Mailing List Archive

1.2.3-1 package for Debian GNU/Linux released
Hi,

I just got round to releasing 1.2.3 Debian package (which should
hopefully make it into the freeze for Debian 2.2, aka potato)

It should hit the Debian non-US mirrors soon, but if you cannot wait,
it's also here:

http://www.hands.com/~phil/debian/openssh/

[. Damien, you might want to check out the patch, it's got a few things
that should probably go upstream. I'll annotate it if you need me
to, so just ask. ]

Cheers, Phil.

Re: 1.2.3-1 package for Debian GNU/Linux released
On 14 Apr 2000, Philip Hands wrote:

> Hi,
>
> I just got round to releasing 1.2.3 Debian package (which should
> hopefully make it into the freeze for Debian 2.2, aka potato)
>
> It should hit the Debian non-US mirrors soon, but if you cannot wait,
> it's also here:
>
> http://www.hands.com/~phil/debian/openssh/
>
> [. Damien, you might want to check out the patch, it's got a few things
> that should probably go upstream. I'll annotate it if you need me
> to, so just ask. ]

Got it - a couple of questions / comments:

1. I evidently don't speak Makefile jive as well as some - what does
the following change do?

-all: $(TARGETS) $(MANPAGES) $(CONFIGFILES)
+all: $(TARGETS) $(MANPAGES:%=%.out) $(CONFIGFILES:%=%.out)

2. Why the vhangup() in pty.c? What does this fix?

3. Why the excision of the BUF code in scp.c?

4. I would prefer the shadow password checking to occur during
password auth - I consider the other forms of auth to be totally
separate, but I can see your reasoning. If you move this code to a
separate function in auth-passwd.c which could be called before or
during password auth I will include it.

Thanks,
Damien


--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

Re: 1.2.3-1 package for Debian GNU/Linux released
Damien Miller <djm@mindrot.org> writes:

> On 14 Apr 2000, Philip Hands wrote:
>
> > Hi,
> >
> > I just got round to releasing 1.2.3 Debian package (which should
> > hopefully make it into the freeze for Debian 2.2, aka potato)
> >
> > It should hit the Debian non-US mirrors soon, but if you cannot wait,
> > it's also here:
> >
> > http://www.hands.com/~phil/debian/openssh/
> >
> > [. Damien, you might want to check out the patch, it's got a few things
> > that should probably go upstream. I'll annotate it if you need me
> > to, so just ask. ]
>
> Got it - a couple of questions / comments:
>
> 1. I evidently don't speak Makefile jive as well as some - what does
> the following change do?
>
> -all: $(TARGETS) $(MANPAGES) $(CONFIGFILES)
> +all: $(TARGETS) $(MANPAGES:%=%.out) $(CONFIGFILES:%=%.out)
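
Review bot: On the `+all:` line, the `%=%.out` substitution references make `all` depend on generated `.out` files, but nothing beside the line says so or points at the rule that produces them. Add a short comment above `all:` stating that the prerequisites are the generated copies of the man pages and config files, and check that the rule building each `.out` file from its source is part of the same patch, since it is not visible in this fragment.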

This means tack .out on the end of all the individual file names, so
if $(MANPAGES) is ``ssh.1 sshd.8'' then $(MANPAGES:%=%.out) is
``ssh.1.out sshd.8.out''

This means that when they are later generated, it's the target file
that you're depending upon, not the source, which makes the
dependencies work properly (or that's the way I remember it, it's a
while since I wrote it).

> 2. Why the vhangup() in pty.c? What does this fix?

http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=55379

> 3. Why the excision of the BUF code in scp.c?

http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=53697
and
http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=52071

> 4. I would prefer the shadow password checking to occur during
> password auth - I consider the other forms of auth to be totally
> separate, but I can see your reasoning.

Yeah, it's a shame that we need to mix them up, but without this you
don't get account expiry, locked accounts etc. which leaves ssh as a
loophole.

> If you move this code to a separate function in auth-passwd.c which
> could be called before or during password auth I will include it.

OK.

BTW you might want to quickly scan the (embarrassingly vast) list of
bugs reported against Debian ssh:

http://www.debian.org/Bugs/db/pa/lssh.html

I've been rather busy with the day job lately, so have not been doing
much about these. At first glance, many of them are pretty valid
upstream problems, so if you want to deal with some of them direct,
mail me the numbers and I'll mark them as forwarded (so we don't end
up duplicating effort).

Cheers, Phil.
--
Mind-numbingly stupid UK law alert!
Act now to stop it http://www.stand.org.uk/

Re: 1.2.3-1 package for Debian GNU/Linux released
On Sat, Apr 15, 2000 at 02:24:13AM +0100, Philip Hands wrote:
> Yeah, it's a shame that we need to mix them up, but without this you
> don't get account expiry, locked accounts etc. which leaves ssh as a
> loophole.

then it should be moved to allowed_user().

-m
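
The point argued in the messages above, that account expiry and locking have to be enforced whichever authentication method the client uses, shown as an added example that is not code from this thread, the Debian patch or OpenSSH. The names `shadow_status` and `login_permitted` are hypothetical, the sample entries are constructed, and treating a leading `!` in the password field as "locked" is an assumption based on what `passwd -l` writes on Linux.

```c
/* Added example: account-status check run before any auth method. */
#include <shadow.h>
#include <stdio.h>
#include <time.h>

enum acct_status { ACCT_OK, ACCT_LOCKED, ACCT_EXPIRED, ACCT_INACTIVE };

/* Classify a shadow entry as of day `today` (days since 1970-01-01).
 * glibc stores -1 in numeric fields that are empty in /etc/shadow. */
enum acct_status shadow_status(const struct spwd *sp, long today)
{
    if (sp == NULL)
        return ACCT_OK;               /* no shadow entry: nothing to enforce */
    /* Assumption: a leading '!' marks a locked account (what passwd -l writes). */
    if (sp->sp_pwdp != NULL && sp->sp_pwdp[0] == '!')
        return ACCT_LOCKED;
    if (sp->sp_expire != -1 && today > sp->sp_expire)
        return ACCT_EXPIRED;          /* account expiry date has passed */
    /* Password older than max age plus the inactivity grace period. */
    if (sp->sp_lstchg > 0 && sp->sp_max != -1 && sp->sp_inact != -1 &&
        today > sp->sp_lstchg + sp->sp_max + sp->sp_inact)
        return ACCT_INACTIVE;
    return ACCT_OK;
}

/* Hypothetical gate: the same answer whether the client then offers a
 * password, an RSA key or rhosts, so key auth cannot bypass expiry. */
int login_permitted(const struct spwd *sp, long today)
{
    return shadow_status(sp, today) == ACCT_OK;
}

int main(void)
{
    long today = (long)(time(NULL) / 86400);
    /* Constructed sample entries, not read from a real /etc/shadow. */
    struct spwd live    = { "alice", "$1$x$hash", today - 10, 0, 90, 7, -1, -1, 0 };
    struct spwd locked  = { "bob", "!$1$x$hash", today - 10, 0, 90, 7, -1, -1, 0 };
    struct spwd expired = { "carol", "$1$x$hash", today - 10, 0, 90, 7, -1, today - 1, 0 };
    struct spwd stale   = { "dave", "$1$x$hash", today - 200, 0, 90, 7, 14, -1, 0 };
    const struct spwd *all[] = { &live, &locked, &expired, &stale };
    for (int i = 0; i < 4; i++)
        printf("%s: %s\n", all[i]->sp_namp,
               login_permitted(all[i], today) ? "permit" : "deny");
    return 0;
}
```
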

Re: 1.2.3-1 package for Debian GNU/Linux released
On 15 Apr 2000, Philip Hands wrote:

Attached is the diff that I have applied so far. Executive summary:

- You can set the SSH_PAM_SERVICE thru CFLAGS
- use vhangup in pty.c
- use '+' in ssh-agent getopt

> > 3. Why the excision of the BUF code in scp.c?
>
> http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=53697

Forgive my ignorance, but why should writes larger than PIPE_BUF
size cause failures? Is it a problem with atomicity?

In any case, I won't merge the removal of all the buffer code as a
solution - I would rather add a hack to the allocation routine.

Keeping the diff size down is good for quality as well as my own
sanity. The OpenBSD team do a great job of auditing and cleaning up
the code, I don't want to go fudging that up :)

> > 4. I would prefer the shadow password checking to occur during
> > password auth - I consider the other forms of auth to be totally
> > separate, but I can see your reasoning.
>
> Yeah, it's a shame that we need to mix them up, but without this you
> don't get account expiry, locked accounts etc. which leaves ssh as a
> loophole.
>
> > If you move this code to a separate function in auth-passwd.c which
> > could be called before or during password auth I will include it.
>
> OK.

You should grab a copy of the test release at
http://violet.ibs.com.au/openssh/files/test/ It tracks a few large
changes to the OpenBSD tree, including the splitting of auth code into
a separate file.

> BTW you might want to quickly scan the (embarrassingly vast) list of
> bugs reported against Debian ssh:
>
> http://www.debian.org/Bugs/db/pa/lssh.html
>
> I've been rather busy with the day job lately, so have not been doing
> much about these. At first glance, many of them are pretty valid
> upstream problems, so if you want to deal with some of them direct,
> mail me the numbers and I'll mark them as forwarded (so we don't end
> up duplicating effort).

I too have been pretty busy with Other Things, but I will try to look
at these as time permits. It would be appreciated if you could forward
any particularly pernicious bugs to me direct, esp any security
problems.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)