bugzilla-daemon | 1 Apr 06:13 2002

[Bug 119] Occasionally, SSH failed to connect and timed out after 2 hrs!

http://bugzilla.mindrot.org/show_bug.cgi?id=119

------- Additional Comments From anguslau <at> hongkong.com  2002-04-01 14:13 -------
Before I make the ssh connection, the time is 'Tue Feb 12 04:10:04 HKT 2002'. 
After the ssh failed to connect (ssh_exchange_identification: read: Connection 
reset by peer), the time is Tue Feb 12 06:11:39 HKT 2002. ssh waits for 2 hrs 
before declaring that the connection failed!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-unix-dev <at> mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

bugzilla-daemon | 1 Apr 09:49 2002

[Bug 189] pam_setcred() failures should not be treated as fatal

http://bugzilla.mindrot.org/show_bug.cgi?id=189

------- Additional Comments From stevesk <at> pobox.com  2002-04-01 17:49 -------
why should pam_setcred() failures not be treated as fatal?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-unix-dev <at> mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Jon Peatfield | 1 Apr 09:54 2002

path to find ssh-rand-helper

Before I actually implement the small changes needed to allow the
location of ssh-rand-helper to be specified in the config file, I'd
like to check that in doing so I won't be opening up a huge security
hole.

My brief reading of the code suggests that in entropy.c:seed_rng() the
ssh-rand-helper is run as the original uid (for binaries which were
setuid in the first place of course), so I can't spot any obvious
holes (but I may not be devious enough).

Since almost all the other paths can be overridden in the config (or
with -o), and the config file location can also be controlled from the
command line (-F for ssh, -f for sshd), I can't see any good reason
why the ssh-rand-helper location can't also be...

[ I will then nobble ssh-rand-helper to take the prng_cmds from a
user-specified source and I'll have a way to give people a small set
of files to install anywhere (with a helper shell script to specify
all the paths etc) ]

-- 
Jon Peatfield,  DAMTP,  Computer Officer,   University of Cambridge
Telephone: +44 1223  3 37852    Mail: J.S.Peatfield <at> damtp.cam.ac.uk
_______________________________________________
openssh-unix-dev <at> mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
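The question Jon raises (can a helper path taken from user-controllable configuration be abused when the calling binary is setuid?) comes down to whether the helper is executed with the caller's real credentials. The following is an added example, not OpenSSH's own code and not from entropy.c, of the pattern the thread describes for seed_rng(): fork, permanently drop to the real uid/gid, verify that the drop took effect, and only then exec the configured path. The function names, the absolute-path requirement and the use of /bin/sh as a stand-in helper are this example's assumptions.

```c
/* Added example (not OpenSSH code): run a helper whose path may come from
 * user-controlled configuration, but only after discarding any setuid/setgid
 * privilege the calling program had.  Names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Drop to the real uid/gid permanently.  Returns 0 on success, -1 if any
 * step fails or the effective ids still differ from the real ones. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is no longer 0, setgid() could fail. */
    if (setgid(rgid) == -1)
        return -1;
    if (setuid(ruid) == -1)
        return -1;
    /* Verify: a silently partial drop is the classic mistake. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Run `path` with argv in a child that has dropped privileges.  Returns the
 * child's exit status (0..255), 126 if privileges could not be dropped,
 * 127 if exec failed, or -1 on a relative path or fork/wait failure. */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/')
        return -1;                       /* never search PATH for a helper */

    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);                  /* refuse to exec with privilege */
        execv(path, argv);
        _exit(127);                      /* exec failed */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

/* Convenience wrapper: run a shell one-liner as the unprivileged helper. */
int run_sh(const char *command)
{
    char *argv[] = { "sh", "-c", (char *)command, NULL };
    return run_helper_unprivileged("/bin/sh", argv);
}

int main(void)
{
    char *argv[] = { "ssh-rand-helper", NULL };
    printf("drop_privileges()            -> %d\n", drop_privileges());
    printf("run_sh(\"exit 0\")             -> %d\n", run_sh("exit 0"));
    printf("run_sh(\"exit 3\")             -> %d\n", run_sh("exit 3"));
    printf("relative helper path         -> %d\n",
           run_helper_unprivileged("ssh-rand-helper", argv));
    printf("nonexistent absolute path    -> %d\n",
           run_helper_unprivileged("/nonexistent/ssh-rand-helper", argv));
    return 0;
}
```

The verification after setuid() is the part that matters: if the drop silently failed and the child went on to exec a user-chosen path, the user would get code execution at the elevated uid, which is exactly the hole Jon is asking about. Refusing relative paths closes the other obvious route, a PATH lookup under the caller's control.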

bugzilla-daemon | 1 Apr 11:11 2002

[Bug 195] New: OpenSSH 3.1.0 "make" failure

http://bugzilla.mindrot.org/show_bug.cgi?id=195

           Summary: OpenSSH 3.1.0 "make" failure
           Product: Portable OpenSSH
           Version: 3.0.1p1
          Platform: ix86
        OS/Version: OpenBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev <at> mindrot.org
        ReportedBy: arctor002 <at> hotmail.com

Attempting to build OpenSSH 3.1.0 on OpenBSD 2.9 fails. The 2.9 patch info is 
unnecessarily buried.

Sorry for the hassle from me, gentlemen, but information on the OBSD 2.9 patch 
for OpenSSH 3.1 is buried. This is exactly the sort of thing that belongs in 
the FAQ (I would think), so if it's possible, please either update the FAQ at 
openssh.org or pass along some feedback to the OpenBSD people. I know I can't 
be the only anklebiter to have this problem.

Thanks for your time.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-unix-dev <at> mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

bugzilla-daemon | 1 Apr 17:35 2002

[Bug 196] New: wrong sent message id on upload

http://bugzilla.mindrot.org/show_bug.cgi?id=196

           Summary: wrong sent message id on upload
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: sftp
        AssignedTo: openssh-unix-dev <at> mindrot.org
        ReportedBy: chombier <at> mac.com

In sftp_client.c, in the do_upload() function, the 'id' variable is used for both 
the sent and the received message ids; this corrupts the id of the messages 
to send and randomly generates upload failures.

The fix is to use another variable, status_id, to extract the received message 
id, as done in do_download().

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-unix-dev <at> mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
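To see why sharing one variable between the outgoing id counter and the incoming status id breaks a pipelined upload, here is a constructed model, added here and not taken from OpenSSH's sftp-client.c, of a write loop that keeps several requests in flight against a stand-in server that acknowledges them in order. The struct and function names, MAX_REQ and NUM_CHUNKS are this example's own; upload(0) reproduces the pattern the report describes, upload(1) the separate status_id the report proposes.

```c
/* Added example (not OpenSSH code): model of an sftp-style pipelined upload
 * showing what happens when the received status id is read into the same
 * variable that serves as the outgoing message-id counter. */
#include <stdio.h>

#define MAX_REQ    4    /* writes allowed in flight before draining a status */
#define NUM_CHUNKS 12   /* constructed upload: 12 write requests in total */

/* Constructed stand-in server: queues write ids, acknowledges them FIFO. */
struct server { unsigned q[NUM_CHUNKS * 2]; int head, tail; };
static void srv_recv_write(struct server *s, unsigned id) { s->q[s->tail++] = id; }
static unsigned srv_next_status(struct server *s) { return s->q[s->head++]; }

/* Client bookkeeping: ids of writes sent but not yet acknowledged. */
struct acks { unsigned id[NUM_CHUNKS]; int n; };
static int ack_outstanding(const struct acks *a, unsigned id)
{
    int i;
    for (i = 0; i < a->n; i++)
        if (a->id[i] == id) return 1;
    return 0;
}
static void ack_add(struct acks *a, unsigned id) { a->id[a->n++] = id; }
static int ack_remove(struct acks *a, unsigned id)
{
    int i;
    for (i = 0; i < a->n; i++)
        if (a->id[i] == id) { a->id[i] = a->id[--a->n]; return 1; }
    return 0;
}

/* Pipelined upload loop.  With separate_status_id == 0 the received id is
 * read into the same `id` that is the outgoing counter (the defect); with 1
 * it goes into status_id.  Reports how many writes went out carrying an id
 * that was still outstanding, and the value `id` held when the loop ended. */
void upload(int separate_status_id, int *collisions, unsigned *last_id)
{
    struct server srv = { {0}, 0, 0 };
    struct acks acks = { {0}, 0 };
    unsigned id = 0, status_id;
    int sent = 0, num_req = 0;

    *collisions = 0;
    while (sent < NUM_CHUNKS || num_req > 0) {
        if (sent < NUM_CHUNKS && num_req < MAX_REQ) {
            id++;                                  /* next outgoing message id */
            if (ack_outstanding(&acks, id))
                (*collisions)++;                   /* reusing a live id */
            srv_recv_write(&srv, id);
            ack_add(&acks, id);
            sent++; num_req++;
            continue;
        }
        if (separate_status_id) {
            status_id = srv_next_status(&srv);     /* fix: counter untouched */
        } else {
            id = srv_next_status(&srv);            /* defect: counter clobbered */
            status_id = id;
        }
        ack_remove(&acks, status_id);
        num_req--;
    }
    *last_id = id;
}

int upload_collisions(int separate_status_id)
{
    int c; unsigned l;
    upload(separate_status_id, &c, &l);
    return c;
}

unsigned upload_last_id(int separate_status_id)
{
    int c; unsigned l;
    upload(separate_status_id, &c, &l);
    return l;
}

int main(void)
{
    printf("shared id variable : %d colliding writes, counter ended at %u\n",
           upload_collisions(0), upload_last_id(0));
    printf("separate status_id : %d colliding writes, counter ended at %u\n",
           upload_collisions(1), upload_last_id(1));
    return 0;
}
```

With the shared variable, the first drained status drags the counter back to an id that is still in flight, so the next write goes out with a duplicate id and the server's later acknowledgement can no longer be matched to the right request; with a separate status_id the counter climbs 1 to 12 and every status matches exactly one outstanding write.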

James Dennis | 1 Apr 18:21 2002

chroot.diff

Hello,

I'm not sure if this is the list to mail, but I have updated chroot.diff for
openssh 3.1. I thought more people are most likely using this and figured some
people may lack the ability to update it themselves, as certain functions were
modified enough to require new function prototypes etc. I'd be happy to modify
this again for future releases if you'd like.

As I'm not on this mailing list please cc jdennis <at> law.harvard.edu.

-- 
James Dennis
Codito, ergo sum
Attachment (chroot.diff): application/octet-stream, 3461 bytes
James Dennis | 1 Apr 18:25 2002

chroot.diff

Looks like I diff'd 'em backwards. Whoops!
-- 
James Dennis
Codito, ergo sum
Attachment (chroot.diff): application/octet-stream, 3461 bytes
Richard Bonomo | 1 Apr 19:38 2002

entropy problems IRIX


Hello!

I am running openSSH 2.9x on an IRIX 6.5.x platform.
This was recently installed using SGI-supplied
"freeware" binaries.

I find that as time goes on, it takes more attempts
to establish an ssh connection from the IRIX platform
to another machine, as it fails with "not enough entropy
in PRNG."  I posted a note asking for assistance, and
received a reply suggesting I install PRNGd, which
I did.  Unfortunately, it looks like the binaries
were not compiled with PRNGd support.

Before I attempt to download and compile a fresh
version of this utility (which tends to be
problematic with our installations), I would
like to know if there is some way of tweaking
openssh's internal "entropy generator" to fix
this problem.  Does anyone know?

Thank you.

Richard B.

-- 
************************************************
Richard Bonomo
UW Space Astronomy Laboratory

Ben Lindstrom | 1 Apr 19:44 2002

Re: path to find ssh-rand-helper


Since ssh-keygen does not read (and should not read) the sshd_config or
ssh_config files, adding that ability to the configuration file
is really useless in the larger scheme.

I would personally rather see a nice, clearly documented mini-howto or FAQ
entry explaining how to set up prng or egd w/ OpenSSL.  That way
ssh-rand-helper is not run, since OpenSSL can seed itself internally.

ssh-rand-helper should be viewed as your last line of defence on a box
that lacks kernel entropy devices (read: No root access user installing
the ssh client).

On Mon, 1 Apr 2002, Jon Peatfield wrote:

> Before I actually implement the small changes needed to allow the
> location of ssh-rand-helper to be specified in the config file, I'd
> like to check that in doing so I won't be opening up a huge security
> hole.
>
> My brief reading of the code suggests that in entropy.c:seed_rng() the
> ssh-rand-helper is run as the original uid (for binaries which were
> setuid in the first place of course), so I can't spot any obvious
> holes (but I may not be devious enough).
>
> Since almost all the other paths can be overridden in the config (or
> with -o), and the config file location can also be controlled from the
> command line (-F for ssh, -f for sshd), I can't see any good reason
> why the ssh-rand-helper location can't also be...
>

Ben Lindstrom | 1 Apr 19:47 2002

Re: entropy problems IRIX


${PREFIX}/etc/ssh_prng_cmds lists all the commands that are used
for gathering entropy.  If you run ssh -v -v -v (or sshd -d -d -d
respectively) you will see which commands are failing and succeeding, and
that may help you tweak it.

However, remember that anything below 3.1 has a security advisory out on it,
which basically sums up to being a post-authentication root hole.  You really
should upgrade to 3.1.

- Ben

On Mon, 1 Apr 2002, Richard Bonomo wrote:

>
> Hello!
>
> I am running openSSH 2.9x on an IRIX 6.5.x platform.
> This was recently installed using SGI-supplied
> "freeware" binaries.
>
> I find that as time goes on, it takes more attempts
> to establish an ssh connection from the IRIX platform
> to another machine, as it fails with "not enough entropy
> in PRNG."  I posted a note asking for assistance, and
> received a reply suggesting I install PRNGd, which
> I did.  Unfortunately, it looks like the binaries
> were not compiled with PRNGd support.
>
> Before I attempt to download and compile a fresh
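Ben's advice is to find out which entries in ssh_prng_cmds actually work before tweaking anything. As an added example, not part of OpenSSH and not Ben's own code, the program below parses entries in that file's format, which the file's own header comment gives as "program-name args" path rate, and reports which command paths are executable on the host, the first thing to rule out when ssh-rand-helper keeps coming up short on entropy. The embedded sample text, the struct and function names and the 128-byte field limits are this example's constructions; a real check would read ${PREFIX}/etc/ssh_prng_cmds instead of the constructed sample.

```c
/* Added example (not OpenSSH code): parse ssh_prng_cmds-style entries and
 * report which entropy-gathering commands can actually be executed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct prng_cmd {
    char cmd[128];    /* the quoted command line, quotes stripped */
    char path[128];   /* absolute path of the binary to execute */
    double rate;      /* estimated entropy (bits per byte of output) */
};

/* Parse one line in the assumed "cmd args" path rate format.
 * Returns 1 for an entry, 0 for a blank or comment line, -1 if malformed. */
int parse_prng_cmd(const char *line, struct prng_cmd *out)
{
    const char *p = line, *q;
    char *end;
    size_t n;

    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n' || *p == '#') return 0;
    if (*p != '"') return -1;                    /* command must be quoted */
    q = strchr(++p, '"');
    if (q == NULL) return -1;
    n = (size_t)(q - p);
    if (n == 0 || n >= sizeof(out->cmd)) return -1;
    memcpy(out->cmd, p, n); out->cmd[n] = '\0';

    p = q + 1;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '/') return -1;                    /* refuse relative paths */
    n = strcspn(p, " \t\r\n");
    if (n >= sizeof(out->path)) return -1;
    memcpy(out->path, p, n); out->path[n] = '\0';

    p += n;
    out->rate = strtod(p, &end);                 /* strtod skips the blanks */
    if (end == p || out->rate < 0.0) return -1;
    return 1;
}

/* Walk a whole file held in memory, printing a verdict per entry.
 * Sets *usable (path executable) and *missing (path not executable);
 * returns the number of malformed lines. */
int check_prng_cmds(const char *text, int *usable, int *missing)
{
    char line[512];
    struct prng_cmd c;
    size_t full, n;
    int r, bad = 0;

    *usable = *missing = 0;
    while (*text != '\0') {
        full = strcspn(text, "\n");
        n = full < sizeof(line) ? full : sizeof(line) - 1;
        memcpy(line, text, n); line[n] = '\0';
        text += full;
        if (*text == '\n') text++;

        r = parse_prng_cmd(line, &c);
        if (r < 0) { bad++; printf("MALFORMED  %s\n", line); continue; }
        if (r == 0) continue;
        if (access(c.path, X_OK) == 0) {
            (*usable)++;
            printf("OK         %-22s rate=%.2f  \"%s\"\n", c.path, c.rate, c.cmd);
        } else {
            (*missing)++;
            printf("MISSING    %-22s            \"%s\"\n", c.path, c.cmd);
        }
    }
    return bad;
}

/* Constructed sample (not a real ssh_prng_cmds): two entries whose path
 * exists on any POSIX host, one with a bogus path, and one malformed line. */
static const char SAMPLE[] =
    "# \"program-name args\" path rate\n"
    "\"sh -c uptime\"      /bin/sh              0.02\n"
    "\"ps -ef\"            /nonexistent/bin/ps  0.05\n"
    "\"sh -c date\"        /bin/sh              0.01\n"
    "ps -ef /bin/ps 0.05\n";

int sample_usable(void)    { int u, m; check_prng_cmds(SAMPLE, &u, &m); return u; }
int sample_missing(void)   { int u, m; check_prng_cmds(SAMPLE, &u, &m); return m; }
int sample_malformed(void) { int u, m; return check_prng_cmds(SAMPLE, &u, &m); }

int main(void)
{
    int u, m, bad = check_prng_cmds(SAMPLE, &u, &m);
    printf("%d usable, %d missing, %d malformed\n", u, m, bad);
    return (m == 0 && bad == 0) ? 0 : 1;
}
```

An entry marked MISSING contributes nothing no matter what rate it is given, so fixing or removing those entries (or pointing them at the paths the SGI freeware build actually installs) is the tweak to try first; only the OK entries are worth running with -v -v -v to see how much output they really produce.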
