Hi,
I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
I'm getting a message that privsep is not available on my platform (Irix
6.5.15) and another message stating that compression and privsep are
mutually exclusive. But, ssh decided to turn off compression, I think
because of servconf.c. I think it would be more useful to have
compression enabled and disable privsep as the encryption is almost
useless when data is not compressed first. I think compression should
never be disabled otherwise kerberos will be also effectively disabled.
Any opinions?
Below I'm just showing the section I'm talking about. It's not a PATCH
to be applied. ;)
diff -u -w -r openssh-3.2.3p1/servconf.c openssh/servconf.c
--- openssh-3.2.3p1/servconf.c 2002-05-15 23:37:34.000000000 +0200
+++ openssh/servconf.c 2002-09-05 06:35:15.000000000 +0200
[...]
@@ -250,9 +256,19 @@
if (options->authorized_keys_file == NULL)
options->authorized_keys_file =
_PATH_SSH_USER_PERMITTED_KEYS;
- /* Turn privilege separation _off_ by default */
+ /* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = 0;
+ use_privsep = 1;
+
+#ifndef HAVE_MMAP
+ if (use_privsep && options->compression == 1) {
+ error("This platform does not support both privilege "
+ "separation and compression");
+ error("Compression disabled");
+ options->compression = 0;
+ }
+#endif
+
}
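Review bot: the `#ifndef HAVE_MMAP` block resolves the privsep/compression conflict by overriding an explicit `Compression yes` with two error() lines and then continuing, which is exactly the policy the post questions. If the administrator's setting is meant to win, the block should clear `use_privsep` rather than `options->compression`; if the conflict cannot be resolved automatically, a fatal() here is better than starting sshd in a configuration the administrator did not ask for. Note also that `use_privsep = 1` is now the default, so on a non-mmap platform every host with the stock config will hit this branch and lose compression unless it sets `UsePrivilegeSeparation no` explicitly.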
[...]
diff -u -w -r openssh-3.2.3p1/session.c openssh/session.c
--- openssh-3.2.3p1/session.c 2002-05-13 02:48:58.000000000 +0200
+++ openssh/session.c 2002-09-04 08:45:10.000000000 +0200
[...]
@@ -165,8 +252,8 @@
Session *s;
char *command;
int success, type, screen_flag;
- int compression_level = 0, enable_compression_after_reply = 0;
- u_int proto_len, data_len, dlen;
+ int enable_compression_after_reply = 0;
+ u_int proto_len, data_len, dlen, compression_level = 0;
s = session_new();
s->authctxt = authctxt;
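Review bot: changing `compression_level` from `int` to `u_int` is unrelated to the compression/privsep behaviour and would be clearer as a separate change. The variable's range check and its use (the call ending in `compression_level);` at the top of the next hunk) are outside this hunk, so confirm the bounds check on the requested level still rejects out-of-range values with the unsigned type, and that any `%d` format or `int` parameter it is passed to is updated to match.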
@@ -192,6 +279,10 @@
compression_level);
break;
}
+ if (!options.compression) {
+ debug2("compression disabled");
+ break;
+ }
/* Enable compression after we have responded with
SUCCESS. */
enable_compression_after_reply = 1;
success = 1;
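Review bot: the new `!options.compression` check sits after the compression level has already been parsed and range-checked, so an illegal level is reported to the client before the server's own "compression off" setting is consulted; moving the check ahead of the level handling would make the log clearer and avoid work for a request that is going to be refused anyway. Leaving `success` at 0 so the client receives a failure reply is the right outcome, but `debug2("compression disabled")` should say that the server configuration refused the request rather than reading as a client-side decision.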
[...]
--
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
Please look at the -cvs tree. We have handled most of the mmap() issues
for any OS that is written in the last 6 years.

- Ben

On Mon, 16 Sep 2002, Martin MOKREJŠ wrote:

> I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
> I'm getting a message that privsep is not available on my platform (Irix
> 6.5.15) and another message stating that compression and privsep are
> mutually exclusive.
> [...]

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> Please look at the -cvs tree. We have handled most of the mmap() issues
> for any OS that is written in the last 6 years.
>
> - Ben

Hi,
I tried current cvs on Solaris 2.6 (not on the problematic Irix 6.5.15 yet) but I got:

$ ./configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam
$ make
[...]
configure: creating ./config.status
config.status: creating Makefile
config.status: creating openbsd-compat/Makefile
config.status: creating scard/Makefile
config.status: creating ssh_prng_cmds
config.status: creating config.h
config.status: error: cannot find input file: config.h.in

When I tried openssh-SNAP-20020916.tar.gz and ran make after the same configure line, I got:

(cd openbsd-compat && make)
make[1]: Entering directory `/scratch/openssh/openbsd-compat'
make[1]: *** No rule to make target `../config.h', needed by `bsd-arc4random.o'.  Stop.
make[1]: Leaving directory `/scratch/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

In both cases I used "aclocal; automake; autoconf" to get out the configure script.

--
Martin Mokrejs <mmokrejs at natur.cuni.cz>, <m.mokrejs at gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585