There are a couple of noteworthy changes in tonight's snapshot:

1. New UsePAM directive

There is a new sshd_config directive, UsePAM, for systems built using "configure --with-pam". This allows one to switch off all PAM calls from sshd. This is handy if one builds with PAM but wants to use sshd's ability to run as a non-root user. Previously this was impossible if one enabled PAM support.

2. kerberos-2 at ssh.com support

Markus has added support for SSH.COM's Kerberos authentication method for protocol v.2. This has been interop tested on OpenBSD with the in-tree Heimdal Kerberos implementation, but not with MIT Kerberos.

This needs review from someone who understands the MIT Kerberos API properly (I don't...). There is at least one minor problem: grep for '# warning' in sshconnect2.c

3. Pubkey authentication key try order

Markus has changed the order in which pubkeys are tried. From the ChangeLog:

> for pubkey authentication try the user keys in the following order:
> 1. agent keys that are found in the config file
> 2. other agent keys
> 3. keys that are only listed in the config file
> this helps when an agent has many keys, where the server might
> close the connection before the correct key is used.

Please report problems with any of the above to bugzilla or this list.

-d
Damien Miller wrote:

> Please report problems with any of the above to bugzilla or this list.

It looks like the SOCK_STREAM -> ai_socktype change broke AIX (at least 4.2.1, 4.3.3 & 5.1, possibly others), which was caught by the tinderbox[1]. I don't know why yet, I'll do some digging. I did notice that AIX defines BROKEN_GETADDRINFO.

-Daz.

# ./sshd -ddd -p 2022
[snip]
debug1: private host key: #2 type 2 DSA
socket: Protocol not supported
Cannot bind any address.

# cvs diff -r 1.239 -r 1.240 sshd.c
[snip]
- listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ listen_sock = socket(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol);

# cvs up -r 1.239 sshd.c && make sshd
P sshd.c
[snip]

# ./sshd -ddd -p 2022
[snip]
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
Generating 768 bit RSA key.
RSA key generation complete.

[1] http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
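Review bot: The new call `socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)` assumes every addrinfo entry from getaddrinfo() carries a valid socktype and protocol, and the failing run above ("socket: Protocol not supported", followed by "Cannot bind any address.") is on a platform that defines BROKEN_GETADDRINFO, so the compatibility getaddrinfo() used there is the first place to check for ai_socktype/ai_protocol being left zero or garbage. Until that is confirmed to populate both fields, falling back to the 1.239 arguments when ai_socktype is 0 (for example `socket(ai->ai_family, ai->ai_socktype ? ai->ai_socktype : SOCK_STREAM, ai->ai_protocol)`) would keep sshd listening on those systems, and logging the three values passed to socket() alongside the strerror text would make the next such failure diagnosable from the -ddd output alone.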
In the grand tradition of replying to one's own messages, Damien Miller wrote:

> 2. kerberos-2 at ssh.com support
>
> Markus has added support for SSH.COM's Kerberos authentication method
> for protocol v.2. This has been interop tested on OpenBSD with the
> in-tree Heimdal Kerberos implementation, but not with MIT Kerberos.
>
> This needs review from someone who understands the MIT kerberos API
> properly (I don't...) There is at least one minor problem:
> grep for '# warning' in sshconnect2.c

I think I have fixed this particular problem. Markus also reports that the code is largely cut+paste from sshconnect1.c, which has been reviewed already.

-d