openssh bugs - Sep 2005 - [Bug 1080] 4.1p1 to 4.2p1 broke UsePrivilegeSeparation on HPUX

http://bugzilla.mindrot.org/show_bug.cgi?id=1080

           Summary: 4.1p1 to 4.2p1 broke UsePrivilegeSeparation on HPUX
           Product: Portable OpenSSH
           Version: 4.2p1
          Platform: HPPA
        OS/Version: HP-UX
            Status: NEW
          Severity: security
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: jaearick at colby.edu
                CC: jaearick at colby.edu


4.2p1 code configured on HPUX 11.11 as: 
./configure CC="gcc" CFLAGS="-O" \
        --prefix=/opt/openssh --sysconfdir=/etc/ssh \
        --with-ssl-dir=/opt/openssl --with-zlib \
        --without-rsh --with-pam --with-privsep-user=ssh \
        --with-tcp-wrappers --with-ipv4-default >& configure.out

If UsePrivilegeSeparation=yes in sshd.config, then ssh connections fail with the
syslog message:
fatal: mm_receive_fd: recvmsg: expected received 1 got 0
The only way 4.2p1 will work on HPUX 11.11 is to set UsePrivilegeSeparation=no,
which I view
as a security hazard and will not do.  UsePrivilegeSeparation=yes worked
correctly with 4.1p1.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1080





------- Additional Comments From dtucker at zip.com.au  2005-09-08 10:20 -------
What options do you have set in sshd_config?  Also, could you please attach (ie
use "create attachment" rather than pasting into the comment field) a
copy of
the debug output from the server (eg "/path/to/sshd -ddde -p 2022"
then point a
client at port 2022).

BTW it runs OK on my 11.11 box with similar build options and the default
sshd_config and the mm_receive_fd() code hasn't changed since 4.0p1.

Also, what compiler are you using?  If it's gcc 4.0.0 then I've had
trouble with
it on HP-UX not compiling stuff (especially OpenSSL) correctly.  3.x and 4.0.1
seem OK.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1080





------- Additional Comments From jaearick at colby.edu  2005-09-08 11:14 -------
Compiler used is:
gcc -v
Using built-in specs.
Target: hppa2.0w-hp-hpux11.11
Configured with: /usr/local/src/gnu/gcc-4.0.1/configure 
Thread model: single
gcc version 4.0.1

I will have to do the sshd -ddde -p 2022 thing tomorrow when I am on a fast link
and can manage
multiple windows more easily.  I dropped back to 4.1 on my test machine for
tonight.  I have had
this same bug/failure on an A500 and an L3000, both HPUX 11.11.  Attached is the
sshd_config
from the A500.  BTW, my openssl 0.9.8 build/test fails on both boxes, I am using
0.9.7g instead.
I filed an openssl bug about the "make test" feature failing, see
openssl.org #1188 bug.  HPUX
sux when compared to Solaris...   Hmmm, how to use the attachments link on the
webpage?
I am on a Mac, OSX 10.4.2, Safari 2 (popups allowed), I click nothing happens. 
Can I send this
stuff by email attachment instead?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1080





------- Additional Comments From dtucker at zip.com.au  2005-09-08 11:30 -------
(In reply to comment #2)
> I filed an openssl bug about the "make test" feature failing, see
> openssl.org #1188 bug.
I'm using an old OpenSSL (0.9.7d) and gcc (3.3.3, the 4.x stuff was found on
11.00).  I'll try 0.9.7g.
> Hmmm, how to use the attachments link on the webpage?
It's just a link to a page with a form, no popups:
http://bugzilla.mindrot.org/attachment.cgi?bugid=1080&action=enter

Try pasting that into your browser, if that doesn't work then you can mail
them
to me directly.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1080


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From dtucker at zip.com.au  2005-09-19 13:47 -------
Jeff had some problems attaching files, so after a bit off offline discussion
the outcome was that gcc-4.0.1 seems to be the source of this problem.  I've
also personally had problems with 4.0.0.

[quote]
Lo and behold, I built and installed gcc 3.4.4:

Reading specs from /usr/local/lib/gcc/hppa2.0w-hp-hpux11.11/3.4.4/specs
Configured with: /usr/local/src/gnu/gcc-3.4.4/configure --with-gnu-as
--with-as=/usr/local/bin/gas
Thread model: single
gcc version 3.4.4

then rebuilt and reinstalled openssh4.2p1.  Boom!  ssh works with
my original sshd_config file, no problems.  Time to rebuild openssl 0.9.8
and see if the problems there go away.

Having gotten things to work with gcc 3.4.4, I'll blame that and move
on.  Conclusion: gcc 4.0.1 generates bad code for hppa systems.
[/quote]

I don't know where to even start with a gcc bug report, though...



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.