search for: xauthfile

Hi, I noticed that Markus has fixed the temporary file cleanup problems in OpenSSH cvs. What files need patching for this ? I only noticed changes in: session.c, channels.h and channels.c. -Jarno -- Jarno Huuskonen <Jarno.Huuskonen at uku.fi>

...-3.0.2p1.orig/session.c openssh-3.0.2p1/session.c --- openssh-3.0.2p1.orig/session.c Sun Dec 2 10:37:08 2001 +++ openssh-3.0.2p1/session.c Tue Feb 12 12:01:51 2002 @@ -151,6 +151,9 @@ extern int startup_pipe; extern void destroy_sensitive_data(void); +/* Local Xauthority file. */ +static char *xauthfile = NULL; + /* original command from peer. */ const char *original_command = NULL; @@ -220,6 +223,28 @@ #endif } +xauthfile_cleanup_proc(void *_pw) +{ + struct passwd *pw = _pw; + + debug("xauthfile_cleanup_proc called"); + + if (xauthfile != NULL) { + char *p; + temporaril...

...g failing http://lists.mindrot.org/pipermail/openssh-unix-dev/2009-February/027183.html I have the impression that SSH is running xauth with a filename in a temporary directory that does not exist: local:~ $ ssh -vv user at remote ... debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-VskgWb3776/xauthfile generate :0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null ... remote:~ $ /usr/bin/xauth -f /tmp/ssh-VskgWb3776/xauthfile generate :0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 /usr/bin/xauth:? error in locking authority file /tmp/ssh-VskgWb3776/xauthfile remote:~ $ mkdir /tmp/ssh-VskgWb...

$ ssh -v OpenSSH_5.1, OpenSSL 0.9.8j 07 Jan 2009 $ ssh -vvv -X example.com [ Relevant debug info: ] debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1 [OpenSSH_5.1, OpenSSL 0.9.7j 04 May 2006] debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-TLLOFKxvay/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null Warning: untrusted X11 forwarding setup failed: xauth key data not generated Warning: No xauth data; using fake authentication data for X11 forwarding. debug1: Requesting X11 forwarding with authentication spoofing. debug2: chan...

This change allows use of untrusted X11 forwarding (which is more secure) without requiring users to choose a finite timeout after which to refuse new connections. This matches the semantics of the X11 security extension itself, which also treat a validity timeout of 0 on an authentication cookie as indefinite. Signed-off-by: Trixie Able <table at inventati.org> --- clientloop.c | 12

.../sftp-server > AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > AcceptEnv LC_IDENTIFICATION LC_ALL And finally the debug output: debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-ZCkLTd4136/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-ZCkLTd4136/xauthfile list :0.0 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 0 debug2: client_session2...

...eck for USE_VHANGUP instead of HAVE_VHANGUP. Don't call I_PUSH ioctl's under Cygwin. - readconf.c: Disable check for uid 0 when HAVE_CYGWIN is set. - scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal when HAVE_CYGWIN is set. - session.c: Close xauthfiles immediatly to avoid implicit file lockings on Windows NT systems. Changes in environment setting. Disable check for uid 0 when HAVE_CYGWIN is set. Don't call xauth with `.../unix' syntax under Cygwin. - ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file...

I have found that this server, <snip> debug1: Remote protocol version 1.99, remote software version 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS debug1: no match: 3.1.0 F-SECURE SSH - Process Software SSH for OpenVMS </snip> does not follow the IETF secsh draft [1] related to the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ message. <snip> ... Normally, the server responds

...ession.c Wed Aug 30 12:17:13 2000 @@ -943,6 +943,9 @@ while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); +#ifdef NOLOGINALLOW + if (nologin_allow(pw->pw_name) != 1) +#endif /* NOLOGINALLOW */ exit(254); } } @@ -1858,4 +1861,29 @@ server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); +} + +int +nologin_allow(char *username) +{ + char buf[256], buf2[256]; + FILE *f = NULL; + + /* Appending an "\n" to the username since that's what it'll read like + * in the file. + */ + strcpy(buf2, username); + strcat(buf2, &...

...E_VHANGUP explicitely if HAVE_CYGWIN is set. Don't call I_PUSH ioctl's under Cygwin. - readconf.c: Disable check for uid 0 when HAVE_CYGWIN is set. - scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal when HAVE_CYGWIN is set. - session.c: Close xauthfiles immediatly to avoid implicit file lockings on Windows NT systems. Changes in environment setting. Disable check for uid 0 when HAVE_CYGWIN is set. Don't call xauth with `.../unix' syntax under Cygwin. - ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file...

...care for include files. Add a define for O_BINARY. - loginrec.c: Add O_BINARY to open calls. - pty.c: Don't call I_PUSH ioctl's under Cygwin. - scp.c: Add O_BINARY to open calls. Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal. - session.c: Close xauthfiles immediatly to avoid implicit file lockings on Windows NT systems. Changes in environment setting. Disable check for uid 0. Don't call xauth with `.../unix' syntax under Cygwin. - ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file extension. We (the Cygw...

...wait for reply debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Entering interactive session. debug2: callback start debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-kBPMsg1836/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-kBPMsg1836/xauthfile list :0.0 . 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 0 debug2: client_...

...058,8 @@ if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + if (! check_quietlogin(s, command)) + do_motd(); #else /* HAVE_OSF_SIA */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -2027,4 +2038,27 @@ server_loop2(); if (xauthfile) xauthfile_cleanup_proc(NULL); +} + +/* + * Check for quiet login, either .hushlogin or command given. + */ +int +check_quietlogin(Session *s, const char *command) +{ + char buf[256]; + struct passwd * pw = s->pw; + struct stat st; + + /* Return 1 if .hushlogin exists or a command given. */ +...

...ng streams modules isn't functional on Windows. - [rsa.c] Don't call seed_rng() in Cygwin to avoid race condition in daemon mode. - [scp.c] Call `tcgetpgrp()' instead of `ioctl(, TIOCGPGRP,) in Cygwin. - [session.c] Rearrange environment handling for woring under Windows. Close xauthfile imediately to avoid permission problems under Windows. Don't send the `$DISPLAY/unix' stuff to the Cygwin xauth program. - [ssh.c] Try more variations of the own name in Cygwin. - [ssh.h] Disable declaration of auth_password for Cygwin here. -- Corinna Vinschen Cygwin Developer Cygnu...

...X_NTO__ */ BUF * allocbuf(bp, fd, blksize) diff -cr openssh-2.2.0p1.orig/session.c openssh-2.2.0p1.qnx/session.c *** openssh-2.2.0p1.orig/session.c Wed Aug 30 00:21:22 2000 --- openssh-2.2.0p1.qnx/session.c Tue Sep 12 09:27:19 2000 *************** *** 1861,1863 **** --- 1861,1874 ---- if (xauthfile) xauthfile_cleanup_proc(NULL); } + + + #if defined(__QNX__) && !defined(__QNXNTO__) + /* Thanks to liug at mama.indstate.edu */ + + int initgroups(char *name,gid_t id) + { + return(0); + } + + #endif /* __QNX__ && !__QNXNTO__ */ diff -cr openssh-2.2.0p1.orig/ssh.c openss...

On Thu, Jun 07, 2018 at 06:14:42PM -0700, PGNet Dev wrote: > On 6/7/18 6:08 PM, Darren Tucker wrote: > > Well the intent is you should be able to set CC and LD to whatever you > > want as long as they work. In this case, the OSSH_CHECK_LDFLAG_LINK > > test invokes autoconf's AC_LINK_IFELSE with uses CC not LD. I'm not > > sure what to do about it yet though. I

https://bugzilla.mindrot.org/show_bug.cgi?id=2440 Bug ID: 2440 Summary: X11 connection will fail if user's home directory is read-only Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5 Component: sshd

...nction ?client_x11_get_proto?: clientloop.c:378:14: warning: ?%s? directive output may be truncated writing up to 4095 bytes into a region of size 1020 [-Wformat-truncation=] "%s %s%s list %s 2>" _PATH_DEVNULL, ^~ clientloop.c:381:20: generated ? xauthfile : "", ~~~~~~~~~ In file included from /usr/include/stdio.h:862, from /usr/include/bsd/libutil.h:46, from includes.h:141, from clientloop.c:62: /usr/include/bits/stdio2.h:64:10: note: ?__builtin___snprintf_c...