Nabble - debian-ssh

Bug#558309: please incorporate nss patches from Fedora

2009-11-27T11:33:04Z

On Fri, Nov 27, 2009 at 08:11:19PM +0100, Andreas Barth wrote:

> Fedora provides an patch at
> https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.3p1-nss-keys.patch?revision=1.1&view=markup&sortby=rev
> that use keys from the common mozilla security framework (please see
> http://fedoraproject.org/wiki/FedoraCryptoConsolidation for the
> background). I have tested these patches with an pkcs11-smartcard
> which currently can't be used in openssh and they work for me (only
> difference for Debian is that the include headers are in different
> directories, and the obvious changes for debian/{rules,control,copyright}).
>
> As these patches are provided by Fedora / RedHat there is also some
> security support (and I assume RedHat will try to push them upstream
> as well). Would be great if this patch could be accepted.

While I applaud the idea of centralising on a single security framework,
I don't feel confident to review this myself, and I would rather wait
until upstream accepts it.

--
Colin Watson [cjwatson@...]

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#558309: please incorporate nss patches from Fedora

2009-11-27T11:11:19Z

Package: openssh
Version: 1:5.1p1-5
Severity: wishlist

Hi,

Fedora provides an patch at
https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.3p1-nss-keys.patch?revision=1.1&view=markup&sortby=rev
that use keys from the common mozilla security framework (please see
http://fedoraproject.org/wiki/FedoraCryptoConsolidation for the
background). I have tested these patches with an pkcs11-smartcard
which currently can't be used in openssh and they work for me (only
difference for Debian is that the include headers are in different
directories, and the obvious changes for debian/{rules,control,copyright}).

As these patches are provided by Fedora / RedHat there is also some
security support (and I assume RedHat will try to push them upstream
as well). Would be great if this patch could be accepted.

Cheers,
Andi

diff -u openssh-5.1p1/key.h openssh-5.1p1/key.h
--- openssh-5.1p1/key.h
+++ openssh-5.1p1/key.h
@@ -29,12 +29,18 @@
#include <openssl/rsa.h>
#include <openssl/dsa.h>

+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include <keyhi.h>
+#endif
+
typedef struct Key Key;
enum types {
KEY_RSA1,
KEY_RSA,
KEY_DSA,
KEY_NULL,
+ KEY_NSS,
KEY_UNSPEC
};
enum fp_type {
@@ -49,16 +55,30 @@

/* key is stored in external hardware */
#define KEY_FLAG_EXT 0x0001
+#define KEY_FLAG_NSS 0x0002
+
+#ifdef HAVE_LIBNSS
+typedef struct NSSKey NSSKey;
+struct NSSKey {
+ SECKEYPrivateKey *privk;
+ SECKEYPublicKey *pubk;
+};
+#endif

struct Key {
int type;
int flags;
RSA *rsa;
DSA *dsa;
+#ifdef HAVE_LIBNSS
+ NSSKey *nss;
+#endif
};

Key *key_new(int);
Key *key_new_private(int);
+Key *key_new_nss(int);
+Key *key_new_nss_copy(int, const Key *);
void key_free(Key *);
Key *key_demote(const Key *);
int key_equal(const Key *, const Key *);
diff -u openssh-5.1p1/configure openssh-5.1p1/configure
--- openssh-5.1p1/configure
+++ openssh-5.1p1/configure
@@ -714,6 +714,7 @@
PROG_TAIL
INSTALL_SSH_PRNG_CMDS
OPENSC_CONFIG
+LIBNSS
PRIVSEP_PATH
xauth_path
STRIP_OPT
@@ -1353,6 +1354,7 @@
--with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in PATH)
--with-selinux Enable SELinux support
--with-kerberos5=PATH Enable Kerberos 5 support
+ --with-nss Enable NSS support
--with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
--with-xauth=PATH Specify path to xauth program
--with-mantype=man|cat|doc Set man page type
@@ -27726,6 +27728,170 @@
fi

+# Check whether user wants NSS support
+LIBNSS_MSG="no"
+
+# Check whether --with-nss was given.
+if test "${with_nss+set}" = set; then
+ withval=$with_nss; if test "x$withval" != "xno" ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_LIBNSS 1
+_ACEOF
+
+ LIBNSS_MSG="yes"
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nss -I/usr/include/nspr"
+
+for ac_header in pk11pub.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+ ( cat <<\_ASBOX
+## ------------------------------------------- ##
+## Report this to openssh-unix-dev@... ##
+## ------------------------------------------- ##
+_ASBOX
+ ) | sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+ LIBS="$LIBS -lnss3"
+ fi
+
+fi
+
+
# Looking for programs, paths and files

PRIVSEP_PATH=/var/empty
@@ -29790,6 +29956,7 @@
for ac_last_try in false false false false false :; do
cat >conf$$subs.sed <<_ACEOF
OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim
+LIBNSS!$LIBNSS$ac_delim
PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
xauth_path!$xauth_path$ac_delim
STRIP_OPT!$STRIP_OPT$ac_delim
@@ -29804,7 +29971,7 @@
LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF

- if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 13; then
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 14; then
break
elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -30281,6 +30448,7 @@
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
+echo " NSS support: $LIBNSS_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff -u openssh-5.1p1/configure.ac openssh-5.1p1/configure.ac
--- openssh-5.1p1/configure.ac
+++ openssh-5.1p1/configure.ac
@@ -3456,6 +3456,20 @@
]
)

+# Check whether user wants NSS support
+LIBNSS_MSG="no"
+AC_ARG_WITH(nss,
+ [ --with-nss Enable NSS support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
+ LIBNSS_MSG="yes"
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nss -I/usr/include/nspr"
+ AC_CHECK_HEADERS(pk11pub.h)
+ LIBS="$LIBS -lnss3"
+ fi
+ ])
+AC_SUBST(LIBNSS)
+
# Looking for programs, paths and files

PRIVSEP_PATH=/var/empty
@@ -4176,6 +4190,7 @@
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
+echo " NSS support: $LIBNSS_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff -u openssh-5.1p1/key.c openssh-5.1p1/key.c
--- openssh-5.1p1/key.c
+++ openssh-5.1p1/key.c
@@ -96,6 +96,54 @@
return k;
}

+#ifdef HAVE_LIBNSS
+Key *
+key_new_nss(int type)
+{
+ Key *k = key_new(type);
+
+ k->nss = xcalloc(1, sizeof(*k->nss));
+ k->flags = KEY_FLAG_EXT | KEY_FLAG_NSS;
+
+ return k;
+}
+
+Key *
+key_new_nss_copy(int type, const Key *c)
+{
+ Key *k = key_new_nss(type);
+
+ switch (k->type) {
+ case KEY_RSA:
+ if ((BN_copy(k->rsa->n, c->rsa->n) == NULL) ||
+ (BN_copy(k->rsa->e, c->rsa->e) == NULL))
+ fatal("key_new_nss_copy: BN_copy failed");
+ break;
+ case KEY_DSA:
+ if ((BN_copy(k->dsa->p, c->rsa->p) == NULL) ||
+ (BN_copy(k->dsa->q, c->dsa->q) == NULL) ||
+ (BN_copy(k->dsa->g, c->dsa->g) == NULL) ||
+ (BN_copy(k->dsa->pub_key, c->dsa->pub_key) == NULL))
+ fatal("key_new_nss_copy: BN_copy failed");
+ break;
+ }
+
+ k->nss->privk = SECKEY_CopyPrivateKey(c->nss->privk);
+ if (k->nss->privk == NULL)
+ fatal("key_new_nss_copy: SECKEY_CopyPrivateKey failed");
+
+ k->nss->pubk = SECKEY_CopyPublicKey(c->nss->pubk);
+ if (k->nss->pubk == NULL)
+ fatal("key_new_nss_copy: SECKEY_CopyPublicKey failed");
+
+ if (c->nss->privk->wincx)
+ k->nss->privk->wincx = xstrdup(c->nss->privk->wincx);
+
+ return k;
+}
+#endif
+
+
Key *
key_new_private(int type)
{
@@ -151,6 +199,19 @@
fatal("key_free: bad key type %d", k->type);
break;
}
+#ifdef HAVE_LIBNSS
+ if (k->flags & KEY_FLAG_NSS) {
+ if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {
+ memset(k->nss->privk->wincx, 0,
+ strlen(k->nss->privk->wincx));
+ xfree(k->nss->privk->wincx);
+ k->nss->privk->wincx = NULL;
+ }
+ SECKEY_DestroyPrivateKey(k->nss->privk);
+ SECKEY_DestroyPublicKey(k->nss->pubk);
+ xfree(k->nss);
+ }
+#endif
xfree(k);
}

diff -u openssh-5.1p1/readconf.c openssh-5.1p1/readconf.c
--- openssh-5.1p1/readconf.c
+++ openssh-5.1p1/readconf.c
@@ -127,6 +127,7 @@
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
oUseBlacklistedKeys,
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
+ oUseNSS, oNSSToken,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -221,6 +222,13 @@
#else
{ "smartcarddevice", oUnsupported },
#endif
+#ifdef HAVE_LIBNSS
+ { "usenss", oUseNSS },
+ { "nsstoken", oNSSToken },
+#else
+ { "usenss", oUnsupported },
+ { "nsstoken", oNSSToken },
+#endif
{ "clearallforwardings", oClearAllForwardings },
{ "enablesshkeysign", oEnableSSHKeysign },
{ "verifyhostkeydns", oVerifyHostKeyDNS },
@@ -628,6 +636,14 @@
charptr = &options->smartcard_device;
goto parse_string;

+ case oUseNSS:
+ intptr = &options->use_nss;
+ goto parse_flag;
+
+ case oNSSToken:
+ charptr = &options->nss_token;
+ goto parse_command;
+
case oProxyCommand:
charptr = &options->proxy_command;
parse_command:
@@ -1104,6 +1120,8 @@
options->preferred_authentications = NULL;
options->bind_address = NULL;
options->smartcard_device = NULL;
+ options->use_nss = -1;
+ options->nss_token = NULL;
options->enable_ssh_keysign = - 1;
options->no_host_authentication_for_localhost = - 1;
options->identities_only = - 1;
@@ -1239,6 +1257,8 @@
options->no_host_authentication_for_localhost = 0;
if (options->identities_only == -1)
options->identities_only = 0;
+ if (options->use_nss == -1)
+ options->use_nss = 0;
if (options->enable_ssh_keysign == -1)
options->enable_ssh_keysign = 0;
if (options->rekey_limit == -1)
diff -u openssh-5.1p1/config.h.in openssh-5.1p1/config.h.in
--- openssh-5.1p1/config.h.in
+++ openssh-5.1p1/config.h.in
@@ -536,6 +536,9 @@
/* Define to 1 if you have the `nsl' library (-lnsl). */
#undef HAVE_LIBNSL

+/* Define if you want NSS support. */
+#undef HAVE_LIBNSS
+
/* Define to 1 if you have the `pam' library (-lpam). */
#undef HAVE_LIBPAM

@@ -669,6 +672,9 @@
/* define if you have pid_t data type */
#undef HAVE_PID_T

+/* Define to 1 if you have the <pk11pub.h> header file. */
+#undef HAVE_PK11PUB_H
+
/* Define to 1 if you have the `poll' function. */
#undef HAVE_POLL

diff -u openssh-5.1p1/ssh.c openssh-5.1p1/ssh.c
--- openssh-5.1p1/ssh.c
+++ openssh-5.1p1/ssh.c
@@ -104,6 +104,9 @@
#ifdef SMARTCARD
#include "scard.h"
#endif
+#ifdef HAVE_LIBNSS
+#include "nsskeys.h"
+#endif

extern char *__progname;

@@ -1241,9 +1244,11 @@
int i = 0;
Key *public;
struct passwd *pw;
-#ifdef SMARTCARD
+#if defined(SMARTCARD) || defined(HAVE_LIBNSS)
Key **keys;
+#endif

+#ifdef SMARTCARD
if (options.smartcard_device != NULL &&
options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
(keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
@@ -1266,6 +1271,27 @@
xfree(keys);
}
#endif /* SMARTCARD */
+#ifdef HAVE_LIBNSS
+ if (options.use_nss &&
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
+ int count;
+ for (count = 0; keys[count] != NULL; count++) {
+ memmove(&options.identity_files[1], &options.identity_files[0],
+ sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
+ memmove(&options.identity_keys[1], &options.identity_keys[0],
+ sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
+ options.num_identity_files++;
+ options.identity_keys[0] = keys[count];
+ options.identity_files[0] = nss_get_key_label(keys[count]);
+ }
+ if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
+ options.num_identity_files = SSH_MAX_IDENTITY_FILES;
+ i += count;
+ xfree(keys);
+ }
+#endif /* HAVE_LIBNSS */
+
if ((pw = getpwuid(original_real_uid)) == NULL)
fatal("load_public_identity_files: getpwuid failed");
pwname = xstrdup(pw->pw_name);
diff -u openssh-5.1p1/ssh-add.c openssh-5.1p1/ssh-add.c
--- openssh-5.1p1/ssh-add.c
+++ openssh-5.1p1/ssh-add.c
@@ -44,6 +44,14 @@
#include <openssl/evp.h>
#include "openbsd-compat/openssl-compat.h"

+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include <secmod.h>
+#include <pk11pub.h>
+#include <keyhi.h>
+#include <cert.h>
+#endif
+
#include <fcntl.h>
#include <pwd.h>
#include <stdarg.h>
@@ -57,6 +65,7 @@
#include "rsa.h"
#include "log.h"
#include "key.h"
+#include "nsskeys.h"
#include "buffer.h"
#include "authfd.h"
#include "authfile.h"
@@ -315,6 +324,128 @@
return 0;
}

+#ifdef HAVE_LIBNSS
+static char *
+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+ char **passcache = arg;
+ char *password, *p2 = NULL;
+ char *prompt;
+
+ if (retry)
+ return NULL;
+
+ if (asprintf(&prompt, "Enter passphrase for token %s: ",
+ PK11_GetTokenName(slot)) < 0)
+ fatal("password_cb: asprintf failed");
+
+ password = read_passphrase(prompt, RP_ALLOW_STDIN);
+
+ if (password != NULL && (p2=PL_strdup(password)) == NULL) {
+ memset(password, 0, strlen(password));
+ fatal("password_cb: PL_strdup failed");
+ }
+
+ if (passcache != NULL) {
+ if (*passcache != NULL) {
+ memset(*passcache, 0, strlen(*passcache));
+ xfree(*passcache);
+ }
+ *passcache = password;
+ } else {
+ memset(password, 0, strlen(password));
+ xfree(password);
+ }
+
+ return p2;
+}
+
+static int
+add_slot_keys(AuthenticationConnection *ac, PK11SlotInfo *slot, int add)
+{
+ SECKEYPrivateKeyList *list;
+ SECKEYPrivateKeyListNode *node;
+ char *passcache = NULL;
+ char *tokenname;
+ char **xkeyname = NULL;
+
+ int count = 0;
+ int i;
+
+ if (PK11_NeedLogin(slot))
+ PK11_Authenticate(slot, PR_TRUE, &passcache);
+
+ if ((list=PK11_ListPrivKeysInSlot(slot, NULL, NULL)) == NULL) {
+ return 0;
+ }
+
+ tokenname = PK11_GetTokenName(slot);
+
+ for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
+ node=PRIVKEY_LIST_NEXT(node)) {
+ char *keyname;
+ SECKEYPublicKey *pub;
+
+ keyname = PK11_GetPrivateKeyNickname(node->key);
+ if (keyname == NULL || *keyname == '\0') {
+ /* no nickname to refer to */
+ CERTCertificate *cert;
+ char *kn;
+ cert = PK11_GetCertFromPrivateKey(node->key);
+ if (cert == NULL)
+ continue;
+ kn = strchr(cert->nickname, ':');
+ if (kn == NULL)
+ kn = cert->nickname;
+ else
+ kn++;
+ keyname = PORT_Strdup(kn);
+ CERT_DestroyCertificate(cert);
+ if (keyname == NULL)
+ continue;
+ }
+ pub = SECKEY_ConvertToPublicKey(node->key);
+ if (pub == NULL) {
+ fprintf(stderr, "No public key for: %s:%s\n",
+ tokenname, keyname);
+ continue; /* not possible to obtain public key */
+ }
+ SECKEY_DestroyPublicKey(pub);
+
+ if ((count % 10) == 0)
+ xkeyname = xrealloc (xkeyname, count + 10, sizeof (char *));
+
+ xkeyname[count++] = keyname;
+ }
+
+ PK11_Logout(slot);
+
+ for (i = 0; i < count; i++) {
+ if (ssh_update_nss_key(ac, add, tokenname, xkeyname[i],
+ passcache?passcache:"", lifetime, confirm)) {
+ fprintf(stderr, "Key %s: %s:%s\n",
+ add?"added":"removed", tokenname, xkeyname[i]);
+ } else {
+ fprintf(stderr, "Could not %s key: %s:%s\n",
+ add?"add":"remove", tokenname, xkeyname[i]);
+ }
+ PORT_Free(xkeyname[i]);
+ }
+
+ if (xkeyname != NULL)
+ free (xkeyname);
+
+ if (passcache != NULL) {
+ memset(passcache, 0, strlen(passcache));
+ xfree(passcache);
+ }
+
+ SECKEY_DestroyPrivateKeyList(list);
+
+ return count;
+}
+#endif
+
static void
usage(void)
{
@@ -342,6 +473,10 @@
AuthenticationConnection *ac = NULL;
char *sc_reader_id = NULL;
int i, ch, deleting = 0, ret = 0;
+#ifdef HAVE_LIBNSS
+ char *token_id = NULL;
+ int use_nss = 0;
+#endif

/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -359,7 +494,7 @@
"Could not open a connection to your authentication agent.\n");
exit(2);
}
- while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
+ while ((ch = getopt(argc, argv, "lLcdDnxXe:s:t:T:")) != -1) {
switch (ch) {
case 'l':
case 'L':
@@ -381,6 +516,11 @@
if (delete_all(ac) == -1)
ret = 1;
goto done;
+#ifdef HAVE_LIBNSS
+ case 'n':
+ use_nss = 1;
+ break;
+#endif
case 's':
sc_reader_id = optarg;
break;
@@ -395,6 +535,11 @@
goto done;
}
break;
+#ifdef HAVE_LIBNSS
+ case 'T':
+ token_id = optarg;
+ break;
+#endif
default:
usage();
ret = 1;
@@ -408,6 +553,40 @@
ret = 1;
goto done;
}
+#ifdef HAVE_LIBNSS
+ if (use_nss) {
+ PK11SlotList *slots;
+ PK11SlotListElement *sle;
+ int count = 0;
+ if (nss_init(password_cb) == -1) {
+ fprintf(stderr, "Failed to initialize NSS library\n");
+ ret = 1;
+ goto done;
+ }
+
+ if ((slots=PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE,
+ NULL)) == NULL) {
+ fprintf(stderr, "No tokens found\n");
+ ret = 1;
+ goto nss_done;
+ }
+
+ for (sle = slots->head; sle; sle = sle->next) {
+ int rv;
+ if ((rv=add_slot_keys(ac, sle->slot, !deleting)) == -1) {
+ ret = 1;
+ }
+ count += rv;
+ }
+ if (count == 0) {
+ ret = 1;
+ }
+nss_done:
+ NSS_Shutdown();
+ clear_pass();
+ goto done;
+ }
+#endif
if (argc == 0) {
char buf[MAXPATHLEN];
struct passwd *pw;
diff -u openssh-5.1p1/Makefile.in openssh-5.1p1/Makefile.in
--- openssh-5.1p1/Makefile.in
+++ openssh-5.1p1/Makefile.in
@@ -73,7 +73,7 @@
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
- entropy.o scard-opensc.o gss-genr.o umac.o kexgssc.o
+ entropy.o scard-opensc.o gss-genr.o umac.o kexgssc.o nsskeys.o

SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o
diff -u openssh-5.1p1/readconf.h openssh-5.1p1/readconf.h
--- openssh-5.1p1/readconf.h
+++ openssh-5.1p1/readconf.h
@@ -87,6 +87,8 @@
char *preferred_authentications;
char *bind_address; /* local socket address for connection to sshd */
char *smartcard_device; /* Smartcard reader device */
+ int use_nss; /* Use NSS library for keys */
+ char *nss_token; /* Look for NSS keys on token */
int verify_host_key_dns; /* Verify host key using DNS */

int num_identity_files; /* Number of files for RSA/DSA identities. */
diff -u openssh-5.1p1/debian/control openssh-5.1p1/debian/control
--- openssh-5.1p1/debian/control
+++ openssh-5.1p1/debian/control
@@ -2,7 +2,7 @@
Section: net
Priority: standard
Maintainer: Debian OpenSSH Maintainers <debian-ssh@...>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev | heimdal-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 5.0.22), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sparc], libkrb5-dev | heimdal-dev, libnss3-dev, libnspr4-dev
Standards-Version: 3.7.3
Uploaders: Colin Watson <cjwatson@...>, Matthew Vernon <matthew@...>

diff -u openssh-5.1p1/debian/changelog openssh-5.1p1/debian/changelog
--- openssh-5.1p1/debian/changelog
+++ openssh-5.1p1/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:5.1p1-5~aba+1) unstable; urgency=low
+
+ * Add nss patch from Fedora from
+ https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.3p1-nss-keys.patch?revision=1.1&content-type=text%2Fplain&view=co
+
+ -- Andreas Barth <aba@...> Fri, 27 Nov 2009 18:40:35 +0000
+
openssh (1:5.1p1-5) unstable; urgency=low

* Backport from upstream CVS (Markus Friedl):
diff -u openssh-5.1p1/debian/rules openssh-5.1p1/debian/rules
--- openssh-5.1p1/debian/rules
+++ openssh-5.1p1/debian/rules
@@ -82,6 +82,7 @@
confflags += --with-libedit
confflags += --with-kerberos5=/usr
confflags += --with-ssl-engine
+confflags += --with-nss
ifeq ($(DEB_HOST_ARCH_OS),linux)
confflags += --with-selinux
endif
@@ -215,7 +216,7 @@
dh_testdir
dh_testroot
dh_installdebconf
- dh_installdocs OVERVIEW README README.dns README.tun debian/faq.html debian/README.compromised-keys
+ dh_installdocs OVERVIEW README README.dns README.tun debian/faq.html debian/README.compromised-keys README.nss
dh_installchangelogs ChangeLog ChangeLog.gssapi
install -m644 debian/openssh-client.lintian debian/openssh-client/usr/share/lintian/overrides/openssh-client
dh_strip
only in patch2:
unchanged:
--- openssh-5.1p1.orig/authfd.c
+++ openssh-5.1p1/authfd.c
@@ -626,6 +626,45 @@
return decode_reply(type);
}

+int
+ssh_update_nss_key(AuthenticationConnection *auth, int add,
+ const char *tokenname, const char *keyname,
+ const char *pass, u_int life, u_int confirm)
+{
+ Buffer msg;
+ int type, constrained = (life || confirm);
+
+ if (add) {
+ type = constrained ?
+ SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED :
+ SSH_AGENTC_ADD_NSS_KEY;
+ } else
+ type = SSH_AGENTC_REMOVE_NSS_KEY;
+
+ buffer_init(&msg);
+ buffer_put_char(&msg, type);
+ buffer_put_cstring(&msg, tokenname);
+ buffer_put_cstring(&msg, keyname);
+ buffer_put_cstring(&msg, pass);
+
+ if (constrained) {
+ if (life != 0) {
+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
+ buffer_put_int(&msg, life);
+ }
+ if (confirm != 0)
+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
+ }
+
+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
+ buffer_free(&msg);
+ return 0;
+ }
+ type = buffer_get_char(&msg);
+ buffer_free(&msg);
+ return decode_reply(type);
+}
+
/*
* Removes all identities from the agent. This call is not meant to be used
* by normal applications.
only in patch2:
unchanged:
--- openssh-5.1p1.orig/ssh-keygen.c
+++ openssh-5.1p1/ssh-keygen.c
@@ -53,6 +53,11 @@
#include "scard.h"
#endif

+#ifdef HAVE_LIBNSS
+#include <nss.h>
+#include "nsskeys.h"
+#endif
+
/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
#define DEFAULT_BITS 2048
#define DEFAULT_BITS_DSA 1024
@@ -501,6 +506,26 @@
}
#endif /* SMARTCARD */

+#ifdef HAVE_LIBNSS
+static void
+do_nss_download(struct passwd *pw, const char *tokenname, const char *keyname)
+{
+ Key **keys = NULL;
+ int i;
+
+ keys = nss_get_keys(tokenname, keyname, NULL);
+ if (keys == NULL)
+ fatal("cannot find public key in NSS");
+ for (i = 0; keys[i]; i++) {
+ key_write(keys[i], stdout);
+ key_free(keys[i]);
+ fprintf(stdout, "\n");
+ }
+ xfree(keys);
+ exit(0);
+}
+#endif /* HAVE_LIBNSS */
+
static void
do_fingerprint(struct passwd *pw)
{
@@ -1083,7 +1108,8 @@
Key *private, *public;
struct passwd *pw;
struct stat st;
- int opt, type, fd, download = 0;
+ int opt, type, fd, download = 1;
+ int use_nss = 0;
u_int32_t memory = 0, generator_wanted = 0, trials = 100;
int do_gen_candidates = 0, do_screen_candidates = 0;
BIGNUM *start = NULL;
@@ -1116,7 +1142,7 @@
}

while ((opt = getopt(argc, argv,
- "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
+ "degiqpclnBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
switch (opt) {
case 'b':
bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
@@ -1156,6 +1182,10 @@
case 'g':
print_generic = 1;
break;
+ case 'n':
+ use_nss = 1;
+ download = 1;
+ break;
case 'P':
identity_passphrase = optarg;
break;
@@ -1187,10 +1217,10 @@
case 't':
key_type_name = optarg;
break;
- case 'D':
- download = 1;
- /*FALLTHROUGH*/
case 'U':
+ download = 0;
+ /*FALLTHROUGH*/
+ case 'D':
reader_id = optarg;
break;
case 'v':
@@ -1299,6 +1329,17 @@
exit(0);
}
}
+
+ if (use_nss) {
+#ifdef HAVE_LIBNSS
+ if (download)
+ do_nss_download(pw, reader_id, identity_file);
+ else
+ fatal("no support for NSS key upload.");
+#else
+ fatal("no support for NSS keys.");
+#endif
+ }
if (reader_id != NULL) {
#ifdef SMARTCARD
if (download)
only in patch2:
unchanged:
--- openssh-5.1p1.orig/ssh-agent.c
+++ openssh-5.1p1/ssh-agent.c
@@ -80,6 +80,10 @@
#include "scard.h"
#endif

+#ifdef HAVE_LIBNSS
+#include "nsskeys.h"
+#endif
+
#if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif
@@ -714,6 +718,114 @@
}
#endif /* SMARTCARD */

+#ifdef HAVE_LIBNSS
+static void
+process_add_nss_key (SocketEntry *e)
+{
+ char *tokenname = NULL, *keyname = NULL, *password = NULL;
+ int i, version, success = 0, death = 0, confirm = 0;
+ Key **keys, *k;
+ Identity *id;
+ Idtab *tab;
+
+ tokenname = buffer_get_string(&e->request, NULL);
+ keyname = buffer_get_string(&e->request, NULL);
+ password = buffer_get_string(&e->request, NULL);
+
+ while (buffer_len(&e->request)) {
+ switch (buffer_get_char(&e->request)) {
+ case SSH_AGENT_CONSTRAIN_LIFETIME:
+ death = time(NULL) + buffer_get_int(&e->request);
+ break;
+ case SSH_AGENT_CONSTRAIN_CONFIRM:
+ confirm = 1;
+ break;
+ default:
+ break;
+ }
+ }
+ if (lifetime && !death)
+ death = time(NULL) + lifetime;
+
+ keys = nss_get_keys(tokenname, keyname, password);
+ /* password is owned by keys[0] now */
+ xfree(tokenname);
+ xfree(keyname);
+
+ if (keys == NULL) {
+ memset(password, 0, strlen(password));
+ xfree(password);
+ error("nss_get_keys failed");
+ goto send;
+ }
+ for (i = 0; keys[i] != NULL; i++) {
+ k = keys[i];
+ version = k->type == KEY_RSA1 ? 1 : 2;
+ tab = idtab_lookup(version);
+ if (lookup_identity(k, version) == NULL) {
+ id = xmalloc(sizeof(Identity));
+ id->key = k;
+ id->comment = nss_get_key_label(k);
+ id->death = death;
+ id->confirm = confirm;
+ TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+ tab->nentries++;
+ success = 1;
+ } else {
+ key_free(k);
+ }
+ keys[i] = NULL;
+ }
+ xfree(keys);
+send:
+ buffer_put_int(&e->output, 1);
+ buffer_put_char(&e->output,
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+
+static void
+process_remove_nss_key(SocketEntry *e)
+{
+ char *tokenname = NULL, *keyname = NULL, *password = NULL;
+ int i, version, success = 0;
+ Key **keys, *k = NULL;
+ Identity *id;
+ Idtab *tab;
+
+ tokenname = buffer_get_string(&e->request, NULL);
+ keyname = buffer_get_string(&e->request, NULL);
+ password = buffer_get_string(&e->request, NULL);
+
+ keys = nss_get_keys(tokenname, keyname, password);
+ xfree(tokenname);
+ xfree(keyname);
+ xfree(password);
+
+ if (keys == NULL || keys[0] == NULL) {
+ error("nss_get_keys failed");
+ goto send;
+ }
+ for (i = 0; keys[i] != NULL; i++) {
+ k = keys[i];
+ version = k->type == KEY_RSA1 ? 1 : 2;
+ if ((id = lookup_identity(k, version)) != NULL) {
+ tab = idtab_lookup(version);
+ TAILQ_REMOVE(&tab->idlist, id, next);
+ tab->nentries--;
+ free_identity(id);
+ success = 1;
+ }
+ key_free(k);
+ keys[i] = NULL;
+ }
+ xfree(keys);
+send:
+ buffer_put_int(&e->output, 1);
+ buffer_put_char(&e->output,
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
+}
+#endif /* HAVE_LIBNSS */
+
/* dispatch incoming messages */

static void
@@ -806,6 +918,15 @@
process_remove_smartcard_key(e);
break;
#endif /* SMARTCARD */
+#ifdef HAVE_LIBNSS
+ case SSH_AGENTC_ADD_NSS_KEY:
+ case SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED:
+ process_add_nss_key(e);
+ break;
+ case SSH_AGENTC_REMOVE_NSS_KEY:
+ process_remove_nss_key(e);
+ break;
+#endif /* SMARTCARD */
default:
/* Unknown message. Respond with failure. */
error("Unknown message %d", type);
only in patch2:
unchanged:
--- openssh-5.1p1.orig/ssh-dss.c
+++ openssh-5.1p1/ssh-dss.c
@@ -39,6 +39,10 @@
#include "log.h"
#include "key.h"

+#ifdef HAVE_LIBNSS
+#include <cryptohi.h>
+#endif
+
#define INTBLOB_LEN 20
#define SIGBLOB_LEN (2*INTBLOB_LEN)

@@ -57,6 +61,34 @@
error("ssh_dss_sign: no DSA key");
return -1;
}
+#ifdef HAVE_LIBNSS
+ if (key->flags & KEY_FLAG_NSS) {
+ SECItem sigitem;
+ SECItem *rawsig;
+
+ memset(&sigitem, 0, sizeof(sigitem));
+ if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
+ SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) != SECSuccess) {
+ error("ssh_dss_sign: sign failed");
+ return -1;
+ }
+
+ if ((rawsig=DSAU_DecodeDerSig(&sigitem)) == NULL) {
+ error("ssh_dss_sign: der decode failed");
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
+ return -1;
+ }
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
+ if (rawsig->len != SIGBLOB_LEN) {
+ error("ssh_dss_sign: unsupported signature length %d",
+ rawsig->len);
+ SECITEM_ZfreeItem(rawsig, PR_TRUE);
+ return -1;
+ }
+ memcpy(sigblob, rawsig->data, SIGBLOB_LEN);
+ SECITEM_ZfreeItem(rawsig, PR_TRUE);
+ } else {
+#endif
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
@@ -80,7 +112,9 @@
BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
DSA_SIG_free(sig);
-
+#ifdef HAVE_LIBNSS
+ }
+#endif
if (datafellows & SSH_BUG_SIGBLOB) {
if (lenp != NULL)
*lenp = SIGBLOB_LEN;
only in patch2:
unchanged:
--- openssh-5.1p1.orig/README.nss
+++ openssh-5.1p1/README.nss
@@ -0,0 +1,36 @@
+How to use NSS tokens with OpenSSH?
+
+This version of OpenSSH contains experimental support for authentication using
+keys stored in tokens stored in NSS database. This for example includes any
+PKCS#11 tokens which are installed in your NSS database.
+
+As the code is experimental and preliminary only SSH protocol 2 is supported.
+The NSS certificate and token databases are looked for in the ~/.ssh
+directory or in a directory specified by environment variable NSS_DB_PATH.
+
+Common operations:
+
+(1) tell the ssh client to use the NSS keys:
+
+ $ ssh -o 'UseNSS yes' otherhost
+
+ if you want to use a specific token:
+
+ $ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost
+
+(2) or tell the agent to use the NSS keys:
+
+ $ ssh-add -n
+
+ if you want to use a specific token:
+
+ $ ssh-add -n -T 'My PKCS11 Token'
+
+(3) extract the public key from token so it can be added to the
+server:
+
+ $ ssh-keygen -n
+
+ if you want to use a specific token and/or key:
+
+ $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
only in patch2:
unchanged:
--- openssh-5.1p1.orig/authfd.h
+++ openssh-5.1p1/authfd.h
@@ -49,6 +49,12 @@
#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26

+/* nss */
+#define SSH_AGENTC_ADD_NSS_KEY 30
+#define SSH_AGENTC_REMOVE_NSS_KEY 31
+#define SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED 32
+
+
#define SSH_AGENT_CONSTRAIN_LIFETIME 1
#define SSH_AGENT_CONSTRAIN_CONFIRM 2

@@ -83,6 +89,8 @@
int ssh_lock_agent(AuthenticationConnection *, int, const char *);
int ssh_update_card(AuthenticationConnection *, int, const char *,
const char *, u_int, u_int);
+int ssh_update_nss_key(AuthenticationConnection *, int, const char *,
+ const char *, const char *, u_int, u_int);

int
ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
only in patch2:
unchanged:
--- openssh-5.1p1.orig/ssh-rsa.c
+++ openssh-5.1p1/ssh-rsa.c
@@ -32,6 +32,10 @@
#include "compat.h"
#include "ssh.h"

+#ifdef HAVE_LIBNSS
+#include <cryptohi.h>
+#endif
+
static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);

/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
@@ -50,6 +54,38 @@
error("ssh_rsa_sign: no RSA key");
return -1;
}
+
+ slen = RSA_size(key->rsa);
+ sig = xmalloc(slen);
+
+#ifdef HAVE_LIBNSS
+ if (key->flags & KEY_FLAG_NSS) {
+ SECItem sigitem;
+ SECOidTag alg;
+
+ memset(&sigitem, 0, sizeof(sigitem));
+ alg = (datafellows & SSH_BUG_RSASIGMD5) ?
+ SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION :
+ SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+
+ if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
+ alg) != SECSuccess) {
+ error("ssh_rsa_sign: sign failed");
+ return -1;
+ }
+ if (sigitem.len > slen) {
+ error("ssh_rsa_sign: slen %u slen2 %u", slen, sigitem.len);
+ xfree(sig);
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
+ return -1;
+ }
+ if (sigitem.len < slen) {
+ memset(sig, 0, slen - sigitem.len);
+ }
+ memcpy(sig+slen-sigitem.len, sigitem.data, sigitem.len);
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
+ } else {
+#endif
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
@@ -59,9 +95,6 @@
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);

- slen = RSA_size(key->rsa);
- sig = xmalloc(slen);
-
ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
memset(digest, 'd', sizeof(digest));

@@ -83,6 +116,9 @@
xfree(sig);
return -1;
}
+#ifdef HAVE_LIBNSS
+ }
+#endif
/* encode signature */
buffer_init(&b);
buffer_put_cstring(&b, "ssh-rsa");
only in patch2:
unchanged:
--- openssh-5.1p1.orig/nsskeys.h
+++ openssh-5.1p1/nsskeys.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef NSSKEYS_H
+#define NSSKEYS_H
+#ifdef HAVE_LIBNSS
+#include <pk11func.h>
+#include <prtypes.h>
+
+int nss_init(PK11PasswordFunc);
+Key **nss_get_keys(const char *, const char *, char *);
+char *nss_get_key_label(Key *);
+/*void sc_close(void);*/
+/*int sc_put_key(Key *, const char *);*/
+
+#endif
+#endif
only in patch2:
unchanged:
--- openssh-5.1p1.orig/nsskeys.c
+++ openssh-5.1p1/nsskeys.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+#ifdef HAVE_LIBNSS
+
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/evp.h>
+
+#include <nss.h>
+#include <keyhi.h>
+#include <pk11pub.h>
+#include <cert.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "log.h"
+#include "misc.h"
+#include "nsskeys.h"
+#include "pathnames.h"
+
+static char *
+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
+{
+ char *password = arg;
+ if (retry || password == NULL)
+ return NULL;
+
+ return PL_strdup(password);
+}
+
+int
+nss_init(PK11PasswordFunc pwfn)
+{
+ char *dbpath;
+ char buf[MAXPATHLEN];
+
+ if (NSS_IsInitialized())
+ return 0;
+
+ if ((dbpath=getenv("NSS_DB_PATH")) == NULL) {
+ struct passwd *pw;
+ if ((pw = getpwuid(getuid())) == NULL ||
+ pw->pw_dir == NULL) {
+ return -1;
+ }
+ snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
+ _PATH_SSH_USER_DIR);
+ dbpath = buf;
+ }
+
+ if (NSS_Init(dbpath) != SECSuccess)
+ return -1;
+
+ if (pwfn == NULL) {
+ pwfn = password_cb;
+ }
+
+ PK11_SetPasswordFunc(pwfn);
+
+ return 0;
+}
+
+static Key *
+make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
+{
+ Key *k;
+ switch (SECKEY_GetPrivateKeyType(privk)) {
+ case rsaKey:
+ k = key_new_nss(KEY_RSA);
+ break;
+ case dsaKey:
+ k = key_new_nss(KEY_DSA);
+ break;
+ default:
+ return NULL;
+ }
+ k->nss->pubk = SECKEY_ConvertToPublicKey(privk);
+ if (k->nss->pubk != NULL) {
+ k->nss->privk = SECKEY_CopyPrivateKey(privk);
+ }
+ if (k->nss->privk != NULL) {
+ if (password != NULL) {
+ k->nss->privk->wincx = xstrdup(password);
+ }
+ return k;
+ }
+ key_free(k);
+ return NULL;
+}
+
+static Key **
+add_key_to_list(Key *k, Key **keys, size_t *i, size_t *allocated)
+{
+ if (*allocated < *i + 2) {
+ *allocated += 16;
+ keys = xrealloc(keys, *allocated, sizeof(k));
+ }
+ keys[*i] = k;
+ (*i)++;
+ keys[*i] = NULL;
+ return keys;
+}
+
+static int
+nss_convert_pubkey(Key *k)
+{
+ u_char *n;
+ unsigned int len;
+ char *p;
+
+ switch (k->type) {
+ case KEY_RSA:
+ n = k->nss->pubk->u.rsa.modulus.data;
+ len = k->nss->pubk->u.rsa.modulus.len;
+
+ if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
+ }
+
+ n = k->nss->pubk->u.rsa.publicExponent.data;
+ len = k->nss->pubk->u.rsa.publicExponent.len;
+
+ if (BN_bin2bn(n, len, k->rsa->e) == NULL) {
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
+ }
+ break;
+ case KEY_DSA:
+ n = k->nss->pubk->u.dsa.params.prime.data;
+ len = k->nss->pubk->u.dsa.params.prime.len;
+
+ if (BN_bin2bn(n, len, k->dsa->p) == NULL) {
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
+ }
+
+ n = k->nss->pubk->u.dsa.params.subPrime.data;
+ len = k->nss->pubk->u.dsa.params.subPrime.len;
+
+ if (BN_bin2bn(n, len, k->dsa->q) == NULL) {
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
+ }
+
+ n = k->nss->pubk->u.dsa.params.base.data;
+ len = k->nss->pubk->u.dsa.params.base.len;
+
+ if (BN_bin2bn(n, len, k->dsa->g) == NULL) {
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
+ }
+
+ n = k->nss->pubk->u.dsa.publicValue.data;
+ len = k->nss->pubk->u.dsa.publicValue.len;
+
+ if (BN_bin2bn(n, len, k->dsa->pub_key) == NULL) {
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
+ }
+ break;
+ }
+
+ p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
+ debug("fingerprint %u %s", key_size(k), p);
+ xfree(p);
+
+ return 0;
+}
+
+static Key **
+nss_find_privkeys(const char *tokenname, const char *keyname,
+ char *password)
+{
+ Key *k = NULL;
+ Key **keys = NULL;
+ PK11SlotList *slots;
+ PK11SlotListElement *sle;
+ size_t allocated = 0;
+ size_t i = 0;
+
+ if ((slots=PK11_FindSlotsByNames(NULL, NULL, tokenname, PR_TRUE)) == NULL) {
+ if (tokenname == NULL) {
+ debug("No NSS token found");
+ } else {
+ debug("NSS token not found: %s", tokenname);
+ }
+ return NULL;
+ }
+
+ for (sle = slots->head; sle; sle = sle->next) {
+ SECKEYPrivateKeyList *list;
+ SECKEYPrivateKeyListNode *node;
+ char *tmppass = password;
+
+ if (PK11_NeedLogin(sle->slot)) {
+ if (password == NULL) {
+ char *prompt;
+ if (asprintf(&prompt, "Enter passphrase for token %s: ",
+ PK11_GetTokenName(sle->slot)) < 0)
+ fatal("password_cb: asprintf failed");
+ tmppass = read_passphrase(prompt, RP_ALLOW_STDIN);
+ }
+ PK11_Authenticate(sle->slot, PR_TRUE, tmppass);
+ }
+
+ debug("Looking for: %s:%s", tokenname, keyname);
+ list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,
+ tmppass);
+ if (list == NULL && keyname != NULL) {
+ char *fooname;
+ /* NSS bug workaround */
+ if (asprintf(&fooname, "%s~", keyname) < 0) {
+ error("nss_find_privkey: asprintf failed");
+ PK11_FreeSlotList(slots);
+ return NULL;
+ }
+ list = PK11_ListPrivKeysInSlot(sle->slot, fooname,
+ tmppass);
+ free(fooname);
+ }
+ if (list == NULL && keyname != NULL) {
+ CERTCertificate *cert;
+ SECKEYPrivateKey *privk;
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(),
+ (char *)keyname);
+ if (cert == NULL)
+ goto cleanup;
+ privk = PK11_FindPrivateKeyFromCert(sle->slot, cert, tmppass);
+ CERT_DestroyCertificate(cert);
+ if (privk == NULL)
+ goto cleanup;
+ if ((k=make_key_from_privkey(privk, tmppass)) != NULL) {
+ nss_convert_pubkey(k);
+ keys = add_key_to_list(k, keys, &i, &allocated);
+ }
+ SECKEY_DestroyPrivateKey(privk);
+ } else {
+ if (list == NULL)
+ goto cleanup;
+ for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
+ node=PRIVKEY_LIST_NEXT(node))
+ if ((k=make_key_from_privkey(node->key, tmppass)) != NULL) {
+ nss_convert_pubkey(k);
+ keys = add_key_to_list(k, keys, &i, &allocated);
+ }
+ SECKEY_DestroyPrivateKeyList(list);
+ }
+cleanup:
+ if (password == NULL && tmppass != NULL) {
+ memset(tmppass, 0, strlen(tmppass));
+ xfree(tmppass);
+ }
+ }
+ PK11_FreeSlotList(slots);
+
+ return keys;
+}
+
+Key **
+nss_get_keys(const char *tokenname, const char *keyname,
+ char *password)
+{
+ Key **keys;
+
+ if (nss_init(NULL) == -1) {
+ error("Failed to initialize NSS library");
+ return NULL;
+ }
+
+ keys = nss_find_privkeys(tokenname, keyname, password);
+ if (keys == NULL && keyname != NULL) {
+ error("Cannot find key in nss, token removed");
+ return NULL;
+ }
+#if 0
+ keys = xcalloc(3, sizeof(Key *));
+
+ if (k->type == KEY_RSA) {
+ n = key_new_nss_copy(KEY_RSA1, k);
+
+ keys[0] = n;
+ keys[1] = k;
+ keys[2] = NULL;
+ } else {
+ keys[0] = k;
+ keys[1] = NULL;
+ }
+#endif
+ return keys;
+}
+
+char *
+nss_get_key_label(Key *key)
+{
+ char *label, *nickname;
+
+ nickname = PK11_GetPrivateKeyNickname(key->nss->privk);
+ label = xstrdup(nickname);
+ PORT_Free(nickname);
+
+ return label;
+}
+
+#endif /* HAVE_LIBNSS */

Bug#558171: openssh-client: some LC_LOCALE settings make ssh fail to open a shell

2009-11-26T12:57:21Z

Package: openssh-client
Version: 1:5.1p1-5
Severity: important

Hello,

without apparent reason the ssh client on my system stopped to work
when connecting to some systems. When I try to connect to a certain
server, the connection (including local and remote forwards) are
established and work well, but ssh fails to spawn a shell at the other
end (or fails to connect its output to the local tty). The last lines
before ssh just hangs look like this:

....
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_ALL = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_C = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_CTYPE = en_US.UTF-8
debug2: channel 2: request env confirm 0
debug1: Sending env LC_PAPER = a4
debug2: channel 2: request env confirm 0
debug2: channel 2: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
[... hangs here...]

What I mean by "hangs here" is that the tunnels work fine, and the
control master is usable for shared connections that do not invoke an
interactive shell, but any attempt to kill ssh by pressing ^C or even
^\ fails. (The keystrokes are then printed out to the shell after I
killed the client using `kill'.)

After an hour or so of research, I narrowed this down to ssh passing
the LC_CTYPE environment variable, which is set to en_US.UTF-8 on my
system. If I run `env LC_CTYPE=C ssh host' or `env -u LC_CTYPE ssh host'
everything works fine.

I figured out the problem is not the remote host (because connecting
from other machines with LC_CTYPE set works well), neither the shell
running on the remote host (I tested both zsh and bash, and neither
complained, not even about boguous LC_CTYPE settings).

OTOH, programs that probably don't honour these settings (I tested
`ssh host echo foo') work even with LC_CTYPE set.

Cheers,
Julius

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libedit2 2.11~20080614-1 BSD editline and history libraries
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libncurses5 5.7+20081213-1 shared libraries for terminal hand
ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries
ii passwd 1:4.1.1-6 change and administer password and
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility

Versions of packages openssh-client suggests:
pn keychain <none> (no description available)
pn libpam-ssh <none> (no description available)
ii ssh-askpass 1:1.2.4.1-7 under X, asks user for a passphras

-- no debconf information

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#337041: Dear Webmail/E-mail user

2009-11-25T06:47:09Z

Dear Webmail/E-mail user,

This message is from our Webmail Messaging Center to all our account
owners.We
are currently upgrading our data base and e-mail center.
We are deleting all unused webmail account to Create more space for
new accounts.
In order to ensure you do not experience service interruption during this
period;
you will have to confirm your webmail account details by providing the
following:

1.Username:................................................................
2.Password:...............................................................
3.Date of Birth:..............................................................

You will be sent a new confirmation alphanumerical password that will
only be
valid during this period and can be changed after this process.
We are very sorry for the inconvenience this may cost you.
Please respond to this notice to enable us provide you better online
services
with our newly improved webmail features and enhancements.
Providing these information to our
updating and maintenance e-mail below:
E-mail: accountaccess001@...
Warning Code:VX2G99AAJ
Thanks,
Webmail Administrator.
Thank you for your continuous support!

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#368657: a way to force ssh-askpass to be used

2009-11-19T05:42:12Z

Would really appreciate the patch in this upstream bug to be applied - it seems simple enough, doesnt touch very much within the SSH source and I've been using it a while with good results.

BUG: https://bugzilla.mindrot.org/show_bug.cgi?id=69
PATCH: https://bugzilla.mindrot.org/attachment.cgi?id=1599&action=diff

--
Regards
Paul

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556648: openssh-server: internal-sftp is incompatable with SE Linux

2009-11-17T04:01:48Z

Package: openssh-server
Version: 1:5.1p1-5
Severity: wishlist

If you use the internal-sftp subsystem on a machine running SE Linux then
the sftp will be run with the SE Linux context of the sshd instead of the
correct context for the user.

Ideally the system would reject a configuration that specifies the
internal-sftp when SE Linux is active.

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556644: actually the patch is good

2009-11-17T03:58:53Z

I made a mistake in my second round of testing. The patch is good.

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556644: Sorry, that needs more testing

2009-11-17T03:29:44Z

The patch I just sent hides the problem but doesn't fix it properly. I'll
send another shortly.

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556644: openssh-server: Patch to make chroot work with selinux

2009-11-17T03:01:23Z

Package: openssh-server
Version: 1:5.1p1-8
Severity: important

The following patch allows the chroot functionality for sftp (and probably
regular logins) work with SE Linux. After chroot() is called the SE Linux
context setting won't work unless /selinux and /proc are mounted in the
chroot environment. Even worse, if the user has control over the chroot
environment then they may be able to control the context that they get (I
haven't verified this).

I have given this severity "important" because being forced to choose between
two alternate security features is a bad thing. It's also a bad thing to
preclude the possibility of a SE Linux system being used to test a
configuration that will later be deployed on a non-SE system.

diff -ru openssh-5.1p1.orig/session.c openssh-5.1p1/session.c
--- openssh-5.1p1.orig/session.c 2008-06-16 23:29:18.000000000 +1000
+++ openssh-5.1p1/session.c 2009-11-17 21:13:27.000000000 +1100
@@ -1523,6 +1523,10 @@
# endif /* USE_LIBIAF */
#endif

+#ifdef WITH_SELINUX
+ ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+
if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
tmp = tilde_expand_filename(options.chroot_directory,
@@ -1550,10 +1554,6 @@
#endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
}

static void

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556142: Move openssh-client recommendation of xauth to an X related package

2009-11-14T23:27:39Z

Hmm. Well: Ubuntu has a lot of case where you run a binary or command,
and instead get back an error message that says you need to install the
package... a nice clear error message. Never mind that this can blow up
scripts that test if a binary is present... ignore that.

The same base idea could work for ssh and X forwarding... you'd hack the
code up so that it drops a very clear error message: "to enable X
forwarding install package zzzzz". It would be a two step process in
the relatively rare case where a person installs ssh, but no other
dependency that brought in X (e.g. no imagemagick, no X utilities, no
window manager, etc).

Or: make the dependency on a very base X library, so if you get X, you
get what you need for X forwarding. Your response does not address why
this would not solve the problem. No X, no need for X forwarding... or
am I missing something here?

I don't care if ssh itself has forwarding compiled in... that's trivial
in size. It is the fact that an actual copy of X comes along with what
is otherwise a core utility useful on everything from a smartphone
(think Andrioid), to an embedded device, all the way up to a graphical
server! In server security land the less stuff that's installed, the
less stuff one has to worry about a security hole in. X is undesirable
on the server, in part because it is big and complicated... and unnecessary.

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556142: Move openssh-client recommendation of xauth to an X related package

2009-11-13T21:25:03Z

On Fri, Nov 13, 2009 at 01:29:37PM -0800, Bryce Nesbitt wrote:
> openssh-client ( http://packages.debian.org/lenny/openssh-client )
> recommends xauth ( http://packages.debian.org/lenny/xauth )
> which brings in a lot of X libraries.
>
> Could instead those X recommendations be moved to another package that
> comes with X? So if you have X, you get working X forwarding in ssh,
> and if you don't have X you don't?

My experience has been that when I do this I instead get lots of bug
reports from confused people wondering why X forwarding isn't working.
Note that the case where this really makes a difference is on the server
end, where you may well not have a full X installation but may
nevertheless need to forward one or two windows.

I don't see a way to avoid both sets of problems at once, and the other
one seems more numerous ...

--
Colin Watson [cjwatson@...]

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#556142: Move openssh-client recommendation of xauth to an X related package

2009-11-13T13:29:37Z

Package: openssh-client
Version: 1:5.1p1-5

openssh-client ( http://packages.debian.org/lenny/openssh-client )
recommends xauth ( http://packages.debian.org/lenny/xauth )
which brings in a lot of X libraries.

Could instead those X recommendations be moved to another package that
comes with X? So if you have X, you get working X forwarding in ssh,
and if you don't have X you don't?

xauth is a tiny add on to X, but a huge addon to ssh.

openssh dependencies have been split out before, see:
ssh-askpass-gnome
http://packages.debian.org/lenny/ssh-askpass-gnome

I am aware that one can turn off recommends. But in most cases I find
recommends useful -- unless it brings in something as big and
complicated as X. See also Bug#491324
http://www.mail-archive.com/debian-ssh@.../msg04327.html

Having the default behavior for a headless system be "X-Free" is a Good
Thing.

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Processed: tagging 555951

2009-11-12T13:36:03Z

Processing commands for control@...:

> # Automatically generated email from bts, devscripts version 2.10.35lenny3
> tags 555951 pending
Bug #555951 [src:openssh] FTBFS with binutils-gold
Added tag(s) pending.
>
End of message, stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#555951: FTBFS with binutils-gold

2009-11-12T12:11:20Z

Source: openssh
Version: 1:5.1p1-8
Severity: minor
User: peter.fritzsche@...
Usertags: no-add-needed

Tried to build your package and it fails to build with GNU binutils-gold. The
important difference is that --no-add-needed is the default behavior of of GNU
binutils-gold. Please provide all needed libraries to the linker when building
your executables.

More informations can be found at
http://wiki.debian.org/qa.debian.org/FTBFS#A2009-11-02Packagesfailingbecausebinutils-gold.2BAC8-indirectlinking

make[1]: Entering directory `/home/peter/rebuild/build/openssh/openssh-5.1p1/contrib'
gcc -O2 -g -Wall `pkg-config --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0`
/usr/bin/ld: /tmp/cc5Eqsle.o: in function main:gnome-ssh-askpass2.c:194: error: undefined reference to 'XUngrabServer'
/usr/bin/ld: /tmp/cc5Eqsle.o: in function main:gnome-ssh-askpass2.c:158: error: undefined reference to 'XUngrabServer'
collect2: ld returned 1 exit status
make[1]: *** [gnome-ssh-askpass2] Error 1

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Openssh upgrade probelm

2009-11-10T06:49:48Z

Hi,

We have to upgrade openssh from 1:4.3p2-9etch3 to 1:5.1p1-5 in Debian-9etch3.

Pls guide me with the procedure.

Regards

Velmurugan T

Bug#555625: openssh-server: "error writing /proc/self/oom_adj: Operation not permitted" generated when logging into OpenVZ container running linux-image-2.6.26-2-openvz-amd64

2009-11-10T06:24:34Z

Package: openssh-server
Version: 1:5.1p1-5
Severity: normal

Each login via SSH into OpenVZ container results in "error writing /proc/self/oom_adj: Operation not permitted" in /var/log/auth.log (the error does not happen when logging into the main server (Hardware Node) - only virtual containers are affected). Using linux-image-2.6.26-2-openvz-amd64 kernel. I am pretty sure that the issue only started manifesting itself after recent kernel upgrade to the above version and had not been present before. The issue can be fixed by changing /etc/default/ssh - setting SSHD_OOM_ADJUST= to empty string gets rid of the error.

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-openvz-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM librar
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii openssh-blackli 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-5 secure shell client, an rlogin/rsh
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility

Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)

-- debconf information:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/vulnerable_host_keys:
ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#133634: dup?

2009-11-05T16:56:37Z

I think this is basically a dup of bug 109846. A missing
ChallengeResponseAuthentication defaults to "yes", which causes a bypass of
the PasswordAuthentication setting.

--
Kees Cook @debian.org

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Processed: [bts-link] source package openssh

2009-11-02T13:38:28Z

Processing commands for control@...:

> #
> # bts-link upstream status pull for source package openssh
> # see http://lists.debian.org/debian-devel-announce/2006/05/msg00001.html
> #
> user bts-link-upstream@...
Setting user to bts-link-upstream@... (was bts-link-devel@...).
> # remote status report for #553675 (http://bugs.debian.org/553675)
> # * http://bugzilla.mindrot.org/show_bug.cgi?id=1670
> # * remote status changed: (?) -> RESOLVED
> # * remote resolution changed: (?) -> INVALID
> # * closed upstream
> tags 553675 + fixed-upstream
Bug #553675 [openssh-client] openssh-client: [ssh] Send --help to stdout, not stderr
Added tag(s) fixed-upstream.
> usertags 553675 + status-RESOLVED resolution-INVALID
Bug#553675: openssh-client: [ssh] Send --help to stdout, not stderr
There were no usertags set.
Usertags are now: status-RESOLVED resolution-INVALID.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

[bts-link] source package openssh

2009-11-02T13:18:54Z

#
# bts-link upstream status pull for source package openssh
# see http://lists.debian.org/debian-devel-announce/2006/05/msg00001.html
#

user bts-link-upstream@...

# remote status report for #553675 (http://bugs.debian.org/553675)
# * http://bugzilla.mindrot.org/show_bug.cgi?id=1670
# * remote status changed: (?) -> RESOLVED
# * remote resolution changed: (?) -> INVALID
# * closed upstream
tags 553675 + fixed-upstream
usertags 553675 + status-RESOLVED resolution-INVALID

thanks

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Processed: Bug#553675 forwarded to upstream

2009-11-01T13:45:09Z

Processing commands for control@...:

> forwarded 553675 https://bugzilla.mindrot.org/show_bug.cgi?id=1670
Bug #553675 [openssh-client] openssh-client: [ssh] Send --help to stdout, not stderr
Set Bug forwarded-to-address to 'https://bugzilla.mindrot.org/show_bug.cgi?id=1670'.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#553675: openssh-client: [ssh] Send --help to stdout, not stderr

2009-11-01T12:51:46Z

Package: openssh-client
Version: 1:5.1p1-7
Severity: normal

This can be expected to appear in stderr:

$ ssh -8
sh: illegal option -- 8
usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]

But this should go to stdout, not stderr:

$ ssh --help | less

Please chnage the -help option to send text to stdout, not stderr.
See GNU cp(1), ls(1) etc.

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii adduser 3.111 add and remove users and groups
ii debconf [debconf-2.0] 1.5.27 Debian configuration management sy
ii dpkg 1.15.4 Debian package management system
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libcomerr2 1.41.9-1 common error description library
ii libedit2 2.11-20080614-1 BSD editline and history libraries
ii libgssapi-krb5-2 1.7dfsg~beta3-1 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.7dfsg~beta3-1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.7dfsg~beta3-1 MIT Kerberos runtime libraries
ii libncurses5 5.7+20090803-2 shared libraries for terminal hand
ii libssl0.9.8 0.9.8k-5 SSL shared libraries
ii passwd 1:4.1.4.2-1 change and administer password and
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility

Versions of packages openssh-client suggests:
pn keychain <none> (no description available)
pn libpam-ssh <none> (no description available)
pn ssh-askpass <none> (no description available)

-- no debconf information

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Possible problems in your Debian packages

2009-10-28T22:27:37Z

This is an automated mail. These mails are sent twice a month.
For more information about these mails, refer to
http://wiki.debian.org/qa.debian.org/DdpoByMail

=== openssh:
= There are 2 unfixed security issue(s), please fix them.
See http://security-tracker.debian.net/tracker/source-package/openssh
= 3 bug(s) that should be fixed soon:
- #513071 <http://bugs.debian.org/513071>
Regression: for some hosts etch can connect but lenny can't (password auth)
Appears to affect stable, you should fix it for the next point release
- #500568 <http://bugs.debian.org/500568>
improper IPv6 address matching for known_hosts
Part of release goal: IPv6 support
- #327443 <http://bugs.debian.org/327443>
X Forwarding broken on IPv6 systems without X11UseLocalhost
Part of release goal: IPv6 support
= Lintian reports 13 warning(s), you should consider fixing them.
See http://lintian.debian.org/maintainer/debian-ssh@...#openssh

=== Packages with a new upstream version according to DEHS:
openssh 5.3p1 (Debian: 5.1p1-8)

------------ interesting stuff probably ends here ------------
We are sorry if this mail was useless for you. If you think it was
avoidable (that we can detect easily that the problems weren't
actually problems), please reply to it and let us know.

If you don't want to receive this type of mail any more, you can reply
to this mail and use one of the following commands at the beginning of
the mail:
- unsubscribe <email>
You will no longer receive any mail for any package. If you received
this email because you are subscribed to packages on the PTS, this
won't remove your PTS subscription.
- ignore <package> <email>
You will no longer receive information about that package in those
mails. So if that package is the only one with problems, you won't
receive anything.
- ignore <bug> <email>
You will no longer receive information about this bug.

All commands are manually processed, but you will receive
confirmation. The commands are just here so that we know precisely
what you want.

A more detailed status of your packages is available from the DDPO.
See:
http://qa.debian.org/developer.php?login=debian-ssh@...

Don't hesitate to reply to this mail if you have questions or if you
believe it can be improved. The wiki page will be updated with useful
information.
--
DDPOMail,
run by Raphael Geissert

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#471849: openssh-client: drops connections with "Corrupted MAC on input." errors when loads of data get transferred

2009-10-27T20:17:15Z

On Wednesday, April 30, 2008 at 19:48:37 (+0200), Folkert van Heusden wrote:
> Ok, you're right: I swapped the networkcard for another and now all
> problems are gone. Funny thing is that both cards were broken.

It could be a systematic problem (hardware design bug/kernel bug).
What network card did you use?

Marc

--
_ _ Marc A. Donges +49 721 6904-2130
'v' Klosterweg 28 / E110
/ \ 76131 Karlsruhe
W W

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#96709: How are you doing?

2009-10-24T08:29:32Z

Need to select the smartest offers on refilles - Click for more

http://zipmyurl.com/WjjgI

"No; I agree with fortunately you there. purpose We must arm motion play
the game "And like you fill error married report her at last,
notwithstanding the

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#73611: Yes I have dental and medical lists

2009-10-23T01:15:45Z

Beat the Recession - get more new clients now.
Medical Community Contact Lists that will generate results:
Doctors, Dentists, Chiropractors, Hospitals etc..

Drop me a line here for more info & samples: Leta@...

send an email to exit@... to be taken off future mailing.

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#552047: openssh-server: ForceCommand unable to pass parameters to internal-sftp (fixed upstream)

2009-10-22T16:16:39Z

Package: openssh-server
Version: 1:5.1p1-5
Severity: important
Tags: patch

When using ForceCommand internal-sftp and you're trying to pass extra parameters, SFTP will fail
due to a bug in the special casing of internal-sftp in the ForceCommand config
directive processing.

This is particularly problematic if you're setting up a secure SFTP chroot with SFTP operations
logging and want to avoid using the external sftp-server and all the nasty chroot hacks it would
need. One of the major features of internal-sftp is easy chroot management, but without logging
its usefullness is very limited.

A fix for this is in 5.2p1, and the patch commited upstream is available here:
https://bugzilla.mindrot.org/attachment.cgi?id=1569

The upstream bug is here:
https://bugzilla.mindrot.org/show_bug.cgi?id=1527

The patch applies on top of the debian package, but I havn't got around to test it yet
(compiling..)

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-vs (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM librar
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libssl0.9.8 0.9.8g-15+lenny5 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii openssh-blackli 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-5 secure shell client, an rlogin/rsh
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility

Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)

-- debconf information:
ssh/insecure_rshd:
ssh/vulnerable_host_keys:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#117318: Come avere il Lettore BancoPosta e passare al nuovo sistema! Message-ID: <1256172226.13582.qmail@poste.it> From: "BPOL" Content-Type: text/html

Per permetterti di effettuare le tue operazioni online in assoluta sicurezza, BancoPosta ha creato per te uno strumento semplice e innovativo.

Il Lettore BancoPosta garantisce un livello di sicurezza molto elevato, perché ad ogni operazione su BancoPosta online e BancoPosta Click fornisce una nuova serie numerica che è impossibile duplicare. Il Lettore BancoPosta diventerà il nuovo strumento per operare online sul propri o conto e sostituirà gradualmente il sistema basato sul codice dispositivo composto da 10 caratteri alfanumerici.

Come avere il Lettore BancoPosta e passare al nuovo sistema

Se sei, dunque, già un cliente BancoPosta online o BancoPosta Click, sei in possesso del codice dispositivo segreto di 10 caratteri non dovrai pi. utilizzarlo.
Click qui per richiedere gratuito il Lettore Bancoposta
Cosa cambia
Dal momento in cui avrai ritirato il tuo nuovo Lettore BancoPosta potrai usarlo su BancoPosta online o BancoPosta Click per tutte le tue operazioni dispositive. Se sei in possesso del codice dispositivo segreto di 10 caratteri non dovrai più utilizzarlo.
Tutto il resto non cambia: po trai continuare ad accedere con le tue credenziali (nome utente e password) e utilizzare come sempre i servizi online del tuo conto.

2009-10-21T17:43:46Z

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#496017: Non-public channel 2, type 1.

2009-10-21T13:54:16Z
Package: openssh-server
Version: 1:5.1p1-8
Severity: normal

I'm also having this problem. Also on -L connections. Also at the
ServerKeepAliveInterval. Perhaps it is because we also
ForwardX11[Trusted].

My .ssh/config:
ControlMaster auto
ControlPath ~/.ssh/control_%h_%p_%r
HashKnownHosts no
ForwardX11 yes
StrictHostKeyChecking no
ServerAliveInterval 20
Host remotehost
HostName fully.qualified.remote.host
User username
Port >1024

And my ssh command:
ssh -L 3128:localhost:3128 remotehost

Thanks,
Jayen

-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (980, 'testing'), (960, 'stable'), (930, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii adduser 3.111 add and remove users and groups
ii debconf [debconf-2.0] 1.5.27 Debian configuration management sy
ii dpkg 1.15.3.1 Debian package management system
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libcomerr2 1.41.9-1 common error description library
ii libgssapi-krb5-2 1.7dfsg~beta3-1 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.7dfsg~beta3-1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.7dfsg~beta3-1 MIT Kerberos runtime libraries
ii libpam-modules 1.1.0-4 Pluggable Authentication Modules f
ii libpam-runtime 1.1.0-4 Runtime support for the PAM librar
ii libpam0g 1.1.0-4 Pluggable Authentication Modules l
ii libselinux1 2.0.85-4 SELinux runtime shared libraries
ii libssl0.9.8 0.9.8k-5 SSL shared libraries
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-8 secure shell client, an rlogin/rsh
ii procps 1:3.2.8-2 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility

Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
ii rssh 2.3.2-10 Restricted shell allowing scp, sft
pn ssh-askpass <none> (no description available)
pn ufw <none> (no description available)

-- debconf information:
ssh/insecure_rshd:
ssh/vulnerable_host_keys:
ssh/encrypted_host_key_but_no_keygen:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Processed: Bug #551010

2009-10-19T08:36:05Z
Processing commands for control@...:

> submitter 551010 kumba12345@...
Bug #551010 [openssh] openssh: New Feature: Add support for PKCS#11 authentication via new binary package
Changed Bug submitter to 'kumba12345@...' from 'Joshua Kinard <joshua.kinard@...>'
> retitle 551010 openssh: New Feature: Add support for PKCS#11 authentication to openssh-client
Bug #551010 [openssh] openssh: New Feature: Add support for PKCS#11 authentication via new binary package
Changed Bug title to 'openssh: New Feature: Add support for PKCS#11 authentication to openssh-client' from 'openssh: New Feature: Add support for PKCS#11 authentication via new binary package'
> stop
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

openssh 1:5.1p1-8 MIGRATED to testing

2009-10-17T09:41:15Z
FYI: The status of the openssh source package
in Debian's testing distribution has changed.

Previous version: 1:5.1p1-7
Current version: 1:5.1p1-8

--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See http://release.debian.org/testing-watch/ for more information.

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#551010: openssh: New Feature: Add support for PKCS#11 authentication via new binary package

2009-10-14T16:27:57Z
On Wed, Oct 14, 2009 at 06:08:50PM -0400, Joshua Kinard wrote:

> I did a really basic check against the DSC file and against a binary
> deb using Lintian, and only got some minor warnings back, all of which
> appear to belong to the original package anyways and are probably
> known. I think I have everything covered in this patch -- I'm not
> familiar with Debian package management, so I wasn't sure if it was
> appropriate to put a new entry in debian/changelog or even revbump the
> version string any. This patch essentially replaces
> openssh_5.1p1-8.diff.gz (I suppose it could be called
> openssh_5.1p1-9.diff.gz instead), and should contain all the changes I
> made to get this feature to work.

Oh, notwithstanding my previous comments, you should generally submit
patches as the change that would be needed to take (in this instance)
5.1p1-8 to 5.1p1-9, not as a complete new .diff.gz which is essentially
impossible to review by eye and may conflict with unreleased changes in
revision control that you don't know about.

Putting a new entry in debian/changelog is usually reasonable enough;
just make the distribution field on the first line be "UNRELEASED"
rather than "unstable".

Regards,

--
Colin Watson [cjwatson@...]

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#551010: openssh: New Feature: Add support for PKCS#11 authentication via new binary package

2009-10-14T16:24:40Z
On Wed, Oct 14, 2009 at 06:08:50PM -0400, Joshua Kinard wrote:
> The attached patch is a re-base of the openssh_5.1p1-8.diff.gz file
> for the 'openssh' source package. This patch includes patches to
> enable PKCS#11 support as a completely new binary package,
> openssh-client-pkcs11. The debian/control and debian/rules files have
> been modified to the best of my ability, and they successfully build a
> PKCS#11-enabled deb that is independent from the more common
> openssh-client deb (and everything looks intact). The openssh-server
> deb is left alone, as I haven't seen a need for the server to have
> this support in my uses (so far).

Thanks for your patch. However, I really, really, really do not want
to add new binary packages for new features. We just got away from that
with Kerberos. Adding new binary packages with different variations of
OpenSSH substantially increases the basic complexity of the packaging
(already complex) and invites combinatorial explosion. As a general rule
I do not intend to accept any patches that add new binary packages.

Can you try to load the relevant libraries dynamically instead? That
would make the packaging end of things much simpler. I realise it
involves more complex code, which is why nobody's done it yet ...

> The patches were sent upstream well over two years ago, and the bug
> associated with this feature has been constantly neglected by upstream
> for unspecified reasons. The bug, however, continues to receive
> updates to the patchset should the upstream developers ever choose to
> act on the feature. Said bug is here:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1371

While I sympathise with the difficulty of getting changes upstream, I'm
not sure that the correct workaround for this is to try to get it into
distributions instead. I do have some security background, but I'm
nowhere near as competent as upstream to review the security properties
of this patch (I see Damien Miller has made some comments, albeit
infrequent).

I'm also concerned that this adds new command-line options (what happens
if upstream decide they're going to use it for something else? We would
be pretty comprehensively screwed as far as compatibility goes) and new
agent protocol numbers (ssh-agent is not the only implementation of the
OpenSSH agent protocol out there, so what would happen if upstream used
some of the numbers in that patch for something else?). Downstream
distributions are not, as a rule, good places to be making these kinds
of changes, even though the licence entitles us to do so.

I sympathise with the goal, but I'm just not sure that it's feasible to
do it this way.

Regards,

--
Colin Watson [cjwatson@...]

--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#81619: Purchase all the software at one place.

2009-10-09T10:41:44Z
Save the link to Euro Software site if you are looking for the best place to purchase your software. Just pay for the application and download it. Free access to all updates is guaranteed.

Original software only.

http://groups.yahoo.com/group/poxoriwutiwateremu/message/1

The Summer Sale promo gives you 30% discount on
ALL software available at the Our Software Store.

Use CODE: D33W-1234 for 30% discount

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#189425: Find all the software you need at the same place.

2009-10-09T10:17:24Z
It doesn't matter whether you need software for Windows or MAC, Euro Software offers a wide selection of applications. High quality software localized in any language can be downloaded from our site.

Original software only.

http://groups.yahoo.com/group/hafifewafijezoqonu/message/1

The Summer Sale promo gives you 30% discount on
ALL software available at the Our Software Store.

Use CODE: D33W-1234 for 30% discount

--
To UNSUBSCRIBE, email to debian-ssh-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...

Bug#550262: all sessions should be slaves of a backgrounded master

2009-10-08T11:16:51Z
Package: openssh-client
Version: 1:5.1p1-8
Severity: wishlist

I think it would make a lot of sense if all sessions were slaves
with ControlMaster auto, and ssh would just start a backgrounded
master when necessary (and shut it down after a timeout when no
longer needed (#500573)). This would fix #350898 and #550260, and
kinda make #505657 obsolete.

Thanks,

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-rc6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-client depends on:
ii adduser 3.111 add and remove users and groups
ii debconf [debconf-2.0] 1.5.27 Debian configuration management sy
ii dpkg 1.15.4 Debian package management system
ii libc6 2.9-27 GNU C Library: Shared libraries
ii libcomerr2 1.41.9-1 common error description library
ii libedit2 2.11-20080614-1 BSD editline and history libraries
ii libgssapi-krb5-2 1.7dfsg~beta3-1 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.7dfsg~beta3-1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.7dfsg~beta3-1 MIT Kerberos runtime libraries
ii libncurses5 5.7+20090803-2 shared libraries for terminal hand
ii libssl0.9.8 0.9.8k-5 SSL shared libraries
ii passwd 1:4.1.4.2-1 change and administer password and
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages openssh-client recommends:
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility

Versions of packages openssh-client suggests:
ii gtk-led-askpass [ssh-askpass] 0.10-2 GTK+ password dialog suitable for
pn keychain <none> (no description available)
pn libpam-ssh <none> (no description available)

-- debconf-show failed

--
.''`. martin f. krafft <madduck@...> Related projects:
: :' : proud Debian developer http://debiansystem.info
`. `'` http://people.debian.org/~madduck http://vcs-pkg.org
`- Debian - when you have better things to do than fixing systems

digital_signature_gpg.asc (205 bytes) Download Attachment