OpenSSH SSH2 support

2000-05-06 Thread Kris Kennaway

I've finished merging the latest OpenSSH changes into our version (vice
versa, actually) since I'm told it's stabilized enough to be
useful. OpenSSH now has SSH2 protocol support, meaning several things:

* Support for DSA keys, removing the need to use RSA (and hence RSAREF),
so people in commercial environments in the US can now use it, and can use
>1024 bit keys
* Interoperability with at least some other SSH2 clients/servers (I don't
know how extensive yet, but I can log in using both the ssh and ssh2
ports)
* More secure protocol than the SSH1 protocol.

Unfortunately, there is no support for Kerberos 4 or OPIE (or Kerb5) in
SSH2 mode yet - hopefully these will be added soon.

Because of the extensive changes to the code since the version we
currently have, it was quite difficult to merge in all of our local fixes
- I think I've done it correctly, but can't be sure (I have no way to test
Kerberos support, for example). I'm going to try and get some of these
merged back upstream to make my life easier in the future.

I haven't yet updated the manpages, so the instructions below will install
the OpenBSD ones. Another side-effect of this patch is that it enables
OPIE login support.

I would like everyone who is able to test this to make sure it still
works for them (as well as testing the new features) - if you don't test
it now and it breaks when I import it and you go and install it on all of
your boxes, tough! Test it now! :-)

Installation instructions:

1) Grab http://www.freebsd.org/~kris/ssh2.tgz and unpack it in /usr/src

2) Apply the patch which was just unpacked into /usr/src/openssh.diff

3) make world

4) To set up sshd to do SSH2, see the docs in
crypto/openssh/README.openssh2

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <[EMAIL PROTECTED]>



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: Small MAKEDEV bug

2000-05-06 Thread Maxim Sobolev

Bruce Evans wrote:

> On Sat, 6 May 2000, Maxim Sobolev wrote:
>
> > I've just noticed that "sh MAKEDEV acd1" doesn't produce a node for acd1 due to
> > an incorrect comparison in the "while" loop. This affects both 4.0-STABLE and
> > 5.0-CURRENT. With this message I'm attaching a short patch which should solve
> > this little problem.
>
> This is the intended behaviour.  "sh MAKEDEV acdN" is supposed to create
> N acd devices, numbered from 0 to N-1.  This broken behaviour was introduced
> for cd*, mcd* and scd* in rev.1.171.  It has since spread to acd*.  Other
> types of disks are handled correctly.

How could broken behaviour be "intended"? It is unclear why *cd* devices should be
different from all other types of disk devices. Users are usually confused when
dealing with special cases like that. I think there would be no problem if it
created N+1 devices, at least until someone reimplements it correctly.

-Maxim






Re: RSA decrypt problems

2000-05-06 Thread Kris Kennaway

On Sat, 6 May 2000, Kris Kennaway wrote:

> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
> and http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

I've made these into a port, so you can just install the
converters/dumpasn1 port and save the minor trouble of editing the stupid
^Z out of the .c file and compiling it :-)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <[EMAIL PROTECTED]>






Re: RSA decrypt problems

2000-05-06 Thread Kris Kennaway

On Sat, 6 May 2000, Garrett Wollman wrote:

> I've had this problem with recent values of OpenSSL since last
> November.  I haven't gotten around to playing with permutations of the

I'm strongly suspecting something wrong with the encoding of the
certificate. Can you grab dumpasn1.c and dumpasn1.cfg from

http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
and http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

and run it on the old and new certificates to see if anything is
different?

To convert the Cert to DER:

openssl asn1parse -in file.pem -out file.der

Then:

dumpasn1 file.der

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <[EMAIL PROTECTED]>
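Kris's suggestion above is to compare the ASN.1 structure of the old and new certificates. As an added example (not code from this thread, from dumpasn1 or from OpenSSL), here is a small DER walker in Python that produces a dumpasn1-style listing, reports where two blobs diverge, and flags encodings that DER forbids; the OLD and NEW blobs are constructed samples, not real certificates, and the idea that the two certificates differ in encoding is the thread's hypothesis, not a confirmed cause.

```python
TAG_NAMES = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
             5: "NULL", 6: "OBJECT IDENTIFIER", 16: "SEQUENCE", 17: "SET",
             19: "PrintableString", 23: "UTCTime"}

def tag_name(tag):
    """Readable name for an identifier octet: universal tags by name, others as class:number."""
    cls, num = tag >> 6, tag & 0x1F
    return TAG_NAMES.get(num, f"[UNIVERSAL {num}]") if cls == 0 else f"[{cls}:{num}]"

def read_length(data, pos):
    """Decode a short- or long-form length at pos; return (length, body_pos, long_form)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1, False
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:        # indefinite or oversized lengths are not DER
        raise ValueError(f"bad length octet at offset {pos}")
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes, True

def parse_der(data, start=0, end=None, depth=0):
    """Walk the TLVs in data[start:end]; flat pre-order list of (offset, depth, tag, length, value, long_form)."""
    end = len(data) if end is None else end
    out, pos = [], start
    while pos < end:
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError(f"multi-byte tag at offset {pos} not supported")
        length, body, long_form = read_length(data, pos + 1)
        if body + length > end:
            raise ValueError(f"element at offset {pos} overruns its container")
        constructed = bool(tag & 0x20)
        out.append((pos, depth, tag, length, b"" if constructed else data[body:body + length], long_form))
        if constructed:                      # recurse into the content octets
            out.extend(parse_der(data, body, body + length, depth + 1))
        pos = body + length
    return out

def dump(data):
    """dumpasn1-style listing: offset, length, indented type name, hex of primitive values."""
    return [f"{off:4d} {ln:4d}: {'  ' * d}{tag_name(t)}" + (f" {v.hex()}" if v else "")
            for off, d, t, ln, v, _ in parse_der(data)]

def der_violations(data):
    """Flag what DER forbids: long-form lengths below 128 and INTEGERs with a redundant leading byte."""
    issues = []
    for off, _, tag, length, value, long_form in parse_der(data):
        if long_form and length < 128:
            issues.append(f"offset {off}: long-form length for {length} bytes")
        if tag == 0x02 and len(value) > 1 and ((value[0] == 0x00 and value[1] < 0x80) or
                                               (value[0] == 0xFF and value[1] >= 0x80)):
            issues.append(f"offset {off}: INTEGER has a redundant leading byte")
    return issues

def structural_diff(old, new):
    """Compare two blobs element by element, ignoring offsets so one extra byte does not mask the rest."""
    shape = lambda blob: [(d, t, ln, v) for _, d, t, ln, v, _ in parse_der(blob)]
    a, b = shape(old), shape(new)
    diffs = [f"depth {x[0]} {tag_name(x[1])}: {x[2]} bytes {x[3].hex()} -> {y[2]} bytes {y[3].hex()}"
             for x, y in zip(a, b) if x != y]
    if len(a) != len(b):
        diffs.append(f"element count {len(a)} -> {len(b)}")
    return diffs

# Constructed samples (an AlgorithmIdentifier-like SEQUENCE, not a real certificate):
# OLD is valid DER; NEW carries the same fields but INTEGER 2 is written as 00 02.
OLD = bytes.fromhex("3010" "020102" "06092a864886f70d010101" "0500")
NEW = bytes.fromhex("3011" "02020002" "06092a864886f70d010101" "0500")

if __name__ == "__main__":
    print("\n".join(dump(OLD) + structural_diff(OLD, NEW) + der_violations(NEW)))
```

The `openssl asn1parse -in file.pem -out file.der` step above yields the raw bytes to hand to dump() or structural_diff().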








Re: RSA decrypt problems

2000-05-06 Thread Steve Price

On Sat, 6 May 2000, Garrett Wollman wrote:

# I've had this problem with recent values of OpenSSL since last
# November.  I haven't gotten around to playing with permutations of the
# openssl.cnf file yet.  I tried my site certificate on various versions
# of Netscape and Exploder, and all of them failed in a similar manner,
# but `openssl s_client' worked just fine, and all the other clients
# failed identically against `openssl s_server'.  I sent a note about
# this to the OpenSSL mailing-list, and did not receive a single
# relevant response.

So what do you use as a workaround?  The openssl port?  The old
SSLeay port?  Would using DSA instead of RSA make matters better?

-steve






Re: RSA decrypt problems

2000-05-06 Thread Garrett Wollman

< said:

> FWIW, I've had a weird (perhaps related) problem, only in the
> reverse.   After creating a certificate (ie: 'make certificate' in
> apache), I was unable to connect to the server from a Netscape
> 4.72 browser.  It only told me there was a decryption error in the
> apache logs.

I've had this problem with recent values of OpenSSL since last
November.  I haven't gotten around to playing with permutations of the
openssl.cnf file yet.  I tried my site certificate on various versions
of Netscape and Exploder, and all of them failed in a similar manner,
but `openssl s_client' worked just fine, and all the other clients
failed identically against `openssl s_server'.  I sent a note about
this to the OpenSSL mailing-list, and did not receive a single
relevant response.  (I guess they're not used to people who run their
own certificate authorities.)  [This is one of the areas in which my
job requires me to play with stuff which I would not use myself for
programming-freedom reasons.  At least we don't have to pay Jim Bidzos
for the privilege]

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
[EMAIL PROTECTED]  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick





Re: rc.d startup scripts

2000-05-06 Thread Will Andrews

On Sat, May 06, 2000 at 04:15:33PM -0400, Brandon D. Valentine wrote:
> You have answered your own question.  What exists in ${PREFIX}/etc/rc.d
> are startup scripts, *not* shutdown or restart scripts.

Okay, then you think that all the ports rc.d *.sh scripts should be changed
only to allow startup, right?

> You mean our init system should look like RedHat's?  The OS is named
> Free_BSD_ because we use not only the source code from the BSD team at
> UCB, but because we practice their OS philosophy as closely as is still
> relevant to the industry.  We use BSD init, not SVR4, and I don't see
> any reason for that to be altered.

Fine, you can quote historical context to argue against doing something
similar to SVR4 init. I, however, see nothing wrong with making it easier
to manage the daemons. Of course, that does not necessarily need to go in
the rc.d scripts.

-- 
Will Andrews <[EMAIL PROTECTED]>
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++> DI+++ D+ 
G++>+++ e-> h! r-->+++ y?





Re: TCP becomes very broken just now

2000-05-06 Thread Andrey A. Chernov

On Sat, May 06, 2000 at 11:53:23PM +0200, Samuel Tardieu wrote:
> On  7/05, Andrey A. Chernov wrote:
> 
> | Some of the recent kernel TCP changes cause TCP to stop working completely,
> | i.e. any network daemon (mountd, sendmail, cfsd) started from "rc" on a
> | dialup machine hangs with a 3min "Can't connect" timeout, and user-level
> | "ppp", once started, then hangs forever without even dialing. Please fix.
> 
> Are you sure you're not using a very strict filter (deny all)? This would
> explain everything you describe :)

Yes, I use a firewall, but with the OPEN type at the "rc" stage, so "allow all"
first.  The same setup works today with a kernel built a few hours before the
recent TCP changes.  Nothing changed on my side except the kernel and modules
rebuilt from a recent cvsup.

-- 
Andrey A. Chernov
<[EMAIL PROTECTED]>
http://nagual.pp.ru/~ache/





(no subject)

2000-05-06 Thread blaine minazzi

subscribe freebsd-current





Re: Can someone explain this?

2000-05-06 Thread Jean-Marc Zucconi

> Bruce Evans writes:

 > The default of 4 for -mpreferred-stack-boundary perfectly preserves
 > any initial misalignment of the stack.  Under FreeBSD the stack is
 > initially misaligned (for doubles) with a probability of 1/2.  There
 > was some discussion of fixing this when gcc-2.95 was imported, but
 > nothing was committed.  I use the following local hack:

 > diff -c2 kern_exec.c~ kern_exec.c
 > *** kern_exec.c~ Mon May  1 15:56:40 2000
 > --- kern_exec.c  Mon May  1 15:56:42 2000
 > ***
 > *** 627,630 
 > --- 647,659 
 >  vectp = (char **)
 >  (destp - (imgp->argc + imgp->envc + 2) * sizeof(char*));
 > + 
 > +/*
 > + * Align stack to a multiple of 0x20.
 > + * XXX vectp has the wrong type; we usually want a vm_offset_t;
 > + * the suword() family takes a void *, but should take a vm_offset_t.
 > + * XXX should align stack for signals too.
 > + * XXX should do this more machine/compiler-independently.
 > + */
 > +vectp = (char **)(((vm_offset_t)vectp & ~(vm_offset_t)0x1F) - 4);
  
 >  /*
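Review bot: the comment in this hunk says the stack is aligned to a multiple of 0x20, but the expression rounds vectp down to a 32-byte boundary and then subtracts 4, so vectp itself lands 4 bytes below that boundary; the comment should say which address is meant to end up aligned, so the -4 is not read as an off-by-one. Rounding down is the safe direction, since it moves vectp away from the argument strings at destp rather than into them, but the hunk does not show that the reserved area has the up to 35 bytes of extra slack this can consume.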

Any chance that your fix could be committed? :-) The impact of misalignments
on performance is considerable. 

Jean-Marc

-- 
 Jean-Marc Zucconi    PGP Key: finger [EMAIL PROTECTED]





Re: TCP becomes very broken just now

2000-05-06 Thread Samuel Tardieu

On  7/05, Andrey A. Chernov wrote:

| Some of the recent kernel TCP changes cause TCP to stop working completely,
| i.e. any network daemon (mountd, sendmail, cfsd) started from "rc" on a
| dialup machine hangs with a 3min "Can't connect" timeout, and user-level
| "ppp", once started, then hangs forever without even dialing. Please fix.

Are you sure you're not using a very strict filter (deny all)? This would
explain everything you describe :)






Re: Can someone explain this?

2000-05-06 Thread Jean-Marc Zucconi

> Dan Nelson writes:

 > In the last episode (May 05), Jean-Marc Zucconi said:
 >> Here is something I don't understand:
 >> 
 >> $ sh -c  '/usr/bin/time  ./a.out'
 >> 2.40 real 2.38 user 0.01 sys
 >> $ /usr/bin/time  ./a.out
 >> 7.19 real 7.19 user 0.00 sys
 >> 
 >> The same program is 3 times slower in the second case. The effect is
 >> systematic but depends on the program being run. I have seen inverse
 >> behavior with another program. Using time -l, I note that this seems
 >> to be related with a higher value of 'involuntary context switches'
 >> (3 times more switches in the slower case).

 > It has to do with your stack.  Calling the program via /bin/sh sets up
 > your environment differently, so your program's stack starts at a
 > different place.  Try running this:

 > #include <stdio.h>
 >
 > int main (int argc, char **argv)
 > {
 > int i;
 > double x=2, y=2, z=2;
 > /* where the frame landed: the address shifts with the environment size */
 > printf ("%p\n", (void *)&i);
 > /* double arithmetic whose speed depends on the alignment of x, y, z */
 > for (i = 0; i < 1000; i++) z = y*x;
 > return 0;
 > }

 > Run this commandline:

 > STR= ; export STR ; while : ; do STR=z$STR ; /usr/bin/time ./a.out ; done

 > And watch your execution time flip flop every 4 runs.

OK. The effect is indeed very clear.

 > Here are some bits from the gcc infopage explaining your options if you
 > want consistent speed from programs using doubles:

 > `-mpreferred-stack-boundary=NUM'
 >  Attempt to keep the stack boundary aligned to a 2 raised to NUM
 >  byte boundary.  If `-mpreferred-stack-boundary' is not specified,
 >  the default is 4 (16 bytes or 128 bits).
 >  The stack is required to be aligned on a 4 byte boundary.  On
 >  Pentium and PentiumPro, `double' and `long double' values should be
 >  aligned to an 8 byte boundary (see `-malign-double') or suffer
 >  significant run time performance penalties.  On Pentium III, the
 >  Streaming SIMD Extension (SSE) data type `__m128' suffers similar
 >  penalties if it is not 16 byte aligned.

 > `-mno-align-double'
 >  Control whether GCC aligns `double', `long double', and `long
 >  long' variables on a two word boundary or a one word boundary.
 >  Aligning `double' variables on a two word boundary will produce
 >  code that runs somewhat faster on a `Pentium' at the expense of
 >  more memory.

 >  *Warning:* if you use the `-malign-double' switch, structures
 >  containing the above types will be aligned differently than the
 >  published application binary interface specifications for the 386.

Now the problem is that the -mpreferred-stack-boundary=NUM option does
not solve the problem :-( I still get a penalty in 50% of the cases.

Jean-Marc

-- 
 Jean-Marc Zucconi    PGP Key: finger [EMAIL PROTECTED]





Re: RSA decrypt problems

2000-05-06 Thread Kris Kennaway

On Sat, 6 May 2000, Louis A. Mamakos wrote:

> Just curious, but is there any documentation installed that describes
> what the contents of the file look like?  I went on a hunt for this
> recently, and found precious little documentation on openssl provided
> with the system.

The sample file is in /usr/src/crypto/openssl/apps/openssl.cnf - that's
about all there is in the way of documentation about that file.

As I noted in another response, OpenSSL manpages exist in
crypto/openssl/docs/{crypto,ssl} but we don't install them yet because
they conflict with system manpages and I'm waiting for the OpenSSL team to
fix them.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <[EMAIL PROTECTED]>






TCP becomes very broken just now

2000-05-06 Thread Andrey A. Chernov

Some of the recent kernel TCP changes cause TCP to stop working completely,
i.e. any network daemon (mountd, sendmail, cfsd) started from "rc" on a
dialup machine hangs with a 3min "Can't connect" timeout, and user-level
"ppp", once started, then hangs forever without even dialing. Please fix.

-- 
Andrey A. Chernov
<[EMAIL PROTECTED]>
http://nagual.pp.ru/~ache/





Odd console problem

2000-05-06 Thread Mark Knight

Under VMware 2...

With yesterday's world and kernel, between the sio1 and sbc0 kernel
messages during console boot, various characters cease to appear on the
screen (e.g. r, t, u & s).

All virtual consoles appear completely unable to display these
characters. Otherwise the system appears sane.

Booting an old April 20th Kernel is fine.

Any ideas please, before I get in too deep...?
-- 
Mark Knight   PGP Public Key: finger [EMAIL PROTECTED]





Re: Can someone explain this?

2000-05-06 Thread Bruce Evans

On Sat, 6 May 2000, Dan Nelson wrote:

> In the last episode (May 05), Jean-Marc Zucconi said:
> > Here is something I don't understand:
> > 
> > $ sh -c  '/usr/bin/time  ./a.out'
> > 2.40 real 2.38 user 0.01 sys
> > $ /usr/bin/time  ./a.out
> > 7.19 real 7.19 user 0.00 sys

> It has to do with your stack.  Calling the program via /bin/sh sets up
> your environment differently, so your program's stack starts at a
> different place.  Try running this:

> Here are some bits from the gcc infopage explaining your options if you
> want consistent speed from programs using doubles:
> 
> `-mpreferred-stack-boundary=NUM'
>  Attempt to keep the stack boundary aligned to a 2 raised to NUM
>  byte boundary.  If `-mpreferred-stack-boundary' is not specified,
>  the default is 4 (16 bytes or 128 bits).
>  The stack is required to be aligned on a 4 byte boundary.  On
>  Pentium and PentiumPro, `double' and `long double' values should be
>  aligned to an 8 byte boundary (see `-malign-double') or suffer
>  significant run time performance penalties.  On Pentium III, the
>  Streaming SIMD Extension (SSE) data type `__m128' suffers similar
>  penalties if it is not 16 byte aligned.

The default of 4 for -mpreferred-stack-boundary perfectly preserves
any initial misalignment of the stack.  Under FreeBSD the stack is
initially misaligned (for doubles) with a probability of 1/2.  There
was some discussion of fixing this when gcc-2.95 was imported, but
nothing was committed.  I use the following local hack:

diff -c2 kern_exec.c~ kern_exec.c
*** kern_exec.c~Mon May  1 15:56:40 2000
--- kern_exec.c Mon May  1 15:56:42 2000
***
*** 627,630 
--- 647,659 
vectp = (char **)
(destp - (imgp->argc + imgp->envc + 2) * sizeof(char*));
+ 
+   /*
+* Align stack to a multiple of 0x20.
+* XXX vectp has the wrong type; we usually want a vm_offset_t;
+* the suword() family takes a void *, but should take a vm_offset_t.
+* XXX should align stack for signals too.
+* XXX should do this more machine/compiler-independently.
+*/
+   vectp = (char **)(((vm_offset_t)vectp & ~(vm_offset_t)0x1F) - 4);
  
/*
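Review bot: the three XXX items in the added comment read as blockers rather than notes, in particular "XXX should align stack for signals too": a signal frame set up elsewhere keeps the 1/2 probability of misalignment, so floating-point work done in handlers sees none of the benefit. The constants 0x1F and 4 are also i386-specific in a file the last XXX itself says should be machine- and compiler-independent; an arch-provided alignment macro, with the reason for the -4 stated beside it, would let this go in without leaving a literal that other architectures have to special-case.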

Bruce






Re: rc.d startup scripts

2000-05-06 Thread Brandon D. Valentine

On Sat, 6 May 2000, Will Andrews wrote:

>Hello,
>
>I've noticed an inconsistency among our ports. It seems that not every port
>that installs rc.d startup scripts includes methods to not only startup,
>but also shutdown and/or restart, where appropriate. (Sent to -ports for
>ports hackers' opinions.)

You have answered your own question.  What exists in ${PREFIX}/etc/rc.d
are startup scripts, *not* shutdown or restart scripts.

>Shouldn't this sort of thing be standardized? And maybe a similar method be
>integrated into /etc/rc for restarting base system daemons? (Sent to
>-current for src hackers' opinions.)

You mean our init system should look like RedHat's?  The OS is named
Free_BSD_ because we use not only the source code from the BSD team at
UCB, but because we practice their OS philosophy as closely as is still
relevant to the industry.  We use BSD init, not SVR4, and I don't see
any reason for that to be altered.

BTW, I don't read -ports.

Brandon D. Valentine
-- 
[EMAIL PROTECTED] Illegitimi non carborundum.






rc.d startup scripts

2000-05-06 Thread Will Andrews

Hello,

I've noticed an inconsistency among our ports. It seems that not every port
that installs rc.d startup scripts includes methods to not only startup,
but also shutdown and/or restart, where appropriate. (Sent to -ports for
ports hackers' opinions.)

Shouldn't this sort of thing be standardized? And maybe a similar method be
integrated into /etc/rc for restarting base system daemons? (Sent to
-current for src hackers' opinions.)

Please continue specific discussion on either of these in its own list,
or if the reply is general, Cc both.

-- 
Will Andrews <[EMAIL PROTECTED]>
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB P+ L- E--- W+++ !N !o ?K w---
?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++> DI+++ D+ 
G++>+++ e-> h! r-->+++ y?





Re: Small MAKEDEV bug

2000-05-06 Thread Bruce Evans

On Sat, 6 May 2000, Maxim Sobolev wrote:

> I've just noticed that "sh MAKEDEV acd1" doesn't produce a node for acd1 due to
> an incorrect comparison in the "while" loop. This affects both 4.0-STABLE and
> 5.0-CURRENT. With this message I'm attaching a short patch which should solve
> this little problem.

This is the intended behaviour.  "sh MAKEDEV acdN" is supposed to create
N acd devices, numbered from 0 to N-1.  This broken behaviour was introduced
for cd*, mcd* and scd* in rev.1.171.  It has since spread to acd*.  Other
types of disks are handled correctly.

Bruce






Re: RSA decrypt problems

2000-05-06 Thread Louis A. Mamakos

> On Fri, 5 May 2000, Kris Kennaway wrote:
> 
> # It's not clear that you installed the openssl.cnf file before making the
> # cert - can you confirm?
> 
> Yes I did.  I put it in /etc/ssl as you suggested.

Just curious, but is there any documentation installed that describes
what the contents of the file look like?  I went on a hunt for this
recently, and found precious little documentation on openssl provided
with the system.

louie







Re: Small MAKEDEV bug

2000-05-06 Thread Jeroen Ruigrok van der Werven

-On [2506 10:40], Maxim Sobolev ([EMAIL PROTECTED]) wrote:
>-  while [ $i -lt $units ]; do
>+  while [ $i -le $units ]; do

Tested and committed to both CURRENT and 4-STABLE.

-- 
Jeroen Ruigrok van der Werven  Network- and systemadministrator
<[EMAIL PROTECTED]>VIA Net.Works The Netherlands
BSD: Technical excellence at its best  http://www.via-net-works.nl
We must all hang together, else we shall all hang separately...





Small MAKEDEV bug

2000-05-06 Thread Maxim Sobolev

Hi,

I've just noticed that "sh MAKEDEV acd1" doesn't produce a node for acd1 due to
an incorrect comparison in the "while" loop. This affects both 4.0-STABLE and
5.0-CURRENT. With this message I'm attaching a short patch which should solve
this little problem.

-Maxim


--- MAKEDEV 2000/05/06 08:25:52 1.1
+++ MAKEDEV 2000/05/06 08:26:14
@@ -795,7 +795,7 @@
fi
if [ "${units}" -le 31 ]; then
i=0
-   while [ $i -lt $units ]; do
+   while [ $i -le $units ]; do
dname=$name$i
rm -rf ${dname}* r${dname}*
mknod ${dname}a c $chr $(($i * 8)) root:operator
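Review bot: switching the test from -lt to -le makes "sh MAKEDEV acdN" create N+1 nodes, acd0 through acdN, so the argument changes meaning from a unit count to a highest unit number, and the guard two lines above, `if [ "${units}" -le 31 ]`, still bounds the old count: units=31 now produces 32 nodes. Either tighten the guard to match or document the new meaning, and apply the same change wherever else this loop is shared, which the hunk context does not show. Unrelated but visible in the context: `rm -rf ${dname}* r${dname}*` with dname=acd1 also removes acd10 through acd19 if they exist.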