openssh unix dev - Oct 2001 - Please test snapshots for 3.0 release

Could everyone please test the latest snapshots as we will be making a
new release soon.

If you have any patches you would like us to consider, please resend 
them to the list ASAP.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor
man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan
Geer

On Fri, 12 Oct 2001, Damien Miller wrote:
> If you have any patches you would like us to consider, please resend
> them to the list ASAP.
"make veryclean" doesn't remove scard/Makefile

--- #Makefile.in        Tue Sep 18 14:06:22 2001
+++ Makefile.in Fri Oct 12 10:56:08 2001
@@ -158,6 +158,7 @@
        rm -f *.out core
        rm -f Makefile config.h config.status ssh_prng_cmds *~
        (cd openbsd-compat; $(MAKE) distclean)
+       (cd scard; $(MAKE) distclean)

 mrproper: distclean

On Fri, 12 Oct 2001, Damien Miller wrote:
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
>
> If you have any patches you would like us to consider, please resend
> them to the list ASAP.
1) As sshd -t is used when restarting sshd with RH scripts now, I think
sshd_config is better marked with noreplace as config files should.

2) I'd probably remove '--with-ipv4-default'; it's a major
release after
all.  I haven't noticed problems with this, and if you'd have to run
'sshd
-6', IPv4 port forwarding through mapped addresses won't work.

3) Building appears to rely on the existance of rather recent openssl.
This is good from security perspective, but will make building with e.g.
0.9.5a impossible.  If this is intended to be requirement (there _have_
been security fixes), at least Requires:  openssl >= 0.9.6 or whatever
should be added and the requirement noted in the docs.

The build failed on my RHL62 with:

./libssh.a(key.o): In function `write_bignum':
key.o(.text+0x7f7): undefined reference to `OPENSSL_free'

I bet this is an issue that people might complain about.

Build works ok on RHL72 beta w/ openssh 0.9.6b.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
-------------- next part --------------
Index: openssh.spec
==================================================================RCS file:
/cvs/openssh_cvs/contrib/redhat/openssh.spec,v
retrieving revision 1.86
diff -u -r1.86 openssh.spec
--- openssh.spec	2001/09/26 14:24:21	1.86
+++ openssh.spec	2001/09/27 15:51:33
@@ -264,8 +264,7 @@
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
-#%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
-%attr(0600,root,root) %config %{_sysconfdir}/sshd_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sshd_config
 %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0755,root,root) %config /etc/rc.d/init.d/sshd

Hello, 

after the discussion about when to send AFS tokens I've created a pacthc
which includes a new option to ssh and sshd:
If AFSPassTokenBeforeAuth is set to yes (default no)
tokens are passed as they where in releases < 2.9.9p2.

So now the admin has the choice.

Cheers
Serge



-- 
Serge Droz
Paul Scherrer Institut                mailto:serge.droz at psi.ch
CH-5232 Villigen PSI                   Phone: ++41 56 310 3637
-------------- next part --------------
diff -u openssh.orig/auth1.c openssh/auth1.c
--- openssh.orig/auth1.c	Wed Jul  4 06:21:16 2001
+++ openssh/auth1.c	Fri Oct 12 11:57:52 2001
@@ -118,6 +118,24 @@
 		/* Process the packet. */
 		switch (type) {
 
+#ifdef AFS
+	   case SSH_CMSG_HAVE_AFS_TOKEN:
+	       if ( options.afs_pass_token_before_auth ) {
+			   if (!options.afs_token_passing || !k_hasafs()) {
+				   verbose("AFS token passing disabled.");
+				   break;
+			   } else {
+				   /* Accept AFS token. */
+				   char *token_string = packet_get_string(&dlen);
+				   packet_integrity_check(plen, 4 + dlen, type);
+				   if (!auth_afs_token(authctxt, token_string))
+					   verbose("AFS token REFUSED for %.100s", authctxt->user);
+				   xfree(token_string);
+			   }
+           } else  packet_send_debug("AFS token passing disabled before
authentication.");
+           break;
+#endif /* AFS */
+
 #if defined(KRB4) || defined(KRB5)
 		case SSH_CMSG_AUTH_KERBEROS:
 			if (!options.kerberos_authentication) {
@@ -168,11 +186,11 @@
 		case SSH_CMSG_HAVE_KERBEROS_TGT:
 			packet_send_debug("Kerberos TGT passing disabled before
authentication.");
 			break;
-#ifdef AFS
-		case SSH_CMSG_HAVE_AFS_TOKEN:
-			packet_send_debug("AFS token passing disabled before
authentication.");
-			break;
-#endif /* AFS */
+//#ifdef AFS
+//		case SSH_CMSG_HAVE_AFS_TOKEN:
+//		    packet_send_debug("AFS token passing disabled before
authentication.");
+//			break;
+//#endif /* AFS */
 #endif /* AFS || KRB5 */
 			
 		case SSH_CMSG_AUTH_RHOSTS:
diff -u openssh.orig/readconf.c openssh/readconf.c
--- openssh.orig/readconf.c	Wed Oct  3 19:39:39 2001
+++ openssh/readconf.c	Fri Oct 12 11:32:50 2001
@@ -103,7 +103,7 @@
 	oKerberosTgtPassing,
 #endif
 #ifdef AFS
-	oAFSTokenPassing,
+	oAFSTokenPassing,oAFSPassTokenBeforeAuth,
 #endif
 	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
 	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
@@ -149,6 +149,7 @@
 #endif
 #ifdef AFS
 	{ "afstokenpassing", oAFSTokenPassing },
+	{ "afspasstokenbeforeauth", oAFSPassTokenBeforeAuth},
 #endif
 	{ "fallbacktorsh", oFallBackToRsh },
 	{ "usersh", oUseRsh },
@@ -372,6 +373,9 @@
 	case oAFSTokenPassing:
 		intptr = &options->afs_token_passing;
 		goto parse_flag;
+	case oAFSPassTokenBeforeAuth:
+		intptr = &options->afs_pass_token_before_auth;
+		goto parse_flag;
 #endif
 	case oFallBackToRsh:
 		intptr = &options->fallback_to_rsh;
@@ -759,6 +763,7 @@
 #endif
 #ifdef AFS
 	options->afs_token_passing = -1;
+	options->afs_pass_token_before_auth = -1;
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
@@ -842,6 +847,8 @@
 #ifdef AFS
 	if (options->afs_token_passing == -1)
 		options->afs_token_passing = 1;
+	if (options->afs_pass_token_before_auth == -1)
+		options->afs_pass_token_before_auth = 0;
 #endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
diff -u openssh.orig/readconf.h openssh/readconf.h
--- openssh.orig/readconf.h	Wed Oct  3 19:39:39 2001
+++ openssh/readconf.h	Fri Oct 12 11:10:56 2001
@@ -49,6 +49,7 @@
 #endif
 #ifdef AFS
 	int     afs_token_passing;	/* Try AFS token passing. */
+	int     afs_pass_token_before_auth;	/* Pass Token before Auth. */
 #endif
 	int     password_authentication;	/* Try password
 						 * authentication. */
diff -u openssh.orig/servconf.c openssh/servconf.c
--- openssh.orig/servconf.c	Wed Sep 12 18:32:15 2001
+++ openssh/servconf.c	Fri Oct 12 11:55:46 2001
@@ -79,6 +79,7 @@
 #endif
 #ifdef AFS
 	options->afs_token_passing = -1;
+	options->afs_pass_token_before_auth = -1;
 #endif
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
@@ -184,6 +185,8 @@
 #ifdef AFS	
 	if (options->afs_token_passing == -1)
 		options->afs_token_passing = k_hasafs();
+	if (options->afs_pass_token_before_auth == -1)
+		options->afs_pass_token_before_auth = 0;  
 #endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
@@ -233,6 +236,7 @@
 #endif
 #ifdef AFS
 	sAFSTokenPassing,
+	sAFSPassTokenBeforeAuth,
 #endif
 	sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
@@ -281,6 +285,7 @@
 #endif
 #ifdef AFS
 	{ "afstokenpassing", sAFSTokenPassing },
+	{ "afspasstokenbeforeauth", sAFSPassTokenBeforeAuth },
 #endif
 	{ "passwordauthentication", sPasswordAuthentication },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
@@ -611,6 +616,9 @@
 #ifdef AFS
 		case sAFSTokenPassing:
 			intptr = &options->afs_token_passing;
+			goto parse_flag;
+		case sAFSPassTokenBeforeAuth:
+			intptr = &options->afs_pass_token_before_auth;
 			goto parse_flag;
 #endif
 
diff -u openssh.orig/servconf.h openssh/servconf.h
--- openssh.orig/servconf.h	Wed Sep 12 18:40:06 2001
+++ openssh/servconf.h	Fri Oct 12 10:49:03 2001
@@ -89,6 +89,7 @@
 #endif
 #ifdef AFS
 	int     afs_token_passing;	/* If true, permit AFS token passing. */
+	int     afs_pass_token_before_auth;	/* If true, pass AFS token before user
authenticication. */
 #endif
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
diff -u openssh.orig/ssh.1 openssh/ssh.1
--- openssh.orig/ssh.1	Wed Oct  3 19:39:39 2001
+++ openssh/ssh.1	Fri Oct 12 12:06:14 2001
@@ -707,6 +707,13 @@
 or
 .Dq no .
 This option applies to protocol version 1 only.
+.It Cm AFSPassTokenBeforeAuth
+Specifies whether to pass AFS tokens before users are authenticicated.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+This option applies to protocol version 1 only.
 .It Cm BatchMode
 If set to
 .Dq yes ,
diff -u openssh.orig/sshconnect1.c openssh/sshconnect1.c
--- openssh.orig/sshconnect1.c	Wed Oct 10 07:03:12 2001
+++ openssh/sshconnect1.c	Fri Oct 12 11:48:01 2001
@@ -1139,6 +1139,26 @@
 		goto success;
 	if (type != SSH_SMSG_FAILURE)
 		packet_disconnect("Protocol error: got %d in response to
SSH_CMSG_USER", type);
+
+
+#ifdef AFS
+    if (   options.afs_pass_token_before_auth ) {
+	   /* Try Kerberos v4 TGT passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT))
&&
+		   options.kerberos_tgt_passing) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Ticket will be transmitted in
the clear!");
+		   send_krb4_tgt();
+	   }
+	   /* Try AFS token passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN))
&&
+		   options.afs_token_passing  && k_hasafs()) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Token will be transmitted in
the clear!");
+		   send_afs_tokens();
+	   }
+	}
+#endif /* AFS */
 	
 #ifdef KRB5
 	if ((supported_authentications & (1 << SSH_AUTH_KERBEROS))
&&
@@ -1256,19 +1276,21 @@
 #endif
 	
 #ifdef AFS
-	/* Try Kerberos v4 TGT passing if the server supports it. */
-	if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT))
&&
-	    options.kerberos_tgt_passing) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			log("WARNING: Encryption is disabled! Ticket will be transmitted in the
clear!");
-		send_krb4_tgt();
-	}
-	/* Try AFS token passing if the server supports it. */
-	if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN))
&&
-	    options.afs_token_passing && k_hasafs()) {
-		if (options.cipher == SSH_CIPHER_NONE)
-			log("WARNING: Encryption is disabled! Token will be transmitted in the
clear!");
-		send_afs_tokens();
+    if ( !  options.afs_pass_token_before_auth ) {
+	   /* Try Kerberos v4 TGT passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT))
&&
+		   options.kerberos_tgt_passing) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Ticket will be transmitted in
the clear!");
+		   send_krb4_tgt();
+	   }
+	   /* Try AFS token passing if the server supports it. */
+	   if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN))
&&
+		   options.afs_token_passing  && k_hasafs()) {
+		   if (options.cipher == SSH_CIPHER_NONE)
+			   log("WARNING: Encryption is disabled! Token will be transmitted in
the clear!");
+		   send_afs_tokens();
+	   }
 	}
 #endif /* AFS */
 
diff -u openssh.orig/sshd.8 openssh/sshd.8
--- openssh.orig/sshd.8	Wed Oct  3 19:15:32 2001
+++ openssh/sshd.8	Fri Oct 12 12:07:14 2001
@@ -314,6 +314,11 @@
 Specifies whether an AFS token may be forwarded to the server.
 Default is
 .Dq yes .
+.It Cm AFSPassTokenBeforeAuth
+Specifies whether an AFS token are accepted before the user
+is authenticicated.
+Default is
+.Dq yes .
 .It Cm AllowGroups
 This keyword can be followed by a list of group names, separated
 by spaces.

>>>>> "DM" == Damien Miller <djm at mindrot.org>
writes:
 DM> Could everyone please test the latest snapshots as we will be making a
 DM> new release soon.

I am testing against RH7.2beta, including support for KRB4 (kth-1.0.7)
and AFS. Openssh CVS snapshot as of Oct 12 11:52 CEST.

Current problems:

- mkstemp on RH7.2 is detected (so the bsd-mkstemp.o will be empty),
but this version needs "XXXXXX" in the file name template, otherwise
it will return an error (EINVAL). In auth-krb4.c, the current template
includes just pid and uid, no "X"s. Due to the logic in auth-krb4.c
this error is misinterpreted as "file already present", with a
subsequent check on ownership failing. Please not that the bsd-mkstemp()
handles the situation just fine.

- a rather recent autoconf appears to be needed for AC_SYS_LARGEFILE,
RH7.2beta ships with  2.13 (too old).

- compiling openbsd-compat/ shows lots of errors, I haven't sorted
these out yet (and they could be my fault):

(cd openbsd-compat; make)
make[1]: Entering directory
`/afs/cern.ch/project/connectivity/openssh-2.cvs-tmp/openbsd-compat'
gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./..
-I/afs/cern.ch/project/connectivity/openssl-0.9.6/i386_linux24/install/include 
-I/afs/cern.ch/project/connectivity/krb4-1.0.7/i386_linux24/install/include
-I/afs/cern.ch/project/connectivity/krb4-1.0.7/i386_linux24/install/include
-DHAVE_CONFIG_H -c bsd-arc4random.c
In file included from ../openbsd-compat/openbsd-compat.h:23,
                 from ../includes.h:102,
                 from bsd-arc4random.c:25:
../openbsd-compat/strsep.h:9: parse error before `__extension__'
../openbsd-compat/strsep.h:9: parse error before `('
In file included from ../openbsd-compat/openbsd-compat.h:32,
                 from ../includes.h:102,
                 from bsd-arc4random.c:25:
../openbsd-compat/bsd-misc.h:66: redefinition of `struct timeval'
../openbsd-compat/bsd-misc.h:72: two or more data types in declaration of
`utimes'
In file included from ../openbsd-compat/openbsd-compat.h:39,
                 from ../includes.h:102,
                 from bsd-arc4random.c:25:
../openbsd-compat/fake-socket.h:13: redefinition of `struct
sockaddr_storage'
../openbsd-compat/fake-socket.h:27: redefinition of `struct in6_addr'
../openbsd-compat/fake-socket.h:28: warning: no semicolon at end of struct or
union
../openbsd-compat/fake-socket.h:28: parse error before `.'
../openbsd-compat/fake-socket.h:33: redefinition of `struct sockaddr_in6'
make[1]: *** [bsd-arc4random.o] Error 1
make[1]: Leaving directory
`/afs/cern.ch/project/connectivity/openssh-2.cvs-tmp/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

Best regards
Jan

> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
Are patches against 2.9.9p2 OK, or would you rather they were against the
latest CVS tree? I've got a set of fixes to make the SSH v1 Kerberos stuff
compile against the MIT libraries.

Cheers,

Simon.

> On Fri, 12 Oct 2001, Simon Wilkinson wrote:
> > Are patches against 2.9.9p2 OK, or would you rather they were against
the
> > latest CVS tree? 
> 
> Definitely the latest CVS tree.
Ok - I'll pull it over and update my patches.
> > I've got a set of fixes to make the SSH v1 Kerberos stuff
> > compile against the MIT libraries.
> 
> How did you do that? I thought there were fairly terminal conflicts 
> between MIT krb4 and libcrypto?
Not the krb4 stuff (which is where the library conflict is), but the new 
krb5 code. In other words - my patch makes it build with KRB5 defined.

Cheers,

Simon.

On Fri, 12 Oct 2001, Damien Miller wrote:
> Date: Fri, 12 Oct 2001 11:47:38 +1000 (EST)
> From: Damien Miller <djm at mindrot.org>
> To: openssh-unix-dev at mindrot.org
> Subject: Please test snapshots for 3.0 release
>
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
>
> If you have any patches you would like us to consider, please resend
> them to the list ASAP.
I don't know if this has been fixed in the current snapshot... but in
2.9.9p2 the following needs to be fixed to compile cleanly on Sol8 with
Sun's compilers:

*** ./session.c_orig    Wed Oct 10 16:20:37 2001
--- ./session.c Wed Oct 10 16:22:34 2001
***************
*** 139,144 ****
--- 139,148 ----
  static void session_close(Session *);
  static int session_pty_req(Session *);

+ #ifdef LOGIN_NEEDS_UTMPX
+ void do_pre_login(Session *s);
+ #endif
+
  /* import */
  extern ServerOptions options;
  extern char *__progname;


Thanks,

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller
wrote:
> Subject: Re: Please test snapshots for 3.0 release
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
I have posted this one several times and I ask that you *please* put it
in.  Many people have asked for this one, and Markus has done all the
preparatory work in the base code so changes only need to be made to the
portable code.  It works for all systems that use /etc/shadow, most notably
Solaris and Linux.

Below is the patch updated to the latest CVS.  Don't forget to run
autoheader and autoconf before re-running configure.

- Dave Dykstra


--- auth.c.O	Fri Oct 12 14:42:38 2001
+++ auth.c	Fri Oct 12 14:57:29 2001
@@ -49,6 +49,9 @@
 #include "uidswap.h"
 #include "tildexpand.h"
 
+/* set when password has expired */
+int forced_passwd_change = 0;
+
 /* import */
 extern ServerOptions options;
 
@@ -89,8 +92,12 @@
 
 		/* Check password expiry */
 		if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0)
&&
-		    (days > (spw->sp_lstchg + spw->sp_max)))
-			return 0;
+		    (days > (spw->sp_lstchg + spw->sp_max))) {
+			if ((pw->pw_uid == 0))
+				return 0;
+
+			forced_passwd_change = 1;
+		}
 	}
 #else
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
--- auth.h.O	Thu Aug 23 13:18:52 2001
+++ auth.h	Fri Oct 12 15:00:10 2001
@@ -40,6 +40,9 @@
 #include <krb5.h>
 #endif
 
+/* set when password has expired */
+extern int forced_passwd_change;
+
 typedef struct Authctxt Authctxt;
 typedef struct KbdintDevice KbdintDevice;
 
--- session.c.O	Fri Oct 12 14:42:41 2001
+++ session.c	Fri Oct 12 15:04:29 2001
@@ -656,7 +656,31 @@
 void
 do_exec(Session *s, const char *command)
 {
-	if (forced_command) {
+	if (forced_passwd_change) {
+		char *user = s->pw->pw_name;
+		char *msg;
+
+		if (s->ttyfd != -1) {
+			msg = "Password for %.100s has expired, running 'passwd' to
reset it";
+			/*
+			 * Can't pass "user" to 'passwd' because Linux
doesn't
+			 * allow it.
+			 * Also, the prompt is friendlier without "user".
+			 */
+			command = PASSWD_PATH;
+		} else {
+			msg = "Password for %.100s has expired and cannot be changed without a
pty";
+			/*
+			 * Without a pty, Solaris 'passwd' prints "Permission
+			 * denied", but Linux attempts to change the password
+			 * and fails miserably, so echo an error message instead
+			 */
+			command = "/bin/sh -c 'echo Permission denied >&2; exit
1'";
+		}
+		log(msg, user);
+		packet_send_debug(msg, user);
+
+	} else if (forced_command) {
 		original_command = command;
 		command = forced_command;
 		debug("Forced command '%.900s'", command);
--- configure.in.O	Fri Oct 12 14:42:39 2001
+++ configure.in	Fri Oct 12 15:00:57 2001
@@ -1449,6 +1449,10 @@
 	AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path")
 fi
 
+AC_PATH_PROG(PASSWD_PATH, passwd)
+AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH")
+
+
 # Check for mail directory (last resort if we cannot get it from headers)
 if test ! -z "$MAIL" ; then
 	maildir=`dirname $MAIL`
--- acconfig.h.O	Fri Oct 12 14:42:37 2001
+++ acconfig.h	Fri Oct 12 14:58:43 2001
@@ -214,6 +214,9 @@
 /* Define if rsh is found in your path */
 #undef RSH_PATH
 
+/* Define if passwd is found in your path */
+#undef PASSWD_PATH
+
 /* Define if you want to allow MD5 passwords */
 #undef HAVE_MD5_PASSWORDS

On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller
wrote:
> Subject: Re: Please test snapshots for 3.0 release
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
I have posted this one twice.  I have tested it with the latest portable
CVS, but it needs to apply to the openbsd CVS.  It applies cleanly there.
Please apply it, Markus.

- Dave Dykstra


--- compat.h.O	Fri Oct 12 15:26:49 2001
+++ compat.h	Fri Oct 12 15:27:21 2001
@@ -51,6 +51,7 @@
 #define SSH_BUG_OPENFAILURE	0x00020000
 #define SSH_BUG_DERIVEKEY	0x00040000
 #define SSH_BUG_DUMMYCHAN	0x00100000
+#define SSH_BUG_SERVERLIESSIZE	0x00200000
 
 void     enable_compat13(void);
 void     enable_compat20(void);
--- compat.c.O	Fri Oct 12 14:42:39 2001
+++ compat.c	Fri Oct 12 15:27:50 2001
@@ -117,6 +117,8 @@
 		{ "^1\\.7 SecureFX",	SSH_OLD_SESSIONID },
 		{ "^1\\.2\\.1[89]",	SSH_BUG_IGNOREMSG },
 		{ "^1\\.2\\.2[012]",	SSH_BUG_IGNOREMSG },
+		{ "^1\\.2\\.2[3-9]",	SSH_BUG_SERVERLIESSIZE },
+		{ "^1\\.2\\.3[0-1]",	SSH_BUG_SERVERLIESSIZE },
 		{ "^1\\.3\\.2",		SSH_BUG_IGNOREMSG },	/* f-secure */
 		{ "^SSH Compatible Server",			/* Netscreen */
 					SSH_BUG_PASSWORDPAD },
--- sshconnect1.c.O	Fri Oct 12 14:42:43 2001
+++ sshconnect1.c	Fri Oct 12 15:30:16 2001
@@ -37,6 +37,7 @@
 #include "packet.h"
 #include "mpaux.h"
 #include "uidswap.h"
+#include "compat.h"
 #include "log.h"
 #include "readconf.h"
 #include "key.h"
@@ -960,7 +961,8 @@
 	sum_len += clen;
 
 	rbits = BN_num_bits(host_key->n);
-	if (bits != rbits) {
+	if (bits != rbits &&
+	    !((datafellows & SSH_BUG_SERVERLIESSIZE) && (rbits + 1 ==
bits))) {
 		log("Warning: Server lies about size of server host key: "
 		    "actual size is %d bits vs. announced %d.", rbits, bits);
 		log("Warning: This may be due to an old implementation of ssh.");
--- sshd.c.O	Fri Oct 12 14:42:43 2001
+++ sshd.c	Fri Oct 12 15:31:18 2001
@@ -1263,7 +1263,12 @@
 	packet_put_bignum(sensitive_data.server_key->rsa->n);
 
 	/* Store our public host RSA key. */
-	packet_put_int(BN_num_bits(sensitive_data.ssh1_host_key->rsa->n));
+	len = BN_num_bits(sensitive_data.ssh1_host_key->rsa->n);
+	if ((datafellows & SSH_BUG_SERVERLIESSIZE) && (len & 1)) {
+	    /* old ssh client expects even number for host key */
+	    len += 1;
+	}
+	packet_put_int(len);
 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->e);
 	packet_put_bignum(sensitive_data.ssh1_host_key->rsa->n);

On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller
wrote:
> Subject: Re: Please test snapshots for 3.0 release
>
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
I originally included these changes with my patch for changing expired
passwords, but to simplify that submission I left them out.  Attachment #1
contains the patch against the openbsd CVS, and attachment #2 contains the
patch aginst the portable CVS apply after applying my patch for changing
expired passwords.  They could be applied independently, but for
consistency through the function it would make sense for both to be
applied.

- Dave Dykstra
-------------- next part --------------
--- auth.c.O	Fri Oct 12 15:43:11 2001
+++ auth.c	Fri Oct 12 15:43:15 2001
@@ -71,10 +71,16 @@
 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
 
 	/* deny if shell does not exists or is not executable */
-	if (stat(shell, &st) != 0)
+	if (stat(shell, &st) != 0) {
+		log("User %.100s not allowed because shell %.100s does not exist",
+			pw->pw_name, shell);
 		return 0;
-	if (!((st.st_mode & S_IFREG) && (st.st_mode &
(S_IXOTH|S_IXUSR|S_IXGRP))))
+	}
+	if (!((st.st_mode & S_IFREG) && (st.st_mode &
(S_IXOTH|S_IXUSR|S_IXGRP)))) {
+		log("User %.100s not allowed because shell %.100s is not
executable",
+			pw->pw_name, shell);
 		return 0;
+	}
 
 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
 		hostname = get_canonical_hostname(options.reverse_mapping_check);
@@ -85,8 +91,11 @@
 	if (options.num_deny_users > 0) {
 		for (i = 0; i < options.num_deny_users; i++)
 			if (match_user(pw->pw_name, hostname, ipaddr,
-			    options.deny_users[i]))
+			    options.deny_users[i])) {
+				log("User %.100s not allowed because listed in DenyUsers",
+					pw->pw_name);
 				return 0;
+			}
 	}
 	/* Return false if AllowUsers isn't empty and user isn't listed there
*/
 	if (options.num_allow_users > 0) {
@@ -95,19 +104,27 @@
 			    options.allow_users[i]))
 				break;
 		/* i < options.num_allow_users iff we break for loop */
-		if (i >= options.num_allow_users)
+		if (i >= options.num_allow_users) {
+			log("User %.100s not allowed because not listed in AllowUsers",
+				pw->pw_name);
 			return 0;
+		}
 	}
 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 		/* Get the user's group access list (primary and supplementary) */
-		if (ga_init(pw->pw_name, pw->pw_gid) == 0)
+		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+			log("User %.100s not allowed because not in any group",
+				pw->pw_name);
 			return 0;
+		}
 
 		/* Return false if one of user's groups is listed in DenyGroups */
 		if (options.num_deny_groups > 0)
 			if (ga_match(options.deny_groups,
 			    options.num_deny_groups)) {
 				ga_free();
+				log("User %.100s not allowed because a group is listed in
DenyGroups",
+					pw->pw_name);
 				return 0;
 			}
 		/*
@@ -118,6 +135,8 @@
 			if (!ga_match(options.allow_groups,
 			    options.num_allow_groups)) {
 				ga_free();
+				log("User %.100s not allowed because none of user's group are
listed in AllowGroups",
+					pw->pw_name);
 				return 0;
 			}
 		ga_free();
-------------- next part --------------
--- auth.c.N	Fri Oct 12 15:54:56 2001
+++ auth.c	Fri Oct 12 15:56:50 2001
@@ -87,14 +87,20 @@
 		int days = time(NULL) / 86400;
 
 		/* Check account expiry */
-		if ((spw->sp_expire >= 0) && (days > spw->sp_expire))
+		if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) {
+			log("User %.100s not allowed because account expired",
+				pw->pw_name);
 			return 0;
+		}
 
 		/* Check password expiry */
 		if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0)
&&
 		    (days > (spw->sp_lstchg + spw->sp_max))) {
-			if ((pw->pw_uid == 0))
+			if ((pw->pw_uid == 0)) {
+				log("User %.100s not allowed because password expired",
+					pw->pw_name);
 				return 0;
+			}
 
 			forced_passwd_change = 1;
 		}

On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller
wrote:
> Subject: Re: Please test snapshots for 3.0 release
>
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
Needed to compile at least on sunos 4.1.4.

- Dave Dykstra


--- openbsd-compat/readpassphrase.c.O	Fri Oct 12 17:12:22 2001
+++ openbsd-compat/readpassphrase.c	Fri Oct 12 17:11:16 2001
@@ -97,11 +97,13 @@
 			term.c_lflag &= ~ECHO;
 		}
 #ifdef VSTATUS
+#ifdef _POSIX_VDISABLE
 		if (term.c_cc[VSTATUS] != _POSIX_VDISABLE) {
 			status = term.c_cc[VSTATUS];
 			term.c_cc[VSTATUS] = _POSIX_VDISABLE;
 		}
 #endif
+#endif
 		(void)tcsetattr(input, _T_FLUSH, &term);
 	}
 	if (!(flags & RPP_ECHO_ON)) {
@@ -138,8 +140,10 @@
 			term.c_lflag |= ECHO;
 		}
 #ifdef VSTATUS
+#ifdef _POSIX_VDISABLE
 		if (status != _POSIX_VDISABLE)
 			term.c_cc[VSTATUS] = status;
+#endif
 #endif
 		(void)tcsetattr(input, _T_FLUSH, &term);
 	}

On Fri, 12 Oct 2001, Dave Dykstra wrote:
:I have posted this one several times and I ask that you *please* put it
:in.  Many people have asked for this one, and Markus has done all the
:preparatory work in the base code so changes only need to be made to the
:portable code.  It works for all systems that use /etc/shadow, most notably
:Solaris and Linux.

as i said i august, i think much of this could be pushed to native.
markus indicated willingness to add something for the non BSD_AUTH case
there.

On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller
wrote:
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
scard/Makefile.in doesn't work correctly in srcdir != builddir
build environments. The following patch fixes that:

Index: scard/Makefile.in
==================================================================RCS file:
/cvs/openssh_cvs/scard/Makefile.in,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile.in
--- scard/Makefile.in	2001/09/20 18:39:37	1.2
+++ scard/Makefile.in	2001/10/13 08:52:00
@@ -11,8 +11,8 @@ VPATH=@srcdir@
 
 all:
 
-Ssh.bin:  Ssh.bin.uu
-	uudecode Ssh.bin.uu
+Ssh.bin:  $(srcdir)/Ssh.bin.uu
+	uudecode -o $@ $(srcdir)/Ssh.bin.uu
 
 clean:
 	rm -rf Ssh.bin
@@ -24,4 +24,4 @@ distclean: clean
 
 install: Ssh.bin
 	$(top_srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
-	$(INSTALL) -m 0644 $(srcdir)/Ssh.bin $(DESTDIR)$(datadir)/Ssh.bin
+	$(INSTALL) -m 0644 Ssh.bin $(DESTDIR)$(datadir)/Ssh.bin

Corinna
-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

On Fri, Oct 12, 2001 at 11:47:38AM +1000, Damien Miller
wrote:
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
Today's CVS (Oct 13) looks good on HP-UX 10.20.
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

On Fri, 12 Oct 2001, Damien Miller wrote:
:Could everyone please test the latest snapshots as we will be making a
:new release soon.

for those involved in the large file support discussion or that have an
interest in that: please test the large file support, as i believe it is
working now.  i have tested hp-ux 11, but there are a number of different
#ifdef paths in loginrec.

Damien Miller <djm at mindrot.org> writes:
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
I have tested with native compilers on six different platforms, and
get lot's of warnings (mostly prototype/argument mismatches).

Too many errors to send to the list, so I have put the results here: 

 
ftp.ifi.uio.no:/pub/tmp/out/sturles/openssh-SNAP-20011012-compileresults.tar.gz

The tar has one directory for each platform tested.  Each directory
contains config.* from each configure, results of make >& make.out, a
file "VERSIONS" with version information from cc and make, and uname
with the output from "uname -a".  Enjoy.

On AIX configure seemed to work fine and exited with status 0, but it
didn't create a Makefile or config.h!  config.log and config.status
are included in the tarball.
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
AUTH_FAIL_MAX 6 is too low in some cases.  A simple fix is to increase
the value.  I have explained the bug here:

  http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99727458632585&w=2



--- auth.h.orig Wed Jul  4 06:46:57 2001
+++ auth.h      Fri Oct 12 14:04:09 2001
@@ -149,7 +149,7 @@
 check_key_in_hostfiles(struct passwd *, Key *, const char *,
     const char *, const char *);
 
-#define AUTH_FAIL_MAX 6
+#define AUTH_FAIL_MAX 8
 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"



-- 
Sturle      All eyes were on Ford Prefect. Some of them were on stalks.
~~~~~~           -- Douglas Adams, So long, and thanks for all the fish

On Fri, 12 Oct 2001, Damien Miller wrote:
> Date: Fri, 12 Oct 2001 11:47:38 +1000 (EST)
> From: Damien Miller <djm at mindrot.org>
> To: openssh-unix-dev at mindrot.org
> Subject: Please test snapshots for 3.0 release
> 
> Could everyone please test the latest snapshots as we will be making a
> new release soon.
> 
> If you have any patches you would like us to consider, please resend 
> them to the list ASAP.
> 
Would you consider changing configure
call in openssh/contrib/redhat/openssh.spec

by replacing 
  --with-rsh=/usr/bin/rsh
with
  --without-rsh

thus not encouraging users to install rsh?
This would prevent from connecting to hosts which have rshd, which could
be considered a problem or a feature. I would consider it a feature.

The two other spec files included do not have either --with-rsh or
--without-rsh 

Best regards,

Wojtek
--------------------
Wojtek Pilorz
Wojtek.Pilorz at bdk.pl