Hi All.
OpenSSH is getting ready for a release soon, so we are asking for all
interested parties to test a snapshot.

Changes include:

* sshd will now re-exec itself for each new connection (the "-e" option
  is required when running sshd in debug mode).

* PAM password authentication has been (re)added.

* Interface improvements to sftp(1)

* Many bug fixes and improvements, for details see the ChangeLog and
  http://bugzilla.mindrot.org/show_bug.cgi?id=822

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable snapshots are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
or one of its mirrors listed at http://www.openssh.com/portable.html#ftp

Please test! Running the regression tests supplied with Portable does
not require installation and is simply:
$ ./configure && make tests

Testing on suitable non-production systems is also appreciated. Please
send reports of success or failure to openssh-unix-dev.

Thanks,
-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Thu, 12 Aug 2004, Darren Tucker wrote:
> OpenSSH is getting ready for a release soon, so we are asking for all
> interested parties to test a snapshot.

Because of PAM password authentication, I've been running since the 29th
the 20040728 snapshot on a cluster now in pre-production testing. I have
no problems to report other than my need to look further into bug #52.

Thanks.

Marc.

+----------------------------------+-----------------------------------+
| Marc Aurele La France            | work:  1-780-492-9310             |
| Computing and Network Services   | fax:   1-780-492-1729             |
| 352 General Services Building    | email: tsi at ualberta.ca         |
| University of Alberta            +-----------------------------------+
| Edmonton, Alberta                |                                   |
| T6G 2H1                          |    Standard disclaimers apply     |
| CANADA                           |                                   |
+----------------------------------+-----------------------------------+
XFree86 developer and VP. ATI driver and X server internals.
Hi Darren,

On Aug 12 23:55, Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

there's a typo in bsd-misc.c, which creates a common symbol __progname
even if the system provides one. That's a problem when linking on Cygwin,
since in that case the linker creates the symbol instead of matching it
against the dll exported symbol __imp____progname. Patch attached.

The testsuite fails on Cygwin in the "pass multiple env, accept multiple
env" test in envpass.sh. I don't know why since it's no problem to send
env. variables usually.

Corinna

Index: openbsd-compat/bsd-misc.c
===================================================================
RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.c,v
retrieving revision 1.23
diff -p -u -r1.23 bsd-misc.c
--- openbsd-compat/bsd-misc.c	17 Jul 2004 04:07:42 -0000	1.23
+++ openbsd-compat/bsd-misc.c	12 Aug 2004 16:18:17 -0000
@@ -19,7 +19,7 @@
 RCSID("$Id: bsd-misc.c,v 1.23 2004/07/17 04:07:42 dtucker Exp $");
 
-#ifndef HAVE__PROGNAME
+#ifndef HAVE___PROGNAME
 char *__progname;
 #endif

--
Corinna Vinschen
Cygwin Co-Project Leader
Red Hat, Inc.
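Review bot: the new guard name must match the macro configure actually writes into config.h; the symptom described (the common __progname is emitted even where the system provides one) is exactly what a never-defined HAVE__PROGNAME with two underscores produces, so confirm that the define in configure.ac/config.h.in is spelled HAVE___PROGNAME before committing. A short comment above the #ifndef noting that the triple underscore is intentional (HAVE_ plus __progname) would stop the next reader from "fixing" it back.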
Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

Appears to work on Solaris 9 with GSSAPI using MIT krb5-1.3.2.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Passes all tests on Solaris 8, including the ability to reset expired
passwords both with UsePAM on and off. One oddity in the configure was
the following message:

checking sys/ptms.h usability... no
checking sys/ptms.h presence... yes
configure: WARNING: sys/ptms.h: present but cannot be compiled
configure: WARNING: sys/ptms.h: check for missing prerequisite headers?
configure: WARNING: sys/ptms.h: see the Autoconf documentation
configure: WARNING: sys/ptms.h: section "Present But Cannot Be Compiled"
configure: WARNING: sys/ptms.h: proceeding with the preprocessor's result
configure: WARNING: sys/ptms.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
checking for sys/ptms.h... yes

Built with the following options:

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
  (If PATH is set in /etc/default/login it will be used instead. If
   used, ensure the path to scp is present, otherwise scp will not work.)
                    Manpage format: man
                       PAM support: yes
                 KerberosV support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: sparc-sun-solaris2.8
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
      Linker flags:
         Libraries: -lwrap -lpam -ldl -lresolv -lcrypto -lrt -lz -lsocket -lnsl

SVR4 style packages are supported with "make package"\n
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

WARNING: the operating system that you are using does not
appear to support either the getpeereid() API nor the
SO_PEERCRED getsockopt() option. These facilities are used to
enforce security checks to prevent unauthorised connections to
ssh-agent. Their absence increases the risk that a malicious
user can connect to your agent.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Thu, 12 Aug 2004, Darren Tucker wrote:
> Date: Thu, 12 Aug 2004 23:55:20 +1000
> From: Darren Tucker <dtucker at zip.com.au>
> To: openssh-unix-dev at mindrot.org
> Subject: Pending OpenSSH release, call for testing.
>
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for all
> interested parties to test a snapshot.
On Aug 12, 2004, at 9:55 AM, Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for all
> interested parties to test a snapshot.

All passed on Mac OS X 10.3.5, with the exception of agent-getpeereid (not
supported), agent-ptrace (failed when SUDO is set). I did have the
multiplex.sh (transfer) hang on me during my first run of make tests, but
it went through without a hitch on the next pass.

andrew
Corinna Vinschen
2004-Aug-13 16:57 UTC
[PATCH] Only copy basic Windows environment (was Re: Pending OpenSSH release, call for testing.)
On Aug 13 11:20, Ben Lindstrom wrote:
> On Fri, 13 Aug 2004, Corinna Vinschen wrote:
> [..]
> > +free_windows_environment(char **p)
> > +{
> > +	xfree(p);
> > }
>
> Memory leak galore... please free each pointer on that pointer list.

Nope. These pointers are pointers into the global environ array.

Corinna

--
Corinna Vinschen
Cygwin Co-Project Leader
Red Hat, Inc.
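Review bot: the reply settles the leak question on the list but not in the code; a comment above free_windows_environment() stating that the array entries alias the process's environ and that only the array itself is owned (hence the single xfree(p)) would keep the next reviewer from raising the same concern, and would document the ownership rule for anyone who later changes how the list is built.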
Once upon a time, Darren Tucker <dtucker at zip.com.au> said:
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

The 2004-08-13 snapshot looks good on Tru64. For once, I tested it
_before_ the release. :-)

--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

Regression testing still does not complete successfully on Gentoo
(current ~x86 build):

run test dynamic-forward.sh ...
Waiting for forwarded connections to terminate...
The following connections are open:
  #1 direct-tcpip: listening port 4243 for localhost port 4242, connect from 127.0.0.1 port 33749 (t4 r2 i0/0 o3/0 fd 10/10 cfd -1)
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
failed dynamic forwarding
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/home/jason/code/openssh/regress'
make: *** [tests] Error 2

I traded some e-mails with Darren about this for 3.8 but we never came up
with a solution other than it seemed to have something to do with connect.
Normally everyday usage doesn't seem to be affected. Anyone else out there
with Gentoo able to complete 'make tests' to rule out my box being crazy?

--
Jason McCormick
jason at devrandom.org
GPG Key ID: 96D6CF63
On Thu, 12 Aug 2004 23:55:20 +1000, Darren Tucker wrote:
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.
> Changes include:
> * PAM password authentication has been (re)added.

I tested this on Solaris 8/sparc with all current recommended patches.
As far as I can see everything works fine.

I'm currently in the process of implementing something like an intruder
lockout mechanism based on some hacking to pam_tally.so from Linux-PAM-0.77.
Please do not comment that this is an invitation to DOS attacks. I know it.
The suits won't understand and call it "a known risk".

I would expect any text to appear on the client terminal that the server
sends through the PAM conversation function with msg_type PAM_ERROR_MSG or
PAM_TEXT_INFO. Well, at least with telnet this works already. But who wants
telnet anyway? :-)

By some fiddling with debug() I can prove that the text sent by the PAM
module is seen by sshpam_passwd_conv() on the server side, but I can't see
that text on the client side.

Can anyone please give me a pointer where to look?

Regards,
Robert
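An added example, not code from OpenSSH or from Robert's message, showing where PAM_ERROR_MSG and PAM_TEXT_INFO text actually ends up: the module hands it to the application's conversation callback, and that callback alone decides whether the text is displayed, forwarded or silently dropped. The callback below answers password prompts from a stored secret and buffers info/error text instead of printing it, which is the shape a server-side conversation such as sshpam_passwd_conv() has; whoever owns the buffer still has to send it to the client before anything shows up on the user's terminal. The struct and constant definitions are local copies of the Linux-PAM ones so the file builds without libpam (an assumption about ABI layout; real code includes <security/pam_appl.h> and links -lpam), and the two-message batch in run_sample_conversation() is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local copies of the Linux-PAM constants and structs so this builds
 * without libpam (assumption: same layout as <security/pam_appl.h>). */
#define PAM_SUCCESS          0
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
#define PAM_CONV_ERR         19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Application state, reachable from the callback via appdata_ptr. */
struct conv_state {
	const char *password;   /* answer for PAM_PROMPT_ECHO_OFF */
	char info[1024];        /* buffered PAM_TEXT_INFO / PAM_ERROR_MSG text */
	int prompts_answered;
};

void conv_state_init(struct conv_state *st, const char *password)
{
	memset(st, 0, sizeof(*st));
	st->password = password;
}

static void append_text(struct conv_state *st, const char *text)
{
	size_t used = strlen(st->info);
	if (used < sizeof(st->info))
		snprintf(st->info + used, sizeof(st->info) - used, "%s\n", text);
}

/* Conversation callback with the signature libpam invokes. */
int collecting_conv(int n, const struct pam_message **msg,
    struct pam_response **resp, void *appdata_ptr)
{
	struct conv_state *st = appdata_ptr;
	struct pam_response *reply;
	int i;

	if (n <= 0 || st == NULL || st->password == NULL)
		return PAM_CONV_ERR;
	if ((reply = calloc((size_t)n, sizeof(*reply))) == NULL)
		return PAM_CONV_ERR;
	for (i = 0; i < n; i++) {
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:
			/* The module wants the password. */
			if ((reply[i].resp = strdup(st->password)) == NULL)
				goto fail;
			st->prompts_answered++;
			break;
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			/* Text the module wants the user to see.  It stops here
			 * unless the owner of st later forwards st->info. */
			append_text(st, msg[i]->msg);
			break;
		default:
			/* Echo-on prompts are not expected during password auth. */
			goto fail;
		}
	}
	*resp = reply;
	return PAM_SUCCESS;
 fail:
	for (i = 0; i < n; i++)
		free(reply[i].resp);   /* entries never filled are NULL */
	free(reply);
	return PAM_CONV_ERR;
}

/* Drive the callback with a constructed two-message batch, as a module does
 * through the pam_conv it obtains from pam_get_item(PAM_CONV).  Returns the
 * number of buffered text lines, or -1 on a conversation error. */
int run_sample_conversation(struct conv_state *st)
{
	static const struct pam_message m0 =
	    { PAM_TEXT_INFO, "Account will be locked after 3 failures" };
	static const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Password: " };
	const struct pam_message *batch[2] = { &m0, &m1 };
	struct pam_response *r = NULL;
	const char *p;
	int lines = 0;

	if (collecting_conv(2, batch, &r, st) != PAM_SUCCESS)
		return -1;
	free(r[0].resp);   /* NULL: the info message got no answer */
	free(r[1].resp);   /* the password copy */
	free(r);
	for (p = st->info; *p != '\0'; p++)
		if (*p == '\n')
			lines++;
	return lines;
}

int main(void)
{
	struct conv_state st;
	int lines;

	conv_state_init(&st, "example-password");   /* constructed secret */
	lines = run_sample_conversation(&st);
	printf("buffered %d line(s), answered %d prompt(s)\n", lines,
	    st.prompts_answered);
	fputs(st.info, stdout);   /* the text a client would still need sent */
	return 0;
}
```

The point of the split between collecting_conv() and its caller is that PAM itself never talks to a terminal: if the text is buffered and the caller forgets to ship the buffer over the session, the module's message is seen server-side (as Robert observed with debug()) and nowhere else.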
Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.
>

The call to ssh_gssapi_krb5_storecreds() will call do_pam_putenv() to add
the KRB5CCNAME to the PAM environment. But this call is too late to be
useful for any PAM modules. The call to ssh_gssapi_storecreds needs to be
moved from the do_exec to the do_setusercontext before the call to
do_pam_session.

If this is done, I can remove the last of my local changes from OpenSSH.
This change was to call a routine to get an AFS PAG and token using the
Kerberos cache obtained by either GSSAPI, Krb5 or PAM. I have this working
as a PAM session routine on Solaris.

This would also mean that eventually the USE_AFS code could also be dropped
as this can be done by PAM. It also takes away the pressure of trying to
get OS vendors to compile OpenSSH with USE_AFS, thus making it easier to
use OpenSSH and OpenAFS using the vendor's supplied OpenSSH executables.

Attached is a modification to move the ssh_gssapi_storecreds call. I can
submit this as a bug if needed.

Thanks.

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: session.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040816/ad8b31b2/attachment.ksh
Ben Lindstrom writes: [complaining about "head -2000" not working]
> Kinda sucks that FSF had to break rank. I'm sure a
> lot of people are going to run into this problem in
> the near future.

Simply put, the FSF is wrong. I just looked at the latest revision of the
standard. The standard requires that _users_ of head not rely on "head
-2000" usage. The standard does not in any way prohibit the head
implementation from supporting non-conformant users. That is, an
implementation is allowed to add vendor-specific options that are not in
the standard. So we want: -1, -2, -3, -4, ... and so on. To open a file
named "-4", you need the "--" option. If the "head -2000" syntax isn't
supported, it would be an error. You'd do "head -- -2000" to open a file
with the name "-2000".

So, let bug-coreutils at gnu.org know. Here's the standard:
http://www.opengroup.org/onlinepubs/009695399/utilities/head.html

> Kinda like the whole crap around 'nslookup' and the
> removal of '-' in Linux's 'ps' program. Stupid
> things done for stupid reasons.

The '-' was not removed from Linux ps. Linux ps fully conforms to the
standards, as well as supporting old BSD syntax as much as possible.
Try it:

ps -ef
ps -el
ps -elf
ps -u root
ps -uroot    # now guess what "ps -uax" means

It's just like Solaris, HP-UX, UnixWare, IRIX, and every other POSIX or
real UNIX system. Just like with AIX and Tru64, you can leave off the '-'
if you want the non-standard BSD options. Most BSD users would leave off
the '-' anyway; why type the extra character? I wrote the new ps, and I
use "ps aux" all the time. It's not getting killed. I might kill the
ability to fall back to BSD parsing when you do "ps -aux" and a user named
"x" doesn't exist, allowing you to get a proper error message -- maybe you
wanted user "X", or you forgot to create a user named "x".

Heck, I even allow mixing the options:

ps -uroot u
ps u -u root
ps -e e f -f
ps -ef ef
Darren Tucker wrote:
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

I want to thank everyone for their efforts in testing, it was much
appreciated.

I have attempted to collect all of the stuff uncovered during testing but
was not critical enough to make the release. I think they've all now been
committed except for those listed below. If you found something that's not
on that list and not in tomorrow's snapshot then please assume it's been
missed and re-send it.

Remaining known issues are:

* tests hanging during $TEST_SHELL -n script (Tru64, Solaris 2.6)
  Setting TEST_SHELL=ksh in the configure block seems to be the right
  solution to this?

* head -1/head -n1 with recent GNU utils (bug #912)
  Need to decide on what to do. head -n may not work on older platforms.

* Only copy basic Windows environment (bug #915)
  Patch awaiting review.

* ssh_gssapi_storecreds called too late for PAM (bug #918)
  Someone who knows krb5/gssapi want to comment on that one?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Could you add to this release a patch which allows gssapi to be used on a
multihomed server please ?

There have been several proposals in the past to fix this in
ssh_gssapi_acquire_cred

.
.
-	if (gethostname(lname, MAXHOSTNAMELEN))
-		return (-1);
+	lname = get_local_hostname(packet_get_connection_in());
.
.

Thank you
Markus

On Monday 30 August 2004 21:44, Douglas E. Engert wrote:
> Darren Tucker wrote:
> > Darren Tucker wrote:
> >> OpenSSH is getting ready for a release soon, so we are asking for
> >> all interested parties to test a snapshot.
> >
> > * ssh_gssapi_storecreds called too late for PAM (bug #918)
> > Someone who knows krb5/gssapi want to comment on that one?
>
> (I wrote the bug report, but can comment on it as well.)
>
> The idea is to pass on to a pam session routine
> the KRB5CCNAME environment variable. This can be used with a
> pam_openafs session routine to get a PAG and AFS token for example.
>
> The KRB5CCNAME is the pointer to the Kerberos ticket cache with the
> delegated credentials from GSSAPI. the AFS aklog can use this to
> get an AFS token.
>
> gss-serv-krb5.c already had a call to do_pam_putenv to add the
> KRB5CCNAME to the pam_environment. This was in 3.8. But the
> call to ssh_gssapi_storecreds in session.c which eventually calls the
> do_pam_putenv is called AFTER the do_pam_session. Thus the
> KRB5CCNAME is not passed in to the pam session routine.
>
> This mod moves the call to ssh_gssapi_storecreds before the
> call to do_pam_session.
>
> In the following traces, the pam_sm_open_session lines are written to
> stderr by my test pam routine.
>
> A sample trace without this mod:
>
> Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 40883 ssh2
> pam_sm_open_session flag=0
> pam_sm_open_session pid=16163 uid=0 euid=0
> pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
> pam_sm_open_session Kenv=(none)               <------------ no KRB5CCNAME
> debug1: PAM: reinitializing credentials
>
> With this mod:
>
> Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 1261 ssh2
> debug1: temporarily_use_uid: 100/100 (e=0/100)
> debug1: restore_uid: 0/100
> pam_sm_open_session flag=0
> pam_sm_open_session pid=15900 uid=0 euid=0
> pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
> pam_sm_open_session Kenv=FILE:/tmp/krb5cc_100_y15900   <---- found KRB5CCNAME
> debug1: PAM: reinitializing credentials
>
> Note: If this mod is added, even if the kafs lib is not available,
> sshd can still be used with AFS. This would allow one
> to use a vendor's build of OpenSSH even if not built with AFS.
> One would not need to do a rebuild! All that is needed is for OpenAFS
> to provide the pam session routine, thus making for a clean separation
> of OpenSSH and OpenAFS. Eventually the USE_AFS code could be removed
> from OpenSSH.
>
> Unfortunately, if the system does not have PAM, then one would
> still need to use the older methods.
>
> There are three ways a Kerberos ticket cache could be created
> in OpenSSH:
> (1) delegated by the GSSAPI,
> (2) by ChallengeResponse and PAM,
> (3) created by the auth-krb5 from entering a user/password,
>
> (1) is covered by the above.
> (2) can be taken care of internally by pam_krb5
> (3) needs an additional mod.
>
> I can submit this mod as a bug for case (3) if you want.
>
>
> --- ,auth-krb5.c	Sat Aug 14 08:55:37 2004
> +++ auth-krb5.c	Mon Aug 30 14:31:30 2004
> @@ -187,6 +187,11 @@
>  	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
>  	    authctxt->krb5_ticket_file);
>
> +#ifdef USE_PAM
> +	if (options.use_pam)
> +		do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname);
> +#endif
> +
>   out:
>  	restore_uid();
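Review bot: the return value of do_pam_putenv() is discarded on the added line, so a failure there reproduces exactly the "Kenv=(none)" symptom shown in the trace above with nothing in the log to explain it; test the result and emit a debug() or error() when it is non-zero. The placement is right for what the message describes, since the call sits before the "out:" label and therefore runs only on the success path where krb5_ccname has just been filled in. Minor style point: a space after the comma in do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname) to match the surrounding code.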
I haven't thought of inetd usage, I have to see how to get the right
hostname in that case. I also don't know if my patch is the best solution
to it as I have seen other approaches which use GSS_C_NO_NAME.

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108023034206980&w=2

Thanks
Markus

On Sat Sep 11 14:42 , Darren Tucker <dtucker at zip.com.au> sent:
>Markus Moeller wrote:
>> Could you add to this release a patch which allows gssapi to be used on
>> a multihomed server please ?
>>
>> There have been several proposals in the past to fix this in
>> ssh_gssapi_acquire_cred
>> .
>> .
>> -	if (gethostname(lname, MAXHOSTNAMELEN))
>> -		return (-1);
>> +	lname = get_local_hostname(packet_get_connection_in());
>
>Won't that break Kerberos authentication for sshd in inetd mode?
>
>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.
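Review bot: the removed lines returned -1 when gethostname() failed, but the replacement assigns the result of get_local_hostname() with no check at all, so a NULL or failed lookup should still return -1 instead of being handed on to the credential acquisition. The types also need checking: lname was passed to gethostname() as a buffer, and assigning a pointer to it only compiles if lname is declared as a pointer rather than a fixed array; if get_local_hostname() returns allocated memory, it has to be freed once the credential has been acquired. The inetd question in the reply stands on top of that and deserves an answer in the patch description before this is considered for a release.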