openssh unix dev - May 2002 - OpenSSH 3.2.2 released

OpenSSH 3.2.2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Security Changes:
================
- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation,
  see UsePrivilegeSeparation in sshd(8) and
	  http://www.citi.umich.edu/u/provos/ssh/privsep.html
  for more information.
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger

Other Changes:
=============
- improved smartcard support (including support for OpenSC, see www.opensc.org)
- improved Kerberos support (including support for MIT-Kerberos V)
- fixed stderr handling in protocol v2
- client reports failure if -R style TCP forwarding fails in protocol v2
- support configuration of TCP forwarding during interactive sessions (~C)
- improved support for older sftp servers
- improved support for importing old DSA keys (from ssh.com software).
- client side suport for PASSWD_CHANGEREQ in protocol v2
- fixed waitpid race conditions
- record correct lastlogin time

Reporting Bugs:
==============
- please read http://www.openssh.com/report.html and
  http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

On Fri, May 17, 2002 at 12:36:22AM +0200, Markus Friedl
wrote:
> OpenSSH 3.2.2 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.
Sigh.  I'm somewhat annoyed.  Sorry.

Why has the setgroups() call been added to sshd.c a week ago
w/o asking for further testing?  It doesn't exist in Cygwin.
All other setgroups() calls are #ifndef'd HAVE_CYGWIN.  Why
not this one? 

Now this error which screws up building ssh on Cygwin is in
an official release.  :-(((((

Grrr,
Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

Le Vendredi 17 Mai 2002 00:36, Markus Friedl a ?crit :
> OpenSSH 3.2.2 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.
Do you plan to add chrooting to OpenSSH shortly? Chrooting is, IMHO, the most 
wanted add-on feature.

Cheers,
Jean-Michel POURE

On Fri, May 17, 2002 at 12:36:22AM +0200, Markus Friedl
wrote:
> - experimental support for privilege separation,
>   see UsePrivilegeSeparation in sshd(8) and
> 	  http://www.citi.umich.edu/u/provos/ssh/privsep.html
>   for more information.
This is a very good feature and I want to thanks again Niels Provos and
others for their work on it.

I tested it during snapshot and worked well on my non-production systems but
this morning I couldn't make it work on some of my production systems. In
fact the difference is the linux kernel version : 2.4.x vs 2.2.x

UsePrivilegeSeparation work on all my slackware 8.0 linux 2.4.17 glibc 2.2.3
UsePrivilegeSeparation doesn't work on following systems with the same
result :
. slackware 7.1-cur linux 2.2.19pre16 glibc 2.2.2
. slackware 7.1 linux 2.2.19 glibc 2.1.3
. redhat 6.0 linux 2.2.19 glibc 2.1.1
. debian 3.0 linux 2.2.20 glibc 2.2.5

All configured with :
./configure --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl
--with-md5-passwords --disable-suid-ssh

Here is the sshd dump :
root at server:openssh-3.2.2p1# ./sshd -p 28 -d -D -o
'UsePrivilegeSeparation yes'
debug1: sshd version OpenSSH_3.2.2p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 28 on 0.0.0.0.
Server listening on 0.0.0.0 port 28.
Generating 768 bit RSA key.
RSA key generation complete.

debug1: Server will not fork when running in debugging mode.
setsid: Operation not permitted
Connection from 62.4.21.62 port 3247
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.2p1
mmap(65536)
debug1: Calling cleanup 0x8068954(0x0)
root at server:openssh-3.2.2p1# 

Here is what strace can see (on the debian system) :
fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1
ENOSYS (Function not implemented)
old_mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) =
-1 EINVAL (Invalid argument)
write(2, "mmap(65536)\r\n", 13mmap(65536)
)         = 13
write(2, "debug1: Calling cleanup 0x806ae9"..., 40debug1: Calling
cleanup 0x806ae9c(0x0)
) = 40
shutdown(4, 2 /* send and receive */)   = 0
close(4)                                = 0
_exit(255)                              = ?

The connexion is made with a simple 'ssh server -p 28' and the result in
the
same in sshv1/2 with publickey/password authentication.

Best regards,

Denis Ducamp.

-- 
 Denis.Ducamp at hsc.fr --- Herv? Schauer Consultants --- http://www.hsc.fr/
 Owl/Openwall/snort/hping/dsniff en fran?ais   http://www.groar.org/trad/
            Owl en fran?ais    http://www.openwall.com/Owl/fr/
 Du bon usage de ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html

On Fri, May 17, 2002 at 03:43:30PM +0200, Denis Ducamp
wrote:
> fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
> socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
> fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
> fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
> mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) =
-1 ENOSYS (Function not implemented)
> old_mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1,
0) = -1 EINVAL (Invalid argument)
> write(2, "mmap(65536)\r\n", 13mmap(65536)
> )         = 13
> write(2, "debug1: Calling cleanup 0x806ae9"..., 40debug1: Calling
cleanup 0x806ae9c(0x0)
> ) = 40
> shutdown(4, 2 /* send and receive */)   = 0
That looks more like a kernel problem to me.  It does not know about
the mmap2 system call.  That is sort of pretty weird.  Did you you
pre-compiled binaries or did you compile it yourself?  And then
it seems that the fallback old_mmap does not like one of the
parameters.  You need to see what API changed in Linux to make this
break.

Niels.

On Fri, May 17, 2002 at 12:36:22AM +0200, Markus Friedl wrote:
> - experimental support for privilege separation,
>   see UsePrivilegeSeparation in sshd(8) and
> 	  http://www.citi.umich.edu/u/provos/ssh/privsep.html
>   for more information.
I can't get this working on AIX 5.1:

./configure --prefix=/usr/openssh --sysconfdir=/etc/openssh --disable-suid-ssh

 OpenSSH has been configured with the following options:
                      User binaries: /usr/openssh/bin
                    System binaries: /usr/openssh/sbin
                Configuration files: /etc/openssh
                    Askpass program: /usr/openssh/libexec/ssh-askpass
                       Manual pages: /usr/openssh/man/manX
                           PID file: /var/run
   Privilege separation chroot path: /var/empty
             sshd default user PATH:
/usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
                     Manpage format: man
                        PAM support: no
                 KerberosIV support: no
                  KerberosV support: no
                  Smartcard support: no
                        AFS support: no
                      S/KEY support: no
               TCP Wrappers support: no
               MD5 password support: no
        IP address in $DISPLAY hack: no
           Use IPv4 by default hack: no
            Translate v4 in v6 hack: no
                   BSD Auth support: no
               Random number source: ssh-rand-helper
      ssh-rand-helper collects from: Command hashing (timeout 200)

               Host: powerpc-ibm-aix5.1.0.0
           Compiler: cc
     Compiler flags: -g
 Preprocessor flags: -I/usr/local/ssl/include  -I/usr/local/include
       Linker flags: -L/usr/local/ssl/lib  -L/usr/local/lib
-blibpath:/usr/lib:/lib:/usr/local/lib
          Libraries:   -lz  -lcrypto

# /usr/openssh/sbin/sshd -p 2022 -d -D -o 'UsePrivilegeSeparation
yes'
debug1: sshd version OpenSSH_3.2.2p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
setsid: Not owner
Connection from 217.13.1.91 port 38497
debug1: Client protocol version 2.0; client software version
OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.2p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1534/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1617/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user janfrode service ssh-connection
method none
debug1: attempt 0 failures 0
Failed none for janfrode from 217.13.1.91 port 38497 ssh2Failed none
for janfrode from 217.13.1.91 port 38497 ssh2

debug1: userauth-request for user janfrode service ssh-connection
method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 50012/50012 (e=0)
debug1: trying public key file
/home/parallab/plab/janfrode/.ssh/authorized_keys
debug1: matching key found: file
/home/parallab/plab/janfrode/.ssh/authorized_keys, line 2
Found matching DSA key:
d6:73:c1:54:51:df:56:18:43:8c:ca:fd:ec:a1:c4:4b
debug1: restore_uid
Postponed publickey for janfrode from 217.13.1.91 port 38497 ssh2
debug1: userauth-request for user janfrode service ssh-connection
method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 50012/50012 (e=0)
debug1: trying public key file
/home/parallab/plab/janfrode/.ssh/authorized_keys
debug1: matching key found: file
/home/parallab/plab/janfrode/.ssh/authorized_keys, line 2
Found matching DSA key:
d6:73:c1:54:51:df:56:18:43:8c:ca:fd:ec:a1:c4:4b
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
Accepted publickey for janfrode from 217.13.1.91 port 38497 ssh2
Accepted publickey for janfrode from 217.13.1.91 port 38497
ssh2debug1: monitor_child_preauth: janfrode has been authenticated by
privileged process

debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 8 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max
16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/10
debug1: Ignoring unsupported tty mode opcode 13 (0xd)
debug1: Ignoring unsupported tty mode opcode 18 (0x12)
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: rfd 11 isatty
debug1: fd 11 setting O_NONBLOCK
setsid: Operation not permitted.
debug1: session_by_tty: session 0 tty /dev/pts/10
debug1: session_pty_cleanup: session 0 release /dev/pts/10
Connection closed by remote host.
debug1: channel_free: channel 0: server-session, nchannels 1
debug1: session_close: session 0 pid 49666
Closing connection to 217.13.1.91
debug1: session_by_tty: unknown tty /dev/pts/10
debug1: dump: used 0 session 0 200326c0 channel -1 pid 29204
debug1: dump: used 0 session 0 2003285c channel 0 pid 0
debug1: dump: used 0 session 0 200329f8 channel 0 pid 0
debug1: dump: used 0 session 0 20032b94 channel 0 pid 0
debug1: dump: used 0 session 0 20032d30 channel 0 pid 0
debug1: dump: used 0 session 0 20032ecc channel 0 pid 0
debug1: dump: used 0 session 0 20033068 channel 0 pid 0
debug1: dump: used 0 session 0 20033204 channel 0 pid 0
debug1: dump: used 0 session 0 200333a0 channel 0 pid 0
debug1: dump: used 0 session 0 2003353c channel 0 pid 0


On the client side i get the /etc/motd printed, and then the
connection is closed. Any hints to what I might be doing wrong?


  -jf