search for: newal

On 03/15/2019 12:49 AM, Jeremy Lin wrote: > [...] connecting to hosts where the host key > changes frequently. I realize this is a fairly niche use case [...] Doesn't StrictHostKeyChecking=no do what is wanted?

On 6 February 2018 at 20:09, David Newall <openssh at davidnewall.com> wrote: > Do we need to do anything? It's not clear to me how SSH is vulnerable to > Spectre -- that is, how SSH can be used to execute a Spectre attack? I am more concerned with it being the target of a Spectre style attack. There's some long liv...

On 13/04/18 07:59, Josh Soref wrote: > Randall S. Becker <rsbecker at nexbridge.com> wrote: > >> -REGRESSTMP = "$(PWD)/regress" >> +REGRESSTMP = `pwd` >> >> ? tests interop-tests t-exec unit: regress-prep regress-binaries >> $(TARGETS) >> > It looks like the problem is that pwd is in uppercase, not so much the > distinction between

On Mon, 4 Nov 2019 at 14:07, David Newall <openssh at davidnewall.com> wrote: > [about scp] That's just awful, and I should have > thought it was not at all necessary. Am I missing something? > If you're saying that the scp protocol is an unfixable mess then the openssh team has been agreeing[0] with you for at l...

On Fri, 2018-01-05 at 16:00 +1030, David Newall wrote: > On 05/01/18 02:44, Thomas G?ttler wrote: > > I set up a chroot sftp server [...] > > Is there a way to get both? > > > > - chroot > > > > - writable root > > The source code (sftpd.c) seems to require that the root directory > be >...

On 31/12/17 13:52, Peter Moody wrote: >> By making it impossible for people to use SSH > nb, it's not impossible to use opessh. it might not be possible to use > a*modern* openssh client to connect to an old, unpatched unmaintained > (by the vendor) sshd. i'd argue that's not the client's fault. Of course it's the client's fault.? The client worked, was

Hello all, My scripts, which read stdout from ssh, weren't seeing EOF from the remote session.? It was being sent, but lost.? I tracked it down to the following code, in ssh.c, at ssh_session2_open: ??????? if (stdin_null_flag) { ??????????????? in = open(_PATH_DEVNULL, O_RDONLY); ??????? } else { ??????????????? in = dup(STDIN_FILENO); ??????? } ??????? out = dup(STDOUT_FILENO);

On 14/10/17 07:44, Damien Miller wrote: > On Fri, 13 Oct 2017, David Newall wrote: >> On 13/10/17 16:22, Damien Miller wrote: >> > At a minimum, I think we'd have to dup2 a fd to /dev/null to >> > STDOUT_FILENO so writes to stdout (e.g. from ill-behaved >> > libraries) have somewhere to go. >> >> Would that really be...

On 12/10/17 12:54, Clark Wang wrote: > How did you hit the problem? "ssh host echo hello | cat" works fine > for me. That's because ssh exited, not because of EOF. Consider the following: ?? ssh localhost 'exec cat > /dev/null' | { read l; echo ${l:-EOF}; } One should see "EOF" immediately (for values of immediate that include startup latency), but

On 02/01/18 03:29, Michael Str?der wrote: > How high is the risk that this unmaintained device is added to > yet-another-bot-net in the Internet-of-shitty-devices or is used to > enter parts of your network. I think that is what is called a straw-man argument.? If a device can be compromised in the way you suggest, then I am sure it will be replaced, but it will be replaced because it

On Fri, 2018-01-05 at 21:42 +1030, David Newall wrote: > On 05/01/18 20:06, Jakub Jelen wrote: > > if the confined user has write access to the chroot directory, > > there are ways how to get out, gain privileges and or do other > > nasty things. > > I'm not inexperienced with UNIX and unix-like operating systems...

On 13/10/17 16:22, Damien Miller wrote: > At a minimum, I think we'd have to dup2 a fd to /dev/null to > STDOUT_FILENO so writes to stdout (e.g. from ill-behaved > libraries) have somewhere to go. Would that really be useful?? Output from Ill-behaved libraries, written fd 1, already go to the same place.? Don't forget, dup does not create a new file, it creates a duplicate

On Fri, 20 Oct 2017, David Newall wrote: > WHAT CAN I DO TO HELP STEWARD THIS CHANGE INTO THE MASTER SOURCE? > What do I need to do? Stop yelling and go file a bug at https://bugzilla.mindrot.org/ As I mentioned previously, your suggested change is wrong and we'd (at least) need to replace fd 1 with /dev/null prior to...

On Wed, Jul 11, 2018 at 6:58 PM, David Newall <openssh at davidnewall.com> wrote: > I remember, when Sun first released NFS they used UDP for transport because > "performance", and then, not so very long later, had to implement TCP > transport because "reliability". network reliability has changed quite a...

On 31/12/17 16:44, Peter Moody wrote: > On Sat, Dec 30, 2017 at 9:47 PM, David Newall<openssh at davidnewall.com> wrote: >> Of course it's the client's fault. The client worked, was changed, and thus >> stopped working. > don't upgrade your client. problem solved. you're at fault for not > pinning your dependencies when you have hard depend...

On Mon, 4 Nov 2019, David Newall wrote: > On 4/11/19 3:29 am, Demi M. Obenour wrote: > > I have not been able to get scp(1) to download a file with a newline > > in its name. I know that scp(1) requires that remote filenames be > > escaped for the shell, but that leads to protocol errors. > > I see s...

...not, of itself, use stdout; it has no reason to keep stdout open.? As far as I can tell, the change I am proposing has no deleterious effect. WHAT IS THE EXACT CHANGE? This patch allows a program reading ssh's output to see an EOF from the remote session. Good for scripting. Author: David NewallPatch-Name: scriptable-ssh.patch --- diff -u a/ssh.c b/ssh.c --- a/ssh.c +++ b/ssh.c @@ -1837,11 +1837,11 @@ } else { in = dup(STDIN_FILENO); } - out = dup(STDOUT_FILENO); - err = dup(STDERR_FILENO); + out = STDOUT_FILENO; + err = STDERR_FILENO; - if (in < 0 || out < 0 || err < 0) - fa...

On Fri, 2018-03-16 at 19:07 +1030, David Newall wrote: > > There is no reply about this demand since the firt proposition > > has if nobody in dev team cares about it :( > > I'm curious about the first section of the diff, which exports > SSH_GSSAPI_DISPLAYNAME to PAM. Is that useful? Am I right that the > PAM...

On 22/11/18 10:09 pm, Philipp Marek wrote: > if it happens that your local terminal emulation is not available > on the remote machine(s), what would be the right place to fix it? Is it a trick question?? Isn't the remote machine the only place that you can fix ?? Setting TERM on the local machine won't magically make a Wyse 60 understand VT220 control codes. Why not wrap ssh

On 02/01/18 02:22, Peter Moody wrote: > I would prefer that: > > * commercial vendors patched the software they sold We all would prefer that, but I think you know that in reality, very few customers have enough leverage to achieve that.? I have a number of IBM servers for which access to the remote console now requires old versions of Java and old browsers.? That's IBM.? If