be treated as listeners. for systemd, this is a contiguious block of file descriptors starting at fd 3 (SD_LISTEN_FDS_START), and the enviornment variable LISTEN_FDS is a decimal number indicating how many file descriptors to use for listening (see sd_listen_fds(3) from libsystemd for more detail). A reasonable approach that would avoid linking in libsystemd might be to just specify something like ListenFDs N:M (meaning file descriptors N through M are sockets you should listen on). (perhaps -L N:M on the command line, so that the config file could stay static and the spawning daemon manager could dynamically adjust the invocation as sockets were added or removed) --dkg From dtucker at zip.com.au Fri Feb 5 11:11:13 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 5 Feb 2016 11:11:13 +1100 Subject: Unix socket support for sshd In-Reply-To: <9FB8ABBF-F94B-4510-82C4-53874B554D60@timeheart.net> References: <20160204124039.GA20026@raoul> <87r3gslbps.fsf@alice.fifthhorseman.net> <9FB8ABBF-F94B-4510-82C4-53874B554D60@timeheart.net> Message-ID: On Fri, Feb 5, 2016 at 2:57 AM, Ron Frederick wrote: [...] > Can?t this already be done with ?sshd -i?, by passing in the socket via stdin/stdout? yes. > similar to inetd. Looks like inetd on many BSDs and some implementations on Linux already support listening on unix domain sockets. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Feb 5 13:38:24 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 5 Feb 2016 13:38:24 +1100 Subject: configure warning on SunOS 4.1.4 In-Reply-To: <56AE9E43.9040606@haus-gisela.de> References: <56AE9E43.9040606@haus-gisela.de> Message-ID: <20160205023824.GA11214@gate.dtucker.net> On Mon, Feb 01, 2016 at 12:52:35AM +0100, Klaus Ziegler - owner of sunfreeware.de wrote: [...] > "/usr/include/sys/audit.h", line 189: syntax error before or at: blabel_t > "/usr/include/sys/audit.h", line 189: cannot recover from previous errors Does sys/types.h pull in the required headers? The configure tests do this kind of thing: | #ifdef HAVE_SYS_TYPES_H | # include | #endif however right now the AC_CHECK_FUNCS are in alphabetical order so things like sys/types.h don't get checked until quite late. If we check these things first it's probably a bit more likely to avoid this class of problems across the board. Does this patch help? You will need to run "autoreconf" to rebuild configure after applying. > let's see how the build goes, when the new openssl has finshed testing the > build went > fine so far - shared library support is still missing - but we'll see -:) In general, as long as a) someone is willing to do the work and b) it does not compromise support of modern platforms I'm happy to accept patches to support retrocomputing systems :-) diff --git a/configure.ac b/configure.ac index 0b399ce..e97565a 100644 --- a/configure.ac +++ b/configure.ac @@ -365,6 +365,16 @@ AC_ARG_WITH([Werror], ] ) +# Standard system headers used by AC_CHECK_FUNCS, sys ones first. +AC_CHECK_HEADERS([ \ + sys/types.h \ + sys/stat.h \ + stdint.h \ + string.h \ + strings.h \ + unistd.h \ +]) + AC_CHECK_HEADERS([ \ blf.h \ bstring.h \ @@ -399,7 +409,6 @@ AC_CHECK_HEADERS([ \ sha2.h \ shadow.h \ stddef.h \ - stdint.h \ string.h \ strings.h \ sys/audit.h \ @@ -414,7 +423,6 @@ AC_CHECK_HEADERS([ \ sys/prctl.h \ sys/pstat.h \ sys/select.h \ - sys/stat.h \ sys/stream.h \ sys/stropts.h \ sys/strtio.h \ @@ -426,7 +434,6 @@ AC_CHECK_HEADERS([ \ tmpdir.h \ ttyent.h \ ucred.h \ - unistd.h \ usersec.h \ util.h \ utime.h \ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From christian.mauderer at embedded-brains.de Fri Feb 5 23:00:05 2016 From: christian.mauderer at embedded-brains.de (Christian Mauderer) Date: Fri, 5 Feb 2016 13:00:05 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: References: <56B346BE.2030108@embedded-brains.de> <56B35DF8.9090402@embedded-brains.de> Message-ID: <56B48EC5.60005@embedded-brains.de> Am 04.02.2016 um 17:42 schrieb Shinose: > > On Thu, Feb 4, 2016 at 7:49 PM, Christian Mauderer > > wrote: > > Am 04.02.2016 um 14:46 schrieb Roland Mainz: > > On Thu, Feb 4, 2016 at 1:40 PM, Christian Mauderer > > > wrote: > >> I am searching a SSH server for remote administration of an embedded > >> application running on RTEMS (https://www.rtems.org). This environment > >> has neither virtual memory nor user and kernel space. So this is like an > >> application running in kernel mode only. > >> > >> Would it be possible to run (a very basic version of) OpenSSH in such an > >> environment using e.g. threads instead of forking new subprocesses? Is > >> there already some known similar configuration (e.g. on another embedded > >> OS)? > > > > Well, not much harder than a port to the original m68k AmigaOS or most > > of the military-oriented embedded OSes... not hard but lots of work > > (unless you have an existing POSIX(-like) layer emulation), mostly > > related to resource tracking and the socket stuff. > > > > Hello Roland, > > thanks for the quick answer. I must have overlooked these ports. I have > mostly seen the list of full Unixes on this page: > > http://www.openssh.com/portable.html > > After your hint, I noted that there are a lot more ports in the sources. > Is there some kind of porting guide or a hint where to begin reading > documentation? > > If we would create a port: Would it be theoretically possible to > contribute it to the official sources? > > For the POSIX-layer: RTEMS implements a part of the POSIX standard (or > at least of the embedded subset of POSIX). But like I said it doesn't > have processes but only threads. > > Kind Regards > > Christian Mauderer > > > Hi, > > We have successfully ported OpenSSH along with SFTP-Server for a > Greenhills platform, where it was only having single address space and > threads. > > But I could say it was really a painful work to resolve the global > variables and data structures to each threads. > > We have used a total of 3 threads including the SFTP Server. > > Thanks, > Shinose. Hello Shinose, thanks for your feedback. It's good to know that it is possible and someone has already done something similar. Kind regards Christian Mauderer -- -------------------------------------------- embedded brains GmbH Christian Mauderer Dornierstr. 4 D-82178 Puchheim Germany email: christian.mauderer at embedded-brains.de Phone: +49-89-18 94 741 - 18 Fax: +49-89-18 94 741 - 08 PGP: Public key available on request. Diese Nachricht ist keine gesch?ftliche Mitteilung im Sinne des EHUG. From roland.mainz at nrubsig.org Sat Feb 6 00:27:27 2016 From: roland.mainz at nrubsig.org (Roland Mainz) Date: Fri, 5 Feb 2016 14:27:27 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: References: <56B346BE.2030108@embedded-brains.de> <56B35DF8.9090402@embedded-brains.de> Message-ID: On Thu, Feb 4, 2016 at 5:42 PM, Shinose wrote: > On Thu, Feb 4, 2016 at 7:49 PM, Christian Mauderer > wrote: >> Am 04.02.2016 um 14:46 schrieb Roland Mainz: >> > On Thu, Feb 4, 2016 at 1:40 PM, Christian Mauderer >> > wrote: [snip] > We have successfully ported OpenSSH along with SFTP-Server for a Greenhills > platform, where it was only having single address space and threads. > > But I could say it was really a painful work to resolve the global variables > and data structures to each threads. Gnnn... bit offtopic, but that reminds me of the two regrets the original UNIX authors had: 1. Avoid spelling error and write creat() as create() - would have saved lots of emails... 2. Global variables in the K&R C language, more or less inherited from BCPL - caused *pain* over (first in the linker, than everywhere else) and over again... That said, global variables aren't the only issue, there are other global resources like signals and other per-process or per-thread properties which need to be tracked. ---- Bye, Roland -- __ . . __ (o.\ \/ /.o) roland.mainz at nrubsig.org \__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer /O /==\ O\ TEL +49 641 3992797 (;O/ \/ \O;) From christian.mauderer at embedded-brains.de Sat Feb 6 00:26:57 2016 From: christian.mauderer at embedded-brains.de (Christian Mauderer) Date: Fri, 5 Feb 2016 14:26:57 +0100 Subject: Evaluating a port to RTEMS (embedded OS with single address space and no processes) In-Reply-To: References: <56B346BE.2030108@embedded-brains.de> <56B35DF8.9090402@embedded-brains.de>

Message-ID: <56B4A321.5030609@embedded-brains.de> Hello Cedric, thanks for the info regarding fork and the resource tracking. I'll just have to find out, how to avoid the fork() in the sshd. By the way: Is there any reason that you've sent the mails off list? Otherwise it would be good if we could send it to the list too so that someone who reads the thread can get this information too. Kind regards Christian Mauderer Note: This answers accidentally slipped off the list. I've decided to send it to the list too after sorting this out with Cedric. Am 04.02.2016 um 23:20 schrieb Cedric Blancher: > Quick grep of 'roland mainz amigaos' shows that he worked on that > topic, so you might have a candidate for HR :) > > Ced > > On 4 February 2016 at 23:17, Cedric Blancher wrote: >> You can even implement processes without a MMU - POSIX allows it if >> you exclude the fork() family of syscalls. >> As Roland said its all about resource tracking. Find an expert who >> knows what to do and then beat the code into shape. >> >> Ced >> >> On 4 February 2016 at 15:19, Christian Mauderer >> wrote: >>> Am 04.02.2016 um 14:46 schrieb Roland Mainz: >>>> On Thu, Feb 4, 2016 at 1:40 PM, Christian Mauderer >>>> wrote: >>>>> I am searching a SSH server for remote administration of an embedded >>>>> application running on RTEMS (https://www.rtems.org). This environment >>>>> has neither virtual memory nor user and kernel space. So this is like an >>>>> application running in kernel mode only. >>>>> >>>>> Would it be possible to run (a very basic version of) OpenSSH in such an >>>>> environment using e.g. threads instead of forking new subprocesses? Is >>>>> there already some known similar configuration (e.g. on another embedded >>>>> OS)? >>>> >>>> Well, not much harder than a port to the original m68k AmigaOS or most >>>> of the military-oriented embedded OSes... not hard but lots of work >>>> (unless you have an existing POSIX(-like) layer emulation), mostly >>>> related to resource tracking and the socket stuff. >>>> >>> >>> Hello Roland, >>> >>> thanks for the quick answer. I must have overlooked these ports. I have >>> mostly seen the list of full Unixes on this page: >>> >>> http://www.openssh.com/portable.html >>> >>> After your hint, I noted that there are a lot more ports in the sources. >>> Is there some kind of porting guide or a hint where to begin reading >>> documentation? >>> >>> If we would create a port: Would it be theoretically possible to >>> contribute it to the official sources? >>> >>> For the POSIX-layer: RTEMS implements a part of the POSIX standard (or >>> at least of the embedded subset of POSIX). But like I said it doesn't >>> have processes but only threads. >>> >>> Kind Regards >>> >>> Christian Mauderer >>> >> -- >> Cedric Blancher >> Institute Pasteur -- -------------------------------------------- embedded brains GmbH Christian Mauderer Dornierstr. 4 D-82178 Puchheim Germany email: christian.mauderer at embedded-brains.de Phone: +49-89-18 94 741 - 18 Fax: +49-89-18 94 741 - 08 PGP: Public key available on request. Diese Nachricht ist keine gesch?ftliche Mitteilung im Sinne des EHUG. From klausz at haus-gisela.de Sat Feb 6 01:04:57 2016 From: klausz at haus-gisela.de (Klaus Ziegler - owner of sunfreeware.de) Date: Fri, 05 Feb 2016 15:04:57 +0100 Subject: configure warning on SunOS 4.1.4 In-Reply-To: <20160205023824.GA11214@gate.dtucker.net> References: <56AE9E43.9040606@haus-gisela.de> <20160205023824.GA11214@gate.dtucker.net> Message-ID: <56B4AC09.9000400@haus-gisela.de> On 05.02.16 03:38, Darren Tucker wrote: > On Mon, Feb 01, 2016 at 12:52:35AM +0100, Klaus Ziegler - owner of sunfreeware.de wrote: > [...] >> "/usr/include/sys/audit.h", line 189: syntax error before or at: blabel_t >> "/usr/include/sys/audit.h", line 189: cannot recover from previous errors > Does sys/types.h pull in the required headers? The configure tests do > this kind of thing: > > | #ifdef HAVE_SYS_TYPES_H > | # include > | #endif > > however right now the AC_CHECK_FUNCS are in alphabetical order so things > like sys/types.h don't get checked until quite late. If we check these > things first it's probably a bit more likely to avoid this class of > problems across the board. > > Does this patch help? You will need to run "autoreconf" to rebuild > configure after applying. > > In general, as long as a) someone is willing to do the work and b) it > does not compromise support of modern platforms I'm happy to accept > patches to support retrocomputing systems :-) Hi Darren, cool, this realy sounds like you are my man. Thanks a lot for the patch - I implemented it directly in configure, so no need to build all the autoconf tools on that platform, unfortunately your patch does not help, I still need to include in sys/audit.h to pass the test. For the time being I can live with that. More important are these - the first error where the build bails out is this: acc -Xa -D__SYS5__ -D__EXTENSIONS__ -xCC -cg92 -fast -nolibmil -xO4 -I. -I.. -I. -I./.. -DSUNOS4 -DHAVE_CONFIG_H -c bsd-statvfs.c "bsd-statvfs.c", line 31: warning: dubious tag declaration: struct statfs "bsd-statvfs.c", line 33: improper member use: f_bsize "bsd-statvfs.c", line 34: improper member use: f_bsize "bsd-statvfs.c", line 35: improper member use: f_blocks "bsd-statvfs.c", line 36: improper member use: f_bfree "bsd-statvfs.c", line 37: improper member use: f_bavail "bsd-statvfs.c", line 38: improper member use: f_files "bsd-statvfs.c", line 39: improper member use: f_ffree "bsd-statvfs.c", line 40: improper member use: f_ffree "bsd-statvfs.c", line 42: undefined struct/union member: f_flags "bsd-statvfs.c", line 43: undefined symbol: MNAMELEN "bsd-statvfs.c", line 50: incomplete struct/union/enum statfs: fs "bsd-statvfs.c", line 55: warning: argument #2 is incompatible with prototype: prototype: pointer to struct buf {} : "bsd-statvfs.c", line 31 argument : pointer to struct statfs {} "bsd-statvfs.c", line 68: incomplete struct/union/enum statfs: fs "bsd-statvfs.c", line 73: warning: argument #2 is incompatible with prototype: prototype: pointer to struct buf {} : "bsd-statvfs.c", line 31 argument : pointer to struct statfs {} gmake[1]: *** [bsd-statvfs.o] Error 2 this is happens, because SunOS4 does not have nor , but it has in which "struct statfs" can be found - but not completely as required by bsd-statvfs.c, it misses struct/union member: f_flags. The following patches fix this: --- openbsd-compat/bsd-statvfs.c.orig 2016-01-14 02:10:45.000000000 +0100 +++ openbsd-compat/bsd-statvfs.c 2016-02-05 14:26:52.000000000 +0100 @@ -20,6 +20,11 @@ #if !defined(HAVE_STATVFS) || !defined(HAVE_FSTATVFS) +#ifdef SUNOS4 +#include +#define MNAMELEN 90 +#endif + #include #ifdef HAVE_SYS_MOUNT_H # include --- /usr/include/sys/vfs.h.orig 1994-10-14 20:29:59.000000000 +0100 +++ /usr/include/sys/vfs.h 2016-02-05 14:50:15.000000000 +0100 @@ -92,7 +92,7 @@ long f_files; /* total file nodes in file system */ long f_ffree; /* free file nodes in fs */ fsid_t f_fsid; /* file system id */ - long f_spare[7]; /* spare for later */ + long f_flags; /* spare for later */ }; question is for what is f_flags for? - or more important in sys/vfs.h: "long f_spare[7]; /* spare for later */". I could not find f_flags in any newer Solaris releases (checked 2.4/2.6 8 and 10). Hey, I don't mind building autoconf tools - just tell me which releases you use. Thanks much in advance Best Reagrds Klaus -- Tel: (++49 6105) 968846 Klaus Ziegler Mobil: (++49 172) 3064445 Zeppelinstrasse 3 mailto: klausz at haus-gisela.de D-64546 Walldorf-Moerfelden http://www.haus-gisela.de/~klausz From nils.rennebarth at web.de Sun Feb 7 02:38:04 2016 From: nils.rennebarth at web.de (Nils Rennebarth) Date: Sat, 6 Feb 2016 16:38:04 +0100 Subject: patch: update agent protocol documentation to mention ED25519 Message-ID: <56B6135C.7050705@web.de> Hello, The attached patch (against current git sources) updates the documentation of the agent's protocol for ED25519 related issues. It is hereby in the public domain if such legalese is required. Best regards, Nils Rennebarth -------------- next part -------------- A non-text attachment was scrubbed... Name: agent-doc-ed25529.diff Type: text/x-patch Size: 1646 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From rsbecker at nexbridge.com Tue Feb 9 06:36:39 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Mon, 8 Feb 2016 14:36:39 -0500 Subject: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on HPE NSE above dd-size 32k Message-ID: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> G'Day, I am requesting help in resolving an issue on the HPE NonStop platform in OpenSSH 7.1 P2 in the regression suite for all dd-size above 32k. Previous tests are all passing, but in the for-loop inside regress/transfer.sh, when s is 64k, the command: dd if=$DATA obs=${s} 2> /dev/null | \ ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" does not transfer any data. regress/copy is empty and the test fails. I have checked the platform's API for read/write code, which has no issue transferring data at 1Mb - so that's probably not it. Is there some ioctl or other system call might be new that may be falling in this specific situation? I have been looking for math problems but have not found any - int/long/size_t are 32bit on the box. 56k is a common boundary in some functions, but I don't get what OpenSSH would be doing in this regard. Our previous version, 6.7 based at commit 28453d5, did not have this problem, and regress/transfer.sh does not have any substantively differences compared to back then. The code is built using OpenSSL 1.0.2f. Getting detailed debug logs of the regression test would also really help here. Anyone have any pointers on where I can look to try to resolve this? Thanks, Randall -- -- Randall Becker -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. From dtucker at zip.com.au Tue Feb 9 07:30:18 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 9 Feb 2016 07:30:18 +1100 Subject: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on HPE NSE above dd-size 32k In-Reply-To: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> References: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> Message-ID: On Tue, Feb 9, 2016 at 6:36 AM, Randall S. Becker wrote: [...] > Getting detailed debug logs of the regression test would also really help > here. Anyone have any pointers on where I can look to try to resolve this? The logs should be in the regress directory. There should be ssh.log and ssh.log for the currently running test and failed-ssh.log and failed-sshd.log containing the concatenation of the logs from any failed tests. You can run "make t-exec LTESTS=transfer" to run just that single test while you're playing around to save some time. I have seen something similar on old FreeBSD systems when the test was run on an NFS mount. I never figured out why this was, but running the test on local disk worked in that case. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rsbecker at nexbridge.com Tue Feb 9 08:51:18 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Mon, 8 Feb 2016 16:51:18 -0500 Subject: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on HPE NSE above dd-size 32k In-Reply-To: References: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> Message-ID: <00d001d162ba$d84fe9d0$88efbd70$@nexbridge.com> On February 8, 2016 3:30 PM, Darren Tucker wrote: > To: Randall S. Becker > Cc: OpenSSH Devel List > Subject: Re: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on > HPE NSE above dd-size 32k > > On Tue, Feb 9, 2016 at 6:36 AM, Randall S. Becker > wrote: > [...] > > Getting detailed debug logs of the regression test would also really > > help here. Anyone have any pointers on where I can look to try to resolve > this? > > The logs should be in the regress directory. There should be ssh.log and > ssh.log for the currently running test and failed-ssh.log and failed-sshd.log > containing the concatenation of the logs from any failed tests. You can run > "make t-exec LTESTS=transfer" to run just that single test while you're playing > around to save some time. > > I have seen something similar on old FreeBSD systems when the test was run > on an NFS mount. I never figured out why this was, but running the test on > local disk worked in that case. I've got those logs. Unfortunately, hoping for more details. The logs do show the test failure, but no details in failed-sshd.log indicating a specific problem. Some of the formats are a bit wonky but I can live with those. Since you mentioned NFS, which could have been constrained by UDP packet sizes, and this platform sometimes cannot read beyond 56Kb off disk (in some situations), it may be the read of regress/data that is failing. Any pointers where that is hiding so that I can verify that data is actually getting into sshd from the disk? Cheers, Randall From dtucker at zip.com.au Tue Feb 9 09:05:13 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 9 Feb 2016 09:05:13 +1100 Subject: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on HPE NSE above dd-size 32k In-Reply-To: <00d001d162ba$d84fe9d0$88efbd70$@nexbridge.com> References: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> <00d001d162ba$d84fe9d0$88efbd70$@nexbridge.com> Message-ID: On Tue, Feb 9, 2016 at 8:51 AM, Randall S. Becker wrote: [...] > I've got those logs. Unfortunately, hoping for more details. Me too. For example, a copy of those logs :-) > The logs do > show the test failure, but no details in failed-sshd.log indicating a > specific problem. Some of the formats are a bit wonky but I can live with > those. Since you mentioned NFS, which could have been constrained by UDP > packet sizes, and this platform sometimes cannot read beyond 56Kb off disk > (in some situations), it may be the read of regress/data that is failing. > Any pointers where that is hiding so that I can verify that data is actually > getting into sshd from the disk? Unfortunately debugging test failures is a pain that I don't have a good answer too. One thing I do is edit regress/test-exec.sh to add a "set -x" at the top and "exit 1" into the fail() function. Now when you run the test at the point it fails you'll have the exact command that failed and exits without cleaning up, leaving the keys and configs in place so you can rerun the command in you shell, playing around with truss/strace/whatever your platform has. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rsbecker at nexbridge.com Tue Feb 9 09:23:36 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Mon, 8 Feb 2016 17:23:36 -0500 Subject: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on HPE NSE above dd-size 32k In-Reply-To: References: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> <00d001d162ba$d84fe9d0$88efbd70$@nexbridge.com> Message-ID: <00d901d162bf$5c0bae40$14230ac0$@nexbridge.com> On February 8, 2016 5:05 PM, Darren Tucker wrote: > On Tue, Feb 9, 2016 at 8:51 AM, Randall S. Becker > wrote: > [...] > > I've got those logs. Unfortunately, hoping for more details. > > Me too. For example, a copy of those logs :-) > > > The logs do > > show the test failure, but no details in failed-sshd.log indicating a > > specific problem. Some of the formats are a bit wonky but I can live > > with those. Since you mentioned NFS, which could have been constrained > > by UDP packet sizes, and this platform sometimes cannot read beyond > > 56Kb off disk (in some situations), it may be the read of regress/data that is > failing. > > Any pointers where that is hiding so that I can verify that data is > > actually getting into sshd from the disk? > > Unfortunately debugging test failures is a pain that I don't have a good > answer too. > > One thing I do is edit regress/test-exec.sh to add a "set -x" at the top and > "exit 1" into the fail() function. Now when you run the test at the point it fails > you'll have the exact command that failed and exits without cleaning up, > leaving the keys and configs in place so you can rerun the command in you > shell, playing around with truss/strace/whatever your platform has. Tracked down to a bad 'dd' implementation. I'm working on fixing that. Likely of this problem being OpenSSH just dropped to under 5% ;) Thanks Darren. Cheers, Randall From rsbecker at nexbridge.com Tue Feb 9 11:19:09 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Mon, 8 Feb 2016 19:19:09 -0500 Subject: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on HPE NSE above dd-size 32k In-Reply-To: References: <00bb01d162a8$08e1d260$1aa57720$@nexbridge.com> Message-ID: <011a01d162cf$7fc515f0$7f4f41d0$@nexbridge.com> On February 8, 2016 3:30 PM, Darren Tucker wrote: > To: Randall S. Becker > Cc: OpenSSH Devel List > Subject: Re: [Bug] Regression problem in transfer.sh for OpenSSH 7.1 P2 on > HPE NSE above dd-size 32k > > On Tue, Feb 9, 2016 at 6:36 AM, Randall S. Becker > wrote: > [...] > > Getting detailed debug logs of the regression test would also really > > help here. Anyone have any pointers on where I can look to try to resolve > this? > > The logs should be in the regress directory. There should be ssh.log and > ssh.log for the currently running test and failed-ssh.log and failed-sshd.log > containing the concatenation of the logs from any failed tests. You can run > "make t-exec LTESTS=transfer" to run just that single test while you're playing > around to save some time. > > I have seen something similar on old FreeBSD systems when the test was run > on an NFS mount. I never figured out why this was, but running the test on > local disk worked in that case. So here's where the 5% comes in. The dd code explicitly checks SSIZE_MAX on the platform and restricts the obs values that are legitimate. From limits.h on NSE: #define SSIZE_MAX 53248 /* max single I/O size, 52K */ The result is that dd is failing parameter checks above 32k, so 64k, 128k, and 256k are invalid and should have been omitted on the platform in any event. Is this a legit bug in the OpenSSH regression suite? Cheers, Randall From amb-sendok-1457588095.ghfejecppgjlbbhllmne at bradfords.org Tue Feb 9 16:34:55 2016 From: amb-sendok-1457588095.ghfejecppgjlbbhllmne at bradfords.org (Andy Bradford) Date: 8 Feb 2016 22:34:55 -0700 Subject: PubkeyAcceptedKeyTypes with + in Match block not working correctly. Message-ID: <20160208223455.26792.qmail@angmar.bradfordfamily.org> Hello, I notice that if I configure sshd_config with: PubkeyAcceptedKeyTypes +ssh-dss Everything works as expected and the algorithm is appended to the default list, but if I place that same option in a Match block it does not extend the setting, but instead replaces it with a literal string of ``+ssh-dss'' which effectively disables all algorithms. # tail -2 /etc/ssh/sshd_config Match Address 192.168.1.0/24 PubkeyAcceptedKeyTypes +ssh-dss # sshd -T -C user=tester,host=example.dom,addr=192.168.1.1,laddr=192.168.1.2,lport=22 | grep pubkey pubkeyauthentication yes pubkeyacceptedkeytypes +ssh-dss I found a similar bug mentioned here regarding HostkeyAlgorithms but as far as I can tell the fix didn't extend to cover the above mentioned scenario: http://marc.info/?l=openssh-unix-dev&m=144019508104294&w=2 Does this need to go reported also to bugs@ or is this list sufficient? Thanks, Andy -- TAI64 timestamp: 4000000056b97aa2 From djm at mindrot.org Tue Feb 9 22:07:10 2016 From: djm at mindrot.org (Damien Miller) Date: Tue, 9 Feb 2016 22:07:10 +1100 (AEDT) Subject: PubkeyAcceptedKeyTypes with + in Match block not working correctly. In-Reply-To: <20160208223455.26792.qmail@angmar.bradfordfamily.org> References: <20160208223455.26792.qmail@angmar.bradfordfamily.org> Message-ID: On Tue, 8 Feb 2016, Andy Bradford wrote: > Hello, > > I notice that if I configure sshd_config with: > > PubkeyAcceptedKeyTypes +ssh-dss > > Everything works as expected and the algorithm is appended to the > default list, but if I place that same option in a Match block it does > not extend the setting, but instead replaces it with a literal string of > ``+ssh-dss'' which effectively disables all algorithms. This was fixed in commit ed08510d38 and will be in openssh-7.2, which is due real soon now (~weeks). https://anongit.mindrot.org/openssh.git/commit/?id=ed08510d38 -d From rsbecker at nexbridge.com Wed Feb 10 08:08:49 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Tue, 9 Feb 2016 16:08:49 -0500 Subject: Test Status OpenSSH 7.1 P2 on HPE NSE Message-ID: <00b701d1637e$12d67a10$38836e30$@nexbridge.com> Hi All, Just reporting in on how testing has gone. After reducing obs to 32k max and banners to a max of 10000, plus some minor platform changes - root is not 0, for example, all normal tests have passed except for: multiplex - hangs at the end of this output. We had a similar issue that single reads of data were not working in dd but that does not seem to be the case in this test suite. test connection multiplexing: envpass environment not found test connection multiplexing: transfer Binary files /home/git/openssh-portable/regress/data and /home/git/openssh-portable/regress/copy differ ssh -Sctl: corrupted copy of /home/git/openssh-portable/regress/data Binary files /home/git/openssh-portable/regress/data and /home/git/openssh-portable/regress/copy differ ssh -S ctl: corrupted copy of /home/git/openssh-portable/regress/data keys-command (nothing really apparent that I can find in the logs) AuthorizedKeysCommand with arguments connect failed AuthorizedKeysCommand without arguments connect failed integrity (a sample... pretty much all of the tests do this) test integrity: hmac-sha1 @2900 unexpected error mac hmac-sha1 at 2900: Bytes per second: sent 40854.2, received 34836.9. principals-command (a sample. Every 3 to 5 executions fail. Nothing apparent the logs as to why. Could this be a timing issue on recycling ports?). authorized principals command: privsep yes empty authorized_principals authorized principals command: privsep yes wrong authorized_principals authorized principals command: privsep yes correct authorized_principals ssh cert connect failed The build did not use any pthreads, and used c89. Unfortunately, the logs were not particularly helpful identifying why there were issues. I am not sure we can deploy the code at this stage, although it does work for the most of the pretty normal things I need to do. Anyone have any advice? Cheers, Randall -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. From dtucker at zip.com.au Wed Feb 10 09:28:12 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 10 Feb 2016 09:28:12 +1100 Subject: Test Status OpenSSH 7.1 P2 on HPE NSE In-Reply-To: <00b701d1637e$12d67a10$38836e30$@nexbridge.com> References: <00b701d1637e$12d67a10$38836e30$@nexbridge.com> Message-ID: On Wed, Feb 10, 2016 at 8:08 AM, Randall S. Becker wrote: > Hi All, > > Just reporting in on how testing has gone. After reducing obs to 32k max and > banners to a max of 10000, plus some minor platform changes - root is not 0, > for example, all normal tests have passed except for: Did you need to make any code changes? If so, what? > multiplex - hangs at the end of this output. We had a similar issue that > single reads of data were not working in dd but that does not seem to be the > case in this test suite. > test connection multiplexing: envpass > environment not found > test connection multiplexing: transfer > Binary files /home/git/openssh-portable/regress/data and > /home/git/openssh-portable/regress/copy differ > ssh -Sctl: corrupted copy of /home/git/openssh-portable/regress/data > Binary files /home/git/openssh-portable/regress/data and > /home/git/openssh-portable/regress/copy differ These tests are for ControlMaster and requires descriptor passing over Unix domain sockets to work. Does you platform have that? [...] > AuthorizedKeysCommand with arguments > connect failed > AuthorizedKeysCommand without arguments > connect failed These ones might be port reuse or race conditions. the failed-ssh.log and failed-sshd.log should say why the connect failed. > integrity (a sample... pretty much all of the tests do this) > test integrity: hmac-sha1 @2900 > unexpected error mac hmac-sha1 at 2900: Bytes per second: sent > 40854.2, received 34836.9. > principals-command (a sample. Every 3 to 5 executions fail. Nothing apparent > the logs as to why. Could this be a timing issue on recycling ports?). The integrity test failures aren't due to TCP port recycling because they run sshd via a proxycommand and does not depend on TCP ports. It does depend somewhat on what ciphers and macs are offered because those banners affect how many bytes are on the wire before the encrypted traffic starts. These lists of ciphers are macs are in the debug logs which you are yet to share. > authorized principals command: privsep yes empty > authorized_principals > authorized principals command: privsep yes wrong > authorized_principals > authorized principals command: privsep yes correct > authorized_principals > ssh cert connect failed > > The build did not use any pthreads, and used c89. Unfortunately, the logs > were not particularly helpful identifying why there were issues. You keep saying that but don't show them. We might be able to make something out of them if we can see them. > I am not > sure we can deploy the code at this stage, although it does work for the > most of the pretty normal things I need to do. Anyone have any advice? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rsbecker at nexbridge.com Wed Feb 10 09:41:20 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Tue, 9 Feb 2016 17:41:20 -0500 Subject: Test Status OpenSSH 7.1 P2 on HPE NSE In-Reply-To: References: <00b701d1637e$12d67a10$38836e30$@nexbridge.com> Message-ID: <00cc01d1638a$ff975700$fec60500$@nexbridge.com> On February 9, 2016 5:28 PM Darren Tucker wrote: > > On Wed, Feb 10, 2016 at 8:08 AM, Randall S. Becker > wrote: > > Hi All, > > > > Just reporting in on how testing has gone. After reducing obs to 32k > > max and banners to a max of 10000, plus some minor platform changes - > > root is not 0, for example, all normal tests have passed except for: > > Did you need to make any code changes? If so, what? I only changed regress/transfer.sh: - for s in 10 100 1k 32k 64k 128k 256k; do + for s in 10 100 1k 32k ; do and regress/banner.sh -for s in 0 10 100 1000 10000 100000 ; do +for s in 0 10 100 1000 10000 ; do > > multiplex - hangs at the end of this output. We had a similar issue > > that single reads of data were not working in dd but that does not > > seem to be the case in this test suite. > > test connection multiplexing: envpass > > environment not found > > test connection multiplexing: transfer > > Binary files /home/git/openssh-portable/regress/data and > > /home/git/openssh-portable/regress/copy differ > > ssh -Sctl: corrupted copy of /home/git/openssh-portable/regress/data > > Binary files /home/git/openssh-portable/regress/data and > > /home/git/openssh-portable/regress/copy differ > > These tests are for ControlMaster and requires descriptor passing over Unix > domain sockets to work. Does you platform have that? It does, however I think there are setup requirements on the sockets that are not covered and are different on the platform. If you could point me at the setup code, I can check it and/or make it work. > [...] > > AuthorizedKeysCommand with arguments > > connect failed > > AuthorizedKeysCommand without arguments > > connect failed > > These ones might be port reuse or race conditions. the failed-ssh.log and > failed-sshd.log should say why the connect failed. I will post this as a separate thread. > > integrity (a sample... pretty much all of the tests do this) > > test integrity: hmac-sha1 @2900 > > unexpected error mac hmac-sha1 at 2900: Bytes per second: sent > > 40854.2, received 34836.9. > > principals-command (a sample. Every 3 to 5 executions fail. Nothing > > apparent the logs as to why. Could this be a timing issue on recycling > ports?). > > The integrity test failures aren't due to TCP port recycling because they run > sshd via a proxycommand and does not depend on TCP ports. It does > depend somewhat on what ciphers and macs are offered because those > banners affect how many bytes are on the wire before the encrypted traffic > starts. These lists of ciphers are macs are in the debug logs which you are yet > to share. > > > authorized principals command: privsep yes empty > > authorized_principals > > authorized principals command: privsep yes wrong > > authorized_principals > > authorized principals command: privsep yes correct > > authorized_principals > > ssh cert connect failed I will gather up the logs and share them as a separate thread. I assume plain text is ok. > > The build did not use any pthreads, and used c89. Unfortunately, the > > logs were not particularly helpful identifying why there were issues. > > You keep saying that but don't show them. We might be able to make > something out of them if we can see them. Will share later today or tomorrow ($DAYJOB calls). Thanks Darren. Cheers, Randall From dtucker at zip.com.au Wed Feb 10 09:55:55 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 10 Feb 2016 09:55:55 +1100 Subject: Test Status OpenSSH 7.1 P2 on HPE NSE In-Reply-To: <00cc01d1638a$ff975700$fec60500$@nexbridge.com> References: <00b701d1637e$12d67a10$38836e30$@nexbridge.com> <00cc01d1638a$ff975700$fec60500$@nexbridge.com> Message-ID: On Wed, Feb 10, 2016 at 9:41 AM, Randall S. Becker wrote: > On February 9, 2016 5:28 PM Darren Tucker wrote: [...] >> These tests are for ControlMaster and requires descriptor passing over Unix >> domain sockets to work. Does you platform have that? > > It does, however I think there are setup requirements on the sockets that are > not covered and are different on the platform. If you could point me at the > setup code, I can check it and/or make it work. The listener is misc.c:unix_listener(). The code for actually sending the descriptor is in monitor_fdpass.c:mm_send_fd(). Grepping for control_path should show all of the places where it's potentially touched. [...] > I will gather up the logs and share them as a separate thread. I assume plain text is ok. Thanks. Text is fine. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rsbecker at nexbridge.com Wed Feb 10 10:35:18 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Tue, 9 Feb 2016 18:35:18 -0500 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands Message-ID: <00d001d16392$89581040$9c0830c0$@nexbridge.com> Thread split from my previous communication. Here is the key-commands logs on the platform. ***************** failed-regress.log ************ trace: AuthorizedKeysCommand with arguments FAIL: connect failed trace: AuthorizedKeysCommand without arguments FAIL: connect failed ***************** failed-ssh.log ************ trace: AuthorizedKeysCommand with arguments debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (802e0c0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (8023290), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Offering ED25519 public key: /home/git/openssh-portable/regress/ed25519 debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey,password,keyboard-interactive). FAIL: connect failed trace: AuthorizedKeysCommand without arguments debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (802e0c0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (8023290), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Offering ED25519 public key: /home/git/openssh-portable/regress/ed25519 debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey,password,keyboard-interactive). FAIL: connect failed ***************** failed-sshd.log ************ trace: AuthorizedKeysCommand with arguments debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: expecting SSH2_MSG_KEX_ECDH_INIT debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 506 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: subprocess: AuthorizedKeysCommand command "/var/run/keycommand_SUPER.SUPER SUPER.SUPER blah AAAAB3NzaC1yc2EAAAADAQABAAABAQC8RV5U3ot4/aEaY8jnK4CDa99WFPi/DmC2RBiTGrGr6IiI FRvS/JJlYBpYLE6jKcw9dhLOvJKpdII/pvzZwBAlacYQg3P2ODKLEZpccmFB9tYWqWldPFKkXViQ R5L9azEVn1sZJtUTfasiiP5008YGAdg4BrO6ipQI0x3G2nl5Wj4FT99qluAruqUblTkx+cU5v5ta yqOrlEeAXWlwqQEuEWy2Kbfe6JtS53F+DniozOQGqw4iD8HrDoSlj4QGjZgcP7hXn5iGKtBB7rHI mxCz1SvtGzlOJEy8DZzcp77Wl8ZcnxcQbHVhHt+os8rvYSIaEIVnPc1qnMPCNLzGmrYH ssh-rsa SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM blah" running as SUPER.SUPER debug1: temporarily_use_uid: 65535/255 (e=65535/255) Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad ownership or modes for file /var/run/keycommand_SUPER.SUPER debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: subprocess: AuthorizedKeysCommand command "/var/run/keycommand_SUPER.SUPER SUPER.SUPER blah AAAAC3NzaC1lZDI1NTE5AAAAILr++ZVA9K4U+y7msLWKQiiPg9bfje2Y0uhDl60vDVko ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA blah" running as SUPER.SUPER debug1: temporarily_use_uid: 65535/255 (e=65535/255) Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad ownership or modes for file /var/run/keycommand_SUPER.SUPER debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" FAIL: connect failed trace: AuthorizedKeysCommand without arguments debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: expecting SSH2_MSG_KEX_ECDH_INIT debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 484 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: subprocess: AuthorizedKeysCommand command "/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER debug1: temporarily_use_uid: 65535/255 (e=65535/255) Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad ownership or modes for file /var/run/keycommand_SUPER.SUPER debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: subprocess: AuthorizedKeysCommand command "/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER debug1: temporarily_use_uid: 65535/255 (e=65535/255) Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad ownership or modes for file /var/run/keycommand_SUPER.SUPER debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" FAIL: connect failed ***************** regress.log ************ trace: AuthorizedKeysCommand without arguments FAIL: connect failed ***************** ssh.log ************ trace: AuthorizedKeysCommand without arguments debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (802e0c0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (8023290), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug1: Offering ED25519 public key: /home/git/openssh-portable/regress/ed25519 debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (publickey,password,keyboard-interactive). FAIL: connect failed ***************** sshd.log ************ trace: AuthorizedKeysCommand without arguments debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at op enssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.l iu.se debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.c om,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.c om,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at o penssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac- md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hm ac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: expecting SSH2_MSG_KEX_ECDH_INIT debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 484 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: subprocess: AuthorizedKeysCommand command "/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER debug1: temporarily_use_uid: 65535/255 (e=65535/255) Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad ownership or modes for file /var/run/keycommand_SUPER.SUPER debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: subprocess: AuthorizedKeysCommand command "/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER debug1: temporarily_use_uid: 65535/255 (e=65535/255) Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad ownership or modes for file /var/run/keycommand_SUPER.SUPER debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" FAIL: connect failed -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. From cedric.blancher at gmail.com Wed Feb 10 11:12:22 2016 From: cedric.blancher at gmail.com (Cedric Blancher) Date: Wed, 10 Feb 2016 01:12:22 +0100 Subject: Use |mprotect()| to secure key data ? / was: Re: Proposal: always handle keys in separate process In-Reply-To: <87io2p6lx9.fsf@alice.fifthhorseman.net> References: <569EBE64.3040203@gmail.com> <569ED7DD.2020705@gmail.com> <87io2p6lx9.fsf@alice.fifthhorseman.net> Message-ID: On 20 January 2016 at 03:10, Daniel Kahn Gillmor wrote: > On Tue 2016-01-19 19:53:41 -0500, Roland Mainz wrote: >> What about the idea of storing "valuable" data in unlinked temp files >> and |mmap()| then only on demand ? That would keep them out of the >> claws of *other* users (obviously same user can use /proc/$pid/fd/$fd >> to |open()| such files, but then the same user could just attach >> gdb/dbx and dissect the ssh/sshd/ssh_secure_storage processes and even >> inject random code) ... > > depending on the filesystem used, this could mean writing this sensitive > data to the underlying storage medium, which sounds like a worse failure > than anything this proposal would fix. > > --dkg Why? Kernel paging/swaping would do the same, and you can force that paging/swaping to a file in a trusted env and still get user data you are not supposed to obtain. That's even an old trick tiger teams used 5 years ago to demonstrate that using Linux for sensitive data storage at CEA Saclay isn't wise. Ced -- Cedric Blancher Institute Pasteur From dtucker at zip.com.au Wed Feb 10 11:27:35 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 10 Feb 2016 11:27:35 +1100 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands In-Reply-To: <00d001d16392$89581040$9c0830c0$@nexbridge.com> References: <00d001d16392$89581040$9c0830c0$@nexbridge.com> Message-ID: On Wed, Feb 10, 2016 at 10:35 AM, Randall S. Becker wrote: > Thread split from my previous communication. Here is the key-commands logs > on the platform. [...] OK, in this case the interesting bit is in the failed-sshd.log. > Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad > ownership or modes for file /var/run/keycommand_SUPER.SUPER > > debug1: restore_uid: 65535/255 sshd ensures that the AuthorizedKeysCommand can't be modified by a non-privileged user for obvious reasons. Based on what you said earlier, your root (equivalent?) user is not uid 0. I suspect that the permissions on the keycommand file to not match sshd's expectations. The code that checks this is in auth2-pubkey.c:subprocess() which calls auth.c:auth_secure_path(). What are the file permissions on /var/run/keycommand_SUPER.SUPER and its parent directories? Did you run the test with SUDO=sudo? Where did SUPER.SUPER come from? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rsbecker at nexbridge.com Wed Feb 10 11:46:45 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Tue, 9 Feb 2016 19:46:45 -0500 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands In-Reply-To: References: <00d001d16392$89581040$9c0830c0$@nexbridge.com> Message-ID: <00de01d1639c$85202760$8f607620$@nexbridge.com> On February 9, 2016 7:28 PM, Darren Tucker wrote: > To: Randall S. Becker > Cc: OpenSSH Devel List > Subject: Re: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands > > On Wed, Feb 10, 2016 at 10:35 AM, Randall S. Becker > wrote: > > Thread split from my previous communication. Here is the key-commands > > logs on the platform. > > [...] > > OK, in this case the interesting bit is in the failed-sshd.log. > > > Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": > bad > > ownership or modes for file /var/run/keycommand_SUPER.SUPER > > > > debug1: restore_uid: 65535/255 > > sshd ensures that the AuthorizedKeysCommand can't be modified by a non- > privileged user for obvious reasons. > > Based on what you said earlier, your root (equivalent?) user is not uid 0. I > suspect that the permissions on the keycommand file to not match sshd's > expectations. The code that checks this is in > auth2-pubkey.c:subprocess() which calls auth.c:auth_secure_path(). > > What are the file permissions on /var/run/keycommand_SUPER.SUPER and > its parent directories? Did you run the test with SUDO=sudo? Where did > SUPER.SUPER come from? SUPERUSER ends up being 65535, which is root on this platform. SUPER.SUPER is the actual name of root. /var and /var/run are both 755, while /var/run/keycommand_SUPER.SUPER is 644. We do have to run the whole test suite under sudo anyway. From dtucker at zip.com.au Wed Feb 10 12:04:34 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 10 Feb 2016 12:04:34 +1100 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands In-Reply-To: <00de01d1639c$85202760$8f607620$@nexbridge.com> References: <00d001d16392$89581040$9c0830c0$@nexbridge.com> <00de01d1639c$85202760$8f607620$@nexbridge.com> Message-ID: <20160210010434.GA32658@gate.dtucker.net> On Tue, Feb 09, 2016 at 07:46:45PM -0500, Randall S. Becker wrote: [...] > SUPERUSER ends up being 65535, which is root on this platform. SUPER.SUPER > is the actual name of root. /var and /var/run are both 755, while > /var/run/keycommand_SUPER.SUPER is 644. OK, I think the ownership is the problem. auth2-pubkey.c:subprocess() does this: if (stat(av[0], &st) < 0) [...] if (auth_secure_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) { error("Unsafe %s \"%s\": %s", tag, av[0], errmsg); The 4th arg to auth_secure_path is the UID we expect the file to be owned by. If you apply the following and compile with -DROOT_UID=65535 does it work? What does ./config.guess report the platform as? diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 41b34ae..bdcb2c2 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -420,7 +420,7 @@ subprocess(const char *tag, struct passwd *pw, const char *command, restore_uid(); return 0; } - if (auth_secure_path(av[0], &st, NULL, 0, + if (auth_secure_path(av[0], &st, NULL, ROOT_UID, errmsg, sizeof(errmsg)) != 0) { error("Unsafe %s \"%s\": %s", tag, av[0], errmsg); restore_uid(); diff --git a/defines.h b/defines.h index a438ddd..7489fef 100644 --- a/defines.h +++ b/defines.h @@ -857,4 +857,8 @@ struct winsize { # define USE_SYSTEM_GLOB #endif +#ifndef ROOT_UID +# define ROOT_UID 0 +#endif + #endif /* _DEFINES_H */ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rsbecker at nexbridge.com Wed Feb 10 10:41:40 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Tue, 9 Feb 2016 18:41:40 -0500 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity Message-ID: <00d601d16393$6d589800$4809c800$@nexbridge.com> Thread split from my previous communication. Here is the integrity logs on the platform. I had to cut this should due to the length of the logs (5Mb). ***************** failed-regress.log ************ trace: test integrity: hmac-sha1 @2900 FAIL: unexpected error mac hmac-sha1 at 2900: Bytes per second: sent 65665.7, received 55994.0. trace: test integrity: hmac-sha1 @2901 FAIL: unexpected error mac hmac-sha1 at 2901: Bytes per second: sent 36686.1, received 31282.7. trace: test integrity: hmac-sha1 @2902 FAIL: unexpected error mac hmac-sha1 at 2902: Bytes per second: sent 33328.0, received 28419.2. trace: test integrity: hmac-sha1 @2903 FAIL: unexpected error mac hmac-sha1 at 2903: Bytes per second: sent 49762.6, received 42433.2. trace: test integrity: hmac-sha1 @2904 FAIL: unexpected error mac hmac-sha1 at 2904: Bytes per second: sent 54187.5, received 46206.4. trace: test integrity: hmac-sha1 @2905 FATAL: trace: test integrity: hmac-sha1 @2905 FATAL: FAIL: <> ***************** failed-ssh.log ************ trace: test integrity: hmac-sha1 @2900 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2900:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1001/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: bits set: 1053/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (8023bd0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (80235c0), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: sign_and_send_pubkey: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: Authentication succeeded (publickey). Authenticated to 127.0.0.1 (via proxy). debug2: fd 7 setting O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug2: callback start debug2: client_session2_setup: id 0 debug1: Sending command: printf "%4096s" " " debug2: channel 0: request exec confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: exec request accepted on channel 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) debug1: fd 1 clearing O_NONBLOCK Transferred: sent 2064, received 1760 bytes, in 0.0 seconds Bytes per second: sent 65665.7, received 55994.0 debug1: Exit status -1 FAIL: unexpected error mac hmac-sha1 at 2900: Bytes per second: sent 65665.7, received 55994.0. trace: test integrity: hmac-sha1 @2901 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2901:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1027/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: bits set: 1014/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (8023bd0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (80235c0), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: sign_and_send_pubkey: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: Authentication succeeded (publickey). Authenticated to 127.0.0.1 (via proxy). debug2: fd 7 setting O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug2: callback start debug2: client_session2_setup: id 0 debug1: Sending command: printf "%4096s" " " debug2: channel 0: request exec confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: exec request accepted on channel 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) debug1: fd 1 clearing O_NONBLOCK Transferred: sent 2064, received 1760 bytes, in 0.1 seconds Bytes per second: sent 36686.1, received 31282.7 debug1: Exit status -1 FAIL: unexpected error mac hmac-sha1 at 2901: Bytes per second: sent 36686.1, received 31282.7. trace: test integrity: hmac-sha1 @2902 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2902:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 984/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: bits set: 1015/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (8023bd0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (80235c0), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: sign_and_send_pubkey: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: Authentication succeeded (publickey). Authenticated to 127.0.0.1 (via proxy). debug2: fd 7 setting O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug2: callback start debug2: client_session2_setup: id 0 debug1: Sending command: printf "%4096s" " " debug2: channel 0: request exec confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: exec request accepted on channel 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) debug1: fd 1 clearing O_NONBLOCK Transferred: sent 2064, received 1760 bytes, in 0.1 seconds Bytes per second: sent 33328.0, received 28419.2 debug1: Exit status -1 FAIL: unexpected error mac hmac-sha1 at 2902: Bytes per second: sent 33328.0, received 28419.2. trace: test integrity: hmac-sha1 @2903 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2903:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1010/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: bits set: 993/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (8023bd0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (80235c0), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: sign_and_send_pubkey: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: Authentication succeeded (publickey). Authenticated to 127.0.0.1 (via proxy). debug2: fd 7 setting O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug2: callback start debug2: client_session2_setup: id 0 debug1: Sending command: printf "%4096s" " " debug2: channel 0: request exec confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: exec request accepted on channel 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) debug1: fd 1 clearing O_NONBLOCK Transferred: sent 2064, received 1760 bytes, in 0.0 seconds Bytes per second: sent 49762.6, received 42433.2 debug1: Exit status -1 FAIL: unexpected error mac hmac-sha1 at 2903: Bytes per second: sent 49762.6, received 42433.2. trace: test integrity: hmac-sha1 @2904 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2904:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1008/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug1: Host 'localhost-with-alias' is known and matches the ED25519 host key. debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2 debug2: bits set: 1042/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/git/openssh-portable/regress/rsa (8023bd0), explicit debug2: key: /home/git/openssh-portable/regress/ed25519 (80235c0), explicit debug1: Authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey debug3: authmethod_lookup publickey debug3: remaining preferred: debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: sign_and_send_pubkey: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: Authentication succeeded (publickey). Authenticated to 127.0.0.1 (via proxy). debug2: fd 7 setting O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug2: callback start debug2: client_session2_setup: id 0 debug1: Sending command: printf "%4096s" " " debug2: channel 0: request exec confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: exec request accepted on channel 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) debug1: fd 1 clearing O_NONBLOCK Transferred: sent 2064, received 1760 bytes, in 0.0 seconds Bytes per second: sent 54187.5, received 46206.4 debug1: Exit status -1 FAIL: unexpected error mac hmac-sha1 at 2904: Bytes per second: sent 54187.5, received 46206.4. trace: test integrity: hmac-sha1 @2905 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2905:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1044/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY FATAL: trace: test integrity: hmac-sha1 @2905 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2905:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1044/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY FATAL: FAIL: ***************** failed-sshd.log ************ trace: test integrity: hmac-sha1 @2900 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1053/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1001/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 475 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 0 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 0: ssh-rsa SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 1: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug3: notify_hostkeys: sent 2 hostkeys debug1: Entering interactive session for SSH2. debug2: fd 6 setting O_NONBLOCK debug2: fd 7 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request exec reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req exec Starting session: command for SUPER.SUPER from UNKNOWN port 65535 debug2: fd 10 setting O_NONBLOCK debug2: fd 9 setting O_NONBLOCK debug2: fd 12 setting O_NONBLOCK debug1: permanently_set_uid: 65535/255 debug2: channel 0: read 0 from efd 12 debug2: channel 0: closing read-efd 12 debug2: channel 0: read<=0 rfd 10 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug1: Received SIGCHLD. debug1: session_by_pid: pid 1509949533 debug1: session_exit_message: session 0 channel 0 pid 1509949533 debug2: channel 0: request exit-signal confirm 0 debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: send eow debug2: channel 0: output open -> closed debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: notify_done: reading debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from UNKNOWN: 11: disconnected by user Disconnected from UNKNOWN debug1: do_cleanup FAIL: unexpected error mac hmac-sha1 at 2900: Bytes per second: sent 65665.7, received 55994.0. trace: test integrity: hmac-sha1 @2901 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1014/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1027/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 475 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 0 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 0: ssh-rsa SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 1: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug3: notify_hostkeys: sent 2 hostkeys debug1: Entering interactive session for SSH2. debug2: fd 6 setting O_NONBLOCK debug2: fd 7 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request exec reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req exec Starting session: command for SUPER.SUPER from UNKNOWN port 65535 debug2: fd 10 setting O_NONBLOCK debug2: fd 9 setting O_NONBLOCK debug2: fd 12 setting O_NONBLOCK debug1: permanently_set_uid: 65535/255 debug2: channel 0: read 0 from efd 12 debug2: channel 0: closing read-efd 12 debug2: channel 0: read<=0 rfd 10 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug1: Received SIGCHLD. debug1: session_by_pid: pid 1526726749 debug1: session_exit_message: session 0 channel 0 pid 1526726749 debug2: channel 0: request exit-signal confirm 0 debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: send eow debug2: channel 0: output open -> closed debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: notify_done: reading debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from UNKNOWN: 11: disconnected by user Disconnected from UNKNOWN debug1: do_cleanup FAIL: unexpected error mac hmac-sha1 at 2901: Bytes per second: sent 36686.1, received 31282.7. trace: test integrity: hmac-sha1 @2902 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1015/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 984/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 475 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 0 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 0: ssh-rsa SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 1: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug3: notify_hostkeys: sent 2 hostkeys debug1: Entering interactive session for SSH2. debug2: fd 6 setting O_NONBLOCK debug2: fd 7 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request exec reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req exec Starting session: command for SUPER.SUPER from UNKNOWN port 65535 debug2: fd 10 setting O_NONBLOCK debug2: fd 9 setting O_NONBLOCK debug2: fd 12 setting O_NONBLOCK debug1: permanently_set_uid: 65535/255 debug2: channel 0: read 0 from efd 12 debug2: channel 0: closing read-efd 12 debug2: channel 0: read<=0 rfd 10 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug1: Received SIGCHLD. debug1: session_by_pid: pid 1543503965 debug1: session_exit_message: session 0 channel 0 pid 1543503965 debug2: channel 0: request exit-signal confirm 0 debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: send eow debug2: channel 0: output open -> closed debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: notify_done: reading debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from UNKNOWN: 11: disconnected by user Disconnected from UNKNOWN debug1: do_cleanup FAIL: unexpected error mac hmac-sha1 at 2902: Bytes per second: sent 33328.0, received 28419.2. trace: test integrity: hmac-sha1 @2903 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 993/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1010/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 475 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 0 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 0: ssh-rsa SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 1: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug3: notify_hostkeys: sent 2 hostkeys debug1: Entering interactive session for SSH2. debug2: fd 6 setting O_NONBLOCK debug2: fd 7 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request exec reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req exec Starting session: command for SUPER.SUPER from UNKNOWN port 65535 debug2: fd 10 setting O_NONBLOCK debug2: fd 9 setting O_NONBLOCK debug2: fd 12 setting O_NONBLOCK debug1: permanently_set_uid: 65535/255 debug2: channel 0: read 0 from efd 12 debug2: channel 0: closing read-efd 12 debug2: channel 0: read<=0 rfd 10 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug1: Received SIGCHLD. debug1: session_by_pid: pid 1560281181 debug1: session_exit_message: session 0 channel 0 pid 1560281181 debug2: channel 0: request exit-signal confirm 0 debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: send eow debug2: channel 0: output open -> closed debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: notify_done: reading debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from UNKNOWN: 11: disconnected by user Disconnected from UNKNOWN debug1: do_cleanup FAIL: unexpected error mac hmac-sha1 at 2903: Bytes per second: sent 49762.6, received 42433.2. trace: test integrity: hmac-sha1 @2904 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1042/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1008/2048 debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user SUPER.SUPER service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 475 debug2: input_userauth_request: setting up authctxt for SUPER.SUPER debug2: input_userauth_request: try method none Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 1 failures 0 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2 debug1: userauth-request for user SUPER.SUPER service ssh-connection method publickey debug1: attempt 2 failures 0 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 65535/255 (e=65535/255) debug1: trying public key file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER debug1: fd 6 clearing O_NONBLOCK debug1: matching key found: file /home/git/openssh-portable/regress/authorized_keys_SUPER.SUPER, line 1 RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug1: restore_uid: 65535/255 debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2: RSA SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 0: ssh-rsa SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM debug3: notify_hostkeys: key 1: ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA debug3: notify_hostkeys: sent 2 hostkeys debug1: Entering interactive session for SSH2. debug2: fd 6 setting O_NONBLOCK debug2: fd 7 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request exec reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req exec Starting session: command for SUPER.SUPER from UNKNOWN port 65535 debug2: fd 10 setting O_NONBLOCK debug2: fd 9 setting O_NONBLOCK debug2: fd 12 setting O_NONBLOCK debug1: permanently_set_uid: 65535/255 debug2: channel 0: read 0 from efd 12 debug2: channel 0: closing read-efd 12 debug2: channel 0: read<=0 rfd 10 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug1: Received SIGCHLD. debug1: session_by_pid: pid 1593835613 debug1: session_exit_message: session 0 channel 0 pid 1593835613 debug2: channel 0: request exit-signal confirm 0 debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: send eow debug2: channel 0: output open -> closed debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: notify_done: reading debug3: channel 0: will not send data after close debug2: channel 0: rcvd close Received disconnect from UNKNOWN: 11: disconnected by user Disconnected from UNKNOWN debug1: do_cleanup FAIL: unexpected error mac hmac-sha1 at 2904: Bytes per second: sent 54187.5, received 46206.4. trace: test integrity: hmac-sha1 @2905 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1045/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1044/2048 FATAL: trace: test integrity: hmac-sha1 @2905 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1045/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1044/2048 FATAL: FAIL: ***************** regress.log ************ trace: test integrity: hmac-sha1 @2905 FATAL: FAIL: ***************** ssh.log ************ trace: test integrity: hmac-sha1 @2905 debug1: Executing proxy command: exec sh /home/git/openssh-portable/regress/sshd-log-wrapper.sh /home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd -i -f /home/git/openssh-portable/regress/sshd_proxy | /home/git/openssh-portable/regress/modpipe -wm xor:2905:1 debug1: permanently_drop_suid: 65535 debug1: identity file /home/git/openssh-portable/regress/rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1 debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug2: fd 6 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER' debug1: using hostkeyalias: localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: hostkeys_foreach: reading file "/home/git/openssh-portable/regress/known_hosts" debug3: record_hostkey: found key type RSA in file /home/git/openssh-portable/regress/known_hosts:1 debug3: record_hostkey: found key type ED25519 in file /home/git/openssh-portable/regress/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: server->client aes128-ctr hmac-sha1 none debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: sending SSH2_MSG_KEXDH_INIT debug2: bits set: 1044/2048 debug1: expecting SSH2_MSG_KEXDH_REPLY FATAL: FAIL: ***************** sshd.log ************ trace: test integrity: hmac-sha1 @2905 debug1: inetd sockets after dupping: 4, 5 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 2.0; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.1 debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: list_hostkey_types: ssh-rsa,ssh-ed25519 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecd sa-sha2-nistp384,ecdsa-sha2-nistp521 debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: aes128-ctr debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: hmac-sha1 debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: client->server aes128-ctr hmac-sha1 none debug1: kex: server->client aes128-ctr hmac-sha1 none debug2: bits set: 1045/2048 debug1: expecting SSH2_MSG_KEXDH_INIT debug2: bits set: 1044/2048 -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. From dtucker at zip.com.au Wed Feb 10 13:30:23 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 10 Feb 2016 13:30:23 +1100 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity In-Reply-To: <00d601d16393$6d589800$4809c800$@nexbridge.com> References: <00d601d16393$6d589800$4809c800$@nexbridge.com> Message-ID: On Wed, Feb 10, 2016 at 10:41 AM, Randall S. Becker wrote: > Thread split from my previous communication. Here is the integrity logs on > the platform. I had to cut this should due to the length of the logs (5Mb). This one looks odd. The ssh session itself looks OK: it authenticates then sends a printf shell command (basically, just a way of guaranteeing a minimum amount of output being sent back: > debug1: Sending command: printf "%4096s" " " The session then closes OK but ssh exists with a -1 error code, which gets propagated back up the stack as a failure. > debug1: Exit status -1 Exit statuses in POSIX should be 0-255. We can see in the sshd.log that the server sent an exit status (session_exit_message), so either your printf command/builtin returns a bogus exit code, or ssh is mishandling it. What's the return code of printf? ie: printf "%4096s" " "; echo $? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Wed Feb 10 15:03:07 2016 From: djm at mindrot.org (Damien Miller) Date: Wed, 10 Feb 2016 15:03:07 +1100 (AEDT) Subject: Questions about inferred state machines for OpenSSH In-Reply-To: References: Message-ID: On Wed, 27 Jan 2016, P. V. wrote: > Hi Damien, > > Thanks for your reply. I really appreciate you taking the time to > investigate this. > > I will try to clarify some things. > > > I'm not sure what you mean by "entering a key exchange without receiving > > a proper kexinit message" because key exchange is initiated by a kexinit > > message. Do you mean that method specific messages are accepted before > > KEXINIT? (I can't see how this can happen from looking at the code). > > Attached (log1) you find the OpenSSH debug log for a sequence in which > I manually send the sequence "SSH_MSG_KEXDH_INIT; SSH_MSG_KEXDH_INIT; > SSH_MSG_NEWKEYS". A normal key exchange sequence would be > "SSH_MSG_KEXINIT; SSH_MSG_KEXDH_INIT; SSH_MSG_NEWKEYS". Unless there > is an error in my code, it seems that OpenSSH does accept this anyway. > The log states: > > Jan 27 11:19:31 desktop sshd[4066]: debug1: SSH2_MSG_KEXINIT received [preauth] > while it didn't receive a KEXINIT but a KEXDH_INIT. > > Same goes for a sequence such as: "SSH_MSG_IGNORE; SSH_MSG_KEXDH_INIT; > SSH_MSG_NEWKEYS". Instead of receiving a KEXINIT, the server receives > an IGNORE but continues with the key exchange anyway. > > This only applies to the messages the server receives, it always > correctly sends an KEXINIT upon connection. I've added some debugging to ssh and sshd that might prove useful - they will not include the types they receive in debug output. > I sent the following message sequence to the server: "SSH_MSG_KEXINIT; > SSH_MSG_KEXDH_INIT; SSH_MSG_NEWKEYS; SSH_MSG_SERVICE_REQUEST; > SSH_MSG_NEWKEYS". It behaves normally up until the point that I > initiate a key re-exchange (last message). The SSH server returns an > SSH_MSG_UNIMPLEMENTED and closes the connection. Log2 gives the debug > output. You're right - I'll take a look at fixing this. It seems that the userauth code is clobbering the handlers for the KEX messages. > > It would be helpful to see debug messages from ssh/sshd for this case > > (well, all cases but this in particular). > > I sent the following sequence to the OpenSSH server. > > SSH_MSG_KEXINIT; > (server replies with SSH_MSG_KEXINIT) > SSH_MSG_KEXDH_INIT; > (server replies with SSH_MSG_KEXDH_REPLY) > SSH_MSG_NEWKEYS; > (server does not reply) > SSH_MSG_SERVICE_REQUEST; > (server replies with SSH_MSG_SERVICE_ACCEPT) > SSH_MSG_USERAUTH_REQUEST > (server replies with SSH_MSG_USERAUTH_SUCCESS and SSH_MSG_GLOBAL_REQUEST) > SSH_MSG_CHANNEL_OPEN > (server replies with SSH_MSG_CHANNEL_OPEN_CONFIRMATION) > > -- Now I do a rekey -- > SSH_MSG_KEXINIT; > (server replies with SSH_MSG_KEXINIT) > SSH_MSG_KEXDH_INIT; > (server replies with SSH_MSG_KEXDH_REPLY) > SSH_MSG_NEWKEYS; > (server does not reply) > > -- Now I close the channel -- > > SSH_MSG_CHANNEL_CLOSE > (server replies with SSH_MSG_CHANNEL_CLOSE and sends an SSH_MSG_DISCONNECT) > > The entire debug log can be found in the log4 attachment. It looks like the channel is being closed twice for some reason: Jan 27 11:47:32 desktop sshd[4673]: debug1: session_by_channel: session 0 channel 0 Jan 27 11:47:32 desktop sshd[4673]: debug1: session_close_by_channel: channel 0 child 0 Jan 27 11:47:32 desktop sshd[4673]: debug1: session_close: session 0 pid 0 Jan 27 11:47:32 desktop sshd[4673]: debug1: channel 0: free: server-session, nchannels 1 Jan 27 11:47:32 desktop sshd[4673]: channel_by_id: 0: bad id: channel free Jan 27 11:47:32 desktop sshd[4673]: Disconnecting: Received oclose for nonexistent channel 0. I think the extra debugging in git HEAD might help see what's going on here. You should see debug messages like: debug3: receive packet: type 98 debug3: receive packet: type 96 debug3: receive packet: type 97 debug3: send packet: type 97 among the other ones that should make the sequence of operations clearer. -d -d From dirkx at webweaving.org Wed Feb 10 20:30:06 2016 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Wed, 10 Feb 2016 10:30:06 +0100 Subject: wolfSSL port to openSSH In-Reply-To: References: Message-ID: <0679298D-793F-4503-99EF-E1196D7027E3@webweaving.org> On 28 Dec 2015, at 18:32, Kaleb Himes wrote: > wolfSSL now has a stable port for any interested we are nearly ready to > submit a pull request to openssh-portable repository. > > For any and all interested we are ready for some alpha testing. Just to help me planning the use & dissemination of this. 1) Fair to assume that you would expect (user and) distributor of a (binary or source) distribution of an openssh+wolfssl (As opposed to an openssh+openssl) to have agreed to BOTH the: a) the OpenSSH license -and- b) the GPL (or a commercial license entered into with WolfSSL) ? and that (at least) the GPL covers the entire derived work ? (the OpenSSH license does not). 2) And secondly (- are you, as the authors, all -) offering these OpenSSL modifications (i.e. the ?patch) to the world (or to OpenSSL) as part of the work ? Or do you see the patch itself as something purely for OpenSSL; sufficiently free of entanglement to be redistributed solely under the OpenSSH license agreement ? Thanks, Dw. From rsbecker at nexbridge.com Thu Feb 11 02:12:45 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Wed, 10 Feb 2016 10:12:45 -0500 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands In-Reply-To: <20160210010434.GA32658@gate.dtucker.net> References: <00d001d16392$89581040$9c0830c0$@nexbridge.com> <00de01d1639c$85202760$8f607620$@nexbridge.com> <20160210010434.GA32658@gate.dtucker.net> Message-ID: <002201d16415$7fb1e1f0$7f15a5d0$@nexbridge.com> On February 9, 2016 8:05 PM, Darren Tucker wrote: > To: Randall S. Becker > Cc: 'OpenSSH Devel List' > Subject: Re: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands > > On Tue, Feb 09, 2016 at 07:46:45PM -0500, Randall S. Becker wrote: > [...] > > SUPERUSER ends up being 65535, which is root on this platform. > > SUPER.SUPER is the actual name of root. /var and /var/run are both > > 755, while /var/run/keycommand_SUPER.SUPER is 644. > > OK, I think the ownership is the problem. Confirmed. > auth2-pubkey.c:subprocess() does this: > > if (stat(av[0], &st) < 0) > [...] > if (auth_secure_path(av[0], &st, NULL, 0, > errmsg, sizeof(errmsg)) != 0) { > error("Unsafe %s \"%s\": %s", tag, av[0], errmsg); > > The 4th arg to auth_secure_path is the UID we expect the file to be owned > by. > > If you apply the following and compile with -DROOT_UID=65535 does it > work? Replacing if (auth_secure_path(av[0], &st, NULL, 0, with if (auth_secure_path(av[0], &st, NULL, SUPERUSER, Causes the keys-command test to pass! I would prefer this change to introducing ROOT_UID as a duplicate since we already have SUPERUSER. What I'm not sure about is whether SUPERUSER originated with a branch of ours or not. To be investigated later. The original #define we had was in include.h #define SUPERUSER 0, which we wrapped defining SUPERUSER 65535 on our platform and it is used throughout. No real issue changing it to ROOT_UID if we must . > What does ./config.guess report the platform as? >From config.status: S["host_os"]="nsk" S["host_vendor"]="tandem" S["host_cpu"]="nse" S["host"]="nse-tandem-nsk" S["build_os"]="nsk" S["build_vendor"]="tandem" S["build_cpu"]="nse" S["build"]="nse-tandem-nsk" Cheers, Randall -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. From rsbecker at nexbridge.com Thu Feb 11 02:22:36 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Wed, 10 Feb 2016 10:22:36 -0500 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity In-Reply-To: References: <00d601d16393$6d589800$4809c800$@nexbridge.com> Message-ID: <002801d16416$df482380$9dd86a80$@nexbridge.com> On February 9, 2016 9:30 PM, Darren Tucker wrote: > To: Randall S. Becker > Cc: OpenSSH Devel List > Subject: Re: Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity > [...] > This one looks odd. The ssh session itself looks OK: it authenticates then > sends a printf shell command (basically, just a way of guaranteeing a > minimum amount of output being sent back: > > > debug1: Sending command: printf "%4096s" " " > > The session then closes OK but ssh exists with a -1 error code, which gets > propagated back up the stack as a failure. > > > debug1: Exit status -1 > > Exit statuses in POSIX should be 0-255. We can see in the sshd.log that the > server sent an exit status (session_exit_message), so either your printf > command/builtin returns a bogus exit code, or ssh is mishandling it. > > What's the return code of printf? ie: > > printf "%4096s" " "; echo $? Dumps 4K of blanks. Exit code reports 0, as expected. Tried in bash and ksh. Is there a missing return buried that ssh is pulling a non-zero off the stack somewhere? From sortie at maxsi.org Thu Feb 11 10:47:33 2016 From: sortie at maxsi.org (Jonas 'Sortie' Termansen) Date: Thu, 11 Feb 2016 00:47:33 +0100 Subject: OpenSSH portability & buildsystem fixes In-Reply-To: <569EC556.6020700@maxsi.org> References: <569EC556.6020700@maxsi.org> Message-ID: <56BBCC15.3080004@maxsi.org> Ping? Looks I accidentally pasted the original email into my client twice, sorry about that. I also forgot to add a 0 parameter to the memset calls when recreating my work in the openssh-portable git tree. Jonas From djm at mindrot.org Thu Feb 11 11:32:22 2016 From: djm at mindrot.org (Damien Miller) Date: Thu, 11 Feb 2016 11:32:22 +1100 (AEDT) Subject: OpenSSH portability & buildsystem fixes In-Reply-To: <56BBCC15.3080004@maxsi.org> References: <569EC556.6020700@maxsi.org> <56BBCC15.3080004@maxsi.org> Message-ID: On Thu, 11 Feb 2016, Jonas 'Sortie' Termansen wrote: > Ping? > > Looks I accidentally pasted the original email into my client twice, > sorry about that. I also forgot to add a 0 parameter to the memset calls > when recreating my work in the openssh-portable git tree. Could you please create a bug at https://bugzilla.mindrot.org and attach your changes there? Thanks, Damien From rsbecker at nexbridge.com Fri Feb 12 09:25:59 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Thu, 11 Feb 2016 17:25:59 -0500 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity In-Reply-To: <002801d16416$df482380$9dd86a80$@nexbridge.com> References: <00d601d16393$6d589800$4809c800$@nexbridge.com> <002801d16416$df482380$9dd86a80$@nexbridge.com> Message-ID: <013b01d1651b$2fcb73c0$8f625b40$@nexbridge.com> On February 10, 2016 10:23 AM, I wrote: > On February 9, 2016 9:30 PM, Darren Tucker wrote: > [...] > > This one looks odd. The ssh session itself looks OK: it authenticates > > then sends a printf shell command (basically, just a way of > > guaranteeing a minimum amount of output being sent back: > > > > > debug1: Sending command: printf "%4096s" " " > > > > The session then closes OK but ssh exists with a -1 error code, which > > gets propagated back up the stack as a failure. > > > > > debug1: Exit status -1 I put in a couple of debug statements in clientloop.c where exit_status is set. It looks like the initialization of exit_status = -1 is the only point where the value is modified. I'm trying to figure out how the while can exit without exit_status being modified. Can you shed some light on that? The neither of the packet_get_int() calls that set exit_status (approx. near 1790 and 2091) are being invoked. Modpipe seems happy enough, with the read and write calls working and internal aborts. Cheers, Randall From dtucker at zip.com.au Fri Feb 12 11:12:05 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 12 Feb 2016 11:12:05 +1100 Subject: Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity In-Reply-To: <013b01d1651b$2fcb73c0$8f625b40$@nexbridge.com> References: <00d601d16393$6d589800$4809c800$@nexbridge.com> <002801d16416$df482380$9dd86a80$@nexbridge.com> <013b01d1651b$2fcb73c0$8f625b40$@nexbridge.com> Message-ID: On Fri, Feb 12, 2016 at 9:25 AM, Randall S. Becker wrote: > On February 10, 2016 10:23 AM, I wrote: >> On February 9, 2016 9:30 PM, Darren Tucker wrote: >> [...] >> > This one looks odd. The ssh session itself looks OK: it authenticates >> > then sends a printf shell command (basically, just a way of >> > guaranteeing a minimum amount of output being sent back: >> > >> > > debug1: Sending command: printf "%4096s" " " >> > >> > The session then closes OK but ssh exists with a -1 error code, which >> > gets propagated back up the stack as a failure. >> > >> > > debug1: Exit status -1 > > I put in a couple of debug statements in clientloop.c where exit_status is > set. It looks like the initialization of exit_status = -1 is the only point > where the value is modified. Looking closer at the sshd log: debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 The code for this is in session_exit_message() and looks like: if (WIFEXITED(status)) { channel_request_start(s->chanid, "exit-status", 0); packet_put_int(WEXITSTATUS(status)); packet_send(); } else if (WIFSIGNALED(status)) { channel_request_start(s->chanid, "exit-signal", 0); so your printf is probably dying with a signal rather than exiting. Which signal? dunno, but my guess would be SIGPIPE. Try adding something like this to the top of session_exit_message(): debug3("%s: status: %d", __func__, status); > I'm trying to figure out how the while can exit > without exit_status being modified. Can you shed some light on that? if the server never sends an "exit-status" packet (as opposed to an "exit-signal" packet, which it does send) then the exit-status code in client_input_channel_req() will never get called and exit_status will remain -1 since that's what it's initialized to. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Fri Feb 12 14:56:30 2016 From: djm at mindrot.org (Damien Miller) Date: Fri, 12 Feb 2016 14:56:30 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 Message-ID: Hi, OpenSSH 7.2 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains many bugfixes and several new features. The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is available via Git at https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at https://github.com/openssh/openssh-portable Running the regression tests supplied with Portable OpenSSH does not require installation and is a simply: $ autoreconf && ./configure && make tests Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org. Below is a summary of changes. More detail may be found in the git revision log. Thanks to the many people who contributed to this release. Future deprecation notice ========================= We plan on retiring more legacy cryptography in a near-future release, specifically: * Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits) This list reflects our current intentions, but please check the final release notes for future releases. Potentially-incompatible changes ================================ This release disables a number of legacy cryptographic algorithms by default in ssh: * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES. * MD5-based and truncated HMAC algorithms. These algorithms are already disabled by default in sshd. Changes since OpenSSH 7.1p2 =========================== This is primarily a bugfix release. Security -------- * ssh(1), sshd(8): remove unfinished and unused roaming code (was already forcibly disabled in OpenSSH 7.1p2). * ssh(1): eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension. * ssh(1), sshd(8): increase the minimum modulus size supported for diffie-hellman-group-exchange to 2048 bits. New Features ------------ * all: add support for RSA signatures using SHA-256/512 hash algorithms based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt. * ssh(1): Add an AddKeysToAgent client option which can be set to 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When enabled, a private key that is used during authentication will be added to ssh-agent if it is running (with confirmation enabled if set to 'confirm'). * sshd(8): add a new authorized_keys option "restrict" that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. "no-pty" -> "pty". This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future. * ssh(1): add ssh_config CertificateFile option to explicitly list certificates. bz#2436 * ssh-keygen(1): allow ssh-keygen to change the key comment for all supported formats. * ssh-keygen(1): allow fingerprinting from standard input, e.g. "ssh-keygen -lf -" * ssh-keygen(1): allow fingerprinting multiple public keys in a file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319 * sshd(8): support "none" as an argument for sshd_config Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. bz#2486 * ssh-keygen(1): support multiple certificates (one per line) and reading from standard input (using "-f -") for "ssh-keygen -L" * ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys. * ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in hostname canonicalisation - treat them as already canonical and trailing '.' before matching ssh_config. Bugfixes -------- * sftp(1): existing destination directories should not terminate recursive uploads (regression in openssh 6.8) bz#2528 * ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. bz#2949 * ssh(1): refuse attempts to set ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. bz#2500 * ssh(1): fix errors when attempting to connect to scoped IPv6 addresses with hostname canonicalisation enabled. * sshd_config(5): list a couple more options usable in Match blocks. bz#2489 * sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block. * ssh(1): expand tilde characters in filenames passed to -i options before checking whether or not the identity file exists. Avoids confusion for cases where shell doesn't expand (e.g. "-i ~/file" vs. "-i~/file"). bz#2481 * ssh(1): do not prepend "exec" to the shell command run by "Match exec" in a config file, which could cause some commands to fail in certain environments. bz#2471 * ssh-keyscan(1): fix output for multiple hosts/addrs on one line when host hashing or a non standard port is in use bz#2479 * sshd(8): skip "Could not chdir to home directory" message when ChrootDirectory is active. bz#2485 * ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump. * sshd(8): avoid changing TunnelForwarding device flags if they are already what is needed; makes it possible to use tun/tap networking as non-root user if device permissions and interface flags are pre-established * ssh(1), sshd(8): RekeyLimits could be exceeded by one packet. bz#2521 * ssh(1): fix multiplexing master failure to notice client exit. * ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present empty key IDs. bz#1773 * sshd(8): avoid printf of NULL argument. bz#2535 * ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521 * ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature support. * ssh(1), sshd(8): fix connections with peers that use the key exchange guess feature of the protocol. bz#2515 * sshd(8): include remote port number in log messages. bz#2503 * ssh(1): don't try to load SSHv1 private key when compiled without SSHv1 support. bz#2505 * ssh-agent(1), ssh(1): fix incorrect error messages during key loading and signing errors. bz#2507 * ssh-keygen(1): don't leave empty temporary files when performing known_hosts file edits when known_hosts doesn't exist. * sshd(8): correct packet format for tcpip-forward replies for requests that don't allocate a port bz#2509 * ssh(1), sshd(8): fix possible hang on closed output. bz#2469 * ssh(1): expand %i in ControlPath to UID. bz#2449 * ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460 * ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182 * ssh(1): add a some debug output before DNS resolution; it's a place where ssh could previously silently stall in cases of unresponsive DNS servers. bz#2433 * ssh(1): remove spurious newline in visual hostkey. bz#2686 * ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+... * ssh(1): fix expansion of HostkeyAlgorithms=+... Documentation ------------- * ssh_config(5), sshd_config(5): update default algorithm lists to match current reality. bz#2527 * ssh(1): mention -Q key-plain and -Q key-cert query options. bz#2455 * sshd_config(8): more clearly describe what AuthorizedKeysFile=none does. * ssh_config(5): better document ExitOnForwardFailure. bz#2444 * sshd(5): mention internal DH-GEX fallback groups in manual. bz#2302 * sshd_config(5): better description for MaxSessions option. bz#2531 Portability ----------- * ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/ Solaris fine-grained privileges. Including a pre-auth privsep sandbox and several pledge() emulations. bz#2511 * Renovate redhat/openssh.spec, removing deprecated options and syntax. * configure: allow --without-ssl-engine with --without-openssl * sshd(8): fix multiple authentication using S/Key. bz#2502 * sshd(8): read back from libcrypto RAND_* before dropping privileges. Avoids sandboxing violations with BoringSSL. * Fix name collision with system-provided glob(3) functions. bz#2463 * Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459 * configure: correct default value for --with-ssh1 bz#2457 * configure: better detection of _res symbol bz#2259 * support getrandom() syscall on Linux Reporting Bugs: =============== - Please read http://www.openssh.com/report.html Security bugs should be reported directly to openssh at openssh.com OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom. From rsbecker at nexbridge.com Fri Feb 12 15:16:40 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Thu, 11 Feb 2016 23:16:40 -0500 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <018101d1654c$2d0e5950$872b0bf0$@nexbridge.com> On February 11, 2016 10:57 PM, Damien Miller wrote > To: openssh-unix-dev at mindrot.org > Subject: Call for testing: OpenSSH 7.2 > OpenSSH 7.2 is almost ready for release, so we would appreciate testing on > as many platforms and systems as possible. This release contains many > bugfixes and several new features. [snip[ Hi Damien, I am porting 7.1 P2 to HPE NonStop NSE. Once that is done, I would be happy to test on that platform. Regards, Randall From vinschen at redhat.com Sat Feb 13 02:44:31 2016 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 12 Feb 2016 16:44:31 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <20160212154431.GA24246@calimero.vinschen.de> Hi Damien, On Feb 12 14:56, Damien Miller wrote: > Hi, > > OpenSSH 7.2 is almost ready for release, so we would appreciate > testing on as many platforms and systems as possible. This release > contains many bugfixes and several new features. > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is available via Git at > https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ autoreconf && ./configure && make tests Built and tested on current Cygwin 2.4.1 x86_64. Builds OOTB, all tests pass. Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From philipp.marek at linbit.com Fri Feb 12 22:34:37 2016 From: philipp.marek at linbit.com (Philipp Marek) Date: Fri, 12 Feb 2016 12:34:37 +0100 Subject: Arguments, whitespace, splitting, and shells (& compatibility) Message-ID: <20160212113437.GL14023@cacao.linbit> Quite some time ago there was a bit of discussion whether SSH can change it's (information-destroying) way of passing commands to the remote host (whitespace in an argument gets split up, too). [[To reproduce: # echo "yes no" yes no but # ssh echo "yes no" yes no ]] For other problematic things, check "scp" for filenames containing spaces. Now, I'm well aware that the default for so many years can't be changed (easily); but how about a new option that repairs that behaviour? This way new scripts can just add that, and don't have to work around broken tools ;/ (sorry, but it's really cumbersome). I believe there was a patch already; googling found me the (a) old discussion at http://www.gossamer-threads.com/lists/openssh/dev/9249, but the patch (if it exists, perhaps I'm still misremembering) escaped me. Please, let's try to find a solution for that... if not for any other reasons, then to make "ssh" a simple cloud-provider, too ;) Thank you! Regards, Phil From sfandino at gmail.com Fri Feb 12 21:09:43 2016 From: sfandino at gmail.com (=?UTF-8?Q?Salvador_Fandi=c3=b1o?=) Date: Fri, 12 Feb 2016 11:09:43 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <56BDAF67.1070406@gmail.com> > > * ssh(1): refuse attempts to set ConnectionAttempts=0, which does > not make sense and would cause ssh to print an uninitialised stack > variable. bz#2500 When using connection multiplexing, I sometimes set ConnectionAttempts to 0 in order to avoid opening a new connection when the remote side refuses to create new sessions after the top defined by MaxSessions is reached. Having a way to avoid that fall-back behavior is important when writing automation scripts. Otherwise, authentication prompts may appear at any time, and scripts would have to cope with it. From cjwatson at debian.org Sat Feb 13 12:51:38 2016 From: cjwatson at debian.org (Colin Watson) Date: Sat, 13 Feb 2016 01:51:38 +0000 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <20160213015138.GA8576@riva.ucam.org> On Fri, Feb 12, 2016 at 02:56:30PM +1100, Damien Miller wrote: > OpenSSH 7.2 is almost ready for release, so we would appreciate > testing on as many platforms and systems as possible. This release > contains many bugfixes and several new features. [...] > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ autoreconf && ./configure && make tests Debian unstable i386 and Ubuntu 16.04 (development branch) amd64; all tests passed on both. I noticed a warning in my Debian environment which might be worth cleaning up: packet.c: In function ?ssh_packet_need_rekeying?: packet.c:1068:48: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] state->rekey_time + state->rekey_interval <= monotime()) ^ Thanks, -- Colin Watson [cjwatson at debian.org] From jjelen at redhat.com Mon Feb 15 20:26:39 2016 From: jjelen at redhat.com (Jakub Jelen) Date: Mon, 15 Feb 2016 10:26:39 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <56C199CF.30803@redhat.com> On 02/12/2016 04:56 AM, Damien Miller wrote: > * all: add support for RSA signatures using SHA-256/512 hash > algorithms based on draft-rsa-dsa-sha2-256-03.txt and > draft-ssh-ext-info-04.txt. So far I hit one memory leak in HostKey signing code (see attached patch). There might be more that were not hit in our use case. Regards, -- Jakub Jelen Security Technologies Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-7.2p1-memleak.patch Type: text/x-patch Size: 302 bytes Desc: not available URL: From jjelen at redhat.com Mon Feb 15 23:37:35 2016 From: jjelen at redhat.com (Jakub Jelen) Date: Mon, 15 Feb 2016 13:37:35 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C199CF.30803@redhat.com> References: <56C199CF.30803@redhat.com> Message-ID: <56C1C68F.2000803@redhat.com> On 02/15/2016 10:26 AM, Jakub Jelen wrote: > On 02/12/2016 04:56 AM, Damien Miller wrote: >> * all: add support for RSA signatures using SHA-256/512 hash >> algorithms based on draft-rsa-dsa-sha2-256-03.txt and >> draft-ssh-ext-info-04.txt. > So far I hit one memory leak in HostKey signing code (see attached > patch). There might be more that were not hit in our use case. > Of course there should have been `alg` instead of `sig` in the patch. Otherwise all the tests passes (without downstream patches) on recent Fedora 23. -- Jakub Jelen Security Technologies Red Hat From jjelen at redhat.com Tue Feb 16 03:02:21 2016 From: jjelen at redhat.com (Jakub Jelen) Date: Mon, 15 Feb 2016 17:02:21 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <56C1F68D.3020003@redhat.com> On 02/12/2016 04:56 AM, Damien Miller wrote: > Hi, > > OpenSSH 7.2 is almost ready for release, so we would appreciate > testing on as many platforms and systems as possible. This release > contains many bugfixes and several new features. Hi there, Would it be possible to cover also ssh-copy-id with recent fixes in this release? The accepted patches went to the Philip Hands repo so far: http://git.hands.com/?p=ssh-copy-id.git; Regards, -- Jakub Jelen Security Technologies Red Hat From doctor at doctor.nl2k.ab.ca Tue Feb 16 05:45:27 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Mon, 15 Feb 2016 11:45:27 -0700 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <20160215184527.GB11163@doctor.nl2k.ab.ca> Just tested this on the old BSD/OS machine works with openssl 1.0.2X Openssl 1.1.X issues cipher.h in openssl 1.1 needs to read struct sshcipher; struct sshcipher_ctx { int plaintext; int encrypt; struct evp_cipher_ctx_st *evp; struct chachapoly_ctx cp_ctx; /* XXX union with evp? */ struct aesctr_ctx ac_ctx; /* XXX union with evp? */ const struct sshcipher *cipher; }; I am running into issues with sshkey.c gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/usr/contrib//include -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/contrib/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/contrib/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/contrib/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/contrib/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/contrib/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sshkey.c -o sshkey.o sshkey.c: In function `fingerprint_b64': sshkey.c:936: warning: implicit declaration of function `strlcpy' sshkey.c:937: warning: implicit declaration of function `strlcat' sshkey.c: In function `sshkey_ecdsa_key_to_nid': sshkey.c:1574: warning: `eg' might be used uninitialized in this function sshkey.c: In function `sshkey_private_to_blob2': sshkey.c:3026: warning: `keylen' might be used uninitialized in this function sshkey.c:3026: warning: `ivlen' might be used uninitialized in this function sshkey.c: In function `sshkey_parse_private_pem_fileblob': sshkey.c:3787: dereferencing pointer to incomplete type sshkey.c:3802: dereferencing pointer to incomplete type sshkey.c:3814: dereferencing pointer to incomplete type line 3787 if (pk->type == EVP_PKEY_RSA && line 3802 } else if (pk->type == EVP_PKEY_DSA && line 3814 } else if (pk->type == EVP_PKEY_EC && Now EVP_PKEY *pk = NULL; and /usr/contrib/include/openssl/ossl_typ.h:typedef struct evp_pkey_st EVP_PKEY; Any issue? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Broadcasting the truth for 25 years From djm at mindrot.org Tue Feb 16 10:46:58 2016 From: djm at mindrot.org (Damien Miller) Date: Tue, 16 Feb 2016 10:46:58 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C1C68F.2000803@redhat.com> References: <56C199CF.30803@redhat.com> <56C1C68F.2000803@redhat.com> Message-ID: On Mon, 15 Feb 2016, Jakub Jelen wrote: > On 02/15/2016 10:26 AM, Jakub Jelen wrote: > > On 02/12/2016 04:56 AM, Damien Miller wrote: > > > * all: add support for RSA signatures using SHA-256/512 hash > > > algorithms based on draft-rsa-dsa-sha2-256-03.txt and > > > draft-ssh-ext-info-04.txt. > > So far I hit one memory leak in HostKey signing code (see attached patch). > > There might be more that were not hit in our use case. > > > Of course there should have been `alg` instead of `sig` in the patch. fixed - thanks From djm at mindrot.org Tue Feb 16 10:47:09 2016 From: djm at mindrot.org (Damien Miller) Date: Tue, 16 Feb 2016 10:47:09 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C1F68D.3020003@redhat.com> References: <56C1F68D.3020003@redhat.com> Message-ID: On Mon, 15 Feb 2016, Jakub Jelen wrote: > On 02/12/2016 04:56 AM, Damien Miller wrote: > > Hi, > > > > OpenSSH 7.2 is almost ready for release, so we would appreciate > > testing on as many platforms and systems as possible. This release > > contains many bugfixes and several new features. > Hi there, > > Would it be possible to cover also ssh-copy-id with recent fixes in this > release? The accepted patches went to the Philip Hands repo so far: > http://git.hands.com/?p=ssh-copy-id.git; Done - thanks. -d From djm at mindrot.org Tue Feb 16 11:06:42 2016 From: djm at mindrot.org (Damien Miller) Date: Tue, 16 Feb 2016 11:06:42 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <20160215184527.GB11163@doctor.nl2k.ab.ca> References: <20160215184527.GB11163@doctor.nl2k.ab.ca> Message-ID: On Mon, 15 Feb 2016, The Doctor wrote: > Just tested this on the old BSD/OS machine > > works with openssl 1.0.2X > > Openssl 1.1.X issues Thanks for testing. OpenSSH won't work with OpenSSL until someone ports it and writes compat shims to make it work with both OpenSSL 1.0.x and 1.1.x. The 1.1.x series breaks source compatibility by making a heap of structures opaque, including EVP_PKEY which is causing your compile problems in sshkey.c Porting is a fair bit of work, since at least some of the the newly- opaque structs have not previously had accessor functions available, so I have no intention of starting the effort until 1.1.x is at least in beta (no point in wasting time on a moving target). It would help if OpenSSL publish more detailed migration information than is currently present in https://www.openssl.org/news/openssl-1.1.0-notes.html - including a full list of things that have been made opaque and some links to the accessor functions for things that were previously only reachable directly. -d From wieland at purdue.edu Tue Feb 16 17:28:42 2016 From: wieland at purdue.edu (Jeff Wieland) Date: Tue, 16 Feb 2016 01:28:42 -0500 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <56C2C19A.6080702@purdue.edu> The Solaris privilege code breaks building on Solaris 10. If you let configure just do its thing, you get the following error when compiling: "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with the Solaris sandbox" So, I did add "--with-solaris-privs" to the command line for configure, but then I got the following error messages: Undefined first referenced symbol in file priv_basicset openbsd-compat//libopenbsd-compat.a(port-solaris.o) ld: fatal: symbol referencing errors. No output written to ssh The function priv_basicset doesn't appear to exist on Solaris 10. If I set --with-sandbox=none, the compile and "make tests" succeed (except for the SUDO test, since sudo isn't in the path, and it wouldn't work without munging the config anyway). Damien Miller wrote: > Hi, > > OpenSSH 7.2 is almost ready for release, so we would appreciate > testing on as many platforms and systems as possible. This release > contains many bugfixes and several new features. > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is available via Git at > https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at > https://github.com/openssh/openssh-portable > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is a simply: > > $ autoreconf && ./configure && make tests > > Live testing on suitable non-production systems is also > appreciated. Please send reports of success or failure to > openssh-unix-dev at mindrot.org. > > Below is a summary of changes. More detail may be found in the git > revision log. > > Thanks to the many people who contributed to this release. > > Future deprecation notice > ========================= > > We plan on retiring more legacy cryptography in a near-future > release, specifically: > > * Refusing all RSA keys smaller than 1024 bits (the current minimum > is 768 bits) > > This list reflects our current intentions, but please check the final > release notes for future releases. > > Potentially-incompatible changes > ================================ > > This release disables a number of legacy cryptographic algorithms > by default in ssh: > > * Several ciphers blowfish-cbc, cast128-cbc, all arcfour variants > and the rijndael-cbc aliases for AES. > > * MD5-based and truncated HMAC algorithms. > > These algorithms are already disabled by default in sshd. > > Changes since OpenSSH 7.1p2 > =========================== > > This is primarily a bugfix release. > > Security > -------- > > * ssh(1), sshd(8): remove unfinished and unused roaming code (was > already forcibly disabled in OpenSSH 7.1p2). > > * ssh(1): eliminate fallback from untrusted X11 forwarding to > trusted forwarding when the X server disables the SECURITY > extension. > > * ssh(1), sshd(8): increase the minimum modulus size supported for > diffie-hellman-group-exchange to 2048 bits. > > New Features > ------------ > > * all: add support for RSA signatures using SHA-256/512 hash > algorithms based on draft-rsa-dsa-sha2-256-03.txt and > draft-ssh-ext-info-04.txt. > > * ssh(1): Add an AddKeysToAgent client option which can be set to > 'yes', 'no', 'ask', or 'confirm', and defaults to 'no'. When > enabled, a private key that is used during authentication will be > added to ssh-agent if it is running (with confirmation enabled if > set to 'confirm'). > > * sshd(8): add a new authorized_keys option "restrict" that includes > all current and future key restrictions (no-*-forwarding, etc.). > Also add permissive versions of the existing restrictions, e.g. > "no-pty" -> "pty". This simplifies the task of setting up > restricted keys and ensures they are maximally-restricted, > regardless of any permissions we might implement in the future. > > * ssh(1): add ssh_config CertificateFile option to explicitly list > certificates. bz#2436 > > * ssh-keygen(1): allow ssh-keygen to change the key comment for all > supported formats. > > * ssh-keygen(1): allow fingerprinting from standard input, e.g. > "ssh-keygen -lf -" > > * ssh-keygen(1): allow fingerprinting multiple public keys in a > file, e.g. "ssh-keygen -lf ~/.ssh/authorized_keys" bz#1319 > > * sshd(8): support "none" as an argument for sshd_config > Foreground and ChrootDirectory. Useful inside Match blocks to > override a global default. bz#2486 > > * ssh-keygen(1): support multiple certificates (one per line) and > reading from standard input (using "-f -") for "ssh-keygen -L" > > * ssh-keyscan(1): add "ssh-keyscan -c ..." flag to allow fetching > certificates instead of plain keys. > > * ssh(1): better handle anchored FQDNs (e.g. 'cvs.openbsd.org.') in > hostname canonicalisation - treat them as already canonical and > trailing '.' before matching ssh_config. > > Bugfixes > -------- > > * sftp(1): existing destination directories should not terminate > recursive uploads (regression in openssh 6.8) bz#2528 > > * ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED > replies to unexpected messages during key exchange. bz#2949 > > * ssh(1): refuse attempts to set ConnectionAttempts=0, which does > not make sense and would cause ssh to print an uninitialised stack > variable. bz#2500 > > * ssh(1): fix errors when attempting to connect to scoped IPv6 > addresses with hostname canonicalisation enabled. > > * sshd_config(5): list a couple more options usable in Match blocks. > bz#2489 > > * sshd(8): fix "PubkeyAcceptedKeyTypes +..." inside a Match block. > > * ssh(1): expand tilde characters in filenames passed to -i options > before checking whether or not the identity file exists. Avoids > confusion for cases where shell doesn't expand (e.g. "-i ~/file" > vs. "-i~/file"). bz#2481 > > * ssh(1): do not prepend "exec" to the shell command run by "Match > exec" in a config file, which could cause some commands to fail > in certain environments. bz#2471 > > * ssh-keyscan(1): fix output for multiple hosts/addrs on one line > when host hashing or a non standard port is in use bz#2479 > > * sshd(8): skip "Could not chdir to home directory" message when > ChrootDirectory is active. bz#2485 > > * ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump. > > * sshd(8): avoid changing TunnelForwarding device flags if they are > already what is needed; makes it possible to use tun/tap > networking as non-root user if device permissions and interface > flags are pre-established > > * ssh(1), sshd(8): RekeyLimits could be exceeded by one packet. > bz#2521 > > * ssh(1): fix multiplexing master failure to notice client exit. > > * ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that present > empty key IDs. bz#1773 > > * sshd(8): avoid printf of NULL argument. bz#2535 > > * ssh(1), sshd(8): allow RekeyLimits larger than 4GB. bz#2521 > > * ssh-keygen(1): sshd(8): fix several bugs in (unused) KRL signature > support. > > * ssh(1), sshd(8): fix connections with peers that use the key > exchange guess feature of the protocol. bz#2515 > > * sshd(8): include remote port number in log messages. bz#2503 > > * ssh(1): don't try to load SSHv1 private key when compiled without > SSHv1 support. bz#2505 > > * ssh-agent(1), ssh(1): fix incorrect error messages during key > loading and signing errors. bz#2507 > > * ssh-keygen(1): don't leave empty temporary files when performing > known_hosts file edits when known_hosts doesn't exist. > > * sshd(8): correct packet format for tcpip-forward replies for > requests that don't allocate a port bz#2509 > > * ssh(1), sshd(8): fix possible hang on closed output. bz#2469 > > * ssh(1): expand %i in ControlPath to UID. bz#2449 > > * ssh(1), sshd(8): fix return type of openssh_RSA_verify. bz#2460 > > * ssh(1), sshd(8): fix some option parsing memory leaks. bz#2182 > > * ssh(1): add a some debug output before DNS resolution; it's a > place where ssh could previously silently stall in cases of > unresponsive DNS servers. bz#2433 > > * ssh(1): remove spurious newline in visual hostkey. bz#2686 > > * ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+... > > * ssh(1): fix expansion of HostkeyAlgorithms=+... > > Documentation > ------------- > > * ssh_config(5), sshd_config(5): update default algorithm lists to > match current reality. bz#2527 > > * ssh(1): mention -Q key-plain and -Q key-cert query options. > bz#2455 > > * sshd_config(8): more clearly describe what AuthorizedKeysFile=none > does. > > * ssh_config(5): better document ExitOnForwardFailure. bz#2444 > > * sshd(5): mention internal DH-GEX fallback groups in manual. > bz#2302 > > * sshd_config(5): better description for MaxSessions option. > bz#2531 > > Portability > ----------- > > * ssh(1), sftp-server(8), ssh-agent(1), sshd(8): Support Illumos/ > Solaris fine-grained privileges. Including a pre-auth privsep > sandbox and several pledge() emulations. bz#2511 > > * Renovate redhat/openssh.spec, removing deprecated options and > syntax. > > * configure: allow --without-ssl-engine with --without-openssl > > * sshd(8): fix multiple authentication using S/Key. bz#2502 > > * sshd(8): read back from libcrypto RAND_* before dropping > privileges. Avoids sandboxing violations with BoringSSL. > > * Fix name collision with system-provided glob(3) functions. > bz#2463 > > * Adapt Makefile to use ssh-keygen -A when generating host keys. > bz#2459 > > * configure: correct default value for --with-ssh1 bz#2457 > > * configure: better detection of _res symbol bz#2259 > > * support getrandom() syscall on Linux > > Reporting Bugs: > =============== > > - Please read http://www.openssh.com/report.html > Security bugs should be reported directly to openssh at openssh.com > > OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de > Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, > Tim Rice and Ben Lindstrom. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)496-1380 | West Lafayette, IN 47907 From phil at hands.com Wed Feb 17 01:24:27 2016 From: phil at hands.com (Philip Hands) Date: Tue, 16 Feb 2016 15:24:27 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: <56C1F68D.3020003@redhat.com> Message-ID: <8760xoivhg.fsf@whist.hands.com> Hi Damien, Damien Miller writes: > On Mon, 15 Feb 2016, Jakub Jelen wrote: > >> On 02/12/2016 04:56 AM, Damien Miller wrote: >> > Hi, >> > >> > OpenSSH 7.2 is almost ready for release, so we would appreciate >> > testing on as many platforms and systems as possible. This release >> > contains many bugfixes and several new features. >> Hi there, >> >> Would it be possible to cover also ssh-copy-id with recent fixes in this >> release? The accepted patches went to the Philip Hands repo so far: >> http://git.hands.com/?p=ssh-copy-id.git; > > Done - thanks. Great :-) BTW would you like me to submit an explicit bug report when doing similar updates in future? I commented on, and assigned to myself, most of the bugs shown here: https://bugzilla.mindrot.org/buglist.cgi?quicksearch=ssh-copy-id Most of those can be closed now. Should I just go ahead and close them? Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From glebfm at altlinux.org Wed Feb 17 03:14:04 2016 From: glebfm at altlinux.org (Gleb Fotengauer-Malinovskiy) Date: Tue, 16 Feb 2016 19:14:04 +0300 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <20160216161404.GC12094@glebfm.cloud.tilaa.com> Hi, On Fri, Feb 12, 2016 at 02:56:30PM +1100, Damien Miller wrote: > OpenSSH 7.2 is almost ready for release, so we would appreciate > testing on as many platforms and systems as possible. This release > contains many bugfixes and several new features. According to bdcb7:sshd_config.5, UsePrivilegeSeparation is set to "sandbox" by default. But default in servconf.c is PRIVSEP_NOSANDBOX. I suppose, we should sync servconf.c and sshd_config with documentation: --- a/servconf.c +++ b/servconf.c @@ -362,7 +362,7 @@ fill_default_server_options(ServerOptions *options) /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; + use_privsep = PRIVSEP_ON; #define CLEAR_ON_NONE(v) \ do { \ --- a/sshd_config +++ b/sshd_config @@ -107,7 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation sandbox # Default for new installations. +#UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 -- glebfm From htodd at twofifty.com Wed Feb 17 03:51:43 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Tue, 16 Feb 2016 08:51:43 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: Sorry, I haven't been paying too much attention here, but I'm having repeated failures when I tried this morning. NetBSD-current: test_sshkey: ..................................[1] Segmentation fault (core dumped) ${V} /home/htodd... *** Error code 139 NetBSD-7: test_hostkeys: regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all with key parse" ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0) failed: sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL) = -24 0 = 0 [1] Abort trap (core dumped) ${V} /home/htodd... *** Error code 134 MacOS whatever it is that's current El Capitan: checking OpenSSL header version... not found configure: error: OpenSSL version header not found. -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From dtucker at zip.com.au Wed Feb 17 08:39:32 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 08:39:32 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <8760xoivhg.fsf@whist.hands.com> References: <56C1F68D.3020003@redhat.com> <8760xoivhg.fsf@whist.hands.com> Message-ID: On Wed, Feb 17, 2016 at 1:24 AM, Philip Hands wrote: [...] > BTW would you like me to submit an explicit bug report when doing > similar updates in future? Without speaking for Damien, IMO given that it's in contrib, if you're maintaining it then I'm happy to get changes at whatever pace suits you. > I commented on, and assigned to myself, most of the bugs shown here: > > https://bugzilla.mindrot.org/buglist.cgi?quicksearch=ssh-copy-id > > Most of those can be closed now. Should I just go ahead and close them? Any that have been fixed in the import, yes please set the "Blocks" field to V_7_2 (so we pick it up in the release tracking bug) then close it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tgc at jupiterrise.com Wed Feb 17 08:42:37 2016 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Tue, 16 Feb 2016 22:42:37 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <56C397CD.4020304@jupiterrise.com> On 12/02/16 04:56, Damien Miller wrote: > Portable OpenSSH is available via Git at > https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at > https://github.com/openssh/openssh-portable > Building V_7_1_P1-189-g5ac712d on Solaris 2.6 fails: make[1]: Entering directory `/export/home/tgc/buildpkg/openssh/src/openssh-git/openbsd-compat' gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -I. -I.. -I. -I./.. -I/usr/tgcware/include -DHAVE_CONFIG_H -c bsd-asprintf.c bsd-asprintf.c:50:13: error: macro "va_start" requires 2 arguments, but only 1 given bsd-asprintf.c: In function 'vasprintf': bsd-asprintf.c:50: error: 'va_start' undeclared (first use in this function) bsd-asprintf.c:50: error: (Each undeclared identifier is reported only once bsd-asprintf.c:50: error: for each function it appears in.) make[1]: *** [bsd-asprintf.o] Error 1 make[1]: Leaving directory `/export/home/tgc/buildpkg/openssh/src/openssh-git/openbsd-compat' make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 I removed the call to va_start just to see if there would be any other errors lurking and there is: gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -R/usr/tgcware/lib -L/usr/tgcware/lib -Wl,-z,now -fstack-protector-all -lssh -lopenbsd-compat -lcrypto -lposix4 -ldl -lresolv -lz -lsocket ld: warning: symbol `umac_ctx' has differing sizes: (file ./libssh.a(umac.o) value=0x5ec; file ./libssh.a(umac128.o) value=0x684); ./libssh.a(umac128.o) definition taken Undefined first referenced symbol in file gethostbyname openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o) (symbol belongs to implicit dependency /usr/lib/libnsl.so.1) gethostbyaddr openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o) (symbol belongs to implicit dependency /usr/lib/libnsl.so.1) ld: fatal: Symbol referencing errors. No output written to ssh collect2: ld returned 1 exit status make: *** [ssh] Error 1 It looks like the check for yp_match previously ensured that -lnsl was added. -tgc From dtucker at zip.com.au Wed Feb 17 08:51:48 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 08:51:48 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C397CD.4020304@jupiterrise.com> References: <56C397CD.4020304@jupiterrise.com> Message-ID: <20160216215148.GA11090@gate.dtucker.net> On Tue, Feb 16, 2016 at 10:42:37PM +0100, Tom G. Christensen wrote: [...] > gethostbyname openbsd-compat//libopenbsd-compat.a(fake-rfc2553.o) (symbol > belongs to implicit dependency /usr/lib/libnsl.so.1) I think this should fix this problem after applying and running autoreconf to rebuild configure. I'll look at the other problems shortly. diff --git a/configure.ac b/configure.ac index 0b399ce..b4c0aaa 100644 --- a/configure.ac +++ b/configure.ac @@ -1314,8 +1314,10 @@ AC_SEARCH_LIBS([openpty], [util bsd]) AC_SEARCH_LIBS([updwtmp], [util bsd]) AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp]) -# On some platforms, inet_ntop may be found in libresolv or libnsl. +# On some platforms, inet_ntop and gethostbyname may be found in libresolv +# or libnsl. AC_SEARCH_LIBS([inet_ntop], [resolv nsl]) +AC_SEARCH_LIBS([gethostbyname], [resolv nsl]) AC_FUNC_STRFTIME -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Feb 17 09:22:59 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 09:22:59 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C397CD.4020304@jupiterrise.com> References: <56C397CD.4020304@jupiterrise.com> Message-ID: <20160216222259.GA20237@gate.dtucker.net> On Tue, Feb 16, 2016 at 10:42:37PM +0100, Tom G. Christensen wrote: > bsd-asprintf.c:50:13: error: macro "va_start" requires 2 arguments, but only > 1 given I think it's a problem with this commit: https://anongit.mindrot.org/openssh.git/commit/openbsd-compat/bsd-asprintf.c?id=0f754e29dd3760fc0b172c1220f18b753fb0957e Author: Damien Miller Date: Fri Oct 16 10:53:14 2015 +1100 need va_copy before va_start diff --git a/openbsd-compat/bsd-asprintf.c b/openbsd-compat/bsd-asprintf.c index db57acc..d393dfc 100644 --- a/openbsd-compat/bsd-asprintf.c +++ b/openbsd-compat/bsd-asprintf.c @@ -47,7 +47,7 @@ vasprintf(char **str, const char *fmt, va_list ap) char *string, *newstr; size_t len; - va_start(ap); + va_start(ap, fmt); VA_COPY(ap2, ap); if ((string = malloc(INIT_SZ)) == NULL) goto fail; -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Feb 17 09:47:14 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 09:47:14 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <20160216222259.GA20237@gate.dtucker.net> References: <56C397CD.4020304@jupiterrise.com> <20160216222259.GA20237@gate.dtucker.net> Message-ID: On Wed, Feb 17, 2016 at 9:22 AM, Darren Tucker wrote: [...] > - va_start(ap); > + va_start(ap, fmt); Actually that's not right either: "error: 'va_start' used in function with fixed args" I think the entire original commit is wrong and should be reverted: https://anongit.mindrot.org/openssh.git/commit/openbsd-compat/bsd-asprintf.c?id=0f754e29dd3760fc0b172c1220f18b753fb0957e -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Feb 17 10:26:05 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 10:26:05 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C2C19A.6080702@purdue.edu> References: <56C2C19A.6080702@purdue.edu> Message-ID: <20160216232605.GA29225@gate.dtucker.net> On Tue, Feb 16, 2016 at 01:28:42AM -0500, Jeff Wieland wrote: > The Solaris privilege code breaks building on Solaris 10. If > you let configure just do its thing, you get the following error > when compiling: > > "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used > with the Solaris sandbox" Could you please try this patch? It adds priv_basicset to the test for whether or not we have usable solaris privs support. Note that you will need to run "autoreconf" after applying the patch to rebuild configure. Thanks. diff --git a/configure.ac b/configure.ac index b4c0aaa..5b50b9e 100644 --- a/configure.ac +++ b/configure.ac @@ -897,8 +897,10 @@ mips-sony-bsd|mips-sony-newsos4) AC_MSG_RESULT([no]) fi AC_CHECK_FUNC([setppriv], - [ AC_CHECK_HEADERS([priv.h], [ - SOLARIS_PRIVS="yes" + AC_CHECK_FUNC([priv_basicset], + [ AC_CHECK_HEADERS([priv.h], [ + SOLARIS_PRIVS="yes" + ]) ]) ]) AC_ARG_WITH([solaris-contracts], -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Feb 17 12:08:04 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 12:08:04 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: On Wed, Feb 17, 2016 at 3:51 AM, Hisashi T Fujinaka wrote: > Sorry, I haven't been paying too much attention here, but I'm having > repeated failures when I tried this morning. > > NetBSD-current: > test_sshkey: ..................................[1] Segmentation fault > (core dumped) ${V} /home/htodd... > *** Error code 139 did it produce a core dump? if so, could you feed it to gdb and get a backtrace? > NetBSD-7: > test_hostkeys: > regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all > with key parse" I just installed NetBSD 7.0 on a VM ("7.0 NetBSD 7.0 (GENERIC.201509250726Z) amd64") tp try to reproduce this however the tests passed. What architecture is this, and have any changes been made to the system (eg, patches applied)? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From wieland at purdue.edu Wed Feb 17 12:18:03 2016 From: wieland at purdue.edu (Jeff Wieland) Date: Tue, 16 Feb 2016 20:18:03 -0500 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <20160216232605.GA29225@gate.dtucker.net> References: <56C2C19A.6080702@purdue.edu> <20160216232605.GA29225@gate.dtucker.net> Message-ID: <56C3CA4B.5040407@purdue.edu> Darren Tucker wrote: > On Tue, Feb 16, 2016 at 01:28:42AM -0500, Jeff Wieland wrote: >> The Solaris privilege code breaks building on Solaris 10. If >> you let configure just do its thing, you get the following error >> when compiling: >> >> "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used >> with the Solaris sandbox" > Could you please try this patch? It adds priv_basicset to the test for > whether or not we have usable solaris privs support. Note that you will > need to run "autoreconf" after applying the patch to rebuild configure. > > Thanks. > > diff --git a/configure.ac b/configure.ac > index b4c0aaa..5b50b9e 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -897,8 +897,10 @@ mips-sony-bsd|mips-sony-newsos4) > AC_MSG_RESULT([no]) > fi > AC_CHECK_FUNC([setppriv], > - [ AC_CHECK_HEADERS([priv.h], [ > - SOLARIS_PRIVS="yes" > + AC_CHECK_FUNC([priv_basicset], > + [ AC_CHECK_HEADERS([priv.h], [ > + SOLARIS_PRIVS="yes" > + ]) > ]) > ]) > AC_ARG_WITH([solaris-contracts], > The patch appears to get getting mangled somewhere along the way -- would you please resend it as some sort of an attachment? Even uuencoding it would be fine :-). -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)496-1380 | West Lafayette, IN 47907 From dtucker at zip.com.au Wed Feb 17 12:50:32 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 12:50:32 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C3CA4B.5040407@purdue.edu> References: <56C2C19A.6080702@purdue.edu> <20160216232605.GA29225@gate.dtucker.net> <56C3CA4B.5040407@purdue.edu> Message-ID: <20160217015032.GA23522@gate.dtucker.net> On Tue, Feb 16, 2016 at 08:18:03PM -0500, Jeff Wieland wrote: > The patch appears to get getting mangled somewhere along the way -- would > you please resend it as some sort of an attachment? Even uuencoding it > would be fine :-). Attached. Also uploaded at https://www.dtucker.net/tmp/openssh-solaris-priv.patch if that doesn't work. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- diff --git a/configure.ac b/configure.ac index b4c0aaa..5b50b9e 100644 --- a/configure.ac +++ b/configure.ac @@ -897,8 +897,10 @@ mips-sony-bsd|mips-sony-newsos4) AC_MSG_RESULT([no]) fi AC_CHECK_FUNC([setppriv], - [ AC_CHECK_HEADERS([priv.h], [ - SOLARIS_PRIVS="yes" + AC_CHECK_FUNC([priv_basicset], + [ AC_CHECK_HEADERS([priv.h], [ + SOLARIS_PRIVS="yes" + ]) ]) ]) AC_ARG_WITH([solaris-contracts], From htodd at twofifty.com Wed Feb 17 12:54:28 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Tue, 16 Feb 2016 17:54:28 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, 17 Feb 2016, Darren Tucker wrote: > On Wed, Feb 17, 2016 at 3:51 AM, Hisashi T Fujinaka wrote: >> Sorry, I haven't been paying too much attention here, but I'm having >> repeated failures when I tried this morning. >> >> NetBSD-current: >> test_sshkey: ..................................[1] Segmentation fault >> (core dumped) ${V} /home/htodd... >> *** Error code 139 > > did it produce a core dump? if so, could you feed it to gdb and get a > backtrace? Never mind, I'm being stupid. Here's the backtrace: Core was generated by `test_sshkey'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 1896 key->cert->principals[key->cert->nprincipals++] = principal; (gdb) bt #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 #1 sshkey_from_blob_internal (b=b at entry=0x7f7ff7b161b0, keyp=keyp at entry=0x7f7fffff9030, allow_cert=allow_cert at entry=1) at sshkey.c:2116 #2 0x000000000041291c in sshkey_from_blob (blob=, blen=blen at entry=422, keyp=keyp at entry=0x7f7fffff9030) at sshkey.c:2147 #3 0x0000000000412a75 in sshkey_read (ret=ret at entry=0x7f7ff7b12080, cpp=cpp at entry=0x7f7fffff9090) at sshkey.c:1302 #4 0x0000000000415f5a in sshkey_try_load_public (k=k at entry=0x7f7ff7b12080, filename=0x7f7ff7b16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub", commentp=commentp at entry=0x0) at authfile.c:314 #5 0x0000000000416712 in sshkey_load_cert (filename=, keyp=keyp at entry=0x7f7fffffd140) at authfile.c:419 #6 0x0000000000409f9d in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527 #7 0x0000000000405d81 in tests () at regress/unittests/sshkey/tests.c:24 #8 0x000000000042cc4d in main (argc=3, argv=0x7f7fffffd250) at regress/unittests/test_helper/test_helper.c:162 >> NetBSD-7: >> test_hostkeys: >> regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all >> with key parse" > > I just installed NetBSD 7.0 on a VM ("7.0 NetBSD 7.0 > (GENERIC.201509250726Z) amd64") tp try to reproduce this however the > tests passed. What architecture is this, and have any changes been > made to the system (eg, patches applied)? > > -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From dtucker at zip.com.au Wed Feb 17 12:58:06 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Feb 2016 12:58:06 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, Feb 17, 2016 at 12:54 PM, Hisashi T Fujinaka wrote: > On Wed, 17 Feb 2016, Darren Tucker wrote: [...] >> did it produce a core dump? if so, could you feed it to gdb and get a >> backtrace? > > I have the dump but I don't have the executable file (or at least I'm > not sure which one it is.) "file core" will usually tell you. from the output, it's probably regress/unittests/sshkey/test_sshkey. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Wed Feb 17 15:21:41 2016 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Feb 2016 15:21:41 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C2C19A.6080702@purdue.edu> References: <56C2C19A.6080702@purdue.edu> Message-ID: On Tue, 16 Feb 2016, Jeff Wieland wrote: > The Solaris privilege code breaks building on Solaris 10. If > you let configure just do its thing, you get the following error > when compiling: > > "sandbox-solaris.c", line 22: #error: "--with-solaris-privs must be used with > the Solaris sandbox" > > So, I did add "--with-solaris-privs" to the command line for > configure, but then I got the following error messages: I think this should fix it. It would be good if someone with recent Solaris/ Illumos that does have the fine-grained privilege support could test it too. diff --git a/configure.ac b/configure.ac index b4c0aaa..f614edf 100644 --- a/configure.ac +++ b/configure.ac @@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4) else AC_MSG_RESULT([no]) fi - AC_CHECK_FUNC([setppriv], - [ AC_CHECK_HEADERS([priv.h], [ - SOLARIS_PRIVS="yes" - ]) - ]) + AC_CHECK_FUNC([setppriv]) + AC_CHECK_HEADERS([priv.h]) AC_ARG_WITH([solaris-contracts], [ --with-solaris-contracts Enable Solaris process contracts (experimental)], [ @@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4) [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], [ AC_MSG_CHECKING([for Solaris/Illumos privilege support]) - if test "x$SOLARIS_PRIVS" = "xyes" ; then + if test "x$ac_cv_func_setppriv" = "xyes" -a \ + "x$ac_cv_header_priv_h" = "xyes" ; then + SOLARIS_PRIVS=yes AC_MSG_RESULT([found]) AC_DEFINE([NO_UID_RESTORATION_TEST], [1], [Define to disable UID restoration test]) From djm at mindrot.org Wed Feb 17 15:22:35 2016 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Feb 2016 15:22:35 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <8760xoivhg.fsf@whist.hands.com> References: <56C1F68D.3020003@redhat.com> <8760xoivhg.fsf@whist.hands.com> Message-ID: On Tue, 16 Feb 2016, Philip Hands wrote: > > Done - thanks. > > Great :-) > > BTW would you like me to submit an explicit bug report when doing > similar updates in future? No need - I'll add it to our release checklist. > I commented on, and assigned to myself, most of the bugs shown here: > > https://bugzilla.mindrot.org/buglist.cgi?quicksearch=ssh-copy-id > > Most of those can be closed now. Should I just go ahead and close them? Yes, please mark them as blocking V_7_2 before you close them though. Thanks! -d From djm at mindrot.org Wed Feb 17 16:38:29 2016 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Feb 2016 16:38:29 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <20160216161404.GC12094@glebfm.cloud.tilaa.com> References: <20160216161404.GC12094@glebfm.cloud.tilaa.com> Message-ID: On Tue, 16 Feb 2016, Gleb Fotengauer-Malinovskiy wrote: > Hi, > > On Fri, Feb 12, 2016 at 02:56:30PM +1100, Damien Miller wrote: > > OpenSSH 7.2 is almost ready for release, so we would appreciate > > testing on as many platforms and systems as possible. This release > > contains many bugfixes and several new features. > > According to bdcb7:sshd_config.5, UsePrivilegeSeparation is set to > "sandbox" by default. > But default in servconf.c is PRIVSEP_NOSANDBOX. > > I suppose, we should sync servconf.c and sshd_config with documentation: thanks; done From djm at mindrot.org Wed Feb 17 16:47:04 2016 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Feb 2016 16:47:04 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Tue, 16 Feb 2016, Hisashi T Fujinaka wrote: > On Wed, 17 Feb 2016, Darren Tucker wrote: > > > On Wed, Feb 17, 2016 at 3:51 AM, Hisashi T Fujinaka > > wrote: > > > Sorry, I haven't been paying too much attention here, but I'm having > > > repeated failures when I tried this morning. > > > > > > NetBSD-current: > > > test_sshkey: ..................................[1] Segmentation fault > > > (core dumped) ${V} /home/htodd... > > > *** Error code 139 > > > > did it produce a core dump? if so, could you feed it to gdb and get a > > backtrace? > > Never mind, I'm being stupid. Here's the backtrace: > > Core was generated by `test_sshkey'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, > certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 > 1896 key->cert->principals[key->cert->nprincipals++] = > principal; Could you do a "print *key->cert" to see what is going wrong here? Thanks, Damien From htodd at twofifty.com Wed Feb 17 17:01:26 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Tue, 16 Feb 2016 22:01:26 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, 17 Feb 2016, Damien Miller wrote: > On Tue, 16 Feb 2016, Hisashi T Fujinaka wrote: > >> On Wed, 17 Feb 2016, Darren Tucker wrote: >> >>> On Wed, Feb 17, 2016 at 3:51 AM, Hisashi T Fujinaka >>> wrote: >>>> Sorry, I haven't been paying too much attention here, but I'm having >>>> repeated failures when I tried this morning. >>>> >>>> NetBSD-current: >>>> test_sshkey: ..................................[1] Segmentation fault >>>> (core dumped) ${V} /home/htodd... >>>> *** Error code 139 >>> >>> did it produce a core dump? if so, could you feed it to gdb and get a >>> backtrace? >> >> Never mind, I'm being stupid. Here's the backtrace: >> >> Core was generated by `test_sshkey'. >> Program terminated with signal SIGSEGV, Segmentation fault. >> #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, >> certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 >> 1896 key->cert->principals[key->cert->nprincipals++] = >> principal; > > Could you do a "print *key->cert" to see what is going wrong here? (gdb) print *key->cert $1 = {certblob = 0x7f7ff7b162a0, type = 2, serial = 5, key_id = 0x7f7ff7b18090 "julius", nprincipals = 1, principals = 0xfffffffff7b180a0, valid_after = 915145200, valid_before = 1293836400, critical = 0x7f7ff7b162f0, extensions = 0x7f7ff7b16340, signature_key = 0x0} -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From djm at mindrot.org Wed Feb 17 17:12:28 2016 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Feb 2016 17:12:28 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Tue, 16 Feb 2016, Hisashi T Fujinaka wrote: > On Wed, 17 Feb 2016, Damien Miller wrote: > > > > Core was generated by `test_sshkey'. > > > Program terminated with signal SIGSEGV, Segmentation fault. > > > #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, > > > certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 > > > 1896 key->cert->principals[key->cert->nprincipals++] = > > > principal; > > > > Could you do a "print *key->cert" to see what is going wrong here? > > (gdb) print *key->cert > $1 = {certblob = 0x7f7ff7b162a0, type = 2, serial = 5, key_id = 0x7f7ff7b18090 > "julius", nprincipals = 1, > principals = 0xfffffffff7b180a0, valid_after = 915145200, valid_before = > 1293836400, critical = 0x7f7ff7b162f0, > extensions = 0x7f7ff7b16340, signature_key = 0x0} Thanks, but nothing appears wrong there. How about "print key->cert->principals[0]" - though I'm not sure how it could get to this point without reallocarray() returning a bad pointer. -d From htodd at twofifty.com Wed Feb 17 17:55:12 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Tue, 16 Feb 2016 22:55:12 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, 17 Feb 2016, Damien Miller wrote: > On Tue, 16 Feb 2016, Hisashi T Fujinaka wrote: > >> On Wed, 17 Feb 2016, Damien Miller wrote: >> >>>> Core was generated by `test_sshkey'. >>>> Program terminated with signal SIGSEGV, Segmentation fault. >>>> #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, >>>> certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 >>>> 1896 key->cert->principals[key->cert->nprincipals++] = >>>> principal; >>> >>> Could you do a "print *key->cert" to see what is going wrong here? >> >> (gdb) print *key->cert >> $1 = {certblob = 0x7f7ff7b162a0, type = 2, serial = 5, key_id = 0x7f7ff7b18090 >> "julius", nprincipals = 1, >> principals = 0xfffffffff7b180a0, valid_after = 915145200, valid_before = >> 1293836400, critical = 0x7f7ff7b162f0, >> extensions = 0x7f7ff7b16340, signature_key = 0x0} > > Thanks, but nothing appears wrong there. How about > "print key->cert->principals[0]" - though I'm not sure how it could get > to this point without reallocarray() returning a bad pointer. And in another "oh duh" moment, I think this dumped core on two different machines and I sent you the bt from the wrong machine. Here's the one from NetBSD-7. #0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12 (gdb) bt #0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12 #1 0x00007f7ff630e1e5 in abort () at /usr/src/lib/libc/stdlib/abort.c:74 #2 0x0000000000429992 in test_die () at regress/unittests/test_helper/test_helper.c:290 #3 0x0000000000406b0a in assert_int (file=file at entry=0x42a188 "regress/unittests/hostkeys/test_iterate.c", line=line at entry=163, a1=a1 at entry=0x42a1e0 "sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL)", a2=a2 at entry=0x42d2cf "0", aa1=-24, aa2=aa2 at entry=0, pred=pred at entry=TEST_EQ) at regress/unittests/test_helper/test_helper.c:419 #4 0x0000000000405783 in prepare_expected (n=61, expected=0x652060 ) at regress/unittests/hostkeys/test_iterate.c:161 #5 0x0000000000405823 in test_iterate () at regress/unittests/hostkeys/test_iterate.c:980 #6 0x0000000000405259 in tests () at regress/unittests/hostkeys/tests.c:14 #7 0x0000000000429b7d in main (argc=3, argv=0x7f7fffffd0c8) at regress/unittests/test_helper/test_helper.c:162 (gdb) print *key->cert No symbol "key" in current context. -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From carson at taltos.org Thu Feb 18 04:50:13 2016 From: carson at taltos.org (Carson Gaspar) Date: Wed, 17 Feb 2016 09:50:13 -0800 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: <56C2C19A.6080702@purdue.edu> Message-ID: <56C4B2D5.1030805@taltos.org> On 2/16/16 8:21 PM, Damien Miller wrote: > I think this should fix it. It would be good if someone with recent Solaris/ > Illumos that does have the fine-grained privilege support could test it too. Solaris 10 has setppriv, but does not have priv_basicset. To work on Solaris 10, the call would need to be replaced with the equivalent set of explicitly listed privs: "Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered "basic" privileges. These are privileges that used to be always avail- able to unprivileged processes. By default, processes still have the basic privileges." > diff --git a/configure.ac b/configure.ac > index b4c0aaa..f614edf 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -896,11 +896,8 @@ mips-sony-bsd|mips-sony-newsos4) > else > AC_MSG_RESULT([no]) > fi > - AC_CHECK_FUNC([setppriv], > - [ AC_CHECK_HEADERS([priv.h], [ > - SOLARIS_PRIVS="yes" > - ]) > - ]) > + AC_CHECK_FUNC([setppriv]) > + AC_CHECK_HEADERS([priv.h]) > AC_ARG_WITH([solaris-contracts], > [ --with-solaris-contracts Enable Solaris process contracts (experimental)], > [ > @@ -925,7 +922,9 @@ mips-sony-bsd|mips-sony-newsos4) > [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)], > [ > AC_MSG_CHECKING([for Solaris/Illumos privilege support]) > - if test "x$SOLARIS_PRIVS" = "xyes" ; then > + if test "x$ac_cv_func_setppriv" = "xyes" -a \ > + "x$ac_cv_header_priv_h" = "xyes" ; then > + SOLARIS_PRIVS=yes > AC_MSG_RESULT([found]) > AC_DEFINE([NO_UID_RESTORATION_TEST], [1], > [Define to disable UID restoration test]) > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From carson at taltos.org Thu Feb 18 05:09:12 2016 From: carson at taltos.org (Carson Gaspar) Date: Wed, 17 Feb 2016 10:09:12 -0800 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4B2D5.1030805@taltos.org> References: <56C2C19A.6080702@purdue.edu> <56C4B2D5.1030805@taltos.org> Message-ID: <56C4B748.9080009@taltos.org> On 2/17/16 9:50 AM, Carson Gaspar wrote: > On 2/16/16 8:21 PM, Damien Miller wrote: > >> I think this should fix it. It would be good if someone with recent >> Solaris/ >> Illumos that does have the fine-grained privilege support could test >> it too. > > Solaris 10 has setppriv, but does not have priv_basicset. To work on > Solaris 10, the call would need to be replaced with the equivalent set > of explicitly listed privs: > > "Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, > PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION, > PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered > "basic" privileges. These are privileges that used to be always avail- > able to unprivileged processes. By default, processes still have the > basic privileges." Of course that's the Sol 11 man page excerpt. Sol 10 doesn't have PRIV_FILE_{READ,WRITE}, but otherwise the basic privs are the same. -- Carson From wieland at purdue.edu Thu Feb 18 05:20:03 2016 From: wieland at purdue.edu (Jeff Wieland) Date: Wed, 17 Feb 2016 12:20:03 -0600 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4B748.9080009@taltos.org> References: <56C2C19A.6080702@purdue.edu> <56C4B2D5.1030805@taltos.org> <56C4B748.9080009@taltos.org> Message-ID: <56C4B9D3.6030607@purdue.edu> Carson Gaspar wrote: > On 2/17/16 9:50 AM, Carson Gaspar wrote: >> On 2/16/16 8:21 PM, Damien Miller wrote: >> >>> I think this should fix it. It would be good if someone with recent >>> Solaris/ >>> Illumos that does have the fine-grained privilege support could test >>> it too. >> >> Solaris 10 has setppriv, but does not have priv_basicset. To work on >> Solaris 10, the call would need to be replaced with the equivalent set >> of explicitly listed privs: >> >> "Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, >> PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION, >> PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered >> "basic" privileges. These are privileges that used to be always avail- >> able to unprivileged processes. By default, processes still have the >> basic privileges." > > Of course that's the Sol 11 man page excerpt. Sol 10 doesn't have > PRIV_FILE_{READ,WRITE}, but otherwise the basic privs are the same. > I'd be more that willing to try this out on Solaris 10. -- Jeff Wieland | Purdue University Network Systems Administrator | ITIS UNIX Platforms Voice: (765)496-8234 | 155 S. Grant Street FAX: (765)496-1380 | West Lafayette, IN 47907 From lesley.j.kimmel at gmail.com Thu Feb 18 05:59:57 2016 From: lesley.j.kimmel at gmail.com (Lesley Kimmel) Date: Wed, 17 Feb 2016 12:59:57 -0600 Subject: Using 'ForceCommand' Option Message-ID: I would like to implement an arbitrary script to be executed when logging on via SSH. This is supposedly possible using the ForceCommand option to sshd. However, as soon as I implement any script, even as simple as echoing a string, clients can no longer connect to the server. Clients report only that the connection was dropped by the server. The server, in debug mode, shows: Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: Starting session: forced-command (config) '/tmp/s.sh' on pts/3 for kimmell from 198.253.183.24 port 55673 Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_audit_run_command entering command /tmp/s.sh Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_request_send entering: type 114 Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_request_receive_expect entering: type 115 Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug3: mm_request_receive entering Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_request_receive entering Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug3: monitor_read: checking request 114 Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug3: mm_answer_audit_command entering Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: fatal: mm_answer_audit_command: error allocating a session Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug1: do_cleanup Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug1: PAM: cleanup Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug1: PAM: closing session Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: pam_unix(sshd:session): session closed for user Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug1: PAM: deleting credentials Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug3: PAM: sshpam_thread_cleanup entering Feb 17 16:14:01 is-rhsat-lv02 sshd[12985]: debug1: session_pty_cleanup: session 0 release /dev/pts/3 Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug1: do_cleanup Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: PAM: sshpam_thread_cleanup entering Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: debug3: mm_request_send entering: type 122 Feb 17 16:14:01 is-rhsat-lv02 sshd[13008]: fatal: mm_request_send: write: Broken pipe It may be important to note that this is on RHEL7. Hopefully this is on-topic. I tried the general OpenSSH discussion list but there seems to be no activity on that list. Thanks, -LJK From tgc at jupiterrise.com Thu Feb 18 06:57:45 2016 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Wed, 17 Feb 2016 20:57:45 +0100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: Message-ID: <56C4D0B9.2070101@jupiterrise.com> On 12/02/16 04:56, Damien Miller wrote: > Portable OpenSSH is available via Git at > https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at > https://github.com/openssh/openssh-portable > I'm seeing a hang in the testsuite on Solaris: run test transfer.sh ... transfer data: proto 1 I've tested on 2.6, 7 and 9, x86 only for now. I bisected it on Solaris 2.6 and the culprit is: 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a Reverting it gets rid of the hang and the testsuite runs to completion with no errors. I've inserted the logs from Solaris 9/x86 below. -tgc failed-regress.log: trace: proto 1 dd-size 10 FATAL: trace: proto 1 dd-size 10 FATAL: FAIL: failed-ssh.log: trace: proto 1 dd-size 10 FATAL: trace: proto 1 dd-size 10 FATAL: FAIL: failed-sshd.log: trace: proto 1 dd-size 10 debug1: inetd sockets after dupping: 5, 6 Connection from UNKNOWN port 65535 on UNKNOWN port 65535 debug1: Client protocol version 1.5; client software version OpenSSH_7.1 debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000 debug1: Local version string SSH-1.99-OpenSSH_7.1 Generating 1024 bit RSA key. RSA key generation complete. debug2: fd 5 setting O_NONBLOCK debug2: fd 6 setting O_NONBLOCK debug2: Network child is on pid 27122 debug3: preauth child monitor started debug1: Sent 1024 bit server key and 2048 bit host key. [preauth] debug1: Encryption type: 3des [preauth] debug3: mm_request_send entering: type 32 [preauth] debug3: mm_request_receive_expect entering: type 33 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 32 debug3: mm_request_send entering: type 33 debug2: monitor_read: 32 used once, disabling now debug3: mm_ssh1_session_id entering [preauth] debug3: mm_request_send entering: type 34 [preauth] debug1: Received session key; encryption turned on. [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 34 debug3: mm_answer_sessid entering debug2: monitor_read: 34 used once, disabling now debug3: mm_getpwnamallow entering [preauth] debug3: mm_request_send entering: type 8 [preauth] debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth] debug3: mm_request_receive_expect entering: type 9 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 8 debug3: mm_answer_pwnamallow debug2: parse_server_config: config reprocess config len 555 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 9 debug2: monitor_read: 8 used once, disabling now debug1: Attempting authentication for tgc. [preauth] debug3: mm_auth_rsa_key_allowed entering [preauth] debug3: mm_request_send entering: type 36 [preauth] debug3: mm_request_receive_expect entering: type 37 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 36 debug3: mm_answer_rsa_keyallowed entering debug1: temporarily_use_uid: 500/500 (e=500/500) debug1: trying public RSA key file /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/authorized_keys_tgc debug1: fd 9 clearing O_NONBLOCK debug1: /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/authorized_keys_tgc, line 1: non ssh1 key syntax debug1: matching key found: file /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/authorized_keys_tgc, line 2 RSA1 SHA256:T373CbnNP2xxI+dYn8iGW/IUdoGB0RyZQd+TEhFbz3k debug1: restore_uid: (unprivileged) debug3: mm_request_send entering: type 37 Failed rsa for tgc from UNKNOWN port 65535 ssh1 debug3: mm_auth_rsa_generate_challenge entering [preauth] debug3: mm_request_send entering: type 38 [preauth] debug3: mm_request_receive_expect entering: type 39 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 38 debug3: mm_answer_rsa_challenge entering debug3: mm_answer_rsa_challenge sending reply debug3: mm_request_send entering: type 39 debug2: monitor_read: 38 used once, disabling now debug3: mm_auth_rsa_verify_response entering [preauth] debug3: mm_request_send entering: type 40 [preauth] debug3: mm_request_receive_expect entering: type 41 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 40 debug3: mm_answer_rsa_response entering debug3: mm_request_send entering: type 41 debug2: monitor_read: 40 used once, disabling now Accepted rsa for tgc from UNKNOWN port 65535 ssh1 debug1: monitor_child_preauth: tgc has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 26 debug3: mm_request_receive entering debug3: mm_get_keystate: GOT new keys debug3: mm_request_send entering: type 26 [preauth] debug3: mm_send_keystate: Finished sending state [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug3: monitor_apply_keystate: packet_set_state debug1: ssh_packet_set_postauth: called debug3: ssh_packet_set_state: done debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1: Exec command 'cat > /export/home/tgc/buildpkg/openssh/src/openssh-git/regress/copy' Starting session: command for tgc from UNKNOWN port 65535 id 0 User child is on pid 27123 debug1: Entering interactive session. debug2: fd 8 setting O_NONBLOCK debug2: fd 10 setting O_NONBLOCK debug2: fd 12 setting O_NONBLOCK debug2: fd 7 setting O_NONBLOCK debug2: fd 11 setting O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug3: mm_request_receive entering debug1: do_cleanup FATAL: FAIL: From gert at greenie.muc.de Thu Feb 18 08:17:19 2016 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 17 Feb 2016 22:17:19 +0100 Subject: Using 'ForceCommand' Option In-Reply-To: References: Message-ID: <20160217211719.GH24952@greenie.muc.de> Hi, On Wed, Feb 17, 2016 at 12:59:57PM -0600, Lesley Kimmel wrote: > I would like to implement an arbitrary script to be executed when logging > on via SSH. I'd just do this in the PAM session handler. ForceCommand means "run this command *and then exit*", so this is not what you want. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From lesley.j.kimmel at gmail.com Thu Feb 18 08:50:40 2016 From: lesley.j.kimmel at gmail.com (Lesley Kimmel) Date: Wed, 17 Feb 2016 15:50:40 -0600 Subject: Using 'ForceCommand' Option In-Reply-To: <20160217211719.GH24952@greenie.muc.de> References: <20160217211719.GH24952@greenie.muc.de> Message-ID: Gert, Thank you for the feedback. Can you give any further direction on where to get more information on what you are describing? On Wed, Feb 17, 2016 at 3:17 PM, Gert Doering wrote: > Hi, > > On Wed, Feb 17, 2016 at 12:59:57PM -0600, Lesley Kimmel wrote: > > I would like to implement an arbitrary script to be executed when logging > > on via SSH. > > I'd just do this in the PAM session handler. > > ForceCommand means "run this command *and then exit*", so this is not > what you want. > > gert > > > -- > USENET is *not* the non-clickable part of WWW! > // > www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > From alex at cooperi.net Thu Feb 18 09:04:23 2016 From: alex at cooperi.net (Alex Wilson) Date: Wed, 17 Feb 2016 14:04:23 -0800 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4B2D5.1030805@taltos.org> References: <56C2C19A.6080702@purdue.edu> <56C4B2D5.1030805@taltos.org> Message-ID: <56C4EE67.1090003@cooperi.net> On 2/17/16 9:50 AM, Carson Gaspar wrote: > Solaris 10 has setppriv, but does not have priv_basicset. To work on > Solaris 10, the call would need to be replaced with the equivalent set > of explicitly listed privs: The prior art in other apps on the system seems to suggest that priv_str_to_set is a better fallback if priv_basicset is not available. I've attached a patch that seems to build and work on Illumos in both modes (using priv_basicset and using priv_str_to_set). Would you mind trying it on Solaris 10 for me? I did write this keeping Solaris 10 in mind originally, but apparently I missed the lack of priv_basicset. Sorry. -------------- next part -------------- >From 6cc3cf443748a3047ca642fd70438baffd2860fd Mon Sep 17 00:00:00 2001 From: Alex Wilson Date: Wed, 17 Feb 2016 13:56:01 -0800 Subject: [PATCH] wip: fix for sol10 privs --- configure.ac | 1 + openbsd-compat/port-solaris.c | 26 ++++++++++++++++++++------ sandbox-solaris.c | 11 ++++++++--- 3 files changed, 29 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index b4c0aaa..d910f53 100644 --- a/configure.ac +++ b/configure.ac @@ -898,6 +898,7 @@ mips-sony-bsd|mips-sony-newsos4) fi AC_CHECK_FUNC([setppriv], [ AC_CHECK_HEADERS([priv.h], [ + AC_CHECK_FUNCS([priv_basicset]) SOLARIS_PRIVS="yes" ]) ]) diff --git a/openbsd-compat/port-solaris.c b/openbsd-compat/port-solaris.c index 962cd16..0ba80c6 100644 --- a/openbsd-compat/port-solaris.c +++ b/openbsd-compat/port-solaris.c @@ -254,11 +254,17 @@ solaris_drop_privs_pinfo_net_fork_exec(void) * etc etc). */ - if ((pset = priv_allocset()) == NULL || - (npset = priv_allocset()) == NULL) + if ((pset = priv_allocset()) == NULL) fatal("priv_allocset: %s", strerror(errno)); +#if defined(HAVE_PRIV_BASICSET) + if ((npset = priv_allocset()) == NULL) + fatal("priv_allocset: %s", strerror(errno)); priv_basicset(npset); +#else + if ((npset = priv_str_to_set("basic", ",", NULL)) == NULL) + fatal("priv_str_to_set: %s", strerror(errno)); +#endif if (priv_addset(npset, PRIV_FILE_CHOWN) != 0 || priv_addset(npset, PRIV_FILE_DAC_READ) != 0 || @@ -294,11 +300,15 @@ solaris_drop_privs_root_pinfo_net(void) { priv_set_t *pset = NULL; + /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) if ((pset = priv_allocset()) == NULL) fatal("priv_allocset: %s", strerror(errno)); - - /* Start with "basic" and drop everything we don't need. */ priv_basicset(pset); +#else + if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) + fatal("priv_str_to_set: %s", strerror(errno)); +#endif if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 || priv_delset(pset, PRIV_NET_ACCESS) != 0 || @@ -319,11 +329,15 @@ solaris_drop_privs_root_pinfo_net_exec(void) { priv_set_t *pset = NULL; + /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) if ((pset = priv_allocset()) == NULL) fatal("priv_allocset: %s", strerror(errno)); - - /* Start with "basic" and drop everything we don't need. */ priv_basicset(pset); +#else + if ((pset = priv_str_to_set("basic", ",", NULL)) == NULL) + fatal("priv_str_to_set: %s", strerror(errno)); +#endif if (priv_delset(pset, PRIV_FILE_LINK_ANY) != 0 || priv_delset(pset, PRIV_NET_ACCESS) != 0 || diff --git a/sandbox-solaris.c b/sandbox-solaris.c index 98714e1..a1828ed 100644 --- a/sandbox-solaris.c +++ b/sandbox-solaris.c @@ -48,15 +48,20 @@ ssh_sandbox_init(struct monitor *monitor) struct ssh_sandbox *box = NULL; box = xcalloc(1, sizeof(*box)); - box->pset = priv_allocset(); + /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) + box->pset = priv_allocset(); +#else + box->pset = priv_str_to_set("basic", ",", NULL); +#endif if (box->pset == NULL) { free(box); return NULL; } - - /* Start with "basic" and drop everything we don't need. */ +#if defined(HAVE_PRIV_BASICSET) priv_basicset(box->pset); +#endif /* Drop everything except the ability to use already-opened files */ if (priv_delset(box->pset, PRIV_FILE_LINK_ANY) != 0 || -- 2.5.4 (Apple Git-61) From djm at mindrot.org Thu Feb 18 09:05:27 2016 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Feb 2016 09:05:27 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, 17 Feb 2016, Hisashi T Fujinaka wrote: > And in another "oh duh" moment, I think this dumped core on two different > machines and I sent you the bt from the wrong machine. Here's the one > from NetBSD-7. > > #0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12 > (gdb) bt > #0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12 > #1 0x00007f7ff630e1e5 in abort () at /usr/src/lib/libc/stdlib/abort.c:74 > #2 0x0000000000429992 in test_die () at > regress/unittests/test_helper/test_helper.c:290 > #3 0x0000000000406b0a in assert_int (file=file at entry=0x42a188 > "regress/unittests/hostkeys/test_iterate.c", line=line at entry=163, > a1=a1 at entry=0x42a1e0 "sshkey_load_public( > test_data_file(expected[i].key_file), &expected[i].l.key, NULL)", > a2=a2 at entry=0x42d2cf "0", aa1=-24, aa2=aa2 at entry=0, This one is failing a test assetion - there should be some more useful output available from the test itself. -d From htodd at twofifty.com Thu Feb 18 09:17:13 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Wed, 17 Feb 2016 14:17:13 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Thu, 18 Feb 2016, Damien Miller wrote: > On Wed, 17 Feb 2016, Hisashi T Fujinaka wrote: > >> And in another "oh duh" moment, I think this dumped core on two different >> machines and I sent you the bt from the wrong machine. Here's the one >> from NetBSD-7. >> >> #0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12 >> (gdb) bt >> #0 0x00007f7ff630e55a in _lwp_kill () from /usr/lib/libc.so.12 >> #1 0x00007f7ff630e1e5 in abort () at /usr/src/lib/libc/stdlib/abort.c:74 >> #2 0x0000000000429992 in test_die () at >> regress/unittests/test_helper/test_helper.c:290 >> #3 0x0000000000406b0a in assert_int (file=file at entry=0x42a188 >> "regress/unittests/hostkeys/test_iterate.c", line=line at entry=163, >> a1=a1 at entry=0x42a1e0 "sshkey_load_public( >> test_data_file(expected[i].key_file), &expected[i].l.key, NULL)", >> a2=a2 at entry=0x42d2cf "0", aa1=-24, aa2=aa2 at entry=0, > > This one is failing a test assetion - there should be some more useful > output available from the test itself. I think it's this: test_hostkeys: regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all with key parse" ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0) failed: sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL) = -24 0 = 0 [1] Abort trap (core dumped) ${V} /home/htodd... *** Error code 134 -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From djm at mindrot.org Thu Feb 18 09:18:40 2016 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Feb 2016 09:18:40 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4D0B9.2070101@jupiterrise.com> References: <56C4D0B9.2070101@jupiterrise.com> Message-ID: On Wed, 17 Feb 2016, Tom G. Christensen wrote: > On 12/02/16 04:56, Damien Miller wrote: > > Portable OpenSSH is available via Git at > > https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at > > https://github.com/openssh/openssh-portable > > > > I'm seeing a hang in the testsuite on Solaris: > run test transfer.sh ... > transfer data: proto 1 > > > I've tested on 2.6, 7 and 9, x86 only for now. > > I bisected it on Solaris 2.6 and the culprit is: > 19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a > > Reverting it gets rid of the hang and the testsuite runs to completion > with no errors. Thanks for the analysis. I think this fixes it. diff --git a/packet.c b/packet.c index 7ddebeb..6755e74 100644 --- a/packet.c +++ b/packet.c @@ -263,8 +263,8 @@ ssh_alloc_session_state(void) int ssh_packet_is_rekeying(struct ssh *ssh) { - return ssh->state->rekeying || - (ssh->kex != NULL && ssh->kex->done == 0); + return compat20 && + (ssh->state->rekeying || (ssh->kex != NULL && ssh->kex->done == 0)); } /* From alex at cooperi.net Thu Feb 18 09:18:34 2016 From: alex at cooperi.net (Alex Wilson) Date: Wed, 17 Feb 2016 14:18:34 -0800 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4EE67.1090003@cooperi.net> References: <56C2C19A.6080702@purdue.edu> <56C4B2D5.1030805@taltos.org> <56C4EE67.1090003@cooperi.net> Message-ID: <56C4F1BA.9090304@cooperi.net> On 2/17/16 2:04 PM, Alex Wilson wrote: > I've attached a patch... > Also at https://us-east.manta.joyent.com/arekinath/public/openssh-wip-fix-for-sol10-privs.patch If you are having trouble getting the patch out of the email. Also, as for Damien's patch, you will want to regenerate configure etc. This doesn't go on top of his suggestion (I don't want to just disable this new code for Solaris 10 if possible, it would be better to fix it up so that you can have sandbox support as well) From djm at mindrot.org Thu Feb 18 09:23:16 2016 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Feb 2016 09:23:16 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, 17 Feb 2016, Hisashi T Fujinaka wrote: > > This one is failing a test assetion - there should be some more useful > > output available from the test itself. > > I think it's this: > > test_hostkeys: > regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all > with key parse" > ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), > &expected[i].l.key, NULL), 0) failed: > sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, > NULL) = -24 I need to make these error messages more user-friendly :( -24 is SSH_ERR_SYSTEM_ERROR, so it's likely failing to find/load the key for some reason. I'll make a patch to improve the error message, but in the meantime you could probably figure out the exact failure using ktrace/ktruss/strace and/or digging errno out of the core file. -d From djm at mindrot.org Thu Feb 18 09:31:03 2016 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Feb 2016 09:31:03 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4F1BA.9090304@cooperi.net> References: <56C2C19A.6080702@purdue.edu> <56C4B2D5.1030805@taltos.org> <56C4EE67.1090003@cooperi.net> <56C4F1BA.9090304@cooperi.net> Message-ID: On Wed, 17 Feb 2016, Alex Wilson wrote: > On 2/17/16 2:04 PM, Alex Wilson wrote: > > I've attached a patch... > > > > Also at > > https://us-east.manta.joyent.com/arekinath/public/openssh-wip-fix-for-sol10-privs.patch > > If you are having trouble getting the patch out of the email. > > Also, as for Damien's patch, you will want to regenerate configure etc. > This doesn't go on top of his suggestion (I don't want to just disable > this new code for Solaris 10 if possible, it would be better to fix it > up so that you can have sandbox support as well) I don't have any Solaris systems around to test, so I'm pretty much flying blind. I'd love to be able to ship something that works for both 10 and 11 though, so if you are both able to come up with a patch including the autoconf gunk that works then I'll get it committed. -d From htodd at twofifty.com Thu Feb 18 09:26:53 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Wed, 17 Feb 2016 14:26:53 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Thu, 18 Feb 2016, Damien Miller wrote: > On Wed, 17 Feb 2016, Hisashi T Fujinaka wrote: > >>> This one is failing a test assetion - there should be some more useful >>> output available from the test itself. >> >> I think it's this: >> >> test_hostkeys: >> regress/unittests/hostkeys/test_iterate.c:163 test #1 "hostkeys_iterate all >> with key parse" >> ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), >> &expected[i].l.key, NULL), 0) failed: >> sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, >> NULL) = -24 > > I need to make these error messages more user-friendly :( > > -24 is SSH_ERR_SYSTEM_ERROR, so it's likely failing to find/load the > key for some reason. I'll make a patch to improve the error message, > but in the meantime you could probably figure out the exact failure > using ktrace/ktruss/strace and/or digging errno out of the core file. Do I have to fish the actual invocation of test_hostkeys from somewhere too? -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From djm at mindrot.org Thu Feb 18 09:34:59 2016 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Feb 2016 09:34:59 +1100 (AEDT) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Wed, 17 Feb 2016, Hisashi T Fujinaka wrote: > > I need to make these error messages more user-friendly :( > > > > -24 is SSH_ERR_SYSTEM_ERROR, so it's likely failing to find/load the > > key for some reason. I'll make a patch to improve the error message, > > but in the meantime you could probably figure out the exact failure > > using ktrace/ktruss/strace and/or digging errno out of the core file. > > Do I have to fish the actual invocation of test_hostkeys from somewhere > too? Probably not, if you ktrace or similar you need only look for the last failing syscall (probably open) before the output of the error message. -d From lesley.j.kimmel at gmail.com Thu Feb 18 09:47:27 2016 From: lesley.j.kimmel at gmail.com (Lesley Kimmel) Date: Wed, 17 Feb 2016 16:47:27 -0600 Subject: Using 'ForceCommand' Option In-Reply-To: References: <20160217211719.GH24952@greenie.muc.de> Message-ID: So I probably shouldn't have said "arbitrary" script. What I really want to do is to present a terms of service notice (/etc/issue). But I also want to get the user to actually confirm (by typing 'y') that they accept. If they try to exit or type anything other than 'y' they will be denied access. I'm not sure a user can interact with a script being executed by PAM. Also, I want to differentiate for SCP. It looks like OpenSSH will pass SSH_ORIGINAL_COMMAND variable to the script so I can use that in the script logic and not enforce input for SCP and/or SFTP. So it would seem to be what I want. I found an example on the interwebs with something similar and I built my script similarly but I can't seem to get any output. I guess I was looking for help deciphering that DEBUG output. On Wed, Feb 17, 2016 at 3:50 PM, Lesley Kimmel wrote: > Gert, > > Thank you for the feedback. Can you give any further direction on where to > get more information on what you are describing? > > On Wed, Feb 17, 2016 at 3:17 PM, Gert Doering wrote: > >> Hi, >> >> On Wed, Feb 17, 2016 at 12:59:57PM -0600, Lesley Kimmel wrote: >> > I would like to implement an arbitrary script to be executed when >> logging >> > on via SSH. >> >> I'd just do this in the PAM session handler. >> >> ForceCommand means "run this command *and then exit*", so this is not >> what you want. >> >> gert >> >> >> -- >> USENET is *not* the non-clickable part of WWW! >> // >> www.muc.de/~gert/ >> Gert Doering - Munich, Germany >> gert at greenie.muc.de >> fax: +49-89-35655025 >> gert at net.informatik.tu-muenchen.de >> > > From carson at taltos.org Thu Feb 18 10:02:00 2016 From: carson at taltos.org (Carson Gaspar) Date: Wed, 17 Feb 2016 15:02:00 -0800 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: <56C4EE67.1090003@cooperi.net> References: <56C2C19A.6080702@purdue.edu> <56C4B2D5.1030805@taltos.org> <56C4EE67.1090003@cooperi.net> Message-ID: <56C4FBE8.2090308@taltos.org> On 2/17/16 2:04 PM, Alex Wilson wrote: > On 2/17/16 9:50 AM, Carson Gaspar wrote: >> Solaris 10 has setppriv, but does not have priv_basicset. To work on >> Solaris 10, the call would need to be replaced with the equivalent set >> of explicitly listed privs: > > The prior art in other apps on the system seems to suggest that > priv_str_to_set is a better fallback if priv_basicset is not available. > > I've attached a patch that seems to build and work on Illumos in both > modes (using priv_basicset and using priv_str_to_set). Would you mind > trying it on Solaris 10 for me? I did write this keeping Solaris 10 in > mind originally, but apparently I missed the lack of priv_basicset. Sorry. Sadly I'm hitting a different autoconf bug :-( carson:sol10dev 0 SOL$ grep CPPFLAGS config.log $ ./configure CPPFLAGS=-I/usr/sfw/include LDFLAGS=-L/usr/sfw/lib/64 -R/usr/sfw/lib/64 -L/usr/sfw/lib/64 -R/usr/sfw/lib/64 ac_cv_env_CPPFLAGS_set=set ac_cv_env_CPPFLAGS_value=-I/usr/sfw/include CPPFLAGS='-I/usr/sfw/include' Wed Feb 17 15:00:13 ~/openssh-git carson:sol10dev 0 SOL$ grep CPPFLAGS config.status S["CPPFLAGS"]="" ARRGH! -- Carson From htodd at twofifty.com Thu Feb 18 10:01:16 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Wed, 17 Feb 2016 15:01:16 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: On Thu, 18 Feb 2016, Damien Miller wrote: > On Wed, 17 Feb 2016, Hisashi T Fujinaka wrote: > >>> I need to make these error messages more user-friendly :( >>> >>> -24 is SSH_ERR_SYSTEM_ERROR, so it's likely failing to find/load the >>> key for some reason. I'll make a patch to improve the error message, >>> but in the meantime you could probably figure out the exact failure >>> using ktrace/ktruss/strace and/or digging errno out of the core file. >> >> Do I have to fish the actual invocation of test_hostkeys from somewhere >> too? > > Probably not, if you ktrace or similar you need only look for the > last failing syscall (probably open) before the output of the error > message. More stupidity on my part. A "make distclean" fixed things on my NetBSD-7 box. Unfortunately, the test crashed NetBSD-current. -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From scott_n at xypro.com Thu Feb 18 10:06:04 2016 From: scott_n at xypro.com (Scott Neugroschl) Date: Wed, 17 Feb 2016 23:06:04 +0000 Subject: Using 'ForceCommand' Option In-Reply-To: References: <20160217211719.GH24952@greenie.muc.de>

Message-ID: > So I probably shouldn't have said "arbitrary" script. What I really want to do > is to present a terms of service notice (/etc/issue). But I also want to get > the user to actually confirm (by typing 'y') that they accept. If they try to > exit or type anything other than 'y' they will be denied access. For interactive sessions, at least, can't you just do this in /etc/profile? From htodd at twofifty.com Thu Feb 18 10:13:45 2016 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Wed, 17 Feb 2016 15:13:45 -0800 (PST) Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References:

Message-ID: OK, on NetBSD-current: test_sshbuf: ................................................................................................... 100 tests ok test_sshkey: ..................................[1] Segmentation fault (core dumped) ${V} /home/htodd... *** Error code 139 Stop. ... Core was generated by `test_sshkey'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 1896 key->cert->principals[key->cert->nprincipals++] = principal; (gdb) bt #0 0x000000000041273e in cert_parse (key=0x7f7ff7b120c0, certbuf=0x7f7ff7b16200, b=0x7f7ff7b161b0) at sshkey.c:1896 #1 sshkey_from_blob_internal (b=b at entry=0x7f7ff7b161b0, keyp=keyp at entry=0x7f7fffff9040, allow_cert=allow_cert at entry=1) at sshkey.c:2116 #2 0x000000000041291c in sshkey_from_blob (blob=, blen=blen at entry=422, keyp=keyp at entry=0x7f7fffff9040) at sshkey.c:2147 #3 0x0000000000412a75 in sshkey_read (ret=ret at entry=0x7f7ff7b12080, cpp=cpp at entry=0x7f7fffff90a0) at sshkey.c:1302 #4 0x0000000000415f5a in sshkey_try_load_public (k=k at entry=0x7f7ff7b12080, filename=0x7f7ff7b16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub", commentp=commentp at entry=0x0) at authfile.c:314 #5 0x0000000000416712 in sshkey_load_cert (filename=, keyp=keyp at entry=0x7f7fffffd150) at authfile.c:419 #6 0x0000000000409f9b in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527 #7 0x0000000000405d81 in tests () at regress/unittests/sshkey/tests.c:24 #8 0x000000000042cc4d in main (argc=3, argv=0x7f7fffffd258) at regress/unittests/test_helper/test_helper.c:162 -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From dtucker at zip.com.au Thu Feb 18 10:22:09 2016 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 18 Feb 2016 10:22:09 +1100 Subject: Call for testing: OpenSSH 7.2 In-Reply-To: References: <56C2C19A.6080702@purdue.edu>