There have been a few recent commits to portable OpenSSH that require testing. It would be appreciated if you could grab the 20031118 (or later) snapshot and give it a try on your platforms of choice.

Ideally, "giving it a try" means running the regress tests, in addition to casual (non-production) use and reporting your experiences back to the list. The more platforms and compile-time options, the better.

Please note that the new snapshots replace the experimental "gssapi" authentication method with an improved "gssapi-with-mic" method. The new method (which does *not* interoperate with the deprecated "gssapi" method) provides proper validation of the session ID between the client and the server.

Some of the highlights (more in the ChangeLog):

 - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic
   tty_conv, and use it for do_pam_session. Fixes problems like
   pam_motd not displaying anything. ok djm@

 - jakob at cvs.openbsd.org 2003/11/12 16:39:58
   [dns.c dns.h readconf.c ssh_config.5 sshconnect.c]
   update SSHFP validation. ok markus@

 - markus at cvs.openbsd.org 2003/11/17 11:06:07
   [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h]
   [monitor_wrap.c monitor_wrap.h sshconnect2.c ssh-gss.h]
   replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
   test + ok jakob.

 - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int
   conversation function

 - (djm) Export environment variables from authentication subprocess to
   parent. Part of Bug #717

-d
On Tue, Nov 18, 2003 at 10:45:26PM +1100, Damien Miller wrote:
> There have been a few recent commits to portable OpenSSH that require
> testing. It would be appreciated if you could grab the 20031118 (or
> later) snapshot and give it a try on your platforms of choice.

I had no time to build the latest openssh from CVS for a few weeks now and, unfortunately, a change from last month results in not being able to build on Cygwin:

20031015
 - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
   openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
   compiled in but disabled in config.

The problem is that this change requires a system to have the DNS query functions and the header files arpa/nameser.h and resolv.h, which are not available on Cygwin. There exists an implementation but it's not part of Cygwin so far. Building OpenSSH probably works fine again if the above change is reverted, including all code snippets which were ifdef'd DNS before.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
> There have been a few recent commits to portable OpenSSH that require
> testing. It would be appreciated if you could grab the 20031118 (or
> later) snapshot and give it a try on your platforms of choice.
>
> Ideally, "giving it a try" means running the regress tests, in addition
> to casual (non-production) use and reporting your experiences back to
> the list. The more platforms and compile-time options, the better.
>
> Please note that the new snapshots replace the experimental "gssapi"
> authentication method with an improved "gssapi-with-mic" method. The new
> method (which does *not* interoperate with the deprecated "gssapi"
> method) provides proper validation of the session ID between the client
> and the server.

Hi,

I compiled 20031118 on debian:woody on intel without problems. Given some time constraints, I haven't been able to test it.

However, I noticed that the bug preventing 'do_pam_session()' from getting compiled in for systems that have 'HAVE_SETPCRED' set, such as FreeBSD 4.7 (and apparently linux), is still there (session.c:do_setusercontext()). I think the following patch (similar to the one I submitted previously) should fix this. I am not sure how setpcred() and PAM interact, so do take this patch with a grain of salt.

--- session.c.orig	Mon Nov 17 10:41:42 2003
+++ session.c	Wed Nov 19 11:21:36 2003
@@ -1237,6 +1237,17 @@
 		fatal("Failed to set process credentials");
 #endif /* HAVE_SETPCRED */
 #ifdef HAVE_LOGIN_CAP
+
+# ifdef USE_PAM
+	/*
+	 * Run do_pam_session() here too
+	 */
+	if (options.use_pam) {
+		do_pam_session();
+		do_pam_setcred(0);
+	}
+# endif /* USE_PAM */
+
 # ifdef __bsdi__
 	setpgid(0, 0);
 # endif
@@ -1245,6 +1256,7 @@
 		perror("unable to set user context");
 		exit(1);
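Review bot: the added block is guarded by `#ifdef HAVE_LOGIN_CAP` plus `USE_PAM`, but the cover note describes the missing do_pam_session() call as a HAVE_SETPCRED problem, so as written every login_cap build with PAM enabled picks up this call just before setusercontext() (the "unable to set user context" line in the next hunk's context). The hunk does not show whether those builds already reach do_pam_session() on another path, so please check for a double session open / setcred, or tighten the guard to the configurations that actually lack the call. The comment "Run do_pam_session() here too" should also say which configurations need it and why, so a later reader knows when it can be removed.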
Damien,

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org]
> Sent: Tuesday, November 18, 2003 3:45 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Testing of recent commits
>
> There have been a few recent commits to portable OpenSSH that require
> testing. It would be appreciated if you could grab the 20031118 (or
> later) snapshot and give it a try on your platforms of choice.
>
> Ideally, "giving it a try" means running the regress tests, in addition
> to casual (non-production) use and reporting your experiences back to
> the list. The more platforms and compile-time options, the better.
>
> Please note that the new snapshots replace the experimental "gssapi"
> authentication method with an improved "gssapi-with-mic" method. The new
> method (which does *not* interoperate with the deprecated "gssapi"
> method) provides proper validation of the session ID between the client
> and the server.
>
> Some of the highlights (more in the ChangeLog):
>
> - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic
>   tty_conv, and use it for do_pam_session. Fixes problems like
>   pam_motd not displaying anything. ok djm@
>
> - jakob at cvs.openbsd.org 2003/11/12 16:39:58
>   [dns.c dns.h readconf.c ssh_config.5 sshconnect.c]
>   update SSHFP validation. ok markus@
>
> - markus at cvs.openbsd.org 2003/11/17 11:06:07
>   [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h]
>   [monitor_wrap.c monitor_wrap.h sshconnect2.c ssh-gss.h]
>   replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
>   test + ok jakob.
>
> - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int
>   conversation function
>
> - (djm) Export environment variables from authentication subprocess to
>   parent. Part of Bug #717
>
> -d

I tested on sgi IRIX 6.5.18m with gcc 3.3.

make tests reported no errors.

cheers,
scott
Damien

[snip]

> I tested on sgi IRIX 6.5.18m with gcc 3.3.
>
> make tests reported no errors.
>
> cheers,
> scott

I also just tested openssh-SNAP-20031118 with MipsPro 7.4 on the same IRIX 6.5.18m system.

make tests reported no errors.

There was considerably more noise during compilation than with gcc, so I will see if I can throw together a diff...

cheers,
scott
Here is an updated patch for Tru64. I ran the regression tests with no problems (had to run as root because of SIA and no sudo), except that the reconfigure test hung (had to kill it); I haven't had a chance to look at that yet.

The patch changes a couple of things:

- auth-sia.c: the SIA functions leave the uid=0, euid=pw->pw_uid, and the "saved set uid"=0 (this is apparently not something you can look at or set directly). setuid(0) will set all three to 0, and then permanently_set_uid() works correctly (maybe permanently_set_uid() should make the setuid(0) call as the first thing?). I think the old setreuid() call was okay, because I think the "saved set uid" is cleared on exec(), but this way is sure.

- configure.ac: DISABLE_FD_PASSING only needs to be defined once, and only when building with SIA (because SIA is the problem). Also, SIA takes care of locked accounts, so the password file entry shouldn't be looked at to determine if an account is locked.

--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

diff -ur openssh-dist/auth-sia.c openssh/auth-sia.c
--- openssh-dist/auth-sia.c	Mon Jun 2 19:25:48 2003
+++ openssh/auth-sia.c	Thu Nov 20 22:42:02 2003
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "servconf.h"
 #include "canohost.h"
+#include "uidswap.h"
 
 #include <sia.h>
 #include <siad.h>
@@ -103,8 +104,8 @@
 
 	sia_ses_release(&ent);
 
-	if (setreuid(geteuid(), geteuid()) < 0)
-		fatal("setreuid: %s", strerror(errno));
+	setuid(0);
+	permanently_set_uid(pw);
 }
 
 #endif /* HAVE_OSF_SIA */
diff -ur openssh-dist/configure.ac openssh/configure.ac
--- openssh-dist/configure.ac	Wed Oct 15 01:57:57 2003
+++ openssh/configure.ac	Thu Nov 20 22:07:19 2003
@@ -409,14 +409,13 @@
 		LIBS="$LIBS -lsecurity -ldb -lm -laud"
 	else
 		AC_MSG_RESULT(no)
+		AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
 	fi
 	fi
-	AC_DEFINE(DISABLE_FD_PASSING)
 	AC_DEFINE(BROKEN_GETADDRINFO)
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
 	AC_DEFINE(BROKEN_SETREUID)
 	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")
 	;;
 
 *-*-nto-qnx)
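Review bot: in the auth-sia.c hunk at @@ -103,8 +104,8 @@ the return value of `setuid(0);` is discarded, whereas the two lines it replaces called fatal() when setreuid() failed. If setuid(0) fails here the process carries on with the uids the SIA calls left behind and relies on permanently_set_uid(pw) to notice, so keep the existing error handling style: `if (setuid(0) < 0) fatal("setuid: %s", strerror(errno));` before the permanently_set_uid(pw) call. That also documents, at the call site, that the reset to uid 0 is deliberate and depends on the real uid still being 0 (as the cover note explains) rather than on an unchecked side effect.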
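Review bot: the configure.ac hunk at @@ -409,14 +409,13 @@ removes `AC_DEFINE(DISABLE_FD_PASSING)` from the common tail of the *-*-osf* case, but the only SIA-branch context shown is the `LIBS="$LIBS -lsecurity -ldb -lm -laud"` line; the define that the cover note says remains "only when building with SIA" is outside the hunk, so please confirm it is actually present in the `if` branch (otherwise fd passing is silently re-enabled on SIA builds). Moving `AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin")` into the `else` branch matches the cover note that SIA handles locked accounts itself; a one-line comment next to it saying so would save the next reader from re-deriving why the non-SIA path is the only one that inspects the password file.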
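The uid handling Chris describes above (collapse the real, effective and saved uids to 0 first, then drop all three to the target user so that root cannot be regained) is the property permanently_set_uid() is meant to guarantee. The following is an added C example written for this thread, not OpenSSH's uidswap.c and not part of either patch; the function name drop_privs_permanently and its return codes are assumptions of the example. It uses only POSIX calls, so it does not read the saved uid directly (as noted above, that is not always possible); instead it checks the saved uid the way a regress test would, by verifying that every route back to uid 0 fails after the drop.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * drop_privs_permanently: switch to (uid, gid) so that the real,
 * effective and saved ids are all changed, then prove that they were.
 *
 * Returns 0 on success, or a negative code naming the step that failed.
 * Example code for this thread, not OpenSSH's permanently_set_uid();
 * the name and the return codes are assumptions of this example.
 */
int
drop_privs_permanently(uid_t uid, gid_t gid)
{
	/*
	 * If we are in the state the SIA functions are described as leaving
	 * (real uid 0, effective uid unprivileged, saved uid 0), setuid(0)
	 * is permitted because 0 matches the real uid, and it gives the
	 * calls below an effective uid of 0 again.
	 */
	if (getuid() == 0 && geteuid() != 0 && setuid(0) < 0)
		return -1;

	/* Groups first: after the uid drop, setgid() would no longer be allowed. */
	if (setgid(gid) < 0)
		return -2;
	/* With effective uid 0 (or uid == our own), this changes all three uids. */
	if (setuid(uid) < 0)
		return -3;

	/* The real and effective ids must now be exactly what was requested. */
	if (getuid() != uid || geteuid() != uid)
		return -4;
	if (getgid() != gid || getegid() != gid)
		return -5;

	/*
	 * The saved uid cannot be read portably, so test it the way a
	 * regress test would: if the drop was permanent, neither setuid(0)
	 * nor seteuid(0) may succeed, and the failure must be EPERM.
	 */
	if (uid != 0) {
		if (setuid(0) == 0 || seteuid(0) == 0)
			return -6;
		if (errno != EPERM)
			return -7;
	}
	/* Same check for the group ids. */
	if (gid != 0 && (setgid(0) == 0 || setegid(0) == 0))
		return -8;

	return 0;
}

int
main(void)
{
	/* Dropping to our own ids changes nothing but still runs every check. */
	int rc = drop_privs_permanently(getuid(), getgid());

	if (rc != 0) {
		fprintf(stderr, "privilege drop failed at step %d: %s\n",
		    -rc, strerror(errno));
		return 1;
	}
	printf("uid=%u euid=%u gid=%u egid=%u: drop is permanent\n",
	    (unsigned)getuid(), (unsigned)geteuid(),
	    (unsigned)getgid(), (unsigned)getegid());
	return 0;
}
```

Run as an ordinary user it exercises the "cannot get root back" checks; run as root with a non-zero target uid it exercises the full drop. A privileged caller that only needs to lower its effective uid temporarily must not use this routine, because the saved uid is deliberately destroyed.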