similar to: openssh-unix-dev digest, Vol 1 #505 - 15 msgs

Please enlightnen me on a subject, which is easily explained by example (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest openssh-portable installed): lapo at CYBERONE ~ $ scp lapo at cyberx:Luth\'ol.pcg . bash: -c: line 1: unexpected EOF while looking for matching `'' bash: -c: line 2: syntax error: unexpected end of file lapo at CYBERONE ~ $ scp lapo at

There are a couple of races in sftp-server as this patch shows: --- sftp-server.c 28 Jan 2003 18:06:53 -0000 1.1.1.2 +++ sftp-server.c 5 Feb 2003 19:19:42 -0000 @@ -832,19 +832,22 @@ process_rename(void) { u_int32_t id; - struct stat st; char *oldpath, *newpath; - int ret, status = SSH2_FX_FAILURE; + int status; id = get_int(); oldpath = get_string(NULL); newpath = get_string(NULL);

When the unprivileged child has chrooted it can no longer open /etc/resolv.conf, so if the resolver hasn't yet initialized itself then dns lookups will not be possible. This is unfortunately what normally happens, but sshd falls back gracefully. There are a couple of wrinkles: the resolver will typically try talking to a nameserver on the local host by default (using INADDR_ANY rather than

--- ssh-rand-helper.c.orig Mon Jun 18 16:48:13 2007 +++ ssh-rand-helper.c Mon Jun 18 16:47:32 2007 @@ -31,7 +31,7 @@ #include <sys/socket.h> #include <stdarg.h> -#include <stddef.h> +#include <string.h> #include <netinet/in.h> #include <arpa/inet.h> Tony. -- f.a.n.finch <dot at dotat.at> http://dotat.at/ SHANNON ROCKALL: EAST OR NORTHEAST

We're using rsync to update the tables on our email relays, and very occasionally we get an error in the logs saying that a table has the wrong permissions. This is because of race conditions in finish_transfer() which mean that it does not update files atomically. This makes rsync not entirely safe to use in our situation, where the files being synced are frequently opened for short periods

From: Randy Dunlap <randy.dunlap at oracle.com> scripts/headers_install.pl prevents "__user" from being exported to userspace headers, so just use compiler.h to make sure that __user is defined and avoid the error. unifdef: linux-next-20101112/xx64/usr/include/xen/privcmd.h.tmp: 79: Premature EOF (#if line 33 depth 1) Signed-off-by: Randy Dunlap <randy.dunlap at

From: Randy Dunlap <randy.dunlap at oracle.com> scripts/headers_install.pl prevents "__user" from being exported to userspace headers, so just use compiler.h to make sure that __user is defined and avoid the error. unifdef: linux-next-20101112/xx64/usr/include/xen/privcmd.h.tmp: 79: Premature EOF (#if line 33 depth 1) Signed-off-by: Randy Dunlap <randy.dunlap at

From: Randy Dunlap <randy.dunlap at oracle.com> scripts/headers_install.pl prevents "__user" from being exported to userspace headers, so just use compiler.h to make sure that __user is defined and avoid the error. unifdef: linux-next-20101112/xx64/usr/include/xen/privcmd.h.tmp: 79: Premature EOF (#if line 33 depth 1) Signed-off-by: Randy Dunlap <randy.dunlap at

Here's another patch for people providing ssh access to restricted environments. We allow our users to use port forwarding when logging into our mail servers so that they can use it to fetch mail over an encrypted channel using clients that don't support TLS, for example fetchmail. (In fact, fetchmail has built-in ssh support.) However we don't want them connecting to other places

We have a system on which users are given a very restricted environment (their shell is a menu) where they should not be able to run arbitrary commands. However, because their shell is not statically linked, ld.so provides a nice clutch of holes for them to exploit. The patch below adds a new configuration option to sshd which quashes their attempts to set LD_PRELOAD etc. using ~/.ssh/environment

There is a race in the setup of the ControlMaster socket in auto mode, as illustrated by the following command line: ssh -oControlMaster=auto -oControlPath=sock localhost 'sleep 1; echo 1' & ssh -oControlMaster=auto -oControlPath=sock localhost 'sleep 2; echo 2' & Both of the commands will try to start up as a control client, find that sock does not exist, and switch into

When you give sftp-server a bogus -l or -f parameter, it logs a useful error message then blunders on to call log_init() with the bogus value. log_init() then prints a less useful message to stderr and exits. The following patch tidies this up by only printing the more useful error to stderr and not blundering on afterwards. --- sftp-server.c.orig Mon Jun 18 16:37:46 2007 +++ sftp-server.c Mon

There are a couple of niggles with the sandboxing of the unprivileged child in the privsep code: the empty directory causes namespace pollution, and it requires care to ensure that it is set up properly and remains set up properly. The patch below (against the portable OpenSSH, although the patch against the OpenBSD version is very similar) replaces the fixed empty directory with one that is

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Some paths on the remote server may require authentication. If so then you will receive a password prompt when you con- nect. You can avoid the password prompt by setting the environment variable RSYNC_PASSWORD to the password you want to use or using the --password-file option. This may be use-

[I am responding on the cygwin list to a message on cygwin-announce and cc'ing to the rsync list.] From: "Lapo Luchini" <lapo@lapo.it> > I have uploaded version 2.5.2-1 of the open source utility that > provides fast incremental file transfer. > > ChangeLog as on http://rsync.samba.org : Rsync 2.5.2 has a data-destroying bug as described here:

Each time I send a message to the ML I receive this message... (thi mislead me to double-post some days ago). Could someone please unsubscribe the "blocked" address? But I guess that's not possible, as anyone else shuold have noticed this, too... =( -- Lapo 'Raist' Luchini lapo@lapo.it (PGP & X.509 keys available) http://www.lapo.it (ICQ UIN: 529796) --------------

Is there any plan to do it? Is it maybe already in and just not documented? -- Lapo 'Raist' Luchini lapo@lapo.it (PGP & X.509 keys available) http://www.lapo.it (ICQ UIN: 529796)

Uhm... rsync developers: what do you think about changing the default modify-window in the Cygwin platform? It seems to me that many problems people have are just because of the granularity of timestamp. Maybe changing the default could be the best choice. That would be documented in the "man" and in my release announcement on cygwni-annouce, of course. Just an idea, maybe it's

Saw this on the Exim List:- From: Tony Finch <dot--at-- at dotat.at> Subject: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim Date: Tue, 27 Jan 2015 17:33:45 +0000 "The Exim mail server is exploitable remotely if configured to perform extra security checks on the HELO and EHLO commands ("helo_verify_hosts" or "helo_try_verify_hosts"

Hi, I have a little request, which should be considered "very very very very low priority" but would be useful nonetheless... in Makefile.in there are two lines with additional space at end of line and my editor strip it, so I must hand-edit the cygwin-specific patch in order to create the package (nothing serious: only patch is using /usr instead of /usr/local as a default prefix and