OpenBSD tree is heading into a lock and this includes OpenSSH. So we are winding up for a 3.5 release. If we can get people to test the current snapshots and report any problems that would improve the odds that your platform won't be broken for 3.5. Issues I know of right now. 1. I can't test NeXT. So I TRULY need someone in that community to test for me. Last I heard there were mmap() detection issues (it was misdetecting it). 2. Tru64 issues. If it has been decided there is no way to get post-authentication going then someone please officially submit the patch to disable it. 3. A solaris issue (which I've not been following sorry, I've been massively distracted) in regards to NULL pointers. 4. The kerb issue wandering around. ... Anything else? Cygwin? AIX? ..etc.. - Ben
Just started a Cygwin compile; got this: configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) *** config.log details are useless; better to specify a minimum version number if that's what we're checking for. --Dan
Cygwin status: Compiles perfect out of cvs. Horrendously laggy console -- totally unusable. SO_NODELAY get nuked? --Dan
ben- i have 4 patches left that have not been added that are absolutely required to work on a cray system. they were part of bug 367, but were not added with the rest. do you want me to close that one and open a new one with only these patches? thanks, wendy diff -cr openssh/auth1.c openssh.cray/auth1.c *** openssh/auth1.c Wed Sep 11 18:47:30 2002 --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002 *************** *** 25,32 **** --- 25,36 ---- #include "channels.h" #include "session.h" #include "uidswap.h" + #if defined(_CRAY) && ! defined(_CRAYSV2) + #include <ia.h> + #endif /* _CRAY */ #include "monitor_wrap.h" + /* import */ extern ServerOptions options; *************** *** 303,308 **** --- 307,321 ---- if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); + + # if defined(_CRAY) && ! defined(_CRAYSV2) + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) + cray_login_failure(authctxt->user, IA_UDBERR); + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } + #endif /* _CRAY */ #ifdef HAVE_CYGWIN if (authenticated && diff -cr openssh/auth2.c openssh.cray/auth2.c *** openssh/auth2.c Wed Sep 4 01:37:27 2002 --- openssh.cray/auth2.c Mon Sep 23 12:39:15 2002 *************** *** 35,40 **** --- 35,43 ---- #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" + #if defined(_CRAY) && ! 
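Review bot: In the auth1.c hunk at line 303, `authenticated = 0;` inside the `cray_access_denied()` branch is a dead store, because the `fatal()` on the following line does not return; the same pair appears in the auth2.c hunk at line 216 and should be treated the same way. Either drop the assignment, or, if the intent is to refuse the login through the normal failure path rather than tear down the connection, replace `fatal()` with a non-fatal log call and let `authenticated = 0` reach the existing failure handling. Note also that `cray_login_failure(authctxt->user, IA_UDBERR)` runs for every failed SSH_CMSG_AUTH_PASSWORD, including attempts against names the preceding `authctxt->valid` check treats as non-existent; whether that helper tolerates an unknown user is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.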
defined(_CRAYSV2) + #include <ia.h> + #endif /* _CRAY */ /* import */ extern ServerOptions options; *************** *** 216,221 **** --- 219,231 ---- authenticated = 0; #endif /* USE_PAM */ + #if defined(_CRAY) && !defined(_CRAYSV2) + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } + #endif /* _CRAY */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); *************** *** 235,240 **** --- 245,254 ---- if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } + #if defined(_CRAY) && !defined(_CRAYSV2) + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); + #endif /* _CRAY */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); diff -cr openssh/deattack.c openssh.cray/deattack.c *** openssh/deattack.c Mon Mar 4 19:53:05 2002 --- openssh.cray/deattack.c Mon Sep 23 13:34:01 2002 *************** *** 101,111 **** --- 101,119 ---- if (h == NULL) { debug("Installing crc compensation attack detector."); n = l; + #if defined(_CRAY) && !defined(_CRAYSV2) + h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); + #else h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); + #endif /* _CRAY */ } else { if (l > n) { n = l; + #if defined(_CRAY) && !defined(_CRAYSV2) + h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); + #else h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); + #endif /* _CRAY */ } } *************** *** 128,134 **** --- 136,146 ---- } return (DEATTACK_OK); } + #if defined(_CRAY) && !defined(_CRAYSV2) + for (i=0; i<n; i++) h[i] = HASH_UNUSED; + #else memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); + #endif /* _CRAY */ if (IV) h[HASH(IV) & (n - 1)] = HASH_IV; diff -cr openssh/serverloop.c openssh.cray/serverloop.c *** openssh/serverloop.c Sat Sep 21 10:26:28 2002 --- openssh.cray/serverloop.c Mon Sep 23 13:38:52 2002 *************** 
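Review bot: In the deattack.c hunks at lines 101 and 128, the Cray branches `xmalloc(n * sizeof(u_int16_t))` and `for (i=0; i<n; i++) h[i] = HASH_UNUSED;` are correct on every platform, while the retained `#else` branches size the table as `n * HASH_ENTRYSIZE` and fill it with a byte-wise `memset(h, HASH_UNUSEDCHAR, ...)`, which only agree with the Cray versions when an entry is exactly that many bytes wide. Using `sizeof(*h)` for both `xmalloc`/`xrealloc` and filling with the loop unconditionally would remove the duplicated `#if defined(_CRAY)` blocks and the possibility that allocation and initialisation disagree, leaving part of the CRC-compensation table uninitialised for the detector to read. The fill loop relies on `i` already being declared in the enclosing detect_attack(), which starts and ends outside the hunk.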
*** 144,150 **** --- 144,152 ---- int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; + #if !defined(_CRAY) || defined(_CRAYSV2) mysignal(SIGCHLD, sigchld_handler); + #endif notify_parent(); errno = save_errno; } diff -cr openssh/session.c openssh.cray/session.c *** openssh/session.c Wed Sep 18 20:50:49 2002 --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 *************** *** 57,62 **** --- 57,65 ---- #include "canohost.h" #include "session.h" #include "monitor_wrap.h" + #if defined(_CRAY) && ! defined(_CRAYSV2) + #include <tmpdir.h> + #endif #ifdef HAVE_CYGWIN #include <windows.h> *************** *** 519,528 **** --- 522,538 ---- perror("dup2 stderr"); #endif /* USE_PIPES */ + #if defined(_CRAY) && ! defined(_CRAYSV2) + cray_init_job(s->pw); /* set up cray jid and tmpdir */ + #endif + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } + #if defined(_CRAY) && ! defined(_CRAYSV2) + signal(WJSIGNAL, cray_job_termination_handler); + #endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); *************** *** 611,617 **** --- 621,632 ---- /* record login, etc. 
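Review bot: The serverloop.c hunk at line 144 stops re-arming SIGCHLD inside sigchld_handler on Cray (non-SV2) without saying why, and the `#if !defined(_CRAY) || defined(_CRAYSV2)` form reads as the opposite of every other Cray conditional in this patch. A one-line comment on the `#if` stating the reason, e.g. `/* Cray (non-SV2): <reason the handler need not be re-installed> */`, would stop a later reader from "fixing" it back, since a handler that is not re-armed on a platform that resets it to SIG_DFL would leave child exits unnoticed. sigchld_handler starts and ends outside the hunk.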
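Review bot: In the session.c hunk at line 519, `signal(WJSIGNAL, cray_job_termination_handler);` installs a handler with raw `signal()` while the serverloop.c hunk on this page installs its handler through `mysignal()`; unless WJSIGNAL needs the raw semantics, `mysignal(WJSIGNAL, cray_job_termination_handler);` here and in the matching line of the hunk at line 622 keeps handler behaviour consistent with the rest of sshd. The call is placed in the parent after the fork, so a short comment saying what WJSIGNAL reports and that it is intentionally not installed in the child would help readers without Cray job-control background. The enclosing function starts and ends outside the hunk.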
similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) + { + #if defined(_CRAY) && !defined(_CRAYSV2) + cray_init_job(s->pw); /* set up cray jid and tmpdir */ + #endif /* _CRAY */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); *************** *** 622,627 **** --- 637,645 ---- do_child(s, command); /* NOTREACHED */ } + #if defined(_CRAY) && !defined(_CRAYSV2) + signal(WJSIGNAL, cray_job_termination_handler); + #endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); *************** *** 762,767 **** --- 780,786 ---- printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ + #if !defined(_CRAY) || defined(_CRAYSV2) if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) *************** *** 772,778 **** printf("Last login: %s from %s\r\n", time_string, s->hostname); } ! do_motd(); } --- 791,797 ---- printf("Last login: %s from %s\r\n", time_string, s->hostname); } ! #endif /* _CRAY */ do_motd(); } *************** *** 1031,1036 **** --- 1050,1060 ---- child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); + #if defined(_CRAY) && !defined(_CRAYSV2) + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); + #endif /* _CRAY */ + #ifdef _AIX { char *cp; *************** *** 1281,1286 **** --- 1305,1314 ---- /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; + + #if defined(_CRAY) && !defined(_CRAYSV2) + cray_setup(pw->pw_uid, pw->pw_name, command); + #endif /* _CRAY */ /* * Login(1) does this as well, and it needs uid 0 for the "-h"
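Review bot: The session.c hunk at line 762 wraps the `Last login: ... from ...` report in `#if !defined(_CRAY) || defined(_CRAYSV2)`, silently dropping it on Cray with no comment; that message is the one cue a user has to notice a session they did not start, so if Cray's own login path prints it the `#if` should say so, e.g. `/* Cray (non-SV2): last-login is reported by the system login path */` (confirm before committing), and otherwise the report should stay. The hunk at line 1031 exports `cray_tmpdir` only when it is non-empty, which is right; a comment noting that it is populated by `cray_init_job()` (per the `set up cray jid and tmpdir` comment in the hunks at lines 519 and 611) would help, since it is a file-scope global set elsewhere. The enclosing functions of both hunks start and end outside them.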
On Mon, 23 Sep 2002, Wendy Palm wrote: [snip]> diff -cr openssh/auth1.c openssh.cray/auth1.c > *** openssh/auth1.c Wed Sep 11 18:47:30 2002 > --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002 > + #if defined(_CRAY) && ! defined(_CRAYSV2) > + #include <ia.h> > + #endif /* _CRAY */Is this because ia.h does not exist on _CRAYSV2 ? Or because including ia.h breaks on _CRAYSV2 ? Could we test for ia.h in configure and use HAVE_IA_H ? Same question for openssh/auth2.c> *** openssh/session.c Wed Sep 18 20:50:49 2002 > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 > + #if defined(_CRAY) && ! defined(_CRAYSV2) > + #include <tmpdir.h> > + #endifCan we use HAVE_TMPDIR_H ?
On Mon, Sep 23, 2002 at 12:46:08PM -0700, Dan Kaminsky wrote:> Horrendously laggy console -- totally unusable. SO_NODELAY get nuked?Nagle usage is unchanged. This problem report is useless.
i guess we also ship with PAM password change remaining disabled. have not seen any feedback on solar's patch (which is in the tree but remains #if 0 in auth-pam.c).
Ben Lindstrom wrote:> Issues I know off of right now. > > ... Anything else? Cygwin? AIX? ..etc..There are 2 issues with AIX for which there are fixes that haven't been integrated: 1) http://bugzilla.mindrot.org/show_bug.cgi?id=355 loginsuccess() isn't called on AIX and thus failed login counts are never cleared. This can lead to account lockout. I think this is the right fix (but someone else should check it!): http://bugzilla.mindrot.org/attachment.cgi?id=141&action=view 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397 strsep() is in libc but isn't defined in the headers unless _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the native compiler. Apart from the patch, another option could be to have configure define _LINUX_SOURCE_COMPAT for AIX. Apart from those, I've been running recent builds from CVS on my development systems without problems. I'll re-run the regression tests on AIX & Solaris and post if I find any other problems. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Mon, Sep 23, 2002 at 09:17:57AM -0500, Ben Lindstrom wrote:> ... Anything else? Cygwin? AIX? ..etc..Cygwin version (net release rules) builds perfectly fine. Runs fine. I can't reproduce Dan's speed issues. It's pretty fast on my box. OTOH, how do I run the regression tests? I'm just getting an error message: openssh/src/regress $ make Makefile:67: *** missing separator. Stop. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
On Mon, Sep 23, 2002 at 09:17:57AM -0500, Ben Lindstrom wrote:> OpenBSD tree is heading into a lock and this includes OpenSSH. So we are > winding up for a 3.5 release. If we can get people to test the current > snapshots and report any problems that would improve the odds that your > platform won't be broke for 3.5.When do you plan to release 3.5p1? I have the problem that I'm offline from next Monday up to early November so I'd be unable to create an official Cygwin net release of OpenSSH if it's later than the coming weekend. Just a question, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
Tim Rice wrote:> > On Mon, 23 Sep 2002, Wendy Palm wrote: > > [snip] > > diff -cr openssh/auth1.c openssh.cray/auth1.c > > *** openssh/auth1.c Wed Sep 11 18:47:30 2002 > > --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002 > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > + #include <ia.h> > > + #endif /* _CRAY */ > > Is this because ia.h does not exist on _CRAYSV2 ? > Or because including ia.h breaks on _CRAYSV2 ? > Could we test for ia.h in configure and use HAVE_IA_H ? > > Same question for openssh/auth2.cia.h does not exist on the sv2. yes, can do the check in configure.> > > *** openssh/session.c Wed Sep 18 20:50:49 2002 > > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > + #include <tmpdir.h> > > + #endif > > Can we use HAVE_TMPDIR_H ?however you guys want to do it is fine with me. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154
Markus Friedl wrote:> > On Tue, Sep 24, 2002 at 03:38:40PM -0500, Wendy Palm wrote: > > cray has 64 bit ints, so if HASH_UNUSED is 0xffff, then shift it 8 > > hm, is there a u_int32t, too ?on a pvp cray all ints are 64 bit. char is 8 bit. on a t3e cray, char is 8bit short is 32bit int, long, longlong are 64bit. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154
unsubscribe Barel --- Wendy Palm <wendyp at cray.com> wrote:> Tim Rice wrote: > > > > On Mon, 23 Sep 2002, Wendy Palm wrote: > > > > [snip] > > > diff -cr openssh/auth1.c openssh.cray/auth1.c > > > *** openssh/auth1.c Wed Sep 11 18:47:30 2002 > > > --- openssh.cray/auth1.c Mon Sep 23 > 12:39:06 2002 > > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > > + #include <ia.h> > > > + #endif /* _CRAY */ > > > > Is this because ia.h does not exist on _CRAYSV2 ? > > Or because including ia.h breaks on _CRAYSV2 ? > > Could we test for ia.h in configure and use > HAVE_IA_H ? > > > > Same question for openssh/auth2.c > > ia.h does not exist on the sv2. yes, can do the > check in > configure. > > > > > > *** openssh/session.c Wed Sep 18 20:50:49 2002 > > > --- openssh.cray/session.c Mon Sep 23 > 12:47:35 2002 > > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > > + #include <tmpdir.h> > > > + #endif > > > > Can we use HAVE_TMPDIR_H ? > > however you guys want to do it is fine with me. > > > -- > wendy palm > Cray OS Sustaining Engineering, Cray Inc. > wendyp at cray.com, 651-605-9154 > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev __________________________________________________ Do you Yahoo!? New DSL Internet Access from SBC & Yahoo! http://sbc.yahoo.com
Can someone reply and let me know what the status is on getting the PAM password expiration on Solaris issue working on OpenSSH? Password expiring on our Solaris 7 and 8 servers does not work correctly with OpenSSH. I believe this is a known issue, and was told that it might get resolved in 3.5, but now it sounds like it may not be resolved. I hate to say it, but this is a critical feature for us now and my boss is pressuring me to get it resolved. I am trying to avoid his suggestion of going with commercial SSH and would like to continue using what I like (OpenSSH). Any info on when and/or if this will be resolved with 3.5 would be greatly appreciated. Thanks, Jeff>>> Kevin Steves <kevin at atomicgears.com> 09/25/02 11:46AM >>>On Wed, Sep 25, 2002 at 02:38:12PM +1000, Damien Miller wrote:> On Tue, 2002-09-24 at 11:18, Kevin Steves wrote: > > i guess we also ship with PAM password change remaining disabled. > > have not seen any feedback on solar's patch (which is in the > > tree but remains #if 0 in auth-pam.c). > > It looks like it needs some monitor work as well.there was a patch for the privsep case that used some Linux-specific PAM magic if i recall. _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
On Wed, Sep 25, 2002 at 06:09:30PM -0500, Jeff Koenig wrote:> Can someone reply and let me know what the status is on getting the PAM password expiration on Solaris issue working on OpenSSH?http://www.eviladmin.org/cgi-bin/cvsweb.cgi/auth-pam.c issues: .no privsep support .needs testing and review http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103065556302487&w=2> Password expiring on our Solaris 7 and 8 servers does not work correctly with OpenSSH. I believe this is a known issue, and was told that it might get resolved in 3.5, but now it sounds like it may not be resolved.It appears that it will not.> I hate to say it, but this is a critical feature for us now and my boss is pressuring me to get it resolved. I am trying to avoid his suggestion of going with commercial SSH and would like to continue using what I like (OpenSSH).You can also pay someone to address this in OpenSSH.
For whatever it's worth, we're doing the same thing with no problems so far. We turned the auth-pam stuff on and privsep off. We'd love to use privsep, but usable password aging is more important. -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Thursday, September 26, 2002 2:12 AM To: Damien Miller Cc: Jeff Koenig; Portable OpenSSH Subject: Re: Call for testing for 3.5 OpenSSH Damien Miller wrote:> On Thu, 2002-09-26 at 09:09, Jeff Koenig wrote: > > Can someone reply and let me know what the status is > > on getting the PAM password expiration on Solaris > > issue working on OpenSSH? > > It won't happen for 3.5p1. Maybe for 3.6p1 if people fix and test it.I've been using the existing code in auth-pam.c (minus the "#if 0" obviously) on a couple of Solaris 7 systems. It seems to work OK as long as you're not using privsep. Would it be possible to wrap it inside "if (!use_privsep)" until the privsep case is fixed, or is this bad because it encourages people to use non-privsep configurations? I can provide the (trivial) patch for this if anyone wants it. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev *********************************************************************************** WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient. ************************************************************************************ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020926/61f4062e/attachment.html
It's an organizational value, not a personal one. It's much harder to get an exception from way on high to turn off password aging on 500 unix servers than it is to just turn off privsep. -----Original Message----- From: Damien Miller [mailto:djm at mindrot.org] Sent: Thursday, September 26, 2002 8:31 AM To: Lacoss-Arnold, Jason Cc: 'Darren Tucker'; Jeff Koenig; Portable OpenSSH Subject: RE: Call for testing for 3.5 OpenSSH On Thu, 2002-09-26 at 23:14, Lacoss-Arnold, Jason wrote:> For whatever its worth, we're doing the same thing with no problems sofar.> We turned the auth-pam stuff on and privsep off. We'd love to useprivsep,> but usable password aging is more important.You are so wrong... How many break-ins are achieved by guessed passwords? How many by exploiting bugs in server software? -d *********************************************************************************** WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient. ************************************************************************************ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020926/b942bce5/attachment.html
And our management considers it impractical to lock our users out when they could normally change their passwords and go on with life. Our access control people are too slow to help them on a useful basis. -----Original Message----- From: Markus Friedl [mailto:markus at openbsd.org] Sent: Thursday, September 26, 2002 3:10 PM To: Lacoss-Arnold, Jason Cc: Portable OpenSSH Subject: Re: Call for testing for 3.5 OpenSSH On Thu, Sep 26, 2002 at 09:53:11AM -0500, Lacoss-Arnold, Jason wrote:> It's an organizational value, not a personal one. It's much harder to get > an exception from way on high to turn off password aging on 500 unixservers> than it is to just turn off privsep.password aging should work. you just cannot login or change your expired password. *********************************************************************************** WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient. ************************************************************************************ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020926/2a8c122f/attachment.html
> > >4. The kerb issue wandering around. >I haven't looked at -current or a snapshot recently so I don't know if this got in but we have tested Olaf Kirch's patch pretty thoroughly on Linux 7.x and Solaris 2.x and have found no problems with it for the cases we have tested. Dave -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov
>>>>> "MF" == Markus Friedl <markus at openbsd.org> writes:MF> On Thu, Oct 10, 2002 at 11:25:01AM +0200, Jan Iven wrote: >> Dear list, MF> but there is a MF> #ifdef KRB4 MF> int mm_answer_krb4(int, Buffer *); MF> #endif MF> #ifdef KRB5 MF> int mm_answer_krb5(int, Buffer *); MF> #endif Sorry for the wasted bandwidth -- I was looking for mm_answer_authkrb4 etc.. Thanks for having integrated this into 3.5. Jan