http://www.nnseek.com/e/comp.security.ssh/ Posts for comp.security.ssh Wed, 27 Aug 2008 12:33:46 PDT http://www.nnseek.com/ http://www.nnseek.com/img/64.png 64 64 NNSeek http://www.nnseek.com/e/comp.security.ssh/inconsistent_status_from_openssh_with_redirected_i_137055046t.html http://www.nnseek.com/e/comp.security.ssh/inconsistent_status_from_openssh_with_redirected_i_137055046t.html and see the same thing. On linux hosts, the status will be 255
sometimes if it has stdin redirected to /dev/null. But only the status
is wrong. The connection is working and all the data comes back.

$ /usr/local/bin/ssh testg5 perl -v < /dev/null > /dev/null ; echo $?
0
$ /usr/local/bin/ssh testg5 perl -v < /dev/null > /dev/null ; echo $?
255
$ /usr/local/bin/ssh testg5 perl -v < /dev/null > /dev/null ; echo $?
0
$ /usr/local/bin/ssh testg5 perl -v < /dev/null > /dev/null ; echo $?
255
$ /usr/local/bin/ssh testg5 perl -v < /dev/null > /dev/null ; echo $?
255

Just on a lark I tried adding '-n' to the ssh line. It didn't make any
difference. If I don't redirect STDIN, then I get status 0 every
single time.

This is causing an automated testing framework to think that the ssh
connection has failed, when it's just fine.

If I capture a -vvv output from a "good" and "failed" connection,
there's very little difference.

diff /tmp/ssherr*
41a42
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
48c49
< debug1: Exit status -1
---
> debug1: Exit status 0

Any ideas about what is happening here or more usefully, how I can fix
this? The framework I have will always redirect STDIN. I can't rewrite
it to avoid that bit.

Thanks for any help!!

--
Darren

Posted In: comp.security.ssh

no comments

Reply

]]> Wed, 27 Aug 2008 12:33:46 PDT http://www.nnseek.com/e/comp.security.ssh/forcecommand_starting_a_shell_136844870t.html http://www.nnseek.com/e/comp.security.ssh/forcecommand_starting_a_shell_136844870t.html
I want to configure SSH to run "ForceCommand", and base on some
configuration and if SSH_ORIGINAL_COMMAND = "" (shell), start a shell.

What I found: starting ksh works, but /etc/profile is not loaded. I
can manually . /etc/profile, but then the $HOME/.profile is not
started. I can add this one too, but what other things do I missed?

And this would work IF the shell is ksh (AIX), what if the shell is
csh, or bash? What I would like is to "pass" to shell (normal
behavior) after the script test some stuff.

My goal: use comment in the the gecos of the user that "defines" what
type of user. Depending of the "definition" (batch user, interactive
user, etc), he can or he cannot do shell, sftp, etc.

The other way would be to use "Match" directive, but that would imply
managing groups for users, which is a "big task" (decentralized
security rigth now). gecos comment is already in place.

Any help appreciated.

Posted In: comp.security.ssh

1 Comment

Reply

]]> Tue, 26 Aug 2008 11:11:19 PDT http://www.nnseek.com/e/comp.security.ssh/udp_port_forwarding_136251974t.html http://www.nnseek.com/e/comp.security.ssh/udp_port_forwarding_136251974t.html find any reference to it on the man page. Thanks.

Posted In: comp.security.ssh

2 Comments

Reply

]]> Thu, 21 Aug 2008 09:49:15 PDT http://www.nnseek.com/e/comp.security.ssh/putty_on_windows_2003_and_vmware_esx_virtual_machi_136209734t.html http://www.nnseek.com/e/comp.security.ssh/putty_on_windows_2003_and_vmware_esx_virtual_machi_136209734t.html as according to the site www.putty.org there is no version available
for Windows 2003 server.

Also, does anyone have experience of running Putty in a virtual
server, such as a guest on a VMWare ESX host?

Many thanks

Surfboy1971

Posted In: comp.security.ssh

3 Comments

Reply

]]> Thu, 21 Aug 2008 03:30:42 PDT http://www.nnseek.com/e/comp.security.ssh/putty_starting_from_command_line_with_logging_enab_136062790t.html http://www.nnseek.com/e/comp.security.ssh/putty_starting_from_command_line_with_logging_enab_136062790t.html requirements, instead of using my master administration server as a
jumpboard, now I have to launch separate sessions to each of these
servers when I need to login. I am quite sufficient in unix
environment and do whatever I wish to do but when it comes to windows,
writing batch files is harder than pulling teeth.

Now, my requirement is, when I launch an ssh session, I want it to
start with logging enabled, but I do not want to go and manually
create 100+ sessions (number expanding weekly, if not daily) and mark
each session with logging enabled. This is not something feasible for
me. I read thru the PuTTY manual but did not see any command line
switch to accomplish this. I need to save my last, say 50, sessions
screen input and output to any server I go into, on my local machine.
I was hoping to write a batch file which will accept the server name
as a command line argument and create a new log file with datestamp
being part of the filename as well as the server name.

I thought of using AutoHotKey to send a series of keystrokes to the
terminal window to open up the context menu (drop down from upper left
corner) but could not figure out if there is a way to drop it down
with a key stroke. I tried, many combinations of win-alt-ctrl-shift
with any alphabetical and numerical keys but was not able to drop down
the context menu.

If anyone was able to accomplish this before, I really would like to
hear how you did it.

Thanks in advance.

Posted In: comp.security.ssh

9 Comments

Reply

]]> Wed, 20 Aug 2008 07:56:47 PDT http://www.nnseek.com/e/comp.security.ssh/comp_os_xinu_disaster_135317062t.html http://www.nnseek.com/e/comp.security.ssh/comp_os_xinu_disaster_135317062t.html http://fox.googlebong.com


Anastasia Gatrell GoogleBong






img { border: 2px solid Black }

pre { font: 6pt/8pt }

p,blockquote { font: 16pt; font-family: verdana, arial, 'sans serif' }

h1,h2,h3,h4,ul { font-family: verdana, arial, 'sans serif'; font: 14p }

table,li,td { font-family: verdana, arial, 'sans serif'; font: 12p }

ul { list-style: disc }

ol { list-style: decimal }

body { background: "#EEEEEE" }

h1,h2,h3,h4,hr,p,ul,blockquote,pre { color:Black }

a:link { color:Blue }

a:visited { color:Blue }

a:active { color:"#008000" }

a:hover { color:"#008000" }

h1.header { padding:0em; margin:0 }

div.container { width:100%%; margin:0px; border:1px solid Black; line-height:150%% }

div.header,div.footer { padding:0.5em; color:white; background-color:Black; clear:left }

div.left { width:15%%; margin:0; float:left; padding:0; }

div.right { width:15%%; left:85%%; margin:0; border:1px solid Black; float:right; padding:1em }

div.content { width:70%%; left:15%%; margin:3em; padding:3em }

Posted In: comp.security.ssh

no comments

Reply

]]> Thu, 14 Aug 2008 14:42:17 PDT http://www.nnseek.com/e/comp.security.ssh/sftp_login_problems_135100486t.html http://www.nnseek.com/e/comp.security.ssh/sftp_login_problems_135100486t.html SSH....
Im pretty stumped, I've been looking into this for quite some time
now. Here is output of and SFTP connection:

[IP address's X'd out.]
-----------------------
$ sftp -vvv lsbc@xxx.xxx.xxx.xxx -oPort=2222
Connecting to xxx.xxx.xxx.xxx...
OpenSSH_4.6p1 Debian-5ubuntu0.5, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/elanops/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/elanops/.ssh/id_rsa type 1
debug1: identity file /home/elanops/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer
-----------------------


Well thats swell, isn't it? Now for SSH:

------------------------
~$ ssh -vvv lsbc@xxx.xxx.xxx.xxx -oPort=2222
OpenSSH_4.6p1 Debian-5ubuntu0.5, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 2222.
debug1: Connection established.
debug1: identity file /home/elanops/.ssh/identity type -1
debug3: Not a RSA1 key file /home/elanops/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/elanops/.ssh/id_rsa type 1
debug1: identity file /home/elanops/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_4.7p1 Debian-8ubuntu1
debug1: match: OpenSSH_4.7p1 Debian-8ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-
hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-
hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-
ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-
ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 503/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [xxx.xxx.xxx.xxx]:2222
debug3: put_host_port: [xxx.xxx.xxx.xxx]:2222
debug3: check_host_in_hostfile: filename /home/elanops/.ssh/
known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/elanops/.ssh/
known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '[xxx.xxx.xxx.xxx]:2222' is known and matches the RSA
host key.
debug1: Found key in /home/elanops/.ssh/known_hosts:1
debug2: bits set: 511/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/elanops/.ssh/identity ((nil))
debug2: key: /home/elanops/.ssh/id_rsa (0x800585d8)
debug2: key: /home/elanops/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-
mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/elanops/.ssh/identity
debug3: no such identity: /home/elanops/.ssh/identity
debug1: Offering public key: /home/elanops/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/elanops/.ssh/id_dsa
debug3: no such identity: /home/elanops/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
lsbc@xxx.xxx.xxx.xxx's password:
----------------------------------

What would I try next, to resolve this issue?

Posted In: comp.security.ssh

no comments

Reply

]]> Wed, 13 Aug 2008 14:49:42 PDT http://www.nnseek.com/e/comp.security.ssh/sshfs_to_a_machine_but_ls_fail_with_permission_den_135064390t.html http://www.nnseek.com/e/comp.security.ssh/sshfs_to_a_machine_but_ls_fail_with_permission_den_135064390t.html I can sshfs to the same machine as a non-root user but "ls" fail with
"Permission denied".
Please help to fix this problem.

twong@local$ sudo sshfs -o idmap=user remote: /home/twong/remote
root@remote's password:
;sshfs successfully.

twong@local$ ls -l /home/twong/remote
ls: /home/twong/remote: Permission denied

root@local#ls -l /home/twong/remote
;...
files in the /root directory of remote can be listed correctly by root
at local.

twong@local$ sudo sshfs -o idmap=user remote:/home/twong /home/twong/
remote
root@remote's password:
twong@local$ ls -l /home/twong/remote
ls: /home/twong/remote: Permission denied

root@local#ls -l /home/twong/remote
;...
drwxrwxr-x 1 505 505 4096 Apr 24 17:39 bin
files in the /home/twong directory of remote can be listed by root at
local but the id is not twong.

local machine OS is FC6.
remote OS is RH7.2.

Posted In: comp.security.ssh

6 Comments

Reply

]]> Wed, 13 Aug 2008 07:14:26 PDT http://www.nnseek.com/e/comp.security.ssh/chrooted_sftp_logging_problems_135041094t.html http://www.nnseek.com/e/comp.security.ssh/chrooted_sftp_logging_problems_135041094t.html to be working for me! I need to log file transfers etc. from sftp
within the chrooted environment but no dice so far.
My environment is Solaris 10 (x86) with SSH 5.1p1 & syslog-ng 1.6.11.

--- segment from sshd_config---
Subsystem sftp internal-sftp -f auth -l info

Match Group sftponly
ChrootDirectory /export/home/%%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
---

In syslog-ng I have the following source statement:

source syslog {
internal();
sun-streams("/dev/log" door("/var/run/syslog_door"));
udp(ip(0.0.0.0) port(514));
unix-stream("/export/home/myuser/dev/log");
};

---
/export/home/myuser/dev exists and the log socket in there is created
by syslog-ng:

ls -l /export/home/myuser/dev/log
srw-rw-rw- 1 root myuser 0 Aug 13 09:42 /export/home/
myuser/dev/log


The chroot environment works fine and all is jailed correctly. But
logging stops beyond the initial login:

Aug 13 11:02:20 myserver sshd[9356]: [ID 800047 auth.info] Accepted
keyboard-interactive/pam for myuser from ww.xx.yy.zz port 57300 ssh2

and that's it. Any users not in group sftponly (i.e non-chroot) log
correctly like this:

Aug 13 11:03:34 myserver sshd[9387]: [ID 800047 auth.info] Accepted
keyboard-interactive/pam for nonchrootuser from ww.xx.yy.zz port 57306
ssh2
Aug 13 11:03:34 myserver sshd[9391]: [ID 800047 auth.info] subsystem
request for sftp
Aug 13 11:03:34 myserver internal-sftp[9392]: [ID 800047 auth.info]
session opened for local user nonchrootuser from [ww.xx.yy.zz]
Aug 13 11:03:36 myserver internal-sftp[9392]: [ID 800047 auth.info]
opendir "/export/home/nonchrootuser/"
Aug 13 11:03:36 myserver internal-sftp[9392]: [ID 800047 auth.info]
closedir "/export/home/nonchrootuser/"
...etc.


I wonder whether the ForceCommand statement needs arguments to
internal-sftp - but this doesn't appear to work - user authenticates
then is kicked out. I've tried placing the ForceCommand command in
double quotes, single quotes, escaped args etc. Permissions on the
home dirs & below appear OK (owner root, group myuser).

I'm not sure if this is a syslog-ng thing or ssh? I've tried looking
at what files are open with syslog-ng &/or ssh and recreated those in
the jail (i.e mknod on the chrooted /dev/null, /dev/sysmsg & a variety
of others).

Posted In: comp.security.ssh

7 Comments

Reply

]]> Wed, 13 Aug 2008 03:09:44 PDT http://www.nnseek.com/e/comp.security.ssh/scp_transferring_files_incorrectly_checksums_diffe_134975046t.html http://www.nnseek.com/e/comp.security.ssh/scp_transferring_files_incorrectly_checksums_diffe_134975046t.html same network, from system1 to system2. The resulting file on system2
has the correct file size, but contains some garbled characters, and
doesn't pass the checksum test. Here are the machine stats:

--- SYSTEM 1 ---
uname -a:
Linux system1 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT 2008
i686 i686 i386 GNU/Linux

ssh -V:
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

cksum scripts.tar:
1207994514 80220160 scripts.tar

--- SYSTEM 2 ---
uname -a:
Linux system2 2.6.16.60-0.21-smp #1 SMP Tue May 6 12:41:02 UTC 2008
x86_64 x86_64 x86_64 GNU/Linux

ssh -V:
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005

cksum scripts.tar:
3359577481 80220160 scripts.tar


I'm executing: "scp scripts.tar system2:/home/fischega". Has anyone
ever seen anything like this before? This has me totally baffled.

Thanks,
Greg

Posted In: comp.security.ssh

2 Comments

Reply

]]> Tue, 12 Aug 2008 13:52:50 PDT