Mailing List Archive

What is your default system path? On my Red Hat Linux 5.2 system, it's:

[jmknoble@zax:/usr/include]
$ grep -A 1 _PATH_STDPATH *.h
paths.h:#define _PATH_STDPATH\
paths.h- "/usr/bin:/bin:/usr/sbin:/sbin"
[jmknoble@zax:/usr/include]
$

For such a standard path, what i recommend doing is something like:

--with-default-path="\
/space/local/bin:\
/usr/bin:\
/bin:\
/space/local/sbin:\
/usr/sbin:\
/sbin"

The key is that the contents of --with-default-path *replace*
_PATH_STDPATH, they don't add to it.

Damien, perhaps this can be made more clear in the install docs?

--
jim knoble
jmknoble@pobox.com

På 2000-Mar-16 klokka 13:21:26 -0600 skrivet Mate Wierdl:

: I now specified
:
: --with-default-path=/space/local/bin
:
: but when I log in to the system, I get
:
: ssh wierdlm@karadi
: wierdlm@karadi.msci.memphis.edu's password:
: Warning: Remote host denied X11 forwarding.
: Last login: Thu Mar 16 12:28:52 2000 from wierdlmpc.msci.m
: Sun Microsystems Inc. SunOS 5.6 Generic August 1997
: bash: stty: command not found
: bash: stty: command not found
: bash: stty: command not found
: bash: uname: command not found
:
: I suppose I need to put some more dirs in default-path. What other
: dirs do I need to specify on my Solaris box? What is the syntax to
: specify a path? Is it correct to write
:
: --with-default-path=/space/local/bin:/usr/local/bin:/usr/bin
:
: ? Does the list of dirs affect the security of ssh somehow? Should I
: just do
:
: --with-default-path=$PATH
:
: ?
:
: Thx
:
: Mate

On Thu, Mar 16, 2000 at 05:03:33PM -0500, Jim Knoble wrote:
> What is your default system path? On my Red Hat Linux 5.2 system, it's:
>
> [jmknoble@zax:/usr/include]
> $ grep -A 1 _PATH_STDPATH *.h
> paths.h:#define _PATH_STDPATH\
> paths.h- "/usr/bin:/bin:/usr/sbin:/sbin"
> [jmknoble@zax:/usr/include]
> $

This is Solaris, and I have

grep _PATH_STDPATH /usr/include/*.h
echo $?
1

>
> For such a standard path, what i recommend doing is something like:
>
> --with-default-path="\
> /space/local/bin:\
> /usr/bin:\
> /bin:\
> /space/local/sbin:\
> /usr/sbin:\
> /sbin"

So I should put the sbin directories there too?

>
> The key is that the contents of --with-default-path *replace*
> _PATH_STDPATH, they don't add to it.
>
> Damien, perhaps this can be made more clear in the install docs?

Perhaps a word or two how default-path is used (what programs will be
searched along the path).

Also, the question remains: why $prefix/bin is not added to
default-path?


Mate

On Thu, 16 Mar 2000, Jim Knoble wrote:


> Damien, perhaps this can be made more clear in the install docs?

Done.

Thanks,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

On Thu, 16 Mar 2000, Mate Wierdl wrote:

> On Thu, Mar 16, 2000 at 05:03:33PM -0500, Jim Knoble wrote:
> > What is your default system path? On my Red Hat Linux 5.2 system, it's:
> >
> > [jmknoble@zax:/usr/include]
> > $ grep -A 1 _PATH_STDPATH *.h
> > paths.h:#define _PATH_STDPATH\
> > paths.h- "/usr/bin:/bin:/usr/sbin:/sbin"
> > [jmknoble@zax:/usr/include]
> > $
>
> This is Solaris, and I have
>
> grep _PATH_STDPATH /usr/include/*.h
> echo $?
> 1

_PATH_STDPATH is defined in some unices and not others. In
the case of Solaris, we just override it.

> > --with-default-path="\
> > /space/local/bin:\
> > /usr/bin:\
> > /bin:\
> > /space/local/sbin:\
> > /usr/sbin:\
> > /sbin"
>
> So I should put the sbin directories there too?

It's really up to you. You want to make sure you have /usr/bin
and whereever ssh/scp clients are as a minimum. The rest is
just gravy and makes like easier for doing remote maintainance.
In Solaris, you might want to add /sbin, /usr/sbin, /usr/local/bin,
and maybe /usr/openwin/bin (for xauth). YMMV and there are
a bunch of other recommendations other people will suggest.
Pretty much all are valid as long as /usr/bin and /space/local/bin
is in your default path.

> Also, the question remains: why $prefix/bin is not added to
> default-path?

Actually, that is a good recommendation. Damien?

Ben

On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:

> _PATH_STDPATH is defined in some unices and not others. In
> the case of Solaris, we just override it.

So what is default-path on Solaris if it is not specified for
configure?

> It's really up to you. You want to make sure you have /usr/bin
> and whereever ssh/scp clients are as a minimum. The rest is
> just gravy and makes like easier for doing remote maintainance.
> In Solaris, you might want to add /sbin, /usr/sbin, /usr/local/bin,
> and maybe /usr/openwin/bin (for xauth). YMMV and there are
> a bunch of other recommendations other people will suggest.
> Pretty much all are valid as long as /usr/bin and /space/local/bin
> is in your default path.

So default-path is the PATH ssh would use to execute commands. So
probably it is not bad to set default-path to $PATH afterall.

But I would think, it is best if the user executing ssh would have the
option to set the path (both on the command line and in the config
file). I have not seen an option like that in the man page for ssh.
Would an option like that be insecure?

Reading the the sshd man page, I see

6. Reads $HOME/.ssh/environment if it exists.

Does this mean that I can/should set PATH for scp sessions on the
*remote* system?

So how does scp work? Does it call ssh at one point? At what point
of the copying process does the default-path gets used?

Thx

Mate

On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
> It's really up to you. You want to make sure you have /usr/bin
> and whereever ssh/scp clients are as a minimum. The rest is

This is the part which is not clear to me: So in order to use scp,
the remote site also has to have scp. In other words, it is not
enough to have just sshd running.

But looking at how the openssh rpm is divided up, I see that scp is in
the package required by both the server and the client packages.

Mate

On Fri, 17 Mar 2000, Mate Wierdl wrote:

> On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
> > It's really up to you. You want to make sure you have /usr/bin
> > and whereever ssh/scp clients are as a minimum. The rest is
>
> This is the part which is not clear to me: So in order to use scp,
> the remote site also has to have scp. In other words, it is not
> enough to have just sshd running.

if you only have sshd loaded, I think you can only do port forwarding
and secure logins. If you have scp, ssh, etc (on the server side),
then you can do secure copies and secure remote shell activities.
(I'm sure someone will correct me if I'm wrong on this)


> But looking at how the openssh rpm is divided up, I see that scp is in
> the package required by both the server and the client packages.

The rpm is just a distribution. I would guess that the RPM is setup so
you don't have any extra overhead in loading the client, as opposed
to the server, if you will only be doing client activities.

Ben

På 2000-Mar-17 klokka 10:29:44 -0500 skrivet Ben Taylor:

: On Fri, 17 Mar 2000, Mate Wierdl wrote:
:
: > This is the part which is not clear to me: So in order to use scp,
: > the remote site also has to have scp. In other words, it is not
: > enough to have just sshd running.
:
: if you only have sshd loaded, I think you can only do port forwarding
: and secure logins. If you have scp, ssh, etc (on the server side),
: then you can do secure copies and secure remote shell activities.
: (I'm sure someone will correct me if I'm wrong on this)

You're mostly right. For the following, `local' means the place one is
ssh-ing from (the ``client''), and `remote' is the place one is ssh-ing
to (the ``server'').

The following table describes what is needed at the local and remote
ends:

Purpose Local Remote
------- ----- ------

Execute remote shell commands or create ssh sshd
interactive login sessions

Forward X11 connections ssh sshd

Forward arbitrary TCP/IP ports, in either ssh sshd
direction

Copy files via scp ssh, scp sshd, scp

As you can see, scp is needed at both ends of the session in order to
copy files (using scp). It's possible to copy files without using scp,
using ``only'' ssh/sshd. For example:

cat foo |ssh remote.example.net 'cat >foo'

This is actually similar in principle to the way scp is used, which is
why it's the shell who complains that scp isn't found when it's not on
sshd's default path.

: The rpm is just a distribution. I would guess that the RPM is setup so
: you don't have any extra overhead in loading the client, as opposed
: to the server, if you will only be doing client activities.

Correct. And the reverse as well. The packaging scheme allows one to
install only a client or only a server if that's what's desired.

--
jim knoble
jmknoble@pobox.com

On Fri, 17 Mar 2000, Mate Wierdl wrote:

> On Thu, Mar 16, 2000 at 07:01:16PM -0500, Ben Taylor wrote:
>
> > _PATH_STDPATH is defined in some unices and not others. In
> > the case of Solaris, we just override it.
>
> So what is default-path on Solaris if it is not specified for
> configure?

It is the one in defines.h

> Reading the the sshd man page, I see
>
> 6. Reads $HOME/.ssh/environment if it exists.
>
> Does this mean that I can/should set PATH for scp sessions on the
> *remote* system?

Yes, this should work.

> So how does scp work? Does it call ssh at one point? At what point
> of the copying process does the default-path gets used?

Yes. scp on the local machine runs scp on the remote machine via ssh.
The default path is used by the sshd on the remote machine when it
tries to execute scp.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

On Fri, 17 Mar 2000, Mate Wierdl wrote:

> This is the part which is not clear to me: So in order to use scp,
> the remote site also has to have scp. In other words, it is not
> enough to have just sshd running.

Correct.

> But looking at how the openssh rpm is divided up, I see that scp is in
> the package required by both the server and the client packages.

That is beacuse it is both :)

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)