I have just tarred up a snapshot and uploaded it to:

http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

The snapshot incorporates the last month's fixes and enhancements from
the openssh-unix-dev mailing list and from the OpenBSD developers.

In particular:

 - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop
   with ssh.com's ssh-agent. (Markus Friedl)
 - Fix crashes when sshd is run out of inetd
 - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
 - Add Solaris package support in contrib/solaris/ (Rip Loomis)
 - Random Early Drop connection rate limiting for sshd (Markus Friedl)
 - Fix duplicate lastlog logging (Markus & me)
 - Add -u option to sshd to make wtmp logging more like login's (Markus)
 - Use pipes instead of socketpairs to avoid scp not exiting problem
   on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz
   Jaenicke)
 - Lots of other fixes (see changelog below)

Please give the snapshot a good run and report problems back to the
mailing list.

If you have received this email twice, it is because you are on the
list of testers. I will be setting up a separate email list over the
weekend.

Regards,
Damien Miller

Changelog:

20000823
 - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4
   Avoids "scp never exits" problem. Reports from Lutz Jaenicke
   <Lutz.Jaenicke at aet.TU-Cottbus.DE> and Tamito KAJIYAMA
   <kajiyama at grad.sccs.chukyo-u.ac.jp>
 - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers
 - (djm) Add local version to version.h
 - (djm) OpenBSD CVS updates:
   - deraadt at cvs.openbsd.org 2000/08/18 20:07:23
     [ssh.c]
     accept remsh as a valid name as well; roman at buildpoint.com
   - deraadt at cvs.openbsd.org 2000/08/18 20:17:13
     [deattack.c crc32.c packet.c]
     rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
     libz crc32 function yet, because it has ugly "long"'s in it;
     oneill at cs.sfu.ca
   - deraadt at cvs.openbsd.org 2000/08/18 20:26:08
     [scp.1 scp.c]
     -S prog support; tv at debian.org
   - deraadt at cvs.openbsd.org 2000/08/18 20:50:07
     [scp.c]
     knf
   - deraadt at cvs.openbsd.org 2000/08/18 20:57:33
     [log-client.c]
     shorten
   - markus at cvs.openbsd.org 2000/08/19 12:48:11
     [channels.c channels.h clientloop.c ssh.c ssh.h]
     support for ~. in ssh2
   - deraadt at cvs.openbsd.org 2000/08/19 15:29:40
     [crc32.h]
     proper prototype
   - markus at cvs.openbsd.org 2000/08/19 15:34:44
     [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1]
     [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile]
     [fingerprint.c fingerprint.h]
     add SSH2/DSA support to the agent and some other DSA related cleanups.
     (note that we cannot talk to ssh.com's ssh2 agents)
   - markus at cvs.openbsd.org 2000/08/19 15:55:52
     [channels.c channels.h clientloop.c]
     more ~ support for ssh2
   - markus at cvs.openbsd.org 2000/08/19 16:21:19
     [clientloop.c]
     oops
   - millert at cvs.openbsd.org 2000/08/20 12:25:53
     [session.c]
     We have to stash the result of get_remote_name_or_ip() before we
     close our socket or getpeername() will get EBADF and the process
     will exit. Only a problem for "UseLogin yes".
   - millert at cvs.openbsd.org 2000/08/20 12:30:59
     [session.c]
     Only check /etc/nologin if "UseLogin no" since login(1) may have its
     own policy on determining who is allowed to login when /etc/nologin
     is present. Also use the _PATH_NOLOGIN define.
   - millert at cvs.openbsd.org 2000/08/20 12:42:43
     [auth1.c auth2.c session.c ssh.c]
     Add calls to setusercontext() and login_get*(). We basically call
     setusercontext() in most places where previously we did a setlogin().
     Add default login.conf file and put root in the "daemon" login class.
   - millert at cvs.openbsd.org 2000/08/21 10:23:31
     [session.c]
     Fix incorrect PATH setting; noted by Markus.

20000818
 - (djm) OpenBSD CVS changes:
   - markus at cvs.openbsd.org 2000/07/22 03:14:37
     [servconf.c servconf.h sshd.8 sshd.c sshd_config]
     random early drop; ok theo, niels
   - deraadt at cvs.openbsd.org 2000/07/26 11:46:51
     [ssh.1]
     typo
   - deraadt at cvs.openbsd.org 2000/08/01 11:46:11
     [sshd.8]
     many fixes from pepper at mail.reppep.com
   - provos at cvs.openbsd.org 2000/08/01 13:01:42
     [Makefile.in util.c aux.c]
     rename aux.c to util.c to help with cygwin port
   - deraadt at cvs.openbsd.org 2000/08/02 00:23:31
     [authfd.c]
     correct sun_len; Alexander at Leidinger.net
   - provos at cvs.openbsd.org 2000/08/02 10:27:17
     [readconf.c sshd.8]
     disable kerberos authentication by default
   - provos at cvs.openbsd.org 2000/08/02 11:27:05
     [sshd.8 readconf.c auth-krb4.c]
     disallow kerberos authentication if we can't verify the TGT; from
     dugsong@
     kerberos authentication is on by default only if you have a srvtab.
   - markus at cvs.openbsd.org 2000/08/04 14:30:07
     [auth.c]
     unused
   - markus at cvs.openbsd.org 2000/08/04 14:30:35
     [sshd_config]
     MaxStartups
   - markus at cvs.openbsd.org 2000/08/15 13:20:46
     [authfd.c]
     cleanup; ok niels@
   - markus at cvs.openbsd.org 2000/08/17 14:05:10
     [session.c]
     cleanup login(1)-like jobs, no duplicate utmp entries
   - markus at cvs.openbsd.org 2000/08/17 14:06:34
     [session.c sshd.8 sshd.c]
     sshd -u len, similar to telnetd
 - (djm) Lastlog was not getting closed after writing login entry
 - (djm) Add Solaris package support from Rip Loomis <loomisg at cist.saic.com>

20000816
 - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc)
 - (djm) Fix strerror replacement for old SunOS. Based on patch from
   Charles Levert <charles at comm.polymtl.ca>
 - (djm) Separate arc4random into separate file and use OpenSSL's RC4
   implementation.
 - (djm) SUN_LEN macro for systems which lack it

20000815
 - (djm) More SunOS 4.1.x fixes from Nate Itkin <nitkin at europa.com>
 - (djm) Avoid failures on Irix when ssh is not setuid. Fix from
   Michael Stone <mstone at cs.loyola.edu>
 - (djm) Don't seek in directory based lastlogs
 - (djm) Fix --with-ipaddr-display configure option test. Patch from
   Jarno Huuskonen <jhuuskon at messi.uku.fi>
 - (djm) Fix AIX limits from Alexandre Oliva <oliva at lsd.ic.unicamp.br>

20000813
 - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from
   Fabrice bacchella <fabrice.bacchella at marchfirst.fr>

20000809
 - (djm) Define AIX hard limits if headers don't. Report from
   Bill Painter <william.t.painter at lmco.com>
 - (djm) utmp direct write & SunOS 4 patch from Charles Levert
   <charles at comm.polymtl.ca>

20000808
 - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install
   time, spec file cleanup.

20000807
 - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke
 - (djm) Suppress error messages on channel close shutdown() failures
   works around Linux bug. Patch from Zack Weinberg <zack at wolery.cumb.org>
 - (djm) Add some more entropy collection commands from Lutz Jaenicke

20000725
 - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF

20000721
 - (djm) OpenBSD CVS updates:
   - markus at cvs.openbsd.org 2000/07/16 02:27:22
     [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
     [sshconnect1.c sshconnect2.c]
     make ssh-add accept dsa keys (the agent does not)
   - djm at cvs.openbsd.org 2000/07/17 19:25:02
     [sshd.c]
     Another closing of stdin; ok deraadt
   - markus at cvs.openbsd.org 2000/07/19 18:33:12
     [dsa.c]
     missing free, reorder
   - markus at cvs.openbsd.org 2000/07/20 16:23:14
     [ssh-keygen.1]
     document input and output files

20000720
 - (djm) Spec file fix from Petr Novotny <Petr.Novotny at antek.cz>

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
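The "Random Early Drop connection rate limiting" item in the announcement above (the `random early drop` / `MaxStartups` CVS entries in the changelog) is the policy sshd applies to connections that have not yet authenticated. The block below is an added illustration written for this page, not OpenSSH's own code: it implements the policy in the shape sshd_config's `MaxStartups start:rate:full` later documents it, where no connection is dropped below `start` pending connections, the drop probability is `rate` percent at `start`, and it rises linearly to 100% at `full`. The policy values and the xorshift used to drive the demo loop are constructed for the example; the random roll is passed in by the caller so the decision is testable.

```c
/* Added illustration, not OpenSSH's code: Random Early Drop for
 * unauthenticated connections, parameterised as start:rate:full.
 * Policy values below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>

struct red_policy {
    int start; /* below this many pending connections, never drop   */
    int rate;  /* drop probability (percent) once `start` is reached */
    int full;  /* at this many pending connections, drop everything  */
};

/* Drop probability in percent for `pending` unauthenticated connections:
 * 0 below start, rate% at start, linear up to 100% at full. */
int red_drop_percent(const struct red_policy *p, int pending)
{
    if (pending < p->start)
        return 0;
    if (pending >= p->full)
        return 100;
    int span = p->full - p->start;
    return p->rate + (100 - p->rate) * (pending - p->start) / span;
}

/* Convenience wrapper so callers can pass the three numbers directly. */
int red_percent(int start, int rate, int full, int pending)
{
    struct red_policy p = { start, rate, full };
    return red_drop_percent(&p, pending);
}

/* Decide whether to drop. `roll` is a uniform value in [0,100) supplied
 * by the caller (a daemon would take it from its CSPRNG); returns 1 to drop. */
int red_should_drop(const struct red_policy *p, int pending, int roll)
{
    return roll < red_drop_percent(p, pending);
}

/* Deterministic xorshift used only to drive the demo below. */
static uint32_t demo_rand(uint32_t *s)
{
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

int main(void)
{
    struct red_policy p = { 10, 30, 60 };   /* constructed: 10:30:60 */
    uint32_t seed = 0x9e3779b9u;
    for (int pending = 0; pending <= 70; pending += 10) {
        int dropped = 0;
        for (int i = 0; i < 1000; i++)
            dropped += red_should_drop(&p, pending, demo_rand(&seed) % 100);
        printf("pending=%2d expected=%3d%% observed=%5.1f%%\n",
               pending, red_drop_percent(&p, pending), dropped / 10.0);
    }
    return 0;
}
```

The observed column tracks the expected percentage to within sampling noise. The security point is the shape of the curve: a flood of half-open connections does not hit a hard wall at `full`; it starts losing connections probabilistically at `start`, so legitimate clients still get through with decreasing odds instead of being locked out entirely the moment the table fills.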
* Damien Miller <djm at mindrot.org> [000823 02:07]:
|
| I have just tarred up a snapshot and uploaded it to:
| http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

Not on the testing team, but sshd and ssh build and run fine on
Slackware 7 and 7.1. I still need to specify lcrypt and link
/usr/local/sbin/scp to /bin/scp, but I have had to do this for a while
under Slackware with OpenSSH.

Here are my usual configure options:

LIBS=-lcrypt ./configure \
  --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/local/sbin \
  --with-md5-passwords

-- 
Emily Slocombe <emily at ubermachine.com>
......................................................................
"Linux - it'll eat your dog for you if you want your dog to be eaten"
Today you sent me mail regarding [openssh] Test snapshot:

*> I have just tarred up a snapshot and uploaded it to:
*> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

tested it on SPARC Solaris 2.6. It seems to work fine, but the Motif
bug is still there:

* open a ssh with X forwarding to a REMOTE host (localhost is not good).
* Start a Motif application on the remote host. (Eg nedit).
* Now close the application.
* Oops .. the connection is gone ...

----------------------------------------------------------
tardis> nedit
Connection to tardis closed by remote host.
Connection to tardis closed.
engelberg>
----------------------------------------------------------

cheers
tobi

-- 
 ______    __   _
/_  __/_  / /  (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich
 / // _ \/ _ \/ /  TEL: +41(0)1-6325286  FAX:...1517  ICQ: 10419518
/_/ \.__/_.__/_/   oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker
OpenStep 4.2.. Compiles. I've not run any amount of tests on it yet since
I'm going to bed. =)

All the wait() stuff in the next-posix.[ch] should be split out to its
own bsd-wait.[ch]. I'll take a look at that later this week.

configure.in changes to clean up the *-next-* section.

--- configure.in.orig	Wed Aug 23 01:17:38 2000
+++ configure.in	Wed Aug 23 01:19:42 2000
@@ -122,15 +122,13 @@
 	need_dash_r=1
 	;;
 *-next-*)
-	# hardwire lastlog location (can't detect it on some versions)
 	conf_lastlog_location="/usr/adm/lastlog"
 	conf_utmp_location=/etc/utmp
+	conf_wtmp_location=/usr/adm/wtmp
+	MAIL=/usr/spool/mail
 	AC_DEFINE(HAVE_NEXT)
 	CFLAGS="$CFLAGS -I/usr/local/include"
-	MAIL=/usr/spool/mail
 	AC_MSG_WARN([*** Tested: PA-RISC/m68k Untested: Sparc/Intel])
-	AC_MSG_WARN([*** Expect 'scp' to fail!])
-	AC_MSG_WARN([*** Please report any problems, thanks])
 	;;
 *-*-solaris*)
 	CFLAGS="$CFLAGS -I/usr/local/include"

Login utmp/wtmp patch that slipped through from the verification of the
SunOS 4.1.x direct utmp write on NeXT:

--- loginrec.c.orig	Wed Aug 23 01:05:37 2000
+++ loginrec.c	Wed Aug 23 01:06:06 2000
@@ -724,7 +724,7 @@
 	/* FIXME: (ATL) ttyslot() needs local implementation */
-#if defined(SUNOS4) && defined(HAVE_GETTTYENT)
+#if defined(HAVE_GETTTYENT)
 	register struct ttyent *ty;
 	tty=0;
@@ -745,7 +745,7 @@
 	tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */
-#endif /* SUNOS4 && HAVE_GETTTYENT */
+#endif /* HAVE_GETTTYENT */
 	if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) {
 		(void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
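Review bot: in the configure.in hunk, the removed line `# hardwire lastlog location (can't detect it on some versions)` is the only record of why `conf_lastlog_location="/usr/adm/lastlog"` is hardwired rather than probed; keep the comment, and since the new `conf_wtmp_location=/usr/adm/wtmp` is hardwired for the same reason it should sit under the same comment. Dropping `AC_MSG_WARN([*** Expect 'scp' to fail!])` is only safe once scp has actually been exercised on this snapshot, and the message says no tests have been run yet, so that warning should stay until an scp transfer on NeXT is confirmed.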
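Review bot: in the first loginrec.c hunk, changing `#if defined(SUNOS4) && defined(HAVE_GETTTYENT)` to `#if defined(HAVE_GETTTYENT)` turns a SunOS 4-only path into one compiled on every platform where configure detects getttyent(); the `FIXME: (ATL) ttyslot() needs local implementation` comment directly above it suggests the block was written against one platform's tty table layout, so it needs a build and login test on at least one other getttyent() system, not only NeXT, before it is merged.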
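Review bot: in the second loginrec.c hunk the `#endif /* HAVE_GETTTYENT */` comment is correctly updated to match the new guard, but the `if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0)` that follows silently skips the utmp record whenever no slot is found. On every platform newly covered by this guard a failed lookup therefore produces neither a login record nor an error; log when `tty` is still 0 after the lookup so a missing utmp entry can be diagnosed rather than going unnoticed.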
On Wed, 23 Aug 2000, Damien Miller wrote:

> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
>
> The snapshot incorporates the last month's fixes and enhancements from
> the openssh-unix-dev mailing list and from the OpenBSD developers.

Compiles, installs, and runs fine here on SuSE 6.4 (x86). Still using
separate/modified sshd.pam.generic, though.

./configure --with-tcp-wrappers --with-md5-passwords --with-ipv4-default

% ssh -V
SSH Version OpenSSH_2.1.1p5, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).

Nice touch. :)

dtc
What do I have to do so that Cygwin support is added to OpenSSH as well?

Corinna

Damien Miller wrote:
> 
> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
> 
> The snapshot incorporates the last month's fixes and enhancements from
> the openssh-unix-dev mailing list and from the OpenBSD developers.
[...]

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com
This is on IRIX, compiled with MIPSPro compilers.

setenv CC cc
./configure --prefix=/usr/openssh --with-ssl-dir=/usr/local/ssl --with-rsh=/usr/bsd/rsh

OpenSSH configured has been configured with the following options.
              User binaries: /usr/local/openssh-2.1.1p1-SNAP/bin
            System binaries: /usr/local/openssh-2.1.1p1-SNAP/sbin
        Configuration files: /usr/local/openssh-2.1.1p1-SNAP/etc
            Askpass program: /usr/local/openssh-2.1.1p1-SNAP/libexec/ssh/ssh-askpass
               Manual pages: /usr/local/openssh-2.1.1p1-SNAP/man/X
                   PID file: /var/run
   Random number collection: Builtin (timeout 200)
             Manpage format: cat
                PAM support: no
         KerberosIV support: no
                AFS support: no
              S/KEY support: no
       TCP Wrappers support: no
       MD5 password support: no
IP address in $DISPLAY hack: no
   Use IPv4 by default hack: no
    Translate v4 in v6 hack: no

             Compiler flags: -g -I/usr/local/include -I/usr/local/ssl//include
               Linker flags: -L/usr/local/ssl//lib -L/usr/local/ssl/
                  Libraries: -lz -lcrypto

It looks like the openssh-SNAP-20000823 is taking a lot more time
collecting entropy (or is it failing several times?) than the
OpenSSH_2.1.1p4 version did. Here's an example (both are using the same
etc/ssh_prng_cmds).

2.1.1p4% timex ssh dontask exit

real        4.49
user        0.37
sys         1.21

2.1.1p5% timex ssh dontask exit

real       24.89
user        3.10
sys        10.89

Here's full 'ssh -v' output from both versions:

2.1.1p4:

SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /Home/plab/janfrode/.ssh/config
debug: Applying options for dontask
debug: Applying options for *
debug: Reading configuration data /usr/openssh/etc/ssh_config
debug: Applying options for *
debug: Command 'netstat -an' timed out
debug: Seeded RNG with 29 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 1158 geteuid 0 anon 1
debug: Connecting to dontask [129.177.192.97] port 22.
debug: Connection established.
debug: Setting sat id to 1158
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1p5
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'dontask' is known and matches the RSA host key.
debug: Command 'ps -efl' timed out
debug: Seeded RNG with 27 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication via agent with 'jfm at krypvier.ii.uib.no'
debug: Received RSA challenge from server.
debug: Sending response to RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting authentication agent forwarding.
debug: Sending command: exit
debug: Entering interactive session.
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 0
debug: writing PRNG seed to file /Home/plab/janfrode/.ssh/prng_seed

2.1.1p5:

SSH Version OpenSSH_2.1.1p5, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /usr/people/jfm/.ssh/config
debug: Applying options for dontask
debug: Applying options for *
debug: Reading configuration data /usr/openssh/etc/ssh_config
debug: Applying options for *
debug: Command 'netstat -an' timed out
debug: Seeded RNG with 28 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 1200 geteuid 0 anon 1
debug: Connecting to dontask [129.177.192.97] port 22.
debug: Connection established.
debug: Setting sat id to 1200
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1p5
debug: Local version string SSH-1.5-OpenSSH_2.1.1p5
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'dontask' is known and matches the RSA host key.
debug: Seeded RNG with 28 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 28 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'netstat -an' timed out
debug: Command 'ps -efl' timed out
debug: Seeded RNG with 30 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'ps -efl' timed out
debug: Seeded RNG with 28 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'netstat -an' timed out
debug: Seeded RNG with 28 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication via agent with 'jfm at krypvier.ii.uib.no'
debug: Received RSA challenge from server.
debug: Sending response to RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'ps -efl' timed out
debug: Seeded RNG with 28 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Requesting X11 forwarding with authentication spoofing.
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Seeded RNG with 25 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'netstat -an' timed out
debug: Seeded RNG with 26 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Requesting authentication agent forwarding.
debug: Sending command: exit
debug: Entering interactive session.
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.4 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 0
debug: writing PRNG seed to file /usr/people/jfm/.ssh/prng_seed

-jf
Damien,

Compiles and installs cleanly under AIX 4.3.3 (latest patchlevel) with
IBM's latest C++ compiler. The fixprogs script takes forever on install
-- I narrowed this down to "ipcs -a" on my very busy RS/6000 taking
about five minutes to complete. Dropped this from ssh_prng_cmds.in and
all is well.

I refreshed sshd, kicked in the new ssh-agent, loaded my DSA and RSA
keys and tried a local connection. Connecting with protocol 1.5 seems
okay. Connecting with protocol 2 takes an age and once connected the
performance reminds me of my first ever dot-matrix printer -- about 10
minutes per page. Retrying without the agent does not improve the
matter, nor does password authentication. I have also tried switching
session encryption from 3des to blowfish. Connecting to my server from
SecureCRT shows the same symptoms.

Compiled with:

CFLAGS="-qlanglvl=extended -qcpluscmt -O2" ./configure --prefix=/usr --sysconfdir=/etc/ssh --without-pam --with-ipaddr-display --with-ipv4-default

Reports:

OpenSSH configured has been configured with the following options.
              User binaries: /usr/bin
            System binaries: /usr/sbin
        Configuration files: /etc/ssh
            Askpass program: /usr/libexec/ssh/ssh-askpass
               Manual pages: /usr/man/catX
                   PID file: /var/run
   Random number collection: Builtin (timeout 200)
             Manpage format: cat
                PAM support: disabled
         KerberosIV support: no
                AFS support: no
              S/KEY support: no
       TCP Wrappers support: no
       MD5 password support: no
IP address in $DISPLAY hack: yes
   Use IPv4 by default hack: yes
    Translate v4 in v6 hack: no

             Compiler flags: -qlanglvl=extended -qcpluscmt -O2 -I/usr/local/include
               Linker flags: -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
                  Libraries: -lnsl -lz -lcrypto

Changing the random number timeout to 100 does not appear to make any
difference.

Lots of good work has gone into this project -- I think I speak for
everyone when I say "thank-you" to all who have contributed.

Many thanks,

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
Damien Miller wrote:
> 
> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

After applying this change to Makefile.in, it configures and builds on
Alpha RedHat 6.2:

24c24,27
< CFLAGS=@CFLAGS@ -I. -I$(srcdir) $(PATHS) @DEFS@
---
> CFLAGS=@CFLAGS@ -I. -I$(srcdir) $(PATHS) @DEFS@ \
>       -DOPENSSL_ALGORITHM_DEFINES \
>       -DOPENSSL_THREAD_DEFINES \
>       -DOPENSSL_OTHER_DEFINES

I configured like this:

./configure --prefix=/usr/local/openssh --sysconfdir=/etc/openssh \
  --with-random=/dev/random --with-ipv4-default \
  --with-ssl-dir=/usr/local/openssl \
  --with-tcp-wrappers \
  --with-default-path=/usr/bin:/bin:/usr/local/openssh/bin

My openssl is trusty old 0.9.5a built with RSAREF2 hacked to know that
a "UINT4" is 32 bits long.

I installed over the top of my 2.1.1p4 setup, restarted sshd, and tried
to ssh to a Solaris 2.6 Sun running 2.1.1p4. It took several minutes to
get to a shell prompt. Retrying the ssh command with "-v" showed
multiple long pauses while it was seeding the random number generator.
After it finally logged me in on the Sun, it all seemed to be working
OK.

Did I miss a step? 2.1.1p4 worked fine on my Alpha.

Paul Allen

-- 
Paul L. Allen          | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support | paul.l.allen at boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207
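Review bot: appending `-DOPENSSL_ALGORITHM_DEFINES -DOPENSSL_THREAD_DEFINES -DOPENSSL_OTHER_DEFINES` to the CFLAGS line in Makefile.in turns those defines on for every platform, while the report only shows they are needed for this OpenSSL 0.9.5a/RSAREF2 build on Alpha RedHat 6.2. A configure-time test that adds them only when the plain build fails would leave other platforms unchanged; at the very least the CFLAGS line needs a comment recording which OpenSSL build requires them, otherwise the next person to touch Makefile.in has no way to know whether they can be removed.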
On Wed, 23 Aug 2000, Jan-Frode Myklebust wrote:

> It looks like the openssh-SNAP-20000823 is taking a lot more time
> collecting entropy (or is it failing several times?) than the
> OpenSSH_2.1.1p4 version did.

My bad:

Index: bsd-arc4random.c
===================================================================
RCS file: /var/cvs/openssh/bsd-arc4random.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- bsd-arc4random.c	2000/08/16 00:35:58	1.1
+++ bsd-arc4random.c	2000/08/23 05:31:41	1.2
@@ -60,5 +60,7 @@
 	RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
 
 	memset(rand_buf, 0, sizeof(rand_buf));
+
+	rc4_ready = 1;
 }
 #endif /* !HAVE_ARC4RANDOM */

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
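Review bot: the added `rc4_ready = 1;` after `memset(rand_buf, 0, sizeof(rand_buf));` is the only thing that stops this keying function from running again on every call, and that repeated run is the slow entropy collection the report above measured (24.89s against 4.49s for 2.1.1p4, with "Seeded RNG" logged over and over). A one-line comment above the flag saying that it guards against re-seeding would keep a later cleanup from dropping it again; also note the hunk only ever sets the flag and never clears it, so anything that must re-key (a copy of the state that must not be shared, for instance) has to be handled elsewhere.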
On Wed, 23 Aug 2000, Corinna Vinschen wrote:

> What do I have to do so that Cygwin support is added to OpenSSH as
> well?

My sincere apologies for my silence on your patches - a couple of
things have prevented me from merging them - primarily a lack of time
on my part.

I will look over them again this weekend.

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
On Wed, Aug 23, 2000 at 11:54:40AM +1000, Damien Miller wrote:
> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz

Tested on i386 Debian GNU/Linux (woody). (Slink and Potato take a little
more effort, I'll report on them in the afternoon). Compiles fine.
Binaries run fine (communicates with OpenBSD (2.1) and ssh.com's 1.2.27
as well as itself).

> - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop
>   with ssh.com's ssh-agent. (Markus Friedl)

Appears to work.

> - Fix crashes when sshd is run out of inetd

Don't have an old version to use as a control, but I can't seem to make
this one crash either.

> - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
> - Add Solaris package support in contrib/solaris/ (Rip Loomis)
> - Random Early Drop connection rate limiting for sshd (Markus Friedl)
> - Fix duplicate lastlog logging (Markus & me)
> - Add -u option to sshd to make wtmp logging more like login's (Markus)
> - Use pipes instead of socketpairs to avoid scp not exiting problem
>   on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz
>   Jaenicke)
> - Lots of other fixes (see changelog below)

I'll test Linux/ARM this afternoon as well as i386 Debian Potato and
Slink.

-Dan

-- 
"... the most serious problems in the Internet have been caused by
unenvisaged mechanisms triggered by low-probability events; mere human
malice would never have taken so devious a course!" - RFC 1122 section 1.2.2
On Thu, Aug 24, 2000 at 09:08:32AM +1000, Damien Miller wrote:> On Wed, 23 Aug 2000, Jan-Frode Myklebust wrote: > > > It looks like the openssh-SNAP-20000823 is taking a lot more time > > collecting entropy (or is it failing several times?) than the > > OpenSSH_2.1.1p4 version did. > > My bad: > > Index: bsd-arc4random.c > ==================================================================> RCS file: /var/cvs/openssh/bsd-arc4random.c,v > retrieving revision 1.1 > retrieving revision 1.2 > diff -u -r1.1 -r1.2 > --- bsd-arc4random.c 2000/08/16 00:35:58 1.1 > +++ bsd-arc4random.c 2000/08/23 05:31:41 1.2 > @@ -60,5 +60,7 @@ > RC4_set_key(&rc4, sizeof(rand_buf), rand_buf); > > memset(rand_buf, 0, sizeof(rand_buf)); > + > + rc4_ready = 1; > } > #endif /* !HAVE_ARC4RANDOM */ > >Thanks, looks like this fixed the problem with the sshd acting like a dot-matrix printer in v2 mode also. -jf
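Review bot: The only functional change in the hunk is the missing `rc4_ready = 1;` store at the end of the seeding routine; in revision 1.1 nothing ever set the flag, so whatever tests `rc4_ready` before producing output never saw the generator as keyed and re-collected entropy on every call, which is consistent with the slowdown Jan-Frode reported. The placement is right: the flag is set only after `RC4_set_key(&rc4, sizeof(rand_buf), rand_buf)` has consumed the seed and `memset(rand_buf, 0, sizeof(rand_buf))` has wiped it, so the generator is never declared ready while seed bytes are still in memory. One thing to confirm outside this hunk is how a later re-stir is triggered, since nothing in the visible lines ever clears the flag again once it is set.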
Damien,

One other problem that has just come to light. I have switched "UseLogin" to "yes" and receive the following error message when attempting to ssh into my AIX machine:

/dev/pts/0: 3004-004 You must "exec" login from the lowest login shell.

Switching back to 2.1.1p4 fixes this -- configured identically to the latest snapshot (as per my last email).

Many thanks,

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"
I have tested this snapshot with SCO OpenServer 5.0.5 and 5.0.0. I have confirmed most basic functionality, scp, ssh, port forwarding, X11 forwarding, logins, remote execution, etc.

In fact this release fixes the problems I was having with SCO using p4. (See my post to the list titled "remote commands: Command terminated on signal 13." for details.) I don't know exactly what changed that fixed my problems under SCO but they're gone.

I also confirmed interoperability with p4 under linux and openssh-SNAP under SCO.

Everything looks good from my seat!

On Wed, Aug 23, 2000 at 11:54:40AM +1000, Damien Miller wrote:
>
> I have just tarred up a snapshot and uploaded it to:
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000823.tar.gz
>
> The snapshot incorporates the last month's fixes and enhancements from
> the openssh-unix-dev mailing list and from the OpenBSD developers.
>
> In particular:
>
>  - ssh-agent and ssh-add now handle DSA keys. NB. this does not interop
>    with ssh.com's ssh-agent. (Markus Friedl)
>  - Fix crashes when sshd is run out of inetd
>  - More fixes for SunOS4 and NeXT (Nate Itkin and Charles Levert)
>  - Add Solaris package support in contrib/solaris/ (Rip Loomis)
>  - Random Early Drop connection rate limiting for sshd (Markus Friedl)
>  - Fix duplicate lastlog logging (Markus & me)
>  - Add -u option to sshd to make wtmp logging more like login's (Markus)
>  - Use pipes instead of socketpairs to avoid scp not exiting problem
>    on SunOS4 and HPUX 10. (Klaus Engelhardt, Tamito KAJIYAMA & Lutz
>    Jaenicke)
>  - Lots of other fixes (see changelog below)
>
> Please give the snapshot a good run and report problems back to the
> mailing list.
>
> If you have received this email twice, it is because you are on the
> list of testers. I will be setting up a separate email list over the
> weekend.
>
> Regards,
> Damien Miller
>
> Changelog:
>
> 20000823
>  - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4
>    Avoids "scp never exits" problem. Reports from Lutz Jaenicke
>    <Lutz.Jaenicke at aet.TU-Cottbus.DE> and Tamito KAJIYAMA
>    <kajiyama at grad.sccs.chukyo-u.ac.jp>
>  - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers
>  - (djm) Add local version to version.h
>  - (djm) OpenBSD CVS updates:
>    - deraadt at cvs.openbsd.org 2000/08/18 20:07:23
>      [ssh.c]
>      accept remsh as a valid name as well; roman at buildpoint.com
>    - deraadt at cvs.openbsd.org 2000/08/18 20:17:13
>      [deattack.c crc32.c packet.c]
>      rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to
>      libz crc32 function yet, because it has ugly "long"'s in it;
>      oneill at cs.sfu.ca
>    - deraadt at cvs.openbsd.org 2000/08/18 20:26:08
>      [scp.1 scp.c]
>      -S prog support; tv at debian.org
>    - deraadt at cvs.openbsd.org 2000/08/18 20:50:07
>      [scp.c]
>      knf
>    - deraadt at cvs.openbsd.org 2000/08/18 20:57:33
>      [log-client.c]
>      shorten
>    - markus at cvs.openbsd.org 2000/08/19 12:48:11
>      [channels.c channels.h clientloop.c ssh.c ssh.h]
>      support for ~. in ssh2
>    - deraadt at cvs.openbsd.org 2000/08/19 15:29:40
>      [crc32.h]
>      proper prototype
>    - markus at cvs.openbsd.org 2000/08/19 15:34:44
>      [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1]
>      [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile]
>      [fingerprint.c fingerprint.h]
>      add SSH2/DSA support to the agent and some other DSA related cleanups.
>      (note that we cannot talk to ssh.com's ssh2 agents)
>    - markus at cvs.openbsd.org 2000/08/19 15:55:52
>      [channels.c channels.h clientloop.c]
>      more ~ support for ssh2
>    - markus at cvs.openbsd.org 2000/08/19 16:21:19
>      [clientloop.c]
>      oops
>    - millert at cvs.openbsd.org 2000/08/20 12:25:53
>      [session.c]
>      We have to stash the result of get_remote_name_or_ip() before we
>      close our socket or getpeername() will get EBADF and the process
>      will exit. Only a problem for "UseLogin yes".
>    - millert at cvs.openbsd.org 2000/08/20 12:30:59
>      [session.c]
>      Only check /etc/nologin if "UseLogin no" since login(1) may have its
>      own policy on determining who is allowed to login when /etc/nologin
>      is present. Also use the _PATH_NOLOGIN define.
>    - millert at cvs.openbsd.org 2000/08/20 12:42:43
>      [auth1.c auth2.c session.c ssh.c]
>      Add calls to setusercontext() and login_get*(). We basically call
>      setusercontext() in most places where previously we did a setlogin().
>      Add default login.conf file and put root in the "daemon" login class.
>    - millert at cvs.openbsd.org 2000/08/21 10:23:31
>      [session.c]
>      Fix incorrect PATH setting; noted by Markus.
>
> 20000818
>  - (djm) OpenBSD CVS changes:
>    - markus at cvs.openbsd.org 2000/07/22 03:14:37
>      [servconf.c servconf.h sshd.8 sshd.c sshd_config]
>      random early drop; ok theo, niels
>    - deraadt at cvs.openbsd.org 2000/07/26 11:46:51
>      [ssh.1]
>      typo
>    - deraadt at cvs.openbsd.org 2000/08/01 11:46:11
>      [sshd.8]
>      many fixes from pepper at mail.reppep.com
>    - provos at cvs.openbsd.org 2000/08/01 13:01:42
>      [Makefile.in util.c aux.c]
>      rename aux.c to util.c to help with cygwin port
>    - deraadt at cvs.openbsd.org 2000/08/02 00:23:31
>      [authfd.c]
>      correct sun_len; Alexander at Leidinger.net
>    - provos at cvs.openbsd.org 2000/08/02 10:27:17
>      [readconf.c sshd.8]
>      disable kerberos authentication by default
>    - provos at cvs.openbsd.org 2000/08/02 11:27:05
>      [sshd.8 readconf.c auth-krb4.c]
>      disallow kerberos authentication if we can't verify the TGT; from
>      dugsong@
>      kerberos authentication is on by default only if you have a srvtab.
>    - markus at cvs.openbsd.org 2000/08/04 14:30:07
>      [auth.c]
>      unused
>    - markus at cvs.openbsd.org 2000/08/04 14:30:35
>      [sshd_config]
>      MaxStartups
>    - markus at cvs.openbsd.org 2000/08/15 13:20:46
>      [authfd.c]
>      cleanup; ok niels@
>    - markus at cvs.openbsd.org 2000/08/17 14:05:10
>      [session.c]
>      cleanup login(1)-like jobs, no duplicate utmp entries
>    - markus at cvs.openbsd.org 2000/08/17 14:06:34
>      [session.c sshd.8 sshd.c]
>      sshd -u len, similar to telnetd
>  - (djm) Lastlog was not getting closed after writing login entry
>  - (djm) Add Solaris package support from Rip Loomis <loomisg at cist.saic.com>
>
> 20000816
>  - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc)
>  - (djm) Fix strerror replacement for old SunOS. Based on patch from
>    Charles Levert <charles at comm.polymtl.ca>
>  - (djm) Separate arc4random into separate file and use OpenSSL's RC4
>    implementation.
>  - (djm) SUN_LEN macro for systems which lack it
>
> 20000815
>  - (djm) More SunOS 4.1.x fixes from Nate Itkin <nitkin at europa.com>
>  - (djm) Avoid failures on Irix when ssh is not setuid. Fix from
>    Michael Stone <mstone at cs.loyola.edu>
>  - (djm) Don't seek in directory based lastlogs
>  - (djm) Fix --with-ipaddr-display configure option test. Patch from
>    Jarno Huuskonen <jhuuskon at messi.uku.fi>
>  - (djm) Fix AIX limits from Alexandre Oliva <oliva at lsd.ic.unicamp.br>
>
> 20000813
>  - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from
>    Fabrice bacchella <fabrice.bacchella at marchfirst.fr>
>
> 20000809
>  - (djm) Define AIX hard limits if headers don't. Report from
>    Bill Painter <william.t.painter at lmco.com>
>  - (djm) utmp direct write & SunOS 4 patch from Charles Levert
>    <charles at comm.polymtl.ca>
>
> 20000808
>  - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install
>    time, spec file cleanup.
>
> 20000807
>  - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke
>  - (djm) Suppress error messages on channel close shutdown() failures
>    works around Linux bug.
>    Patch from Zack Weinberg <zack at wolery.cumb.org>
>  - (djm) Add some more entropy collection commands from Lutz Jaenicke
>
> 20000725
>  - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF
>
> 20000721
>  - (djm) OpenBSD CVS updates:
>    - markus at cvs.openbsd.org 2000/07/16 02:27:22
>      [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c]
>      [sshconnect1.c sshconnect2.c]
>      make ssh-add accept dsa keys (the agent does not)
>    - djm at cvs.openbsd.org 2000/07/17 19:25:02
>      [sshd.c]
>      Another closing of stdin; ok deraadt
>    - markus at cvs.openbsd.org 2000/07/19 18:33:12
>      [dsa.c]
>      missing free, reorder
>    - markus at cvs.openbsd.org 2000/07/20 16:23:14
>      [ssh-keygen.1]
>      document input and output files
>
> 20000720
>  - (djm) Spec file fix from Petr Novotny <Petr.Novotny at antek.cz>
>
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)