OpenSSH 3.2.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Changes:
================

- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
  see UsePrivilegeSeparation in sshd(8) and
  http://www.citi.umich.edu/u/provos/ssh/privsep.html
  for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger

Other Changes:
=============

- improved smartcard support (including support for OpenSC, see www.opensc.org)
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from ssh.com software).
- client side support for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time

Reporting Bugs:
==============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

On Fri, May 17, 2002 at 12:36:22AM +0200, Markus Friedl wrote:
> OpenSSH 3.2.2 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.

Sigh. I'm somewhat annoyed. Sorry.

Why has the setgroups() call been added to sshd.c a week ago w/o asking
for further testing? It doesn't exist in Cygwin. All other setgroups()
calls are #ifndef'd HAVE_CYGWIN. Why not this one?

Now this error which screws up building ssh on Cygwin is in an official
release. :-(((((

Grrr,
Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

On Friday 17 May 2002 00:36, Markus Friedl wrote:
> OpenSSH 3.2.2 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.

Do you plan to add chrooting to OpenSSH shortly? Chrooting is, IMHO, the
most wanted add-on feature.

Cheers,
Jean-Michel POURE

Denis Ducamp
2002-May-17 13:43 UTC
UsePrivilegeSeparation doesn't work on Linux 2.2.x [Re: OpenSSH 3.2.2 released]
On Fri, May 17, 2002 at 12:36:22AM +0200, Markus Friedl wrote:
> - experimental support for privilege separation,
>   see UsePrivilegeSeparation in sshd(8) and
>   http://www.citi.umich.edu/u/provos/ssh/privsep.html
>   for more information.

This is a very good feature and I want to thank again Niels Provos and
others for their work on it.

I tested it during snapshot and it worked well on my non-production
systems, but this morning I couldn't make it work on some of my
production systems. In fact the difference is the Linux kernel version:
2.4.x vs 2.2.x

UsePrivilegeSeparation works on all my slackware 8.0 linux 2.4.17 glibc 2.2.3

UsePrivilegeSeparation doesn't work on the following systems, with the
same result:
. slackware 7.1-cur linux 2.2.19pre16 glibc 2.2.2
. slackware 7.1 linux 2.2.19 glibc 2.1.3
. redhat 6.0 linux 2.2.19 glibc 2.1.1
. debian 3.0 linux 2.2.20 glibc 2.2.5

All configured with:
./configure --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --with-md5-passwords --disable-suid-ssh

Here is the sshd dump:

root at server:openssh-3.2.2p1# ./sshd -p 28 -d -D -o 'UsePrivilegeSeparation yes'
debug1: sshd version OpenSSH_3.2.2p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 28 on 0.0.0.0.
Server listening on 0.0.0.0 port 28.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
setsid: Operation not permitted
Connection from 62.4.21.62 port 3247
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.2p1
mmap(65536)
debug1: Calling cleanup 0x8068954(0x0)
root at server:openssh-3.2.2p1#

Here is what strace can see (on the debian system):

fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 ENOSYS (Function not implemented)
old_mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 EINVAL (Invalid argument)
write(2, "mmap(65536)\r\n", 13mmap(65536)
) = 13
write(2, "debug1: Calling cleanup 0x806ae9"..., 40debug1: Calling cleanup 0x806ae9c(0x0)
) = 40
shutdown(4, 2 /* send and receive */) = 0
close(4) = 0
_exit(255) = ?

The connection is made with a simple 'ssh server -p 28' and the result
is the same in sshv1/2 with publickey/password authentication.

Best regards,

Denis Ducamp.

-- 
Denis.Ducamp at hsc.fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
Owl/Openwall/snort/hping/dsniff in French http://www.groar.org/trad/
Owl in French http://www.openwall.com/Owl/fr/
On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html

Niels Provos
2002-May-17 14:16 UTC
UsePrivilegeSeparation doesn't work on Linux 2.2.x [Re: OpenSSH 3.2.2 released]
On Fri, May 17, 2002 at 03:43:30PM +0200, Denis Ducamp wrote:
> fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
> socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
> fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> fcntl(7, F_SETFD, FD_CLOEXEC) = 0
> mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 ENOSYS (Function not implemented)
> old_mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 EINVAL (Invalid argument)
> write(2, "mmap(65536)\r\n", 13mmap(65536)
> ) = 13
> write(2, "debug1: Calling cleanup 0x806ae9"..., 40debug1: Calling cleanup 0x806ae9c(0x0)
> ) = 40
> shutdown(4, 2 /* send and receive */) = 0

That looks more like a kernel problem to me. It does not know about the
mmap2 system call. That is sort of pretty weird. Did you use pre-compiled
binaries or did you compile it yourself?

And then it seems that the fallback old_mmap does not like one of the
parameters. You need to see what API changed in Linux to make this
break.

Niels.

On Fri, May 17, 2002 at 12:36:22AM +0200, Markus Friedl wrote:
> - experimental support for privilege separation,
>   see UsePrivilegeSeparation in sshd(8) and
>   http://www.citi.umich.edu/u/provos/ssh/privsep.html
>   for more information.

I can't get this working on AIX 5.1:

./configure --prefix=/usr/openssh --sysconfdir=/etc/openssh --disable-suid-ssh

OpenSSH has been configured with the following options:
User binaries: /usr/openssh/bin
System binaries: /usr/openssh/sbin
Configuration files: /etc/openssh
Askpass program: /usr/openssh/libexec/ssh-askpass
Manual pages: /usr/openssh/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: ssh-rand-helper
ssh-rand-helper collects from: Command hashing (timeout 200)

Host: powerpc-ibm-aix5.1.0.0
Compiler: cc
Compiler flags: -g
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
Libraries: -lz -lcrypto

# /usr/openssh/sbin/sshd -p 2022 -d -D -o 'UsePrivilegeSeparation yes'
debug1: sshd version OpenSSH_3.2.2p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
setsid: Not owner
Connection from 217.13.1.91 port 38497
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.2p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1534/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1617/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user janfrode service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for janfrode from 217.13.1.91 port 38497 ssh2
Failed none for janfrode from 217.13.1.91 port 38497 ssh2
debug1: userauth-request for user janfrode service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 50012/50012 (e=0)
debug1: trying public key file /home/parallab/plab/janfrode/.ssh/authorized_keys
debug1: matching key found: file /home/parallab/plab/janfrode/.ssh/authorized_keys, line 2
Found matching DSA key: d6:73:c1:54:51:df:56:18:43:8c:ca:fd:ec:a1:c4:4b
debug1: restore_uid
Postponed publickey for janfrode from 217.13.1.91 port 38497 ssh2
debug1: userauth-request for user janfrode service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 50012/50012 (e=0)
debug1: trying public key file /home/parallab/plab/janfrode/.ssh/authorized_keys
debug1: matching key found: file /home/parallab/plab/janfrode/.ssh/authorized_keys, line 2
Found matching DSA key: d6:73:c1:54:51:df:56:18:43:8c:ca:fd:ec:a1:c4:4b
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
Accepted publickey for janfrode from 217.13.1.91 port 38497 ssh2
Accepted publickey for janfrode from 217.13.1.91 port 38497 ssh2
debug1: monitor_child_preauth: janfrode has been authenticated by privileged process
debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 8 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/10
debug1: Ignoring unsupported tty mode opcode 13 (0xd)
debug1: Ignoring unsupported tty mode opcode 18 (0x12)
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: rfd 11 isatty
debug1: fd 11 setting O_NONBLOCK
setsid: Operation not permitted.
debug1: session_by_tty: session 0 tty /dev/pts/10
debug1: session_pty_cleanup: session 0 release /dev/pts/10
Connection closed by remote host.
debug1: channel_free: channel 0: server-session, nchannels 1
debug1: session_close: session 0 pid 49666
Closing connection to 217.13.1.91
debug1: session_by_tty: unknown tty /dev/pts/10
debug1: dump: used 0 session 0 200326c0 channel -1 pid 29204
debug1: dump: used 0 session 0 2003285c channel 0 pid 0
debug1: dump: used 0 session 0 200329f8 channel 0 pid 0
debug1: dump: used 0 session 0 20032b94 channel 0 pid 0
debug1: dump: used 0 session 0 20032d30 channel 0 pid 0
debug1: dump: used 0 session 0 20032ecc channel 0 pid 0
debug1: dump: used 0 session 0 20033068 channel 0 pid 0
debug1: dump: used 0 session 0 20033204 channel 0 pid 0
debug1: dump: used 0 session 0 200333a0 channel 0 pid 0
debug1: dump: used 0 session 0 2003353c channel 0 pid 0

On the client side I get the /etc/motd printed, and then the connection
is closed.

Any hints to what I might be doing wrong?

-jf