Mailing List Archive

The patch for building openssh w/o rsa support does not seem to work (for
me, at least). It may allow you to link at run time to openssl w/o rsa,
but it does not let you build against such an openssl.

I built openssl-0.9.5a with no-rc5, no-rsa, and no-idea. When installing,
it does not install headers for rc5, rsa, or idea (of course). (I know,
exlcuding rc5 and idea is a little out of scope for the patch in question,
but the issues are the same.)

When trying to then build openssh-2.1.0p1 against this openssl, there are
all kinds of compile time errors because of the missing headers. I went
ahead and copied the rc5, rsa, and idea headers for openssl into the
openssl include dir and tried to compile again. This time there are
a bunch of errors at link time during the build.

If rsa (and rc5 and idea, for that matter) is missing at build time, would
it not be good to have some ifdefs in the openssh code to exclude sections
of code that rely on them. I understand that this would basically turn
openssh into ssh2 only, so maybe it would be better to implement all this
as some compile time define that says ssh2 only.

-Garrick James

On Wed, May 17, 2000 at 11:47:48PM +1000, Damien Miller wrote:
> This to announce a test release of 2.1.0p1 before making it widely
> available.
...
> Please report bugs to this mailing list directly. It is open again to
> non-subscribers.

Hi,

again I am building OpenSSH-2.1.0p1 on HP-UX 10.20 :-)
[Longish post, sorry]

You have missed the patch sent from "Tom Bertelson <tbert@abac.com>"
to fix a stacksize overflow on AIX (Tom) and HP-UX (experienced by myself):

*** serverloop.c.orig Wed May 17 14:34:23 2000
--- serverloop.c Thu May 18 09:44:54 2000
***************
*** 85,91 ****
int save_errno = errno;
debug("Received SIGCHLD.");
child_terminated = 1;
- signal(SIGCHLD, sigchld_handler2);
errno = save_errno;
}

--- 85,90 ----
***************
*** 648,653 ****
--- 647,653 ----
while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
session_close_by_pid(pid, status);
child_terminated = 0;
+ signal(SIGCHLD, sigchld_handler2);
}
channel_after_select(&readset, &writeset);
process_input(&readset);


> Full Changelog:
...
> - 'fixprogs' perl script to eliminate non-working entropy commands, and
> optionally run 'ent' to measure command entropy

Sorry, I could not find "fixprogs" in the distribution. Hence:
...
if [ -f ssh_prng_cmds -a ! -z "yes" ]; then \
/usr/contrib/bin/perl fixprogs ssh_prng_cmds ; \
/opt/imake/bin/install -c -m 644 ssh_prng_cmds.out /etc/ssh/ssh_prng_cmds; \
fi
Can't open perl script "fixprogs": No such file or directory
*** Error exit code 2

Stop.
...

I am not happy with the *-*-hpux10* stuff. Starting with HP-UX 10.0
the compiler understands the "-Ae" flag for extended ANSI mode (64bit
long long). Please change line 42 in configure.in to
CFLAGS="$CFLAGS -Ae"
In lines 45,46 (and for hpux11 as well) the "/usr/local" hierarchy is
used as a standard place to look for includes and libraries. As of
HP-UX 10, the people at the "Software Porting and Archive Center for HP-UX"
http://hpux.connect.org.uk/ have decided to move ported packages into the
/opt hierarchy (with a subdirectory for each package).
Even though I still enjoy using /usr/local instead (far more practical for
exporting via NFS), the decision about adding the /usr/local hierarchy should
be left to the user.
Recommendation: remove lines 45,46 and the corresponding lines for hpux11.

[.I also think that the CFLAGS and CPPFLAGS (CPPFLAGS containing the
"-I" include paths and "-D" definitions) should be separated as with
most packages using "configure".
Hence line 24 of Makefile.in should be changed from
CFLAGS=@CFLAGS@ $(PATHS) @DEFS@
to
CFLAGS=@CFLAGS@ @CPPFLAGS@ $(PATHS) @DEFS@
"configure" itself does handle CPPFLAGS.]

In the install target the "install" command (or replacement, whatever might be
found by configure) is used with the "-d" flag to create subdirectories.
This is not portable and maybe only available with gnu-install.
Other install programs, like the one delivered with HP-UX, or the bsdinst
script do not understand the "-d" flag and either use the "mkdirhier"
script/command or "mkinstalldirs" or "mkdir" the hierarchy themself.
As far as I understand, bsdinst and mkdirhier are supplied with X11, so
licensing should be no problem, mkinstalldirs is in the public domain
(according to the comment in src/helpers/mkdir.sh, the script used by
Apache). [.This list of "install" replacements is for sure not complete :-)]

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

On Wed, May 17, 2000 at 11:47:48PM +1000, Damien Miller wrote:
> This to announce a test release of 2.1.0p1 before making it widely
> available.

> This release includes many fixes to problems reported over the last
> week. In particular:

> - spurious error and coredumps caused by the inbuilt entropy gathering
> - RSAref detection
> - Compilation fixes for Solaris and others

> It also contains (completely untested) support for compiling without
> RSA support. This may be useful to those of you in the USA. I am
> interested to hear whether and how well this works. RSAless support
> is enabled if a) OpenSSL is available, b) OpenSSL is built without
> RSAref and c) RSAref cannot be found. In future it will be a config
> option.

> Please report bugs to this mailing list directly. It is open again to
> non-subscribers.

Still having problems with X11 forwarding:

[mhw@alcove mhw]$ ssh canyon
Last login: Thu May 18 08:11:53 2000 from alcove.wittsend.com
[mhw@canyon mhw]$ set | grep XAU
XAUTHORITY=/tmp/ssh-sfsQ2629/cookies
[mhw@canyon mhw]$ xterm
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to canyon:10.0 broken (explicit kill or server shutdown).

From sshd_config on Canyon (the server system):

X11Forwarding yes
X11DisplayOffset 10

From ssh_config on Alcove (the client side):

Host *
ForwardAgent yes
ForwardX11 yes
FallBackToRsh no

Here is what I get if I do this with with an ssh -v:

[mhw@canyon mhw]$ xterm
debug: Received X11 open request.
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [X11 connection from canyon port 1055]
debug: X11 connection uses different authentication protocol.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What's this all about?
debug: X11 rejected 0 i1/o16
debug: channel 0: read failed
debug: channel 0: input open -> drain
debug: channel 0: close_read
debug: channel 0: input: no drain shortcut
debug: channel 0: ibuf empty
debug: channel 0: input drain -> wait_oclose
debug: channel 0: send ieof
debug: channel 0: write failed
debug: channel 0: output open -> wait_ieof
debug: channel 0: send oclose
debug: channel 0: close_write
debug: X11 closed 0 i4/o64
debug: channel 0: rcvd ieof
debug: channel 0: non-open
channel 0: istate 4 != open
channel 0: ostate 64 != open
debug: channel 0: rcvd oclose
debug: channel 0: input wait_oclose -> closed
X connection to canyon:10.0 broken (explicit kill or server shutdown).
[mhw@canyon mhw]$

So there is something foo'ed in the authentication protocol.
Seems like this use to work (1.2.3, I think). What broke?

> Regards,
> Damien
>
> Full Changelog:
>
> 20000517
> - Fix from Andre Lucas <andre.lucas@dial.pipex.com>
> - Fixes command line printing segfaults (spotter: Bladt Norbert)
> - Fixes erroneous printing of debug messages to syslog
> - Fixes utmp for MacOS X (spotter: Aristedes Maniatis)
> - Gives useful error message if PRNG initialisation fails
> - Reduced ssh startup delay
> - Measures cumulative command time rather than the time between reads
> after select()
> - 'fixprogs' perl script to eliminate non-working entropy commands, and
> optionally run 'ent' to measure command entropy
> - Applied Tom Bertelson's <tbert@abac.com> AIX authentication fix
> - Avoid WCOREDUMP complation errors for systems that lack it
> - Avoid SIGCHLD warnings from entropy commands
> - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson <sxw@dcs.ed.ac.uk>
> - OpenBSD CVS update:
> - markus@cvs.openbsd.org
> [ssh.c]
> fix usage()
> [ssh2.h]
> draft-ietf-secsh-architecture-05.txt
> [ssh.1]
> document ssh -T -N (ssh2 only)
> [channels.c serverloop.c ssh.h sshconnect.c sshd.c aux.c]
> enable nonblocking IO for sshd w/ proto 1, too; split out common code
> [aux.c]
> missing include
> - Several patches from SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp>
> - INSTALL typo and URL fix
> - Makefile fix
> - Solaris fixes
> - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka
> <ksakai@kso.netwk.ntt-at.co.jp>
> - RSAless operation patch from kevin_oconnor@standardandpoors.com
> - Detect OpenSSL seperatly from RSA
> - Better test for RSA (more compatible with RSAref). Based on work by
> Ed Eden <ede370@stl.rural.usda.gov>
>
> 20000513
> - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz
> <misiek@pld.org.pl>
>
> 20000511
> - Fix for prng_seed permissions checking from Lutz Jaenicke
> <Lutz.Jaenicke@aet.TU-Cottbus.DE>
> - "make host-key" fix for Irix
>
>
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

On Fri, 19 May 2000, Lars Hecking wrote:

> Under Solaris 8, /var/tmp/utmp is gone, and only utmpx is
> used. There is a utmp daemon to watch/update the latter. Actually,
> a quick look into utmp(4) on Solaris 7 says the same thing, and
> the utmp daemon is there as well, but I never noticed these syslog
> messages before. The timestamp on the utmp file corresponds to the
> time of my ssh login

Does this patch help?

Index: bsd-login.c
===================================================================
RCS file: /var/cvs/openssh/bsd-login.c,v
retrieving revision 1.11
diff -u -r1.11 bsd-login.c
--- bsd-login.c 2000/05/17 12:53:34 1.11
+++ bsd-login.c 2000/05/20 02:55:51
@@ -73,7 +73,7 @@
int t = 0;
struct utmp * u;

-#ifdef HAVE_TYPE_IN_UTMP
+#if defined(HAVE_TYPE_IN_UTMP) || defined(HAVE_TYPE_IN_UTMPX)
setutent();

while((u = getutent()) != NULL) {
@@ -123,16 +123,26 @@
*/
tty = find_tty_slot(utp);

+#ifdef USE_UTMPX
+ fd = open(_PATH_UTMPX, O_RDWR|O_CREAT, 0644);
+ if (fd == -1) {
+ log("Couldn't open %s: %s", _PATH_UTMPX, strerror(errno));
+#else /* USE_UTMPX */
fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644);
if (fd == -1) {
log("Couldn't open %s: %s", _PATH_UTMP, strerror(errno));
+#endif /* USE_UTMPX */
} else {
/* If no tty was found... */
if (tty == -1) {
/* ... append it to utmp on login */
-#ifdef HAVE_TYPE_IN_UTMP
+#if defined(HAVE_TYPE_IN_UTMP) || defined(HAVE_TYPE_IN_UTMPX)
if (utp->ut_type == USER_PROCESS) {
+#ifdef USE_UTMPX
+ if ((fd = open(_PATH_UTMPX, O_WRONLY|O_APPEND, 0)) >= 0) {
+#else /* USE_UTMPX */
if ((fd = open(_PATH_UTMP, O_WRONLY|O_APPEND, 0)) >= 0) {
+#endif /* USE_UTMPX */
(void)write(fd, utp, sizeof(struct utmp));
(void)close(fd);
}
Index: configure.in
===================================================================
RCS file: /var/cvs/openssh/configure.in,v
retrieving revision 1.123
diff -u -r1.123 configure.in
--- configure.in 2000/05/17 13:29:18 1.123
+++ configure.in 2000/05/20 02:55:56
@@ -494,6 +494,7 @@
OSSH_CHECK_HEADER_FOR_FIELD(syslen, utmpx.h, HAVE_SYSLEN_IN_UTMPX)
OSSH_CHECK_HEADER_FOR_FIELD(ut_pid, utmp.h, HAVE_PID_IN_UTMP)
OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmp.h, HAVE_TYPE_IN_UTMP)
+OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX)
OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP)
OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP)
OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP)


--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

Damien Miller writes:
> On Fri, 19 May 2000, Lars Hecking wrote:
>
> > Under Solaris 8, /var/tmp/utmp is gone, and only utmpx is
> > used. There is a utmp daemon to watch/update the latter. Actually,
> > a quick look into utmp(4) on Solaris 7 says the same thing, and
> > the utmp daemon is there as well, but I never noticed these syslog
> > messages before. The timestamp on the utmp file corresponds to the
> > time of my ssh login
>
> Does this patch help?

I'm sorry, it doesn't.

May 20 17:02:47 localhost sshd[17085]: [ID 800047 auth.error] error: fcntl(-1, F_GETFL, 0): Bad file number

On Sat, 20 May 2000, Lars Hecking wrote:

> > Does this patch help?
>
> I'm sorry, it doesn't.
>
> May 20 17:02:47 localhost sshd[17085]: [ID 800047 auth.error] error:
> fcntl(-1, F_GETFL, 0): Bad file number

That's a different error to the one that you were reporting earlier.
Has the patch solved your utmp problems?

BTW the above bug is fixed in the 2.1.0p2 release.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)

Damien Miller writes:
> On Sat, 20 May 2000, Lars Hecking wrote:
>
> > > Does this patch help?
> >
> > I'm sorry, it doesn't.
> >
> > May 20 17:02:47 localhost sshd[17085]: [ID 800047 auth.error] error:
> > fcntl(-1, F_GETFL, 0): Bad file number
>
> That's a different error to the one that you were reporting earlier.

Ooops, sorry.

> Has the patch solved your utmp problems?

Looks like it. utmp is not being recreated.

> BTW the above bug is fixed in the 2.1.0p2 release.

D/l'ing right now ...

Thanks!