Faysal Banna | 2 Jun 2007 15:29

ssh tunnel proxy setup

Hi all,
I am trying to incorporate a tunnel over a slow setup:

 /-------------------------\                          /-------------------------\
 |  host1                  |=====// ssh tunnel //=====|  Host2                  |
 |  squid parent           |                          |  squid http_port 3128   |
 |  127.0.0.1:8080         |                          |                         |
 |  acl accept all         |                          |                         |
 \-------------------------/                          \-------------------------/

Host1 configuration:
ssh -L 8080:127.0.0.1:3128 -C -N -f client@host2

The tunnel goes through the link and forwards port 8080 on host1 to port
3128 on host2. The main reason is that the actual link size is 2 Mbit/s
and I need to pass the data compressed to get the maximum transparently
proxied HTTP data transfer from Host2 to Host1.
It works fine as long as I don't have heavy load, but when I connect
Host1 to the local home network I start having some delay after a
certain amount of time, I believe when the clients establish sessions
through squid which are redirected to the parent over the tunnel session
created. I have separated the logs; the squid log shows normal
connectivity, but on the console, after ssh is established, I get this
message:

Faysal Banna | 2 Jun 2007 23:09

Channel setup

Hi all,
I am setting up a forward tunnel from one machine to another machine.
Can anyone guide me on what this might be? It is degrading performance
under a busy server load:

channel 968: open failed: administratively prohibited: open failed
channel 969: open failed: administratively prohibited: open failed
channel 973: open failed: administratively prohibited: open failed
channel 975: open failed: administratively prohibited: open failed
channel 976: open failed: administratively prohibited: open failed
channel 977: open failed: administratively prohibited: open failed
channel 978: open failed: administratively prohibited: open failed
channel 980: open failed: administratively prohibited: open failed
channel 981: open failed: administratively prohibited: open failed
channel 982: open failed: administratively prohibited: open failed
channel 983: open failed: administratively prohibited: open failed
channel 984: open failed: administratively prohibited: open failed
channel 987: open failed: administratively prohibited: open failed
channel 988: open failed: administratively prohibited: open failed
channel 989: open failed: administratively prohibited: open failed
channel 990: open failed: administratively prohibited: open failed
channel 991: open failed: administratively prohibited: open failed
channel 997: open failed: administratively prohibited: open failed
channel 1001: open failed: administratively prohibited: open failed
channel 1002: open failed: administratively prohibited: open failed
channel 1003: open failed: administratively prohibited: open failed
channel 1004: open failed: administratively prohibited: open failed
channel 1006: open failed: administratively prohibited: open failed
channel 1007: open failed: administratively prohibited: open failed
channel 1009: open failed: administratively prohibited: open failed

Faysal Banna | 2 Jun 2007 23:21

Tunnel connection channel Setup with proxy server


Darren Tucker | 4 Jun 2007 16:16

Re: [PATCH] Add support for ldns

Simon Vallet wrote:
> Nobody on this one?

Sorry for the delay.  I started looking at this and then got sidetracked 
(as usual).

> I really think autonomous signature validation capabilities are a useful
> feature in an ssh client. In a mobile scenario, simply trusting the next
> DNS hop seems only marginally better as having no signed records at all.
> 
> I'm willing to spend more time on this patch if necessary, so any
> feedback is welcome

I have no objection to this in principle.  LDNS seems to be under a 
3-clause BSD style license so there are no potential license hassles.

About the patch itself, I would probably wait until the required 
features make it into a released version of the software so there's more 
likelihood of the interface being stable.  I would also like someone 
more familiar with DNSSEC than me to sanity check it.

You added the additional functionality to one of the files that we try 
to keep in sync with its OpenBSD counterpart, so that's a potential 
maintenance hassle.  I think it would be better in its own file, which 
according to the existing convention would be bsd-getrrsetbyname.c.

Also, I'm not wild about the use of debug() calls in the compat library 
but I can see why you've used them.  We try to avoid them in code that 
replaces library functions so the code is usable in other things.

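To make Simon's point concrete, here is an added example (not code from the ldns patch or from OpenSSH) of the check an SSHFP-aware client performs, with the trust decision separated from the fingerprint comparison. The comparison is only meaningful if the record was DNSSEC-validated; in stock OpenSSH that status is the resolver's AD bit, i.e. "trusting the next DNS hop", while a client validating on its own would supply the same boolean from its local signature check. The host key and records are constructed inside the code; the algorithm and fingerprint-type numbers are those of RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the
# key type name that appears in an OpenSSH public key line.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def make_ed25519_pubkey_line(raw32):
    """Build an 'ssh-ed25519 <base64 blob>' line from 32 raw key bytes.

    Constructed for this example only: the blob is the SSH wire encoding
    (string "ssh-ed25519", string key) and is never used for signatures.
    """
    assert len(raw32) == 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def sshfp_record(pubkey_line, fptype=2):
    """Return the SSHFP RDATA in presentation form, as `ssh-keygen -r` does.

    The fingerprint is the digest of the base64-decoded key blob.
    """
    keytype, b64 = pubkey_line.split()[:2]
    digest = SSHFP_HASH[fptype](base64.b64decode(b64)).hexdigest()
    return "%d %d %s" % (SSHFP_ALGORITHM[keytype], fptype, digest)


def sshfp_matches(pubkey_line, records):
    """True if any record's algorithm and fingerprint match the host key."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGORITHM.get(keytype)
    for rec in records:
        fields = rec.split()
        if len(fields) != 3:
            continue
        try:
            r_algo, r_fptype = int(fields[0]), int(fields[1])
        except ValueError:
            continue
        if r_algo != algo or r_fptype not in SSHFP_HASH:
            continue
        actual = SSHFP_HASH[r_fptype](blob).hexdigest()
        if hmac.compare_digest(actual, fields[2].lower()):
            return True
    return False


def host_key_trusted(pubkey_line, records, dnssec_validated):
    """Trust decision: a match only counts when the records were validated.

    `dnssec_validated` stands in for the client's validation source: the
    resolver's AD bit in stock OpenSSH, or the outcome of a local signature
    check when the client validates the RRset itself.
    """
    return bool(dnssec_validated) and sshfp_matches(pubkey_line, records)


if __name__ == "__main__":
    key = make_ed25519_pubkey_line(bytes(range(32)))  # constructed key
    rec = sshfp_record(key)
    print(rec)
    print("validated match:", host_key_trusted(key, [rec], True))
    print("unvalidated match:", host_key_trusted(key, [rec], False))
```

The shape of `host_key_trusted` is the design point: an unvalidated record that happens to match is still "not trusted", which is what keeps a spoofed answer from a hostile recursive resolver from turning into a silent host-key acceptance.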

Pat Cornick | 1 Jun 2007 15:17

Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id


Hi,

I had a question and cannot find out on the web where anyone might have
done this.  I am sftping between one AIX machine and another using
automatic login.  I have created the id_rsa.pub on the source server and
added it to the /.ssh/authorized_keys file on the target server.  The
problem we are having seems to be that because the target id is a
DCE(DFS) id and its home directory is /fs/home/bondbpex instead of
/home/bondbpex, it can't find the /.ssh/authorized_keys file.  The
permissions on the .ssh directory are 700 and the authorized_keys file is
600.  Is it possible to do this?  Thanks for any help you can give me.

/home/bondbrdg> sftp -v -v -v bondbpex@d03ftp101.boulder.ibm.com
Connecting to d03ftp101.boulder.ibm.com...
OpenSSH_4.3p2, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): Could not
load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
System error: No such file or directory

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to d03ftp101.boulder.ibm.com [9.17.187.85] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/bondbrdg/.ssh/id_rsa.

Peter Stuge | 4 Jun 2007 21:18

Re: Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id

On Fri, Jun 01, 2007 at 09:17:39AM -0400, Pat Cornick wrote:
> The problem we are having seems to be that because the target id is
> a DCE(DFS) id and its home directory is /fs/home/bondbpex  instead
> of /home/bondbpex it can't find the /.ssh/authorized_keys file.

So put authorized_keys in the correct directory then.

> The permissions on the .ssh directory is 700 and the
> authorized_keys file is 600.

That's all good. Check that the owner is correct too.

> Is this possible to be able to do this?

Yes, it works.

> /home/bondbrdg> sftp -v -v -v bondbpex@d03ftp101.boulder.ibm.com

This shows no problem. We also need sshd -ddd output from d03ftp101.

//Peter

Darren Tucker | 5 Jun 2007 00:11

Re: Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id

Pat Cornick wrote:
> Hi,
> 
> I had a question and can not find out on the web where anyone might have
> done this.  I am sftping
> between one AIX machine and another using automatic login.  I have created
> the id_rsa.pub on the
> source server and added it to the /.ssh/authorized_keys file on the target
> server.  The problem we
> are having seems to be that because the target id is a DCE(DFS) id and it's
> home directory is
> /fs/home/bondbpex  instead of /home/bondbpex it can't find the
> /.ssh/authorized_keys file.

As long as getpwnam() and friends return the correct home dir that 
should work.

> The
> permissions on the .ssh directory is 700 and the authorized_keys file is
> 600.  Is this possible to be able
> to do this?  Thanks for any help you can give me.

Is the home directory not mounted until the user presents a kerberos 
ticket or a password that can get one?  If so then sshd isn't going to 
be able to read the authorized_keys file in the user's home dir.

What you can do is set AuthorizedKeysFile in sshd_config to point to a 
local filesystem (eg /etc/ssh/keys or something) but that's a 
system-wide parameter so it will affect all users.  It would not be hard 
to make the Match keyword in recent versions support AuthorizedKeysFile 
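The system-wide arrangement Darren describes, written out as an added example (not from his post and not OpenSSH's own documentation). The directory /etc/ssh/keys is an assumption; %u is the sshd_config token that expands to the user name, so each account gets its own file on a local filesystem that sshd can read before any DCE/DFS credential exists:

```text
# /etc/ssh/sshd_config on the target server (applies to every user)
AuthorizedKeysFile /etc/ssh/keys/%u

# Populate it as root on the target server (paths assumed):
#   mkdir /etc/ssh/keys && chmod 0755 /etc/ssh/keys
#   cp id_rsa.pub /etc/ssh/keys/bondbpex
#   chown root /etc/ssh/keys/bondbpex && chmod 0644 /etc/ssh/keys/bondbpex
#
# StrictModes (on by default) still applies to this path: sshd rejects
# the key file if it or /etc/ssh/keys is writable by anyone other than
# its owner, and the owner must be root or the user. Root ownership with
# the modes above passes that check, and nothing is read from the DFS
# home directory during authentication.
```

Because the setting is global, every user's keys move to /etc/ssh/keys at once, which is the caveat Darren raises. If the login still fails afterwards, the `sshd -ddd` output Peter asked for shows which file sshd opened and why it skipped it.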

Pat Cornick | 6 Jun 2007 15:25

Re: Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id

Hi Darren,

Thanks for your help on this.  We will be changing the id to a local AIX id
to get this to work.
Take care.

Regards,
Pat

                                                                           
Darren Tucker <dtucker <at> zip.com.au> wrote on 06/04/2007 06:11 PM:
To: Pat Cornick/Endicott/IBM <at> IBMUS
cc: openssh-unix-dev <at> mindrot.org
Subject: Re: Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id
Pat Cornick wrote:
> Hi,
>
> I had a question and can not find out on the web where anyone might have
> done this.  I am sftping
> between one AIX machine and another using automatic login.  I have created
> the id_rsa.pub on the

Peter Stuge | 7 Jun 2007 18:44

Re: sftp-server with defaultroot

On Mon, May 21, 2007 at 07:36:17PM +0200, Marten Lehmann wrote:
> Why doesn't the openssh sftp-server include this? Are there plans
> to do it? Are there certain reasons not to include?

This functionality needs to be in the shell, since the user's shell
is always used by sshd to execute whatever program is requested.
(Interactive, single command or subsystem.)

See e.g. rssh

//Peter
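A login shell of the kind Peter means, as an added example (not rssh or scponly, and not OpenSSH code) written in Python rather than C. Whatever the request type, sshd starts the account's shell as `shell -c "<command>"`; for the sftp subsystem that command is the program named on the Subsystem line of sshd_config. A shell that accepts exactly that string and nothing else therefore confines the account to sftp. The sftp-server path below is an assumption and must match the server's Subsystem line character for character.

```python
#!/usr/bin/env python3
"""Minimal sftp-only login shell (example; not rssh or OpenSSH code).

Install as the account's shell in /etc/passwd. sshd invokes it as
    <shell> -c "<command>"
for every session type: interactive logins, single commands and
subsystems. Only the exact sftp subsystem command is allowed through.
"""
import os
import sys

# Assumption: the program named on the server's sshd_config line
#   Subsystem sftp /usr/libexec/openssh/sftp-server
# It must match exactly, since that string is what sshd passes to -c.
SFTP_SERVER = "/usr/libexec/openssh/sftp-server"


def allowed_command(argv):
    """Return the argv to exec, or None if the request must be refused.

    argv is the full argument vector the shell was started with, e.g.
    ["/usr/local/bin/sftp-only", "-c", "/usr/libexec/openssh/sftp-server"].
    No -c at all is an interactive login; any other -c payload (scp, an
    arbitrary command, or "sftp-server; sh") is refused. The comparison is
    a plain string match, so no shell parsing or metacharacters apply.
    """
    if len(argv) != 3 or argv[1] != "-c":
        return None
    if argv[2] != SFTP_SERVER:
        return None
    return [SFTP_SERVER]


def main(argv):
    cmd = allowed_command(argv)
    if cmd is None:
        sys.stderr.write("This account is restricted to sftp.\n")
        return 1
    # Replace this process with sftp-server; the user never gets a shell.
    os.execv(cmd[0], cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exact-match rule is what makes this safe: rssh-style wrappers that try to parse or partially match the command line are where bypasses tend to appear. Note that OpenSSH 4.9 (2008, after this thread) added the in-process `internal-sftp` subsystem together with ChrootDirectory, which serves sftp without running the login shell at all and is the current answer to the original "defaultroot" question.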
Damien Miller | 11 Jun 2007 06:43

Recent MAC improvements

Hi,

There has been some recent work to improve the speed of the Message
Authentication Codes (MACs) that are used in OpenSSH.

The first improvement is a change from Markus Friedl to reuse the MAC
context, rather than reinitialising it for every packet. This saves two
calls to the underlying hash function (e.g. SHA1) for each packet. My
tests found that this yielded a 12-16% speedup for bulk transfers to
localhost using HMAC-MD5 and arcfour256. HMAC-SHA1 should see an even
bigger improvement, because SHA1 is a more expensive hash function.

The second improvement is Peter Valchev's addition of a new MAC: Ted
Krovetz' UMAC-64[1]. This MAC uses a very different approach than the
HMACs that OpenSSH currently supports, and it comes with a nice security
proof that guarantees its resistance so long as its underlying block
cipher (AES) remains cryptologically intact. Testing (bulk transfers to
localhost using arcfour256) found UMAC-64 to perform 20% better than
HMAC-MD5, and 28% faster than HMAC-SHA1. This new MAC may be selected
by specifying "MACs=umac-64@openssh.com" in a server or client config.

These changes need testing on as many platforms as possible. In particular
we are interested in the following corner cases:

- Old OpenSSL version (0.9.5ish)
- Testing between big and little endian machines (i386 vs. sparc for example)
- Testing between previous OpenSSH versions and -current
- Testing on strict alignment architectures like Alpha and Itanium

Please report your findings to the mailing list.
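An added illustration (not Markus Friedl's OpenSSH change itself) of what "reuse the MAC context" means. HMAC's per-key setup absorbs key XOR ipad and key XOR opad into two hash states; those two block compressions are the calls a fresh initialisation repeats for every packet. If the keyed states are kept for the life of the connection and copied per packet, the per-packet work is only the inner hash over the data and the outer hash over the inner digest. The MAC input is the packet sequence number as a big-endian uint32 followed by the unencrypted packet (RFC 4253); the key and packets are constructed in the code, and the result is checked against the standard library's one-shot HMAC.

```python
import hashlib
import hmac
import struct


def hmac_key_states(key, hashfn=hashlib.sha1):
    """Per-key HMAC setup: the two hash states HMAC derives from the key.

    They absorb (key ^ ipad) and (key ^ opad). Computing them is the part
    of each per-packet HMAC that a fresh initialisation repeats.
    """
    block = hashfn().block_size
    if len(key) > block:
        key = hashfn(key).digest()
    key = key.ljust(block, b"\x00")
    inner = hashfn(bytes(b ^ 0x36 for b in key))
    outer = hashfn(bytes(b ^ 0x5C for b in key))
    return inner, outer


def ssh_mac_input(seqnr, packet):
    """RFC 4253: mac = MAC(key, sequence_number || unencrypted_packet)."""
    return struct.pack(">I", seqnr) + packet


def mac_reinit_per_packet(key, seqnr, packet, hashfn=hashlib.sha1):
    """The old way: a full HMAC key setup for every packet."""
    return hmac.new(key, ssh_mac_input(seqnr, packet), hashfn).digest()


def mac_reuse_context(states, seqnr, packet):
    """The new way: copy the keyed states and hash only this packet."""
    inner, outer = states
    i = inner.copy()
    i.update(ssh_mac_input(seqnr, packet))
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def mac_stream(key, packets, hashfn=hashlib.sha1):
    """Tag a sequence of packets with the context reused across all of them.

    Sequence numbers start at 0 as on a fresh connection and wrap at 2^32
    as the protocol requires.
    """
    states = hmac_key_states(key, hashfn)
    return [mac_reuse_context(states, seqnr & 0xFFFFFFFF, packet)
            for seqnr, packet in enumerate(packets)]


if __name__ == "__main__":
    key = bytes(range(20))  # constructed integrity key, not a real session key
    packets = [b"constructed packet %d" % n for n in range(3)]
    for seq, (tag, packet) in enumerate(zip(mac_stream(key, packets), packets)):
        assert tag == mac_reinit_per_packet(key, seq, packet)
        print(seq, tag.hex())
```

The two constructions produce identical tags, so the change is purely a speed-up with no wire-format impact; that is also why the interoperability tests Damien asks for (old versus -current, mixed endianness) should show no difference for the HMAC case, whereas umac-64@openssh.com is a genuinely new algorithm that both ends must negotiate.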

