Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
On Tue, Jun 25, 2013 at 03:03:04AM +0200, Miroslav Lachman wrote:
> Jeremy Chadwick wrote:
> >On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
> >>-BEGIN PGP SIGNED MESSAGE-
> >>Hash: SHA512
> >>
> >>On 06/24/13 15:11, Miroslav Lachman wrote:
> >>[...]
> >>>The patch seems really simple and I know how to apply it, but I am
> >>>not able to compile and install only fixed sftp command instead of
> >>>the whole userland. Can you push me to the right direction?
> >>
> >>I think you can go to /usr/src/secure/usr.bin/sftp and do:
> >>
> >>make depend
> >>make
> >>
> >>Then, as root:
> >>
> >>make install
>
> Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp
>
> I tried your patch and can confirm it works for me!
>
> >>I usually do a full world build to make sure that this doesn't break
> >>something else but this change should only affect sftp(1).
> >
> >I'm going to make this real simple:
> >
> >Is the problem with symlinks in the client (sftp(1)), in the server
> >(sftp-server(8)), or both? The impression I get from the original post
> >that started this thread is that it's in the server part.
>
> No, it is the problem on the client side. The server side in all
> cases is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp
> client is broken and this bug is really fixed by patch provided by
> Xin Li.
>
> We tried OpenSSH 6.2 client side from Mac OS X and it is broken too.
> The same applies to openssh-portable from ports (openssh-portable-6.2.p2_3,1)
>
> >So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
> >However, that may not be enough, due to the fact that sftp-server(8)
> >depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
> >not know where the actual broken code lies.
> >
> >Someone on -security might know exactly what all needs to be built/what
> >commands need to be run, but I will tell you this up front:
> >
> >The official security announcements for SSL or SSH-related things have
> >historically told people to build world. I went and read the mailing
> >list archives for -security-announcements and found proof/examples of
> >this fact when issues pertain to SSL or SSH.
> >
> >My recommendation is just to build world. Don't risk it -- this is a
> >key piece of your system, all you're trying to do is save some time.
> >Don't. Just build/install world and don't screw around.
>
> I understand your concern and I will rebuild world if the patch
> changes anything in the server part, but this is really just a fix in
> sftp client command and I want to try it quickly and to have a quick
> path to go back to original version of the sftp command.
>
> This is on testing machine anyway, I will not do this on production
> machines.

Understood -- it was my misunderstanding of the issue (being on the
client side, not server side), so Xin's advice is sound. Sorry for the
noise on my part.

--
| Jeremy Chadwick                                   j...@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Jeremy Chadwick wrote:
> On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On 06/24/13 15:11, Miroslav Lachman wrote:
>> [...]
>>> The patch seems really simple and I know how to apply it, but I am
>>> not able to compile and install only fixed sftp command instead of
>>> the whole userland. Can you push me to the right direction?
>>
>> I think you can go to /usr/src/secure/usr.bin/sftp and do:
>>
>> make depend
>> make
>>
>> Then, as root:
>>
>> make install

Thank you! I didn't know I must be in /usr/src/secure/usr.bin/sftp

I tried your patch and can confirm it works for me!

>> I usually do a full world build to make sure that this doesn't break
>> something else but this change should only affect sftp(1).
>
> I'm going to make this real simple:
>
> Is the problem with symlinks in the client (sftp(1)), in the server
> (sftp-server(8)), or both? The impression I get from the original post
> that started this thread is that it's in the server part.

No, it is the problem on the client side. The server side in all
cases is good old OpenSSH 5.4 on FreeBSD 8.3. Only the newer sftp
client is broken and this bug is really fixed by patch provided by
Xin Li.

We tried OpenSSH 6.2 client side from Mac OS X and it is broken too.
The same applies to openssh-portable from ports (openssh-portable-6.2.p2_3,1)

> So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
> However, that may not be enough, due to the fact that sftp-server(8)
> depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
> not know where the actual broken code lies.
>
> Someone on -security might know exactly what all needs to be built/what
> commands need to be run, but I will tell you this up front:
>
> The official security announcements for SSL or SSH-related things have
> historically told people to build world. I went and read the mailing
> list archives for -security-announcements and found proof/examples of
> this fact when issues pertain to SSL or SSH.
>
> My recommendation is just to build world. Don't risk it -- this is a
> key piece of your system, all you're trying to do is save some time.
> Don't. Just build/install world and don't screw around.

I understand your concern and I will rebuild world if the patch
changes anything in the server part, but this is really just a fix in
sftp client command and I want to try it quickly and to have a quick
path to go back to original version of the sftp command.

This is on testing machine anyway, I will not do this on production
machines.

Miroslav Lachman

Re: FreeBSD history
On Sun, Jun 16, 2013 at 10:00 AM, Andy Farkas wrote:
> On 16/06/13 20:30, Jeremy Chadwick wrote:
> > * Output from: strings /boot/kernel/kernel | egrep ^option Thanks.
>
> I stumbled across this one about a week ago:
>
> strings /boot/kernel/kernel | head -1
>
> and was wondering about the history of where it came from / what it means.
>
> I can see it was added to Makefile.i386 in September 1998 but the commit
> comment mentions the defunct alpha port and searching SVN for things in the
> Attic is a PITA.
>

The key in the log message is that the kernel became a dynamic executable.

In order to launch typical dynamic executable kernel would actually launch dynamic linker specified in the INTERP program header in the ELF file. By default it's /libexec/ld-elf.so.1. Dynamic linker in turn would load the app and the shared libraries it requires.

Kernel is, obviously, not a typical executable. My guess is that the idea behind changing dynamic linker to /red/herring was to make it obvious that the file is not a typical app and that despite being an ELF executable, it should not be executed as a regular program. It's just a guess, though.

--Artem

Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
On Mon, Jun 24, 2013 at 03:36:24PM -0700, Xin Li wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 06/24/13 15:11, Miroslav Lachman wrote:
> [...]
> > The patch seems really simple and I know how to apply it, but I am
> > not able to compile and install only fixed sftp command instead of
> > the whole userland. Can you push me to the right direction?
>
> I think you can go to /usr/src/secure/usr.bin/sftp and do:
>
> make depend
> make
>
> Then, as root:
>
> make install
>
> I usually do a full world build to make sure that this doesn't break
> something else but this change should only affect sftp(1).

I'm going to make this real simple:

Is the problem with symlinks in the client (sftp(1)), in the server
(sftp-server(8)), or both? The impression I get from the original post
that started this thread is that it's in the server part.

So, I believe he'd want to poke about in src/secure/libexec/sftp-server.
However, that may not be enough, due to the fact that sftp-server(8)
depends (links to) libssh.so.X, libcrypt.so.X, and libcrypto.so.X. I do
not know where the actual broken code lies.

Someone on -security might know exactly what all needs to be built/what
commands need to be run, but I will tell you this up front:

The official security announcements for SSL or SSH-related things have
historically told people to build world. I went and read the mailing
list archives for -security-announcements and found proof/examples of
this fact when issues pertain to SSL or SSH.

My recommendation is just to build world. Don't risk it -- this is a
key piece of your system, all you're trying to do is save some time.
Don't. Just build/install world and don't screw around.

--
| Jeremy Chadwick                                   j...@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |

Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
On 06/24/13 15:11, Miroslav Lachman wrote:
[...]
> The patch seems really simple and I know how to apply it, but I am
> not able to compile and install only fixed sftp command instead of
> the whole userland. Can you push me to the right direction?

I think you can go to /usr/src/secure/usr.bin/sftp and do:

	make depend
	make

Then, as root:

	make install

I usually do a full world build to make sure that this doesn't break
something else but this change should only affect sftp(1).

Cheers,
--
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

Re: sshd didn't run after upgrade to FreeBSD 8.4
Scot Hetzel wrote:
On Thu, Jun 20, 2013 at 4:28 AM, Lee Dilkie wrote:
On 6/19/2013 8:24 PM, Kimmo Paasiala wrote:

Ok, this is crazy. If you put one space after the VersionAddendum keyword you get exactly what you want, an empty VersionAddendum string. If there's no space but a newline right after the VersionAddendum keyword, sshd(8) complains about the line and refuses to start.

So this is ok (without the single quotes, they are just to show the endings of the lines):

'VersionAddendum '

But this is not:

'VersionAddendum'

What are the OpenSSH devs thinking?

-Kimmo

I'd call it a bug.

crypto/openssh/servconf.c

	case sVersionAddendum:
		if (cp == NULL)
			fatal("%.200s line %d: Missing argument.", filename,
			    linenum);
		len = strspn(cp, WHITESPACE);
		if (*activep && options->version_addendum == NULL) {
			if (strcasecmp(cp + len, "none") == 0)
				options->version_addendum = xstrdup("");
			else if (strchr(cp + len, '\r') != NULL)
				fatal("%.200s line %d: Invalid argument",
				    filename, linenum);
			else
				options->version_addendum = xstrdup(cp + len);
		}
		return 0;

Looks like if you specify:

VersionAddendum none

it won't display the additional info.

Thank you for your suggestion, "none" really works. I will use it as a workaround.

I think the issue needs to be mentioned in Release Notes and/or UPDATING anyway.

Miroslav Lachman

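The parsing behaviour discussed in the message above, as an added example that is not part of the original thread or of OpenSSH: a small C model of the quoted sVersionAddendum case, run over the config lines the posters compare. The keyword split (`split_keyword`) is a simplified assumption standing in for sshd's own tokenizer, return codes replace fatal(), the `*activep` and already-set conditions are left out, and the sample addendum value is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define WHITESPACE " \t\r\n"

enum va_result { VA_OK, VA_MISSING_ARG, VA_INVALID_ARG };

/* Assumption: simplified keyword split. Ends the keyword at the first
 * whitespace and returns the rest of the line, or NULL when nothing,
 * not even a space, follows the keyword. */
static char *split_keyword(char *line)
{
	char *rest = strpbrk(line, WHITESPACE);

	if (rest == NULL)
		return NULL;
	*rest++ = '\0';
	return rest;
}

/* Follows the quoted sVersionAddendum case; fatal() becomes a return code. */
enum va_result parse_version_addendum(const char *line, char *out, size_t outlen)
{
	char buf[256];
	char *cp;
	size_t len;

	snprintf(buf, sizeof(buf), "%s", line);
	cp = split_keyword(buf);
	if (cp == NULL)
		return VA_MISSING_ARG;		/* "Missing argument." */
	len = strspn(cp, WHITESPACE);
	if (strcasecmp(cp + len, "none") == 0)
		snprintf(out, outlen, "%s", "");
	else if (strchr(cp + len, '\r') != NULL)
		return VA_INVALID_ARG;		/* "Invalid argument" */
	else
		snprintf(out, outlen, "%s", cp + len);
	return VA_OK;
}

int main(void)
{
	/* Constructed sample lines; the third value is made up. */
	const char *lines[] = { "VersionAddendum", "VersionAddendum ",
	    "VersionAddendum example-build", "VersionAddendum none" };
	char out[64];

	for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		enum va_result r = parse_version_addendum(lines[i], out, sizeof(out));
		printf("[%s] -> %s\n", lines[i],
		    r == VA_OK ? (out[0] ? out : "(empty addendum)") : "refused");
	}
	return 0;
}
```

Before restarting the daemon after an upgrade, `sshd -t` checks the real configuration file, so a line that would make sshd refuse to start is caught while the running daemon is still up.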
Re: Another bug in SSH in FreeBSD 8.4 (sftp cannot create relative symlinks)
Xin Li wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 06/21/13 16:04, Miroslav Lachman wrote:
>> 1) Is there some way to create relative symlinks with OpenSSH 6.1?
>
> No. It seems like a regression and can not be worked around. I do
> have a patch (attached; against crypto/openssh/), and my test shows
> that it would fix the problem.
>
>> 2) Was OpenSSH 6.1 tested before importing in to the base of FreeBSD
>> 8.4 release? These two bugs seem serious to me.
>
> This code is not new: it was in OpenBSD 3 years ago, and in FreeBSD
> for more than 2 years (r221420 or 2011-05-04); OpenSSH 6.1 was
> imported last September. This issue you have just raised has been
> there since FreeBSD 9.0-RELEASE.
>
> So to me it seems like that the two issues are either rarely hit by
> the general public (counting myself in: I have never used sftp to
> create symbolic link remotely and have thus learned something new
> today), or those who hit this have chosen to keep silent about it.
> Fortunately we have you noticed and reported the problem.
>
> As a community effort, we really *need* people to grab in-development
> snapshots and provide us the feedback.

I have two machines with FreeBSD 9.1, SSH version is reported as SSH-2.0-OpenSSH_5.8p2_hpn13v11 and there is no problem with empty VersionAddendum.

You are right about the second problem - sftp symlinks. They are broken on this version as well but I didn't try it before on this version.

>> 3) Is there any chance to fix these bugs in FreeBSD repository, or do
>> we need to be "bug to bug" compatible with other systems using
>> OpenSSH 6.x?
>
> I can not make a promise as I am not the maintainer. However, I have
> already reported this issue to upstream OpenBSD developers, so if this
> was accepted by the upstream, we will commit the change locally to fix
> the issue.
>
> Unfortunately, it is too late to fix this for 8.4-RELEASE, and unless
> we see widespread complaints, I don't think the problem would affect a
> significant amount of users to warrant a "errata" for supported
> release (8.4-RELEASE, 9.1-RELEASE), however, if it would be fixed, the
> fix would be merged to 8-STABLE and 9-STABLE and will be shipped with
> future releases, if the fix enters the development branch before them.

Thank you very much for your quick and kind response! I hope the fix will be accepted upstream.

The patch seems really simple and I know how to apply it, but I am not able to compile and install only fixed sftp command instead of the whole userland. Can you push me to the right direction?

Thank you again!

Miroslav Lachman

Re: FreeBSD history
On Sun, Jun 16, 2013 at 7:00 PM, Andy Farkas wrote:
> On 16/06/13 20:30, Jeremy Chadwick wrote:
>> * Output from: strings /boot/kernel/kernel | egrep ^option Thanks.
>
> I stumbled across this one about a week ago:
>
> strings /boot/kernel/kernel | head -1

It seems peter@ added this in r39818 during 1998-09-30. Perhaps he would know more?

> Is not a celebration / announcement warranted?

I've added a notice to the news page a few days ago. Thanks for the info!

--
Eitan Adler

Current problem reports assigned to freebsd-stable@FreeBSD.org
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
o i386/179112  stable     9.1 installer panics with a kmem_malloc() failure on i

1 problem total.