openssh 3.9 source available?

 
[SFU / Interix / SUA Technology] >> Tools Discussion Forum
openssh 3.9 source available? - Nov. 15, '04, 3:49:47 PM   
jim

 

Posts: 7
Joined: Nov. 15, '04,
Status: offline
I tried installing openssh 3.9 and had some problems getting it to accept certs. I was hoping to look at the source and see what was going wrong, but I only found the sources for 3.8.0.1 on the ftp server. 3.8.0.1 built and works fine, but I'm curious as to what the problem is with 3.9 - are the sources available? Also, there were several versions of the binary on the ftp server, but when I downloaded them, they were all identical - is that the intention?

thanks,
jim
Post #: 1
RE: openssh 3.9 source available? - Nov. 15, '04, 4:25:46 PM   
breiter

 

Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
quote:

Also, there were several versions of the binary on the ftp server, but when I downloaded them, they were all identical - is that the intention?


They pointed all of the aliases in /pkgs/3.5 to the 3.9 version of the binary. The 3.8 binaries are still available, they just moved. You have to go to /pkgs/3.5-prev to find them.

I'm not sure the reason, but I believe it was intentional. Perhaps there is a security issue that 3.9 corrects and they do not want users to install 3.8 inadvertently.

(in reply to jim)
Post #: 2
RE: openssh 3.9 source available? - Nov. 15, '04, 7:51:09 PM   
Rodney

 

Posts: 3729
Joined: Jul. 9, '02,
From: /Tools lab
Status: online
Old binaries are under pkgs/3.5-prev for many different packages at different version releases.
The symbolic links under pkgs/3.5 (which is the main release point) for all packages point to
the most current version. This serves a number of purposes. With packages that get security fixes
(such as openssh or libjpeg or ...) this avoids problems of people grabbing unfixed
binaries. If you want to grab it from pkgs/3.5-prev then it's caveat emptor.

Once things settle on a release then the current source gets placed up. There's no point floating
slightly different sources. It's more difficult to track than with binaries. The 3.9 release
happened a couple of weeks ago and we've been shaking out a few minor issues still.

If you're having a particular problem then let us know.

(in reply to breiter)
Post #: 3
RE: openssh 3.9 source available? - Nov. 16, '04, 8:59:11 AM   
jim

 

Posts: 7
Joined: Nov. 15, '04,
Status: offline
How you manage your binaries is your call, but it seems that using the aliases is going to result in wasted resources for those using ftp/mget to download the tools, not to mention the potential for confusion by having incorrectly named files.

As for the problems I was having with the 3.9 release, I couldn't get authenticated using certs. I could get in using the administrator password, regardless of the user specified to the ssh command. I read through quite a few postings from people with similar problems, but none seemed to match exactly. When I built the 3.8.0.1.2 release it worked fine. With 3.9, the log file messages appeared to indicate that the server was looking in the wrong directory for the certs, but the fact that it accepted the administrator password makes me wonder if it somehow was looking at the wrong passwd record. Given that it works fine with 3.8, can I rule out the usual problems with directory permissions or the user not having the home directory correctly set up?

(in reply to Rodney)
Post #: 4
RE: openssh 3.9 source available? - Nov. 16, '04, 11:09:13 AM   
Rodney

 

Posts: 3729
Joined: Jul. 9, '02,
From: /Tools lab
Status: online
When you installed SFU/Interix did you select that setuid should be working?

The 3.8.X series is different from the 3.9.X series in a few aspects. So I wouldn't
eliminate anything as a cause or not as a cause. Home directories should still be
setup correctly.

For whatever is happening for your installation I need some more specifics:
- what user is sshd running as?
- was it started at the command line or via a reboot?
- what is the output from the id command of the failing users?
- what is the machine's principal domain (pdomain output)?

(in reply to jim)
Post #: 5
RE: openssh 3.9 source available? - Nov. 16, '04, 11:27:15 AM   
jim

 

Posts: 7
Joined: Nov. 15, '04,
Status: offline
When I installed I did not select setuid, but I changed the registry and rebooted after reading that it was recommended for ssh. Would 3.8 work without setuid?

I started sshd from the command line when logged in via RDP as Administrator. The failures were occurring with 3.9 when I try to ssh in with -l root. The box is not part of a domain.

bash-3.00$ ps -ef | grep sshd
<nistrator 2777 1 17:06:16 - 0:00.07 /usr/local/sbin/sshd
bash-3.00$ id
uid=197108(Administrator) gid=197121(None) groups=197121(None), 65792(+Everyone), 131616(+Administrators), 131617(+Users), 66830(+REMOTE INTERACTIVE LOGON), 66820(+INTERACTIVE), 66827(+Authenticated Users), 66831(+This Organization), 4095(CurrentSession), 66048(+LOCAL), 262154(NT AUTHORITY+NTLM Authentication)
bash-3.00$ su root
bash-3.00$ id
uid=197615(root) gid=197121(None) groups=197121(None), 65792(+Everyone), 131616(+Administrators), 4095(CurrentSession), 66048(+LOCAL), 66820(+INTERACTIVE), 66827(+Authenticated Users)
bash-3.00$ pdomain
A172-23-129-130

Here's some other stuff I had originally posted in the newsgroup:
bash-3.00$ finger root
Login: root Name:
Directory: /dev/fs/C/root Shell: /usr/local/bin/bash
Never logged in.
No Mail.
No Plan.

bash-3.00$ ls -l /dev/fs/C/root/.ssh/authorized_keys
-rwxr--r--+ 1 root +Administrators 51704 Nov 10 19:08
/dev/fs/C/root/.ssh/authorized_keys

When I try to log in as root, a few strange things happen.
1) sshd appears to be looking in / for the authorized_keys file - from
messages:

Nov 13 11:14:24 testhost sshd[95]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys
Nov 13 11:14:24 testhost sshd[95]: Failed rsa for root from 172.23.112.200 port 8965815
Nov 13 11:14:24 testhost sshd[95]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys
Nov 13 11:14:24 testhost sshd[95]: Failed rsa for root from 172.23.112.200 port 8965815

Shouldn't sshd be looking in /dev/fs/C/root/.ssh/authorized_keys?


2) The password for the root account is refused, but the Administrator's password is accepted.


Shouldn't sshd be checking against the password for root?



thanks for the help,
jim

(in reply to Rodney)
Post #: 6
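What the "Authentication refused: bad ownership or modes" line in the log above actually tests, as an added Python example that is not OpenSSH's, the Interix port's or jim's code: it mimics the StrictModes walk sshd does over authorized_keys, the .ssh directory and each parent directory up to the home directory, refusing anything not owned by the user (or uid 0) or writable by group or others. The home directory layout, the modes and the key line are constructed here, and the function names are this example's own.

```python
import os
import stat
import tempfile

# Added example mimicking sshd's StrictModes ownership/mode walk over
# ~/.ssh/authorized_keys. Not OpenSSH's or the Interix port's code; the
# directory layout, modes and key line are constructed for the demo.


def _refusal(st: os.stat_result, uid: int, what: str):
    """Reason sshd would refuse, or None if owner and mode bits are acceptable."""
    if st.st_uid not in (uid, 0):          # must belong to the user or uid 0
        return f"bad ownership for {what}: owner uid {st.st_uid}, expected {uid}"
    if st.st_mode & 0o022:                  # no group/other write bits allowed
        return f"bad modes for {what}: {stat.filemode(st.st_mode)}"
    return None


def check_authorized_keys(home: str, uid: int):
    """Walk authorized_keys, .ssh and every parent up to the home directory.

    Returns None when sshd would accept the file, otherwise a reason in the
    spirit of its 'bad ownership or modes' message.
    """
    home = os.path.normpath(home)
    path = os.path.join(home, ".ssh", "authorized_keys")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"missing file {path}"
    if not stat.S_ISREG(st.st_mode):
        return f"not a regular file {path}"
    reason = _refusal(st, uid, f"file {path}")
    if reason:
        return reason
    cur = os.path.dirname(path)
    while True:
        reason = _refusal(os.stat(cur), uid, f"directory {cur}")
        if reason:
            return reason
        if os.path.normpath(cur) == home or cur == os.path.dirname(cur):
            return None                      # home (or filesystem root) checked
        cur = os.path.dirname(cur)


def build_home(root: str, home_mode=0o755, ssh_mode=0o700, keys_mode=0o600) -> str:
    """Create a constructed home directory with the given modes; return its path."""
    home = os.path.join(root, "home", "jim")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as f:
        f.write("ssh-rsa AAAAB3NzaC1yc2E... constructed-key jim@example\n")
    os.chmod(keys, keys_mode)
    os.chmod(ssh_dir, ssh_mode)
    os.chmod(home, home_mode)
    return home


def demo() -> dict:
    """Run the check over a correct layout, three broken ones and a wrong home."""
    uid = os.getuid()
    cases = {
        "ok": {},
        "group_writable_ssh": {"ssh_mode": 0o770},
        "world_writable_keys": {"keys_mode": 0o666},
        "group_writable_home": {"home_mode": 0o775},
    }
    results = {}
    for label, modes in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = check_authorized_keys(build_home(tmp, **modes), uid)
    with tempfile.TemporaryDirectory() as tmp:
        build_home(tmp)                      # keys exist, but sshd looks elsewhere
        results["wrong_home"] = check_authorized_keys(os.path.join(tmp, "nowhere"), uid)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20} {'accepted' if outcome is None else outcome}")
```

The check looks only at the POSIX owner and the mode bits, so the trailing + (an ACL) and the +Administrators group in the ls -l output above are irrelevant as long as the group and other write bits are clear. The path itself is built from the home directory of whatever account sshd resolved the login name to, so when that resolution picks a different account than the one intended, the refusal is reported against an unexpected path, which is how the /.ssh/authorized_keys lines above read.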
RE: openssh 3.9 source available? - Nov. 16, '04, 11:54:18 AM   
Rodney

 

Posts: 3729
Joined: Jul. 9, '02,
From: /Tools lab
Status: online
Okay, details make all the difference.
You are trying for a specific account named "root".
To reduce the amount of code changes to 3.9 it is now linking with libport.
Libport is designed to work with code that has UID's of 0 (zero) for root and GID's of
0 (zero) for wheel on Unix machines. It also treats the name "root" to be the same
as local administrator (because there are programs that do have this hardcoded in it).

This has been an oft-requested feature to make things more "seamless".
Obviously, in this case, it's tripping you up. What usually happens is that people
want to say "root" and get "administrator", or have renamed "administrator" to "root".
The difference here is that you created a new account named "root" which is different
than "administrator". This is the "other end of the stick", so to speak, for addressing
the concerns from the first end of the stick.

A quick work-around to this should be specifying the user name in full (domain+name).

Long-term I'll look at it auto-detecting that there is an account really named "root".
(long-term isn't too long, it just means not today for a final sol'n).

(in reply to jim)
Post #: 7
RE: openssh 3.9 source available? - Nov. 16, '04, 5:13:18 PM   
cortez_

 

Posts: 330
Joined: Mar. 27, '04,
From: Poland
Status: offline
Rodney, do I take it right that when there's an account 'root' with administrative privileges, and 'Administrator' which is the real admin, the ssh 3.9 messes it up?

I've such a setup on my machine and with ssh 3.8 it works just fine; shall I wait with upgrading to 3.9 in this case?

(in reply to Rodney)
Post #: 8
RE: openssh 3.9 source available? - Nov. 16, '04, 5:50:42 PM   
Rodney

 

Posts: 3729
Joined: Jul. 9, '02,
From: /Tools lab
Status: online
It's a "striking the balance" thing.
There were a lot of people renaming their Administrator account to "root".
I didn't know people were creating secondary accounts named "root".
Though I suppose this was the way to find people doing it

It's useful to hear that more people than just Jim are in the same
situation. This helps determine which way I was going to make a change.
So, the answer for you I guess is: 'yes', wait until later tonight. I'm
going to roll the changes I made for Brian to the main release as well.
I'll post in Announcements and here when it's up.

(in reply to cortez_)
Post #: 9
RE: openssh 3.9 source available? - Nov. 16, '04, 9:41:39 PM   
breiter

 

Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
quote:

Quote Rodney:
There were a lot of people renaming their Administrator account to "root".
I didn't know people were creating secondary accounts named "root".
Though I suppose this was the way to find people doing it


It seems to me that the UNIX "root" account has no direct equivalent in Windowsland. The equivalent power in NT has been factored into System and Administrator. Both of these accounts are built-in and have pre-defined SIDs. System can pretty much bypass all the security mechanisms of Windows but is not an interactive login. Administrator has slightly less power in that it cannot bypass locks, etc. Administrator cannot be disabled nor deleted and is an interactive login.

Of all the accounts in Windows that are interactive, Administrator most closely resembles root, which also has a predefined account and primary group ID (0:0). The Windows SID concept is much more complex than an incrementing integer. The Windows SID has a namespace component that defines the SID binary version and makes the SID globally unique among all Windows installations.

Administrator's SID is something like S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-500. The Relative ID (SID without namespace) is always 500. The only other predefined account that is potentially interactive is Guest. As a well-known SID, Administrator can be looked up via Win32 functions which I believe are defined in winnt.h, and the .NET Framework 2.0 will expose these well-known SIDs in an enumeration, WellKnownSidType. These functions allow programs to look up the Administrator account for use in defining access control lists and making security decisions without relying on its name. (This is important because one can obviously rename Administrator, and even the default name for Administrator is different in different localizations of Windows. French editions, for example, have Administrateur.)

Basically my point is that to my mind it is appropriate to rename Administrator to root either directly or by Group Policy/Local Policy. But it does not seem correct to create another account that happens to be a member of the Administrators group and name it root while expecting it to be the same as Administrator. The key distinguishing feature of Administrator is that, like root, it is the predefined administrative interactive logon with a well-known security ID.

I suggest that the best practice--if one were inclined to define a "root" account for Interix--would be to rename Administrator to root. Otherwise the "root" account will not have the well-known RID 500 and I would expect to encounter weird behaviors like the one we are discussing in this thread.

< Message edited by breiter -- Nov. 16, '04, 9:46:45 PM >

(in reply to Rodney)
Post #: 10
RE: openssh 3.9 source available? - Nov. 17, '04, 12:55:47 AM   
Rodney

 

Posts: 3729
Joined: Jul. 9, '02,
From: /Tools lab
Status: online
Just to add to Brian's comments:
Part of the security model with Interix is that the three well-known accounts
(well known because their SID's are the same on all machines) of System,
local Administrator and principal domain Administrator are allowed to do certain
actions that no other accounts are allowed to do. In essence, the privilege of doing
certain actions is restricted to a fixed set of accounts regardless of how many other
accounts may have the same privileges. This is for security (the fact that those other
accounts should never have such powers). These three accounts are tracked by their
well-known SID's/UID's so that regardless of language/locale or renaming they will
be identified correctly.
Similar to the well-known users are well-known groups. They have well-known SID's
that always map to the same UID too. Again the exact spelling will vary by language
so the SID's/UID's are or should be used. Examples are "Administrators" and "Everyone".

(in reply to breiter)
Post #: 11
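The point breiter and Rodney make in the two posts above, that the built-in accounts are identified by well-known SIDs and by RID 500 rather than by name, together with the fix Rodney proposed in post #7 (map "root" to Administrator only when no real account named root exists), as an added Python example. This is not libport's, sshd's or Interix's code: the machine SID, the account table and every RID other than the well-known 500 and 501 are constructed for the demo, and resolve_login is this example's own name for the decision.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not libport/sshd/Interix code. The machine SID, account table
# and non-well-known RIDs below are constructed for illustration.

# SIDs whose values are identical on every Windows installation.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators (BUILTIN)",
    "S-1-5-32-545": "Users (BUILTIN)",
}
ADMINISTRATOR_RID = 500   # built-in Administrator, whatever it has been renamed to
GUEST_RID = 501           # built-in Guest
ADMINISTRATORS_GROUP = "S-1-5-32-544"

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def rid(sid: str) -> int:
    """The Relative ID is the last sub-authority."""
    return parse_sid(sid)[1][-1]


def is_machine_or_domain_account(sid: str) -> bool:
    """S-1-5-21-<three 32-bit IDs>-<RID>: an account from a local SAM or a domain."""
    auth, subs = parse_sid(sid)
    return auth == 5 and len(subs) == 5 and subs[0] == 21


def is_builtin_administrator(sid: str) -> bool:
    """True for the RID-500 account of any machine or domain, regardless of name."""
    return is_machine_or_domain_account(sid) and rid(sid) == ADMINISTRATOR_RID


def describe(sid: str) -> str:
    """Classify a SID the way an identity check should: by value, never by name."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if is_builtin_administrator(sid):
        return "built-in Administrator (RID 500)"
    if is_machine_or_domain_account(sid) and rid(sid) == GUEST_RID:
        return "built-in Guest (RID 501)"
    return "ordinary account"


@dataclass(frozen=True)
class Account:
    name: str
    sid: str
    groups: Tuple[str, ...]   # SIDs of the groups the account belongs to


def in_administrators(a: Account) -> bool:
    """Group membership: grants rights, but does not make an account 'the' Administrator."""
    return ADMINISTRATORS_GROUP in a.groups


def resolve_login(requested: str, accounts: List[Account],
                  check_real_root: bool = True) -> Optional[Account]:
    """Pick the account an ssh login name refers to.

    check_real_root=False is the 3.9 behaviour as described in the thread: the
    name 'root' always means the RID-500 account. With the default, a genuine
    account named 'root' wins and the alias is only a fallback.
    """
    name = requested.lower()            # Windows account names are case-insensitive
    by_name = {a.name.lower(): a for a in accounts}
    if name == "root" and not (check_real_root and name in by_name):
        for a in accounts:
            if is_builtin_administrator(a.sid):
                return a
    return by_name.get(name)


MACHINE = "S-1-5-21-1004336348-1177238915-682003330"   # constructed machine SID


def scenario_renamed() -> List[Account]:
    """breiter's setup: Administrator renamed to root, no second root account."""
    return [Account("root", f"{MACHINE}-500", (ADMINISTRATORS_GROUP,)),
            Account("breiter", f"{MACHINE}-1001", ("S-1-5-32-545",))]


def scenario_secondary_root() -> List[Account]:
    """jim's setup: Administrator kept, an extra account named root in Administrators."""
    return [Account("Administrator", f"{MACHINE}-500", (ADMINISTRATORS_GROUP,)),
            Account("root", f"{MACHINE}-1004", (ADMINISTRATORS_GROUP,)),
            Account("jim", f"{MACHINE}-1005", ("S-1-5-32-545",))]


if __name__ == "__main__":
    for label, accts in (("renamed", scenario_renamed()),
                         ("secondary root", scenario_secondary_root())):
        for strict in (False, True):
            a = resolve_login("root", accts, check_real_root=strict)
            print(f"{label:15} check_real_root={strict!s:5} -> {a.name:14} {describe(a.sid)}")
```

Run with check_real_root=False, resolve_login reproduces what jim hit: a login as root lands on the RID-500 account even though a separate root exists, whose home directory and password are then never consulted. With the default it returns the literal account, as Rodney's proposed change would, while breiter's renamed-Administrator setup resolves to RID 500 either way. Note that both root accounts in the second scenario are members of Administrators; only one of them is the well-known account, which is the distinction Rodney draws in post #11.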
RE: openssh 3.9 source available? - Nov. 17, '04, 2:11:08 AM   
cortez_

 

Posts: 330
Joined: Mar. 27, '04,
From: Poland
Status: offline
I have left the Administrator account for backup reasons; it can never be deleted and is always available when something messes up with the root account. (I had such situations before.)
The root and Administrators have the same GIDs and effectively they have the same rights, so maybe the SSH should check if these two accounts exist and then choose which should be used.

(in reply to Rodney)
Post #: 12
RE: openssh 3.9 source available? - Nov. 17, '04, 4:06:24 AM   
Rodney

 

Posts: 3729
Joined: Jul. 9, '02,
From: /Tools lab
Status: online
quote:

The root and Administrators have the same GIDs and effectively they have the same rights, so maybe the SSH should check if these two accounts exist and then choose which should be used.


No.
This is exactly the reason I added my comments above.
The well-known accounts are different and who has which GID's doesn't matter.
Certain actions can only be done by the well-known accounts.

(in reply to cortez_)
Post #: 13
RE: openssh 3.9 source available? - Nov. 17, '04, 8:34:35 AM   
jim

 

Posts: 7
Joined: Nov. 15, '04,
Status: offline
Having root automatically map to Administrator for a ssh login is an interesting concept and I can see why it might be useful. Unfortunately, from a scripting point of view, it's one small part of a much larger picture - for example, chown root is still going to fail. Like Cortez, I created a root account as a member of the Administrators group and it seems to work pretty well. We have a mixed Linux/Windows environment and share a lot of scripts - in our case, mapping root to Administrator isn't going to work because the name root is referenced in other places besides ssh. Unless I'm missing something obvious, another sticky point in achieving script portability is the fact that chown/chgrp don't seem to default to the local host and fail unless I specify a domain or +.

(in reply to Rodney)
Post #: 14
RE: openssh 3.9 source available? - Nov. 17, '04, 10:07:39 AM   
breiter

 

Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
quote:

in our case, mapping root to Administrator isn't going to work because the name root is referenced in other places besides ssh. Unless I'm missing something obvious, another sticky point in achieving script portabilty is the fact that chown/chgrp don't seem to default to the local host and fail unless I specify a domain or +.


Maybe I'm not understanding your problem here. But what I have done is use Group or Local Policy (Computer Configuration | Windows Settings | Security Settings | Security Options | Accounts: Rename administrator account = root).

Now Administrator is named root and root has the proper well-known SID that Interix expects.

If your problem is that, for some reason, you cannot at this point reference root but have to use MACHINENAME+root then you can set the PrincipalDomain in the Registry.

Check out this other thread on user name madness.

(in reply to jim)
Post #: 15
RE: openssh 3.9 source available? - Nov. 17, '04, 11:14:17 AM   
jim

 

Posts: 7
Joined: Nov. 15, '04,
Status: offline
I'm sure this works fine if you rename the Administrator account to root, but this is not something we are going to do for other reasons that I won't go into at this time.

If the Administrator account was renamed to root, there wouldn't be any reason for the ssh modification that started this thread in the first place. The discussion was started because of problems logging in when sshd 3.9 was changed to map requests for root to Administrator instead of logging into the existing root account. My point was that if you map root to Administrator for ssh, you still end up logged in as Administrator, not root, and things like chown root are going to fail.

Thanks for the tip on setting the PrincipalDomain. If I set this key, will chgrp/chown work without having to specify a + before the name?

(in reply to breiter)
Post #: 16
RE: openssh 3.9 source available? - Nov. 17, '04, 11:24:42 AM   
cortez_

 

Posts: 330
Joined: Mar. 27, '04,
From: Poland
Status: offline
What I wanted to say is that sometimes there is a policy that for other reasons (as jim mentioned) requires having two accounts, Administrator and root. Therefore it would be good if the openssh could properly deal with such situations as the 3.8 did.

(in reply to jim)
Post #: 17
RE: openssh 3.9 source available? - Nov. 17, '04, 11:39:07 AM   
breiter

 

Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
quote:

ORIGINAL: jim
My point was that if you map root to Administrator for ssh, you still end up logged in as Administrator, not root, and things like chown root are going to fail.

OK so you have the "Administrator" account with RID 500 which is essentially the equivalent of the UNIX root account as far as Interix is concerned, regardless of what it might be named. And now you have another account named root which is a member of the Administrators group with some arbitrary SID.

If I understand this correctly, sshd 3.9 will resolve logins for root@server to the RID 500 "Administrator" without regard to how the accounts are actually named. 3.8 did not attempt to resolve root to the Administrator:500 SID. Maybe the best solution is to add a switch to sshd to optionally disable the code that maps root@server to RID 500.

In my opinion, though, this notion of having an account named root-but-not-administrator is of dubious value. Even if you choose not to call it root, Administrator is (for all intents and purposes) root. Creating another account called root doesn't make it have the full behavior of root/Administrator:500. It just creates surprising boundary scenarios where things do not behave as expected.

quote:


Thanks for the tip on setting the PrincipalDomain. If I set this key, will chgrp/chown work without having to specify a + before the name?

Yeah. My understanding is that the PrincipalDomain is automatically prepended to account names that are not fully qualified, similar to setting the "Default Domain" for authentication in IIS.

(in reply to jim)
Post #: 18
RE: openssh 3.9 source available? - Nov. 17, '04, 12:14:28 PM   
jim

 

Posts: 7
Joined: Nov. 15, '04,
Status: offline
I think the solution Rodney suggested where he checks for a local account named root before doing the mapping is the best. Putting in a switch to defeat this behavior is not a good idea with respect to backward compatibility. If you're adding some new behavior and want to make it switchable, make the switch enable the new behavior rather than risk breaking existing scripts.

You are happy with your solution of renaming the Administrator account and that's great. However, I'm not sure I completely understand the logic as to why adding a root account in the Administrators group is of dubious value. I'm brand new to SFU so I have a lot to learn, but I do know that I added my account to the Administrators group on my laptop and have never had to log in as Administrator so this isn't a Windows limitation. I also know that I use a root account in the Administrators group to run all kinds of scripts with Cygwin and it isn't a problem there either. It's entirely possible that my previous experiences won't map well to SFU, but again, mapping root to Administrator when logging in as root and renaming the Administrator account root are entirely different things.

I tried setting a PrincipalDomain registry entry and I don't see chgrp working without a +. Am I missing something?

C:\Documents and Settings\Administrator>reg query "HKLM\SOFTWARE\MICROSOFT\Services for Unix" /f PrincipalDomain

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Services for Unix
PrincipalDomain REG_SZ A172-23-129-130

bash-3.00$ chgrp Administrators test
chgrp: Administrators: Invalid group name


thanks,
jim

(in reply to breiter)
Post #: 19
RE: openssh 3.9 source available? - Nov. 17, '04, 12:57:04 PM   
breiter

 

Posts: 346
Joined: Jun. 14, '04,
From: Washington, DC
Status: offline
> However, I'm not sure I completely understand the logic as to why
> adding a root account in the Administrators group is of dubious value

I guess it's really just a matter of opinion. To me, semantically,
Administrator~=root and Administrators~=wheel. (I grant you that the
wheel comparison is not as strong because membership in Administrators
automatically grants root-like permissions without supplying a root
password and, in Interix, you can su even if you're not a member of wheel.)

Personally, I am also of the opinion that administrative accounts
should generally not be logging in via ssh. I restrict my ssh logins to
members of a Windows group that contains only accounts (using AllowGroups
and PermitRootLogin no in sshd_config(5)) that are not root nor members of
Administrators nor Power Users. These logins then have to use su to
elevate their permissions if necessary.

Here's another boundary condition that I bet will trip you up. I suspect
that su is tied to the Administrator SID. So that when you use su and
provide your root password, it won't work. Though su <username>, where root
is the username, might work for you.


> I also know that I use a root account in the Administrators group to
> run all kinds of scripts with Cygwin and it isn't a problem there
> either.

I'm not sure how closely this maps. I haven't used it in a while, but I
think Cygwin actually makes access control decisions based upon the
contents of /etc/passwd and /etc/group files and provides a utility to
synchronize or generate those files from the SAM. Whereas Interix
interacts directly with the protected NT security subsystem, sort of
like how OS X uses NetInfo.


> bash-3.00$ chgrp Administrators test
> chgrp: Administrators: Invalid group name

Hmm. Sorry I may have misunderstood your earlier question about +. I
thought you were talking about domain users and groups. I think you do
still have to use a + as part of the group name, but I don't really know why.
Maybe Rodney will clarify the historical reasons for us.
[breiter@johngalt]# chgrp +Administrators test
[breiter@johngalt]# ls -l | grep test
drwx------  1 breiter  +Administrators         0 Nov 17 12:18 test
[breiter@johngalt]# chgrp +Users test
[breiter@johngalt]# ls -l | grep test
drwx------  1 breiter  +Users         0 Nov 17 12:18 test
[breiter@johngalt]#

(in reply to jim)
Post #: 20
Forum Software © ASPPlayground.NET Advanced Edition 2.5 ANSI
