Outside the pre-auth patch by Markus to fix Cygwin and a few other platforms, SEND ME (privately) ANY required patch against the latest snapshot. I'm doing the final commits this evening.

Patches that have been temporarily rejected for this release:

- Owl's full patch for SysV Shm if mmap fails
- mmap() on /dev/zero
- mmap() on sparse file

.. Not looked at the BSD/OS 5.0 patch.. tonight when I get home.

Cut off.. 9pm CST. (5 and 1/2 hours). At that time I'll throw an openssh*.tar.gz tar ball out for people to do quick tests on to ensure nothing else was broken.

I know this has been a strain on some people.. =) Just have a coke and rum and relax if your platform works. I know I'll be breaking out the whiskey as soon as I get home.

- Ben
On Tue, 2002-06-25 at 14:30, Ben Lindstrom wrote:
> Patches that have been temporarily rejected for this release.
>
> - Owl's full patch for SysV Shm if mmap fails
> - mmap() on /dev/zero
> - mmap() on sparse file

Will the RH6.2 builds automatically turn off compression?

--
John Hardin <johnh at aproposretail.com>          Internal Systems Administrator
Apropos Retail Management Systems, Inc.        voice: (425) 672-1304
                                               fax:   (425) 672-0192
-----------------------------------------------------------------------
 Any time that PR dominates the information stream, you can't trust the
 information.
                                              - CRYPTO-GRAM 01/2002
-----------------------------------------------------------------------
 5 days until First Class postage goes up to 37 cents
I've just committed a change suggested by Markus that disables post-auth privsep on platforms that can't pass fd's.

I've added AC_DEFINE(BROKEN_FD_PASSING) to Cygwin, Cray, and SCO.

Would some DEC people look over configure.ac and suggest some changes to address the versions that need AC_DEFINE(BROKEN_FD_PASSING)? The e-mail I've seen seems to indicate that not all versions need it.

--
Tim Rice                Multitalents                (707) 887-1469
tim at multitalents.net
Ben Lindstrom wrote: [about a test tarball]
> http://www.eviladmin.org/~mouring/openssh.tar.gz

That seems to work fine on AIX 4.3.3. I'll beat on it a bit more but it looks good.

$ uname -s; oslevel
AIX
4.3.3.0
$ ps -eaf |grep sshd
 dtucker  5164 10828   1 12:08:09  pts/0  0:00 grep sshd
 dtucker  9252  9632   0 12:07:55      -  0:00 /usr/local/sbin/sshd
    root  9632 11516   0 12:07:47      -  0:00 /usr/local/sbin/sshd
    root 11516     1   0 12:04:24      -  0:03 /usr/local/sbin/sshd

I'd like to thank you and the rest of the team for doing such a great job with openssh in general and the handling of this upcoming problem in particular. I imagine it's not easy.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Well, back to 3.1p1....

Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:54:26 EST 2000 sparc unknown
------------------------------------------------------------------------
During the install of 3.4p1 I saw:

[snip]
./mkinstalldirs /var/empty
chmod 0700 /var/empty
[snip]
id sshd || \
echo "WARNING: Privilege separation user \"sshd\" does not exist"
uid=9999(sshd) gid=9999(sshd) groups=9999(sshd)

------------------------------------------------------------------------
When attempting to run I see:

[root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d
This platform does not support both privilege separation and compression
Compression disabled
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Bad owner or mode for /var/empty
[root at ns1 openssh-3.4p1]# ls -l /usr/local/sbin/sshd
-rwxr-xr-x   1 root     root       801476 Jun 26 11:36 /usr/local/sbin/sshd
[root at ns1 openssh-3.4p1]# ls -lag /var/empty
total 5
drwx------   2 sshd     sshd         1024 Jun 25 16:13 .
drwxr-xr-x  19 root     root         1024 Jun 25 16:13 ..
-rw-r--r--   1 sshd     sshd           24 Jun 25 16:13 .bash_logout
-rw-r--r--   1 sshd     sshd          230 Jun 25 16:13 .bash_profile
-rw-r--r--   1 sshd     sshd          124 Jun 25 16:13 .bashrc
[root at ns1 openssh-3.4p1]#

------------------------------------------------------------------------
Built --with-pam, so:

[root at ns1 openssh-3.4p1]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok md5
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

[root at ns1 openssh-3.4p1]# grep ssh /etc/shadow /etc/passwd /etc/group
/etc/shadow:sshd:!!:11863:0:99999:7:::
/etc/passwd:sshd:x:9999:9999::/var/empty:/bin/bash
/etc/group:sshd:x:9999:
chown root:root /var/empty

On Wed, 26 Jun 2002, Bob Van Cleef wrote:

> Well, back to 3.1p1....
>
> Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:54:26 EST 2000 sparc unknown
> ------------------------------------------------------------------------
> During the install of 3.4p1 I saw:
>
> [snip]
> ./mkinstalldirs /var/empty
> chmod 0700 /var/empty
> [snip]
> id sshd || \
> echo "WARNING: Privilege separation user \"sshd\" does not exist"
> uid=9999(sshd) gid=9999(sshd) groups=9999(sshd)
>
> ------------------------------------------------------------------------
> When attempting to run I see:
>
> [root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d
> This platform does not support both privilege separation and compression
> Compression disabled
> debug1: sshd version OpenSSH_3.4p1
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> Bad owner or mode for /var/empty
> [root at ns1 openssh-3.4p1]# ls -l /usr/local/sbin/sshd
> -rwxr-xr-x   1 root     root       801476 Jun 26 11:36 /usr/local/sbin/sshd
> [root at ns1 openssh-3.4p1]# ls -lag /var/empty
> total 5
> drwx------   2 sshd     sshd         1024 Jun 25 16:13 .
> drwxr-xr-x  19 root     root         1024 Jun 25 16:13 ..
> -rw-r--r--   1 sshd     sshd           24 Jun 25 16:13 .bash_logout
> -rw-r--r--   1 sshd     sshd          230 Jun 25 16:13 .bash_profile
> -rw-r--r--   1 sshd     sshd          124 Jun 25 16:13 .bashrc
> [root at ns1 openssh-3.4p1]#
>
> ------------------------------------------------------------------------
> Built --with-pam, so:
>
> [root at ns1 openssh-3.4p1]# cat /etc/pam.d/sshd
> #%PAM-1.0
> auth       required     /lib/security/pam_pwdb.so shadow nodelay
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok md5
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so
>
> [root at ns1 openssh-3.4p1]# grep ssh /etc/shadow /etc/passwd /etc/group
> /etc/shadow:sshd:!!:11863:0:99999:7:::
> /etc/passwd:sshd:x:9999:9999::/var/empty:/bin/bash
> /etc/group:sshd:x:9999:

--
Tim Rice                Multitalents                (707) 887-1469
tim at multitalents.net
On Wed, 26 Jun 2002, Tim Rice wrote:
> chown root:root /var/empty

Thank you - that fixed the problem. So, for the record, sparc linux RH 6.2 works....

Thank you all!

> > Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:54:26 EST 2000 sparc unknown

[root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d
This platform does not support both privilege separation and compression
Compression disabled
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Invalid argument
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.86.6.8 port 1476
debug1: Client protocol version 1.5; client software version 1.2.25
debug1: match: 1.2.25 pat 1.2.1*,1.2.2*,1.2.3*
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for vancleef.
debug1: Starting up PAM with username "vancleef"
debug1: PAM setting rhost to "pan-6.microunity.com"
debug1: PAM Password authentication for "vancleef" failed[7]: Authentication failure
Failed none for vancleef from 192.86.6.8 port 1476
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: trying public RSA key file /home/vancleef/.ssh/authorized_keys
debug1: restore_uid
Failed rsa for vancleef from 192.86.6.8 port 1476
debug1: PAM Password authentication accepted for user "vancleef"
Accepted password for vancleef from 192.86.6.8 port 1476
Accepted password for vancleef from 192.86.6.8 port 1476
debug1: monitor_child_preauth: vancleef has been authenticated by privileged process
debug1: PAM establishing creds
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: session_new: init
debug1: session_new: session 0
debug1: Installing crc compensation attack detector.
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/3
debug1: Ignoring unsupported tty mode opcode 16 (0x10)
debug1: Ignoring unsupported tty mode opcode 17 (0x11)
Setting tty modes failed: Invalid argument
debug1: PAM setting tty to "/dev/pts/3"
debug1: PAM establishing creds
debug1: fd 4 setting TCP_NODELAY
debug1: Entering interactive session.
debug1: Setting controlling tty using TIOCSCTTY.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 10 setting O_NONBLOCK
debug1: fd 11 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: Received SIGCHLD.
debug1: End of interactive session; stdin 5, stdout (read 781, sent 781), stderr 0 bytes.
debug1: Command exited with status 0.
debug1: Received exit confirmation.
debug1: session_close: session 0 pid 6665
debug1: session_by_tty: session 0 tty /dev/pts/3
debug1: session_pty_cleanup: session 0 release /dev/pts/3
Closing connection to 192.86.6.8
[root at ns1 openssh-3.4p1]#
On Wed, Jun 26, 2002 at 05:00:48PM -0300, Andreas Hasenack wrote:
> Em Wed, Jun 26, 2002 at 12:50:59PM -0700, Tim Rice escreveu:
> > Shall we patch Makefile.in ?
> >
> > --- Makefile.in.old	Tue Jun 25 16:45:42 2002
> > +++ Makefile.in	Wed Jun 26 12:49:25 2002
> > @@ -219,6 +219,7 @@
> >  $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
> >  $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)
> >  chmod 0700 $(DESTDIR)$(PRIVSEP_PATH)
> > + chown 0 $(DESTDIR)$(PRIVSEP_PATH)
>
> Distros will just remove this line again, otherwise they would have to start
> building packages as root.

And uid 0 has no meaning on some systems...

Corinna

--
Corinna Vinschen                  Please, send mails addressed to me to:
Cygwin Developer                                mailto:vinschen at redhat.com
Red Hat, Inc.
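Review bot: the added `chown 0 $(DESTDIR)$(PRIVSEP_PATH)` line makes `make install` fail outright whenever the install is not run as root (the packaged-build-into-$(DESTDIR) case Andreas raises), and uid 0 is not meaningful on every platform, as Corinna notes. The install target already handles the missing privsep user non-fatally (`id sshd || echo "WARNING: Privilege separation user \"sshd\" does not exist"` in the install output quoted earlier in the thread); the chown should follow the same pattern, e.g. `chown 0 $(DESTDIR)$(PRIVSEP_PATH) || echo "WARNING: could not chown $(DESTDIR)$(PRIVSEP_PATH) to root"`, so a non-root staging install still completes and the operator is told what sshd will later refuse ("Bad owner or mode for /var/empty"). Leaving the group untouched is fine: the preceding `chmod 0700` already removes the group/world write bits that sshd checks for.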
On Wed, 26 Jun 2002, Andreas Hasenack wrote:
> Em Wed, Jun 26, 2002 at 12:50:59PM -0700, Tim Rice escreveu:
> > Shall we patch Makefile.in ?
> >
> > --- Makefile.in.old	Tue Jun 25 16:45:42 2002
> > +++ Makefile.in	Wed Jun 26 12:49:25 2002
> > @@ -219,6 +219,7 @@
> >  $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
> >  $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)
> >  chmod 0700 $(DESTDIR)$(PRIVSEP_PATH)
> > + chown 0 $(DESTDIR)$(PRIVSEP_PATH)
>
> Distros will just remove this line again, otherwise they would have to start
> building packages as root.

Good point. That would mess up buildpkg.sh. Bad idea. :-)

--
Tim Rice                Multitalents                (707) 887-1469
tim at multitalents.net
Previously Andreas Hasenack wrote:
> Distros will just remove this line again, otherwise they would have to start
> building packages as root.

Not if they use fakeroot.

Wichert.

--
  _________________________________________________________________
 /wichert at wiggy.net         This space intentionally left occupied \
| wichert at deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
Circa 2002-Jun-27 13:28:24 +0200 dixit Dag-Erling Smorgrav:

: Thomas Binder <binder at arago.de> writes:
: > Note that make install will create the directory with 0700, while
: > README.privsep propagates 0755. Which mode is the one to use?
:
: FreeBSD uses 0555 with no apparent trouble.

I suspect that the privsep/chroot directory could even be mode 0111. sshd complains about it if (a) either chroot() or the subsequent chdir("/") fails, (b) the privsep directory is owned by anyone other than root, or (c) the privsep directory is either group- or world-writeable.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
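Conditions (b) and (c) above, turned into a stand-alone preflight check an admin can run before starting sshd, as an added example in C (not OpenSSH's own code). It assumes the directory path is given as the first argument, defaulting to the /var/empty path from the install output earlier in the thread; condition (a), the chroot()/chdir("/") failure, is left out because exercising it needs root.

```c
/* Added example, not OpenSSH code: checks a privilege-separation directory
 * the way the thread describes sshd's own test (owner root, not group- or
 * world-writable). "/var/empty" is the path used in the thread's install. */
#include <stdio.h>
#include <sys/stat.h>

/* Return 0 if `path` is an acceptable privsep directory; otherwise write
 * the reason into `why` (at most `whylen` bytes) and return -1. */
int privsep_dir_check(const char *path, char *why, size_t whylen)
{
    struct stat st;

    if (stat(path, &st) != 0) {
        snprintf(why, whylen, "%s: cannot stat", path);
        return -1;
    }
    if (!S_ISDIR(st.st_mode)) {
        snprintf(why, whylen, "%s: not a directory", path);
        return -1;
    }
    /* Condition (b): must be owned by root (uid 0), not by the sshd user. */
    if (st.st_uid != 0) {
        snprintf(why, whylen, "%s: owned by uid %lu, not root",
                 path, (unsigned long)st.st_uid);
        return -1;
    }
    /* Condition (c): neither the group nor the world may write to it. */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        snprintf(why, whylen, "%s: group/world writable (mode %04o)",
                 path, (unsigned)(st.st_mode & 07777));
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char why[256];
    const char *path = argc > 1 ? argv[1] : "/var/empty";

    if (privsep_dir_check(path, why, sizeof why) != 0) {
        fprintf(stderr, "Bad owner or mode: %s\n", why);
        return 1;
    }
    printf("%s: ok for privilege separation\n", path);
    return 0;
}
```

Run against the directory from the thread (sshd:sshd, mode 0700) it reports the ownership problem that `chown root:root /var/empty` fixed.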