mouring at etoh.eviladmin.org
2001-Apr-24 18:01 UTC
Call for testing for coming 2.9 release.
If we can get people to test their platforms against the last snapshot/cvs tree I'd be grateful. (http://www.openssh.com/portable.html)

I know NeXT platform has problems. I'm going to spend tonight looking at it.

Also, take a moment to see what manpage type ./configure decided for your system and if it's 'cat' please let us know.

Thanks.

- Ben
Yo Ben!

On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

First pass, it seems fine on Slackware 7. A few problems on Unixware 7.1.0.

> Also, take a moment to see what manpage type ./configure decided for your
> system and if it's 'cat' please let us know.

Here is the config output from Unixware 7.1.0:

OpenSSH configured has been configured with the following options.
    User binaries: /usr/local/bin
    User binaries: /usr/local/bin
    System binaries: /usr/local/sbin
    Configuration files: /usr/local/etc
    Askpass program: /usr/local/libexec/ssh-askpass
    Manual pages: /usr/local/man/catX
    PID file: /usr/local/etc
    Random number collection: Builtin (timeout 200)
    Manpage format: cat
    PAM support: no
    KerberosIV support: no
    AFS support: no
    S/KEY support: no
    TCP Wrappers support: no
    MD5 password support: no
    IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
    Translate v4 in v6 hack: no

    Host: i586-sco-sysv5uw7.1.0
    Compiler: cc
    Compiler flags: -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include
    Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
    Libraries: -lsocket -lnsl -lz -lgen -lsocket -lcrypto
    Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl

Man pages are now fine.

I could compile and install fine, but when I try to start sshd I get this:

    bash-2.03# sshd
    error: Could not load host key: /usr/local/etc/ssh_host_dsa_key: Bad file number
    Disabling protocol version 1

I deleted this file (and the .pub) and did a new "make install" to regenerate it. Same results. The key files look OK to me. "sshd -ddd" gives me no clue.

Everything else seems OK, first pass, on Unixware 7.1 openssh-SNAP-20010217 runs fine.

I did update from openssl 0.9.6 to 0.9.6a at the same time, but I doubt that is the problem here.

Any ideas?
RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

I have just performed another "cvs update" and did not receive any changes for the last days. The ChangeLog ends 20010420, looking a bit strange as typically (for every kind of software :-) there is a rush of changes when a new release is due...

Is the CVS really up to date?

    ws01 27: cat CVS/Root
    :pserver:cvs at bass.directhit.com:/cvs

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

[ IMO, lots of this is also worth a read for Markus and the rest of the original OpenSSH folks ]

Tested on RHL62 and RHL71, built an RPM of the snapshot.

There is zero man page documentation for HostbasedAuthentication, either in ssh.1 or sshd.8. This has to be fixed. Some experimental features like HostbasedUsesNameFromPacketOnly might be left out, but the main procedure and the files involved should be added.

HostbasedAuthentication does not seem to consider files like shosts.equiv, just ~/.shosts. This is a serious shortcoming in campus-like computing environments, where traditionally hosts.equiv etc. are used. The new functionality could be easily added, just a few extra checks, I think.

hostbased auth in ssh client is tried after password. Should this be reversed (at least when this is more tested)?

You can also gather data from the server configuration, like:

---
[...]
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Server has been configured to ignore .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Server has been configured to ignore .shosts.
[...]
---

Is this notification a feature of the protocol, or some extra information sshd gives? Some people might call this an unnecessary disclosure (I'm not too concerned though), and this has its uses.

With:

$ ssh -o HostbasedAuthentication=yes -o PasswordAuthentication=no -v pekkas at netcore.fi

---
[...]
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/psavola/.ssh/id_rsa
debug1: try pubkey: /home/psavola/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: no more auth methods to try
Permission denied (publickey,password,hostbased).
debug1: Calling cleanup 0x8063580(0x0)
[...]
---

Somehow the hostbased ends up being refused after all; dunno why (can't run sshd -d -d -d at the moment). HostbasedAuthentication is enabled in sshd_config.

Also: shouldn't the list of authentications that can continue reduce when previous ones fail or does this list have some other meaning? What I mean, is the output like:

---
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/psavola/.ssh/id_rsa
debug1: try pubkey: /home/psavola/.ssh/id_dsa
debug1: authentications that can continue: hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: hostbased
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: [none]
debug1: no more auth methods to try
---

Also, perhaps it might be a good idea to remove noreplace from sshd_config in contrib/redhat/openssh.spec %files? It was added by djm, but if you upgrade (esp. unattended), you may find yourself in a situation where your sshd_config changes radically and you can no longer log in.

whew. a long one.

--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
Hi,

On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

I tested AIX 4.3 today (snapshot of about 14:00 MET). No issues.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

The snapshot hasn't been updated since the May 19th. The CVS version has some changes from the 20th, but nothing more recent. Is there anything newer that we're supposed to be testing? The version.h file says that it is "OpenSSH_2.5.4p1", and it was last changed on the 5th of April. (This all refers to the bass.directhit.com site that is referenced on the portable.html web page.)

One simple change that is needed is to fix the check for perl5 in configure. The check fails if "perl5" is not found because it does not check for just "perl" (since it's calling the wrong macro). Here's a patch:

Index: configure.in @@ -12,7 +12,7 @@ AC_PROG_RANLIB AC_PROG_INSTALL AC_PATH_PROG(AR, ar) -AC_PATH_PROG(PERL, perl5 perl) +AC_PATH_PROGS(PERL, perl5 perl) AC_SUBST(PERL) AC_PATH_PROG(ENT, ent) AC_SUBST(ENT)

Once this is fixed, the man pages got properly generated in "man" format for Solaris 2.6 (x86).

I noticed that the changes that are needed to get ssh to work on Solaris using "UseLogin true" are not present in the CVS version. I've ported them to the version I just grabbed from CVS -- shall I send an updated diff?

..wayne..
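Review bot: the AC_PATH_PROGS(PERL, perl5 perl) line gives no value-if-not-found argument, and the next line shown, AC_SUBST(PERL), substitutes whatever was found without checking it. When neither perl5 nor perl is on the PATH, PERL ends up empty and any Makefile rule that runs $(PERL) will fail at build time instead of at configure time. Consider testing for an empty PERL right after the macro and either warning or falling back to the preformatted pages.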
On Tue, 24 Apr 2001, Wayne Davison wrote:

> > Index: configure.in > @@ -12,7 +12,7 @@ > AC_PROG_RANLIB > AC_PROG_INSTALL > AC_PATH_PROG(AR, ar) > -AC_PATH_PROG(PERL, perl5 perl) > +AC_PATH_PROGS(PERL, perl5 perl) > AC_SUBST(PERL) > AC_PATH_PROG(ENT, ent) > AC_SUBST(ENT) > > Once this is fixed, the man pages got properly generated in "man" > format for Solaris 2.6 (x86).

I fixed this a few days ago.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net
Alpha Linux RedHat.

readpass.c: In function `read_passphrase':
readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards qualifiers from pointer target type
auth-passwd.c: In function `auth_password':
auth-passwd.c:209: warning: implicit declaration of function `crypt'
auth-passwd.c:209: warning: assignment makes pointer from integer without a cast
sftp-server.c: In function `process_read':
sftp-server.c:440: warning: long long unsigned int format, long unsigned int arg (arg 4)
sftp-server.c: In function `process_write':
sftp-server.c:481: warning: long long unsigned int format, long unsigned int arg (arg 4)
sftp-server.c: In function `ls_file':
sftp-server.c:724: warning: long long unsigned int format, long unsigned int arg (arg 8)
sftp-client.c: In function `do_download':
sftp-client.c:745: warning: long long unsigned int format, long unsigned int arg (arg 3)
sftp-client.c:778: warning: long long unsigned int format, long unsigned int arg (arg 3)
sftp-client.c: In function `do_upload':
sftp-client.c:899: warning: long long unsigned int format, long unsigned int arg (arg 3)
sftp-client.c:910: warning: long long unsigned int format, long unsigned int arg (arg 3)

The one in auth-passwd.c is bad because sizeof(void *) == 8 but sizeof(int) == 4.
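Added example (not part of the original post and not OpenSSH code): a small Python triage script that scans gcc output in the format quoted above and flags source locations where "implicit declaration of function" and "makes pointer from integer without a cast" are reported on the same line, the combination the poster singles out in auth-passwd.c. The pairing is a heuristic, the sample log is constructed from warning lines in the post, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: warning lines in the gcc format quoted in the post above.
BUILD_LOG = """\
auth-passwd.c: In function `auth_password':
readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards qualifiers from pointer target type
auth-passwd.c:209: warning: implicit declaration of function `crypt'
auth-passwd.c:209: warning: assignment makes pointer from integer without a cast
sftp-server.c:440: warning: long long unsigned int format, long unsigned int arg (arg 4)
"""

WARNING = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+): warning: (?P<msg>.*)$")
IMPLICIT = re.compile(r"implicit declaration of function [`'](?P<func>\w+)'")
INT_TO_PTR = "makes pointer from integer without a cast"


def parse_warnings(log):
    """Group warning messages by (file, line); other lines are skipped."""
    grouped = defaultdict(list)
    for raw in log.splitlines():
        m = WARNING.match(raw.strip())
        if m:
            grouped[(m["file"], int(m["line"]))].append(m["msg"])
    return grouped


def truncation_hazards(log):
    """Return (file, line, function) where an undeclared function's result
    is used as a pointer. The compiler assumes such a function returns int,
    so with 64-bit pointers and 32-bit int the upper half of the value is lost."""
    hazards = []
    for (path, line), msgs in sorted(parse_warnings(log).items()):
        funcs = [m["func"] for m in map(IMPLICIT.search, msgs) if m]
        if funcs and any(INT_TO_PTR in msg for msg in msgs):
            hazards.extend((path, line, func) for func in funcs)
    return hazards


if __name__ == "__main__":
    for path, line, func in truncation_hazards(BUILD_LOG):
        print(f"{path}:{line}: result of undeclared {func}() used as a pointer")
```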
On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

> Also, take a moment to see what manpage type ./configure decided for your
> system and if it's 'cat' please let us know.

FYI: for HP-UX (10.20), "man" format is recognized.

I have been running some short tests by now and the new version seems to work quite well. Some points:

* The "sleep 5 &" test still lets the connection hang. I only have a small amount of trouble with it. Unfortunately, some startup scripts (like the one for mysql) have the habit to not properly daemonize and thus exiting after doing some maintenance doesn't work. (This was/is also true for 2.5.2p2, but since I do not restart mysql every day, I won't note for a long time.)

* As somebody else already pointed out, "hostbased" authentication should be first, because there is no reason to bother for a public key passphrase or password, when another option will help anyway. (Markus' comment about not being tested enough applies, so the final decision for the default value is up to the developers team.)

What is definitely missing is a listing of the possible options in the "PreferredAuthentications" syntax in ssh.1 and ssh_config. A slogin -v gives the correct idea to use "hostbased", "publickey", and "password" as keywords, but as the naming scheme is not consistent "HostbasedAuthentication yes" vs "PreferredAuthentications hostbased..." an example line in ssh_config would probably save some time to dig into the source :-)

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
On Wed, Apr 25, 2001 at 11:37:57AM +0200, Lutz Jaenicke wrote:

> A slogin -v gives the correct idea to use "hostbased", "publickey",
> and "password" as keywords, but as the naming scheme is not consistent
> "HostbasedAuthentication yes" vs "PreferredAuthentications hostbased..."
> an example line in ssh_config would probably save some time to dig
> into the source :-)

Oh, and it seems that the default for HostbasedAuthentication is "no" (ssh.1 states it would be "yes")...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
On Tue, Apr 24, 2001 at 01:01:14PM -0500, mouring at etoh.eviladmin.org wrote:

> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)
>
> I know NeXT platform has problems. I'm going to spend tonight looking at
> it.
>
> Also, take a moment to see what manpage type ./configure decided for your
> system and if it's 'cat' please let us know.
>
> Thanks.

Hi,

the following patches are necessary to build the latest OpenSSH from CVS on Cygwin. The patch in `Makefile.in' is needed to be able to build in another dir than the sourcedir. Cygwin lacks `setgroups' and the header file `arpa/nameser.h'.

I couldn't check that it runs due to an eminent lack of time. I will try to check it 'til tomorrow.

Corinna

Index: Makefile.in ==================================================================RCS file: /cvs/openssh_cvs/Makefile.in,v retrieving revision 1.172 diff -u -p -r1.172 Makefile.in --- Makefile.in 2001/04/18 18:04:22 1.172 +++ Makefile.in 2001/04/25 13:49:27 @@ -123,9 +123,9 @@ logintest: logintest.o $(LIBCOMPAT) libs $(MANPAGES):: if test "$(MANTYPE)" = "cat"; then \ - manpage=`echo $@ | sed 's/\.[1-9]$$/\.0/'`; \ + manpage=`echo $(srcdir)/$@ | sed 's/\.[1-9]$$/\.0/'`; \ else \ - manpage=$@; \ + manpage=$(srcdir)/$@; \ fi; \ if test "$(MANTYPE)" = "man"; then \ $(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@.out; \ Index: uidswap.c ==================================================================RCS file: /cvs/openssh_cvs/uidswap.c,v retrieving revision 1.19 diff -u -p -r1.19 uidswap.c --- uidswap.c 2001/04/08 18:38:05 1.19 +++ uidswap.c 2001/04/25 13:49:27 
@@ -68,10 +68,11 @@ temporarily_use_uid(struct passwd *pw) if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } +#ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); - pw->pw_gid = pw->pw_gid; +#endif if (setegid(pw->pw_gid) < 0) fatal("setegid %u: %.100s", (u_int) pw->pw_gid, strerror(errno)); @@ -95,8 +96,10 @@ restore_uid(void) /* Set the effective uid back to the saved uid. */ if (seteuid(saved_euid) < 0) fatal("seteuid %u: %.100s", (u_int) saved_euid, strerror(errno)); +#ifndef HAVE_CYGWIN if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); +#endif if (setegid(saved_egid) < 0) fatal("setegid %u: %.100s", (u_int) saved_egid, strerror(errno)); temporarily_use_uid_effective = 0; Index: openbsd-compat/inet_ntop.c ==================================================================RCS file: /cvs/openssh_cvs/openbsd-compat/inet_ntop.c,v retrieving revision 1.1 diff -u -p -r1.1 inet_ntop.c --- openbsd-compat/inet_ntop.c 2001/04/12 21:35:53 1.1 +++ openbsd-compat/inet_ntop.c 2001/04/25 13:49:27 @@ -34,7 +34,9 @@ static char rcsid[] = "$OpenBSD: inet_nt #include "openbsd-compat/fake-socket.h" #include <netinet/in.h> #include <arpa/inet.h> +#ifndef HAVE_CYGWIN #include <arpa/nameser.h> +#endif #include <string.h> #include <errno.h> #include <stdio.h> -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
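Review bot: in the Makefile.in hunk, the new manpage=$(srcdir)/$@ value is expanded unquoted as $${manpage} on the $(FIXPATHSCMD) line, and the echo $(srcdir)/$@ in the cat branch is unquoted as well, so a source directory whose path contains whitespace splits into several arguments. Quoting both expansions keeps the out-of-tree build, which is the purpose of this change, working for such paths.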
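Review bot: in the temporarily_use_uid() hunk of uidswap.c, the #ifndef HAVE_CYGWIN removes the setgroups() call with no comment on what that means: on Cygwin the process keeps its current supplementary groups while setegid() switches to the unprivileged user, and the getgroups() result checked just above is gathered but never applied. The guard also opens above the "Set the effective uid" comment, which then reads as if it described only the guarded block. Please add a comment stating that Cygwin has no setgroups() and that supplementary groups are left unchanged there, move the existing comment outside the guard, and mention in the description that the no-op pw->pw_gid = pw->pw_gid; line is dropped as a separate cleanup.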
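Review bot: the restore_uid() hunk of uidswap.c repeats the same platform guard around setgroups(saved_egroupslen, saved_egroups). Since the stated reason is that the function is missing, a configure check for setgroups would express that directly, cover any other platform that lacks it, and stop skipping the call if Cygwin later provides it. Whichever guard is used, it has to stay identical in temporarily_use_uid() and restore_uid() so the two never disagree about whether groups were changed.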
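Review bot: the openbsd-compat/inet_ntop.c hunk skips #include <arpa/nameser.h> on Cygwin but does not show where anything the file takes from that header is defined instead. If inet_ntop.c relies on definitions from it, the same change should supply them for the HAVE_CYGWIN case; if it relies on none, the include can be dropped for every platform rather than guarded. A configure header check would also fit better here than a platform macro.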