http://bass.directhit.com/openssh_snap/

Starting tonight I plan on tracking changes very closely with the OpenBSD tree. I need people to test the latest snapshot (9/14 as of right now) and report success or failure on compiling.

I am starting this now because we are looking at a code freeze soon and I really want to ensure it compiles and runs on all existing platforms, so we (the portable group) are not rushing to get a release out of the door.

Anyone with AES issues in 2.9pX (Cray, NeXT FAT binary, etc.) please test to see if the current snapshot supports your platform correctly.

- Ben
redhat 6.2, compiled fine. irix 6.5 - compiled fine. solaris 5.8 - compiled fine except for missing prototype *** session.c.orig Fri Sep 14 19:01:42 2001 --- session.c Fri Sep 14 19:02:08 2001 *************** *** 130,135 **** --- 130,136 ---- void do_exec(Session *, const char *); void do_login(Session *, const char *); void do_child(Session *, const char *); + void do_pre_login(Session *); void do_motd(void); int check_quietlogin(Session *, const char *); cray unicos - compiled fine once i added the rest of the unicos changes that haven't been integrated yet. (you caught me just as i was leaving for the night, so i hurried up and ran them). have a good weekend, wendy mouring at etoh.eviladmin.org wrote:> > http://bass.directhit.com/openssh_snap/ > > Starting tonight I plan on tracking changes very closely with the OpenBSD > tree. I need people to test the latest snapshot (9/14 at of right now) > and report success or failure on compiling. > > I am starting this now because we are looking at a code freeze soon and I > really want to ensure it compiles and runs on all existing platforms. So > we (the portable group) is not rushing to get a release out of the door. > > Anyone with AES issues in 2.9pX (Cray, NeXT FAT binary, etc) please test > to see if the current snapshot supports your platform correctly. > > - Ben-- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154
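Review bot: the added `+ void do_pre_login(Session *);` prototype is unconditional and non-static, so it has to match the way do_pre_login() is actually defined further down in session.c; if the definition is `static` (or is itself wrapped in `#ifdef LOGIN_NEEDS_UTMPX`), a preceding non-static declaration is a conflict on strict compilers and the declaration should carry the same `static` and the same guard. Worth checking before this goes in, since it only fixes the Solaris missing-prototype error and the declaration/definition pair is what the compiler will compare.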
On Fri, Sep 14, 2001 at 06:24:13PM -0500, mouring at etoh.eviladmin.org wrote:
> http://bass.directhit.com/openssh_snap/
>
> Starting tonight I plan on tracking changes very closely with the OpenBSD
> tree. I need people to test the latest snapshot (9/14 at of right now)
> and report success or failure on compiling.
>
> I am starting this now because we are looking at a code freeze soon and I
> really want to ensure it compiles and runs on all existing platforms. So
> we (the portable group) is not rushing to get a release out of the door.

Mumble, mumble. I feel like a parrot: the fix for the ssh-agent forwarding problem on some platforms (e.g. HP-UX) is still not in the code.

Background: when using agent forwarding (-A) and actually accessing the agent, the forwarded connection is not closed. This has two consequences:

1. With the forwarded connection still open, the ssh connection will not close down properly (similar to the often discussed "sleep; exit" hang).

2. The ssh-agent itself will only serve a limited number of connections at a time (10?), so the ssh-agent will run into a resource limit and stop accepting connections.

The reason is that on some platforms (namely HP-UX) a shutdown() in only one direction is not propagated (ssh uses shutdown() on the UNIX socket to the agent, but the agent never learns about this shutdown()). I have seen similar effects on pipe connections on HP-UX, which therefore requires the USE_PIPE flag. I would therefore expect the other platforms requiring the USE_PIPE flag to also be affected. According to configure.in these are: cygwin, NeXT, SunOS4, SNI-SysV, SysV4.2, SysV5, SCO3.2v?, unicos.

I have again attached the patch worked out between Markus Friedl and myself. Please test whether agent forwarding works for you _and_, if you experience the problem described above, whether the patch appended helps.

To test:
* start the agent and load a key.
* connect to a server with ssh -A.
* from there open another ssh connection which requires public key authentication with the key in the agent. * exit both connections. If the second exit hangs, you have the problem described. Hint1: the patch only affects the client, as it is the UNIX socket between client and ssh-agent that makes the problem. Hint2: don't forget to "make clean; make" after applying the patch, as the data structures are changed. Sorry for bothering you with this longish email, but the security advantages of agent forwarding are obvious: - a malicious ssh-client binary cannot log your password, as you do not type it in. (This does not protect the malicious binary from changing the communication once established, but this is much harder to exploit than simply logging the password and using it later.) - the password timing attack does not apply, as no passwords have to be typed in to open the second connection. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 -------------- next part -------------- diff -r -u newsoft/openssh_cvs/channels.c n2/openssh/channels.c --- newsoft/openssh_cvs/channels.c Thu Jul 19 18:03:32 2001 +++ n2/openssh/channels.c Wed Jul 25 18:09:44 2001 @@ -260,6 +260,7 @@ c->cb_fn = NULL; c->cb_arg = NULL; c->cb_event = 0; + c->force_drain = 0; c->detach_user = NULL; c->input_filter = NULL; debug("channel %d: new [%s]", found, remote_name); @@ -1031,6 +1032,7 @@ xfree(remote_ipaddr); return; } + nc->force_drain = 0; if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("x11"); @@ -1185,6 +1187,7 @@ xfree(name); close(newsock); } + nc->force_drain = 0; if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); packet_put_cstring("auth-agent at openssh.com"); 
@@ -1781,6 +1784,13 @@ if (c == NULL) packet_disconnect("Received ieof for nonexistent channel %d.", id); chan_rcvd_ieof(c); + + /* XXX force input close */ + if (c->force_drain) { + debug2("channel %d: XXX FORCE input drain", c->self); + c->istate = CHAN_INPUT_WAIT_DRAIN; + } + } void @@ -2669,6 +2679,7 @@ close(sock); } else { c->remote_id = remote_id; + c->force_drain = 1; } } if (c == NULL) { @@ -2931,6 +2942,7 @@ close(sock); } else { c->remote_id = remote_id; + c->force_drain = 1; } } if (c == NULL) { diff -r -u newsoft/openssh_cvs/channels.h n2/openssh/channels.h --- newsoft/openssh_cvs/channels.h Thu Jul 19 18:03:33 2001 +++ n2/openssh/channels.h Thu Jul 19 18:31:56 2001 @@ -77,6 +77,7 @@ int efd; /* extended fd */ int sock; /* sock fd */ int isatty; /* rfd is a tty */ + int force_drain; /* force close on iEOF */ Buffer input; /* data read from socket, to be sent over * encrypted connection */ Buffer output; /* data received over encrypted connection for diff -r -u newsoft/openssh_cvs/clientloop.c n2/openssh/clientloop.c --- newsoft/openssh_cvs/clientloop.c Thu Jul 19 18:03:33 2001 +++ n2/openssh/clientloop.c Thu Jul 19 19:24:27 2001 @@ -1111,6 +1111,7 @@ error("client_request_x11: channel_new failed"); close(sock); } + c->force_drain = 1; return c; } @@ -1136,6 +1137,7 @@ error("client_request_agent: channel_new failed"); close(sock); } + c->force_drain = 1; return c; }
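Review bot: in the @@ -1031 and @@ -1185 channels.c hunks the `nc->force_drain = 0;` lines are redundant once the @@ -260 hunk initialises `c->force_drain = 0;` for every channel in channel_new(), and in the @@ -1185 (auth-agent listener) hunk the assignment follows the `close(newsock); }` error block with no `return` visible in the context, unlike the x11 hunk above it which returns before the assignment. Either drop both zero-assignments or move them onto the path where nc is known to be non-NULL.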
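Review bot: the @@ -1781 hunk forces `c->istate = CHAN_INPUT_WAIT_DRAIN` whenever force_drain is set, immediately after chan_rcvd_ieof(c) has already adjusted the channel state, without looking at what that state now is; restrict the override to the case where the input side is still open, and replace the `XXX FORCE input drain` debug marker with a comment that names the condition it works around (the peer on the agent/X11 socket not seeing a one-directional shutdown()), since that is the only reason the flag exists and nothing in channels.h explains it beyond "force close on iEOF".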
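Review bot: in both clientloop.c hunks (@@ -1111 and @@ -1136) `c->force_drain = 1;` is placed after the `if (c == NULL) { error(...); close(sock); }` block and before `return c;`, so a channel_new() failure now dereferences NULL instead of returning NULL to the caller as it did before. Move the assignment into the success path, for example `if (c != NULL) c->force_drain = 1;`, or into an `else` on that check.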
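The half-close behaviour Lutz's message depends on can be probed on a given platform without an sshd or an agent. The following is an added example, not code from this thread or from OpenSSH: it uses a socketpair() in place of the client-to-agent UNIX socket and assumes POSIX sockets and poll(); the function names and the one-second timeout are this example's own choices.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not code from the thread or from OpenSSH. It checks, on
 * the host it is compiled on, the property the agent-forwarding fix relies
 * on: a one-directional shutdown() (SHUT_WR) on a UNIX-domain stream socket
 * is delivered to the peer as EOF, while the peer can still send back.
 * A socketpair() stands in for the ssh <-> ssh-agent connection; the
 * timeout below is this example's own choice. */

#define PROBE_TIMEOUT_MS 1000

static void close_pair(int sv[2])
{
    close(sv[0]);
    close(sv[1]);
}

/* Returns 1 if the "agent" side sees EOF after the "client" half-closes,
 * 0 if no EOF arrives within PROBE_TIMEOUT_MS (the hang described in the
 * thread), and -1 on a setup error. */
int half_close_propagates(void)
{
    int sv[2];
    char buf[16];
    ssize_t n;
    struct pollfd pfd;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    /* client: send a request, then shut down only its writing direction */
    if (write(sv[0], "req", 3) != 3 || shutdown(sv[0], SHUT_WR) < 0) {
        close_pair(sv);
        return -1;
    }

    /* agent: consume the request */
    if (read(sv[1], buf, sizeof buf) != 3) {
        close_pair(sv);
        return -1;
    }

    /* agent: wait for EOF; a platform that does not propagate the
     * half-close never makes the descriptor readable again */
    pfd.fd = sv[1];
    pfd.events = POLLIN;
    if (poll(&pfd, 1, PROBE_TIMEOUT_MS) <= 0) {
        close_pair(sv);
        return 0;
    }
    n = read(sv[1], buf, sizeof buf);
    close_pair(sv);
    return n == 0 ? 1 : 0;
}

/* Returns 1 if the agent side can still answer after the client's
 * half-close (the whole point of using shutdown() instead of close()),
 * 0 otherwise, -1 on a setup error. */
int reply_after_half_close(void)
{
    int sv[2];
    char buf[16];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (shutdown(sv[0], SHUT_WR) < 0 || write(sv[1], "reply", 5) != 5) {
        close_pair(sv);
        return 0;
    }
    n = read(sv[0], buf, sizeof buf);
    close_pair(sv);
    return (n == 5 && memcmp(buf, "reply", 5) == 0) ? 1 : 0;
}

int main(void)
{
    printf("half-close seen as EOF by peer:  %d\n", half_close_propagates());
    printf("peer can reply after half-close: %d\n", reply_after_half_close());
    return 0;
}
```

On a platform where both functions return 1 the agent connection should close cleanly without the force_drain workaround; a 0 from the first function is the HP-UX / USE_PIPE behaviour the patch is aimed at.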
> > Starting tonight I plan on tracking changes very closely with the OpenBSD
> > tree. I need people to test the latest snapshot (9/14 at of right now)
> > and report success or failure on compiling.

> irix 6.5 - compiled fine.

Really? 1 error detected in the compilation of "rijndael.c" in openssh-SNAP-20010915.

% uname -aR
IRIX64 sea.ayamura.org 6.5 6.5.13f 07091544 IP28
% cc -version
MIPSpro Compilers: Version 7.3.1.2m, Patch 4268

% cc -O2 -OPT:Olimit=0 -I. -I/usr/local/ssl/include -I/usr/local/include ... -DHAVE_CONFIG_H -c rijndael.c

cc-1020 cc: ERROR File = rijndael.h, Line = 45
  The identifier "u_char" is undefined.

  void rijndael_set_key(rijndael_ctx *, u_char *, int, int);
                                        ^

cc-1020 cc: ERROR File = rijndael.h, Line = 46
  The identifier "u_char" is undefined.

  void rijndael_decrypt(rijndael_ctx *, u_char *, u_char *);
                                        ^

cc-1020 cc: ERROR File = rijndael.h, Line = 46
  The identifier "u_char" is undefined.

  void rijndael_decrypt(rijndael_ctx *, u_char *, u_char *);
                                                  ^

cc-1020 cc: ERROR File = rijndael.h, Line = 47
  The identifier "u_char" is undefined.

  void rijndael_encrypt(rijndael_ctx *, u_char *, u_char *);
                                        ^

cc-1020 cc: ERROR File = rijndael.h, Line = 47
  The identifier "u_char" is undefined.

  void rijndael_encrypt(rijndael_ctx *, u_char *, u_char *);
                                                  ^

cc-1020 cc: ERROR File = rijndael.c, Line = 1218
  The identifier "u_char" is undefined.

  rijndael_set_key(rijndael_ctx *ctx, u_char *key, int bits, int encrypt)
                                      ^

cc-1020 cc: ERROR File = rijndael.c, Line = 1232
  The identifier "u_char" is undefined.

  rijndael_decrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
                                      ^

cc-1020 cc: ERROR File = rijndael.c, Line = 1232
  The identifier "u_char" is undefined.

  rijndael_decrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
                                                   ^

cc-1020 cc: ERROR File = rijndael.c, Line = 1238
  The identifier "u_char" is undefined.

  rijndael_encrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
                                      ^

cc-1020 cc: ERROR File = rijndael.c, Line = 1238
  The identifier "u_char" is undefined.

  rijndael_encrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
                                                   ^

-- Ayamura KIKUCHI, M.D., Ph.D.
On Fri, Sep 14, 2001 at 06:24:13PM -0500, mouring at etoh.eviladmin.org wrote:> > http://bass.directhit.com/openssh_snap/ > > Starting tonight I plan on tracking changes very closely with the OpenBSD > tree. I need people to test the latest snapshot (9/14 at of right now) > and report success or failure on compiling. > > I am starting this now because we are looking at a code freeze soon and I > really want to ensure it compiles and runs on all existing platforms. So > we (the portable group) is not rushing to get a release out of the door. > > Anyone with AES issues in 2.9pX (Cray, NeXT FAT binary, etc) please test > to see if the current snapshot supports your platform correctly.At least one additional include is needed in rijndael.c to compile on Cygwin: Index: rijndael.c ==================================================================RCS file: /cvs/openssh_cvs/rijndael.c,v retrieving revision 1.11 diff -u -p -r1.11 rijndael.c --- rijndael.c 2001/09/14 02:47:34 1.11 +++ rijndael.c 2001/09/15 08:53:47 @@ -23,6 +23,7 @@ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include <sys/types.h> #include <stdlib.h> #include <string.h> Otherwise u_char isn't defined. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
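Review bot: the hunk adds `#include <sys/types.h>` to rijndael.c directly, but in the portable tree u_char is also supplied by defines.h (pulled in through includes.h and config.h) on platforms whose <sys/types.h> lacks it, as the `defines.h:242: warning: redefinition of 'u_char'` report later in this thread shows; including "includes.h" as the first include, the way the other source files do, covers both the Cygwin/IRIX case and the platforms that rely on the defines.h shim, and keeps the portability handling in one place rather than adding a second, file-local path to the same typedef.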
rijndael.c does not include includes.h

On Sat, Sep 15, 2001 at 05:20:36PM +0900, Ayamura KIKUCHI wrote:
> > > Starting tonight I plan on tracking changes very closely with the OpenBSD
> > > tree. I need people to test the latest snapshot (9/14 at of right now)
> > > and report success or failure on compiling.
>
> > irix 6.5 - compiled fine.
>
> Really? 1 error detected in the compilation of "rijndael.c
> in openssh-SNAP-20010915.
>
> % uname -aR
> IRIX64 sea.ayamura.org 6.5 6.5.13f 07091544 IP28
> % cc -version
> MIPSpro Compilers: Version 7.3.1.2m, Patch 4268
>
> % cc -O2 -OPT:Olimit=0 -I. -I/usr/local/ssl/include
> -I/usr/local/include ... -DHAVE_CONFIG_H -c rijndael.c
>
> cc-1020 cc: ERROR File = rijndael.h, Line = 45
> The identifier "u_char" is undefined.
>
> void rijndael_set_key(rijndael_ctx *, u_char *, int, int);
> ^
> cc-1020 cc: ERROR File = rijndael.h, Line = 46
> The identifier "u_char" is undefined.
>
> void rijndael_decrypt(rijndael_ctx *, u_char *, u_char *);
> ^
> cc-1020 cc: ERROR File = rijndael.h, Line = 46
> The identifier "u_char" is undefined.
>
> void rijndael_decrypt(rijndael_ctx *, u_char *, u_char *);
> ^
> cc-1020 cc: ERROR File = rijndael.h, Line = 47
> The identifier "u_char" is undefined.
>
> void rijndael_encrypt(rijndael_ctx *, u_char *, u_char *);
> ^
> cc-1020 cc: ERROR File = rijndael.h, Line = 47
> The identifier "u_char" is undefined.
>
> void rijndael_encrypt(rijndael_ctx *, u_char *, u_char *);
> ^
> cc-1020 cc: ERROR File = rijndael.c, Line = 1218
> The identifier "u_char" is undefined.
>
> rijndael_set_key(rijndael_ctx *ctx, u_char *key, int bits, int encrypt)
> ^
> cc-1020 cc: ERROR File = rijndael.c, Line = 1232
> The identifier "u_char" is undefined.
>
> rijndael_decrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
> ^
> cc-1020 cc: ERROR File = rijndael.c, Line = 1232
> The identifier "u_char" is undefined.
>
> rijndael_decrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
> ^
> cc-1020 cc: ERROR File = rijndael.c, Line = 1238
> The identifier "u_char" is undefined.
>
> rijndael_encrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
> ^
> cc-1020 cc: ERROR File = rijndael.c, Line = 1238
> The identifier "u_char" is undefined.
>
> rijndael_encrypt(rijndael_ctx *ctx, u_char *src, u_char *dst)
>
> --
> Ayamura KIKUCHI, M.D., Ph.D.
On Fri, 14 Sep 2001 mouring at etoh.eviladmin.org wrote:
> http://bass.directhit.com/openssh_snap/
> Starting tonight I plan on tracking changes very closely with the OpenBSD
> tree. I need people to test the latest snapshot (9/14 at of right now)
> and report success or failure on compiling.
>
> I am starting this now because we are looking at a code freeze soon and I
> really want to ensure it compiles and runs on all existing platforms. So
> we (the portable group) is not rushing to get a release out of the door.

Compiled & run fine on RHL62 and RHL72beta. A couple of issues (mostly just fine-tuning :-)..

1) It would be nice if the init scripts took advantage of the new sshd -t feature. Patch attached. The failure will look like:

# ./sshd restart
/etc/ssh/sshd_config: line 11: Bad configuration option: Unf
/etc/ssh/sshd_config: terminating, 1 bad configuration options
                                                           [FAILED]

and the syslog output will be:

Sep 15 12:46:48 haukka sshd: Configuration file or keys failed

(Note that keys almost never should fail, as they are autogenerated if missing or support is disabled..)

2) Merging the latest Red Hat openssh spec file and the current one a bit. XXX: ssh-keyscan is in both openssh and openssh-clients; I removed it from openssh, your mileage may vary. If there is a will, I could try to merge these further.

3) Taking package descriptions from the latest Red Hat spec; IMO these are a bit better, -askpass, -gnome-askpass etc. are too "noisy" at least; as they require OpenSSH, one should not need to explain openssh in those. (Separate patch from above for clarity; this might also be a bit more controversial..)

4) A patch from Red Hat that makes sshd.c do setgroups so that under some circumstances supplemental groups are removed (the cookie attack). May or may not be useful. I fixed a warning in this one, in the ambiguous if - if - else structure.

5) It might be time to remove --with-ipv4-default, at least for redhat7, but this is a policy decision..
-- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------- next part -------------- Index: sshd.init ==================================================================RCS file: /cvs/openssh_cvs/contrib/redhat/sshd.init,v retrieving revision 1.8 diff -u -r1.8 sshd.init --- sshd.init 2001/04/27 00:46:18 1.8 +++ sshd.init 2001/09/15 09:55:09 @@ -96,6 +96,16 @@ fi fi } +do_restart_sanity_check() { + $SSHD -t + RETVAL=$? + if [ ! "$RETVAL" = 0 ]; then + my_failure "Configuration file or keys" + echo + exit $RETVAL + fi +} + case "$1" in start) @@ -127,12 +137,14 @@ echo ;; restart) + do_restart_sanity_check $0 stop $0 start RETVAL=$? ;; condrestart) if [ -f /var/lock/subsys/sshd ] ; then + do_restart_sanity_check $0 stop $0 start RETVAL=$? -------------- next part -------------- Index: openssh.spec ==================================================================RCS file: /cvs/openssh_cvs/contrib/redhat/openssh.spec,v retrieving revision 1.73 diff -u -r1.73 openssh.spec --- openssh.spec 2001/07/25 00:11:15 1.73 +++ openssh.spec 2001/09/15 09:32:33 
@@ -36,18 +36,21 @@ Version: %{oversion} Release: 1 Packager: Damien Miller <djm at mindrot.org> -URL: http://www.openssh.com/ +URL: http://www.openssh.com/portable.html Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz %if ! %{no_x11_askpass} -Source1: http://www.jmknoble.cx/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +Source1: http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz %endif -Copyright: BSD +License: BSD Group: Applications/Internet BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot Obsoletes: ssh BuildPreReq: perl, openssl-devel, tcp_wrappers BuildPreReq: /bin/login, /usr/include/security/pam_appl.h BuildPreReq: rpm >= 3.0.5 +%if ! %{no_x11_askpass} +BuildPreReq: XFree86-devel +%endif %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif @@ -242,13 +245,10 @@ %files %defattr(-,root,root) -%doc ChangeLog OVERVIEW README* INSTALL -%doc CREDITS LICENCE +%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING* %attr(0755,root,root) %{_bindir}/ssh-keygen %attr(0755,root,root) %{_bindir}/scp -%attr(0755,root,root) %{_bindir}/ssh-keyscan %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* -%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1* %attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0755,root,root) %dir %{_sysconfdir} %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/moduli -------------- next part -------------- --- openssh.spec.1 Sat Sep 15 12:27:22 2001 +++ openssh.spec Sat Sep 15 12:34:02 2001 @@ -31,7 +31,7 @@ %define exact_openssl_version %(rpm -q openssl | cut -d - -f 2) -Summary: OpenSSH free Secure Shell (SSH) implementation +Summary: The OpenSSH implementation of SSH. Name: openssh Version: %{oversion} Release: 1 
@@ -62,13 +62,13 @@ Requires: rpm >= 3.0.5 %package clients -Summary: OpenSSH Secure Shell protocol clients +Summary: OpenSSH clients. Requires: openssh = %{version}-%{release} Group: Applications/Internet Obsoletes: ssh-clients %package server -Summary: OpenSSH Secure Shell protocol server (sshd) +Summary: The OpenSSH server daemon. Group: System Environment/Daemons Obsoletes: ssh-server PreReq: openssh = %{version}-%{release}, chkconfig >= 0.9 
@@ -77,87 +77,55 @@ %endif %package askpass -Summary: OpenSSH X11 passphrase dialog +Summary: A passphrase dialog for OpenSSH and X. Group: Applications/Internet Requires: openssh = %{version}-%{release} Obsoletes: ssh-extras %package askpass-gnome -Summary: OpenSSH GNOME passphrase dialog +Summary: A passphrase dialog for OpenSSH, X, and GNOME. Group: Applications/Internet Requires: openssh = %{version}-%{release} Obsoletes: ssh-extras %description -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and +SSH (Secure SHell) is a program for logging into and executing +commands on a remote machine. SSH is intended to replace rlogin and +rsh, and to provide secure encrypted communications between two +untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). +OpenSSH is OpenBSD's version of the last free version of SSH, bringing +it up to date in terms of security and features, as well as removing +all patented algorithms to separate libraries. This package includes the core files necessary for both the OpenSSH -client and server. To make this package useful, you should also +client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. %description clients -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. 
X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package includes the clients necessary to make encrypted connections -to SSH servers. +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package includes +the clients necessary to make encrypted connections to SSH servers. +You'll also need to install the openssh package on OpenSSH clients. %description server -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package contains the secure shell daemon. The sshd is the server -part of the secure shell protocol and allows ssh clients to connect to -your host. +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +the secure shell daemon (sshd). The sshd daemon allows SSH clients to +securely connect to your SSH server. You also need to have the openssh +package installed. %description askpass -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. 
X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package contains Jim Knoble's <jmknoble at jmknoble.cx> X11 passphrase -dialog. +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +an X11 passphrase dialog for OpenSSH. %description askpass-gnome -Ssh (Secure Shell) a program for logging into a remote machine and for -executing commands in a remote machine. It is intended to replace -rlogin and rsh, and provide secure encrypted communications between -two untrusted hosts over an insecure network. X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. - -OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all -patented algorithms to separate libraries (OpenSSL). - -This package contains the GNOME passphrase dialog. +OpenSSH is a free version of SSH (Secure SHell), a program for logging +into and executing commands on a remote machine. This package contains +an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop +environment. %prep -------------- next part -------------- Fix one piece of zen-parse at gmx.net's advisory on cookie files. Index: sshd.c ==================================================================RCS file: /cvs/openssh_cvs/sshd.c,v retrieving revision 1.161 diff -u -r1.161 sshd.c --- sshd.c 2001/09/12 16:58:05 1.161 +++ sshd.c 2001/09/15 10:09:57 
@@ -776,6 +776,17 @@ #ifdef HAVE_SCO_PROTECTED_PW (void) set_auth_parameters(ac, av); #endif + /* Clear out any supplemental groups we may have inherited. This + * prevents inadvertent creation of files with bad modes (in the + * portable version at least, it's certainly possible for a pluggable + * authentication module to create a file, and we can't control the + * code in eery module which might be used). */ + if (setgroups(0, NULL) < 0) { + if (debug_flag) + error("setgroups() failed: %.200s", strerror(errno)); + else + fatal("setgroups() failed: %.200s", strerror(errno)); + } /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag)
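Review bot: sshd.init, `do_restart_sanity_check`: exiting the whole script when `$SSHD -t` fails is right for restart and condrestart (the running daemon is left untouched), but the check is not applied to `start`, so a bad config at boot still surfaces only through sshd's own failure; consider calling it from `start` as well. Minor: `if [ ! "$RETVAL" = 0 ]` reads better as `if [ "$RETVAL" -ne 0 ]`, and the `my_failure "Configuration file or keys"` text could point at the preceding -t output, which already says which file and line is wrong.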
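Review bot: openssh.spec (first patch), the @@ -242 %files hunk removes `%{_bindir}/ssh-keyscan` and its man page from the base package; that is only safe if both stay listed under `%files clients`, otherwise the build stops on unpackaged files or the binary disappears from the installed set, so please confirm the clients file list before this is merged. The header changes (`License:` for `Copyright:`, the `XFree86-devel` BuildPreReq under `! %{no_x11_askpass}`, the expanded `%doc` list with RFC* TODO WARNING*) are consistent with the rest of the file.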
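Review bot: openssh.spec (description patch), the new `Summary:` lines all end with a period ("The OpenSSH implementation of SSH.", "OpenSSH clients.", "The OpenSSH server daemon."), which rpmlint reports as summary-ended-with-dot; drop the periods. In the %description hunks the rewritten text loses the one concrete fact the old text had, that the patented algorithms were moved into OpenSSL ("to separate libraries" now names none), and the clients description's closing sentence, "You'll also need to install the openssh package on OpenSSH clients.", is circular; "on the client machine" says what is meant.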
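Review bot: sshd.c @@ -776, the `setgroups(0, NULL)` call runs unconditionally, and setgroups() needs root (EPERM otherwise), so an sshd started by an unprivileged user on a high port, a common way to test a build, now dies with "setgroups() failed" unless -d is given; guard it with `if (geteuid() == 0)` or make the non-debug path non-fatal. Two smaller points: the comment has a typo ("eery" for "every"), and the call needs the setgroups prototype in scope (<grp.h> on glibc, <unistd.h> on the BSDs), so check the includes and consider a configure test for platforms without setgroups() at all.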
On Fri, 14 Sep 2001 mouring at etoh.eviladmin.org wrote:> I am starting this now because we are looking at a code freeze soon and I > really want to ensure it compiles and runs on all existing platforms.I've compiled the cvs version on Linux Mandrake 8.0 and Solaris x86 2.6 with some minor problems on Solaris. Back in revision 1.133 of session.c, the conditional prototype for do_pre_login() was removed. This either needs to go back into the file, or the do_pre_login() function needs to be moved up in session.c above do_exec_pty(). Here's a patch for the former option: Index: session.c --- session.c 2001/09/15 02:25:54 1.146 +++ session.c 2001/09/15 19:18:00 @@ -129,6 +129,9 @@ void do_exec_no_pty(Session *, const char *); void do_exec(Session *, const char *); void do_login(Session *, const char *); +#ifdef LOGIN_NEEDS_UTMPX +static void do_pre_login(Session *s); +#endif void do_child(Session *, const char *); void do_motd(void); int check_quietlogin(Session *, const char *); And, in revision 1.6 of sshlogin.h, the prototype for record_utmp_only() was removed. This either needs to be restored, or an extern prototype for the function added to session.c inside the do_pre_login() function. Here's a patch for the former choice: Index: sshlogin.h --- sshlogin.h 2001/07/04 04:46:58 1.6 +++ sshlogin.h 2001/09/15 19:31:44 
@@ -17,6 +17,11 @@ void record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *); +#ifdef LOGIN_NEEDS_UTMPX +void +record_utmp_only(pid_t, const char *, const char *, + const char *, struct sockaddr *); +#endif void record_logout(pid_t, const char *); u_long get_last_login_time(uid_t, const char *, char *, u_int); Also, the bugs I reported back on June 6 in the LOGIN_NEEDS_UTMPX handling are still there. The following patch combines the two patches I sent back then (and resent together recently). This only affects UseLogin=yes on LOGIN_NEEDS_UTMPX systems (currently only Solaris, but I think that the configure section for Unicos also needs to set this define -- Wendy?). This patch doesn't affect the normal (non- LOGIN_NEEDS_UTMPX) processing at all, so it's quite safe. Index: loginrec.c --- loginrec.c 2001/08/06 23:29:17 1.34 +++ loginrec.c 2001/08/21 17:53:43 @@ -448,6 +448,8 @@ login_utmp_only(struct logininfo *li) { li->type = LTYPE_LOGIN; + /* set the timestamp */ + login_set_current_time(li); # ifdef USE_UTMP utmp_write_entry(li); # endif @@ -456,9 +458,10 @@ # endif # ifdef USE_UTMPX utmpx_write_entry(li); -# endif -# ifdef USE_WTMPX +# else +# ifdef USE_WTMPX wtmpx_write_entry(li); +# endif # endif return 0; } ..wayne..
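Review bot: the session.c hunk declares do_pre_login() as `static void` under `#ifdef LOGIN_NEEDS_UTMPX`, which must match the definition later in session.c (a static declaration paired with a non-static definition, or the reverse, is rejected by strict compilers); it also overlaps with the unconditional `void do_pre_login(Session *);` prototype posted earlier in this thread for the same Solaris failure, so the two should be reconciled into one before either is committed. The sshlogin.h hunk has the same requirement: its `#ifdef LOGIN_NEEDS_UTMPX` guard around the record_utmp_only() prototype should match the guard around the definition.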
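Review bot: loginrec.c, second hunk (@@ -456): turning the two independent `# ifdef USE_UTMPX` / `# ifdef USE_WTMPX` blocks into an if/else means wtmpx_write_entry() is no longer called when both macros are defined, whereas before both entries were written; that is asymmetric with the USE_UTMP block above it and the message does not say why a function named login_utmp_only() should write wtmpx only in the non-utmpx configuration, so add a comment stating the intent and say which configuration (Solaris, as the only LOGIN_NEEDS_UTMPX system named here) it was tested on. The `login_set_current_time(li);` addition in the first hunk is fine.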
On 01-09-14 mouring at etoh.eviladmin.org wrote:
> http://bass.directhit.com/openssh_snap/
> Starting tonight I plan on tracking changes very closely with the OpenBSD
> tree. I need people to test the latest snapshot (9/14 at of right now)

Is this source identical with the current cvs code? I ask because with the current code from cvs I get a lot of these warnings:

|/usr/include/sys/types.h:34: warning: `u_char' previously declared here
|gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local -DETCDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/bin/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c auth-rh-rsa.c
|In file included from config.h:779,
|                 from includes.h:22,
|                 from auth-rh-rsa.c:15:
|defines.h:242: warning: redefinition of `u_char'
|/usr/include/sys/types.h:34: warning: `u_char' previously declared here

Christian
--
A good reputation is more valuable than money.
-- Publilius Syrus