Re: quick informal survey: OpenSSH broken?
On Wed, Aug 01, 2001 at 08:21:14PM +0200, Jens Schweikhardt wrote:
> On Tue, Jul 31, 2001 at 03:13:58PM -0700, David O'Brien wrote:
> # On Tue, Jul 31, 2001 at 01:39:14PM -0400, Robert Watson wrote:
> # > what was going on, and given that scp doesn't support -1, was a bit of a
> # > pain.
> #
> # Brian, what about adding "-1" to SCP?
>
> I'm late in this thread, so I don't know what has been discussed before,
> but if this means to use protocol version one, scp does this already
> with
>
>   scp -o Protocol=1 ...

Yes, but that is a whole lot more to have to type than `scp -1', and
since we want to encourage people to use ssh/scp and it is typed so often,
it would be nice (and oroginal since ssh has it) to add -1 to scp.

--
-- David ([EMAIL PROTECTED])

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: quick informal survey: OpenSSH broken?
On Tue, Jul 31, 2001 at 03:13:58PM -0700, David O'Brien wrote:
# On Tue, Jul 31, 2001 at 01:39:14PM -0400, Robert Watson wrote:
# > what was going on, and given that scp doesn't support -1, was a bit of a
# > pain.
#
# Brian, what about adding "-1" to SCP?

I'm late in this thread, so I don't know what has been discussed before,
but if this means to use protocol version one, scp does this already
with

  scp -o Protocol=1 ...

That's what I use since freefall has implemented this
POLA-violation^Wnew philosophy.

Regards,

  Jens
--
Jens Schweikhardt http://www.schweikhardt.net/
SIGSIG -- signature too long (core dumped)
Re: quick informal survey: OpenSSH broken?
At 12:40 PM -0500 7/31/01, Alfred Perlstein wrote:
>* Robert Watson <[EMAIL PROTECTED]> [010731 12:39] wrote:
> > My only real observation is that with Protocol using (2) by default,
> > my logins to RELENG_4 boxes using RSA key authentication are broken.
>
>The protocol 2,1 thing should not be MFC'd. Unless you intend this to
>be your usual of breakage of ssh around -release time. :)
>
>Please keep it 1,2 at least for the time being.

I would also prefer that the default remained 1,2 for 4.4-release.
(not that the default would affect me, but I suspect that's probably
a better default for the release).

--
Garance Alistair Drosehn = [EMAIL PROTECTED]
Senior Systems Programmer or [EMAIL PROTECTED]
Rensselaer Polytechnic Institute or [EMAIL PROTECTED]
Re: quick informal survey: OpenSSH broken?
On Tue, Jul 31, 2001 at 01:39:14PM -0400, Robert Watson wrote:
> what was going on, and given that scp doesn't support -1, was a bit of a
> pain.

Brian, what about adding "-1" to SCP?
Re: quick informal survey: OpenSSH broken?
* Robert Watson <[EMAIL PROTECTED]> [010731 12:39] wrote:
> My only real observation is that with Protocol using (2) by default, my
> logins to RELENG_4 boxes using RSA key authentication are broken. If I
> stick a Protocol 1 in, it works fine, but it took me a bit to figure out
> what was going on, and given that scp doesn't support -1, was a bit of a
> pain. I haven't tried using OpenSSH 2.9 with Kerberos as yet, but that
> would be something to test. Let me know if you need access to a
> KerberosIV realm to test with.

The protocol 2,1 thing should not be MFC'd. Unless you intend this to
be your usual of breakage of ssh around -release time. :)

Please keep it 1,2 at least for the time being.

--
-Alfred Perlstein [[EMAIL PROTECTED]]
Ok, who wrote this damn function called '??'?
And why do my programs keep crashing in it?
Re: quick informal survey: OpenSSH broken?
My only real observation is that with Protocol using (2) by default, my
logins to RELENG_4 boxes using RSA key authentication are broken. If I
stick a Protocol 1 in, it works fine, but it took me a bit to figure out
what was going on, and given that scp doesn't support -1, was a bit of a
pain. I haven't tried using OpenSSH 2.9 with Kerberos as yet, but that
would be something to test. Let me know if you need access to a
KerberosIV realm to test with.

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED] NAI Labs, Safeport Network Services

On Sun, 29 Jul 2001, Brian Fundakowski Feldman wrote:

> I need to know, if OpenSSH is ever going to get MFC'ed, are there any people
> currently running OpenSSH 2.9 from -CURRENT's base and getting major
> problems with it? Or even minor ones that actually make things more
> difficult? I want to have no real outstanding issues, except simple ones
> like Protocol being set to 2,1 by default (which is a reasonable default
> nowadays), before I MFC OpenSSH, because I really don't want to leave anyone
> screwed over in the process.
>
> So let me know, ASAP, what problems you all are having with OpenSSH in
> -CURRENT, specifically in the FreeBSD-specific parts. I'm also not certain
> of KRB4 and KRB5 auth still both work properly, and need that verified.
> Thanks, everybody.
>
> --
> Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
> [EMAIL PROTECTED]`--'
Re: quick informal survey: OpenSSH broken?
At 2:02 AM -0400 7/30/01, Garance A Drosihn wrote:
>I will do some tests at home tomorrow morning, and
>let you know how it works out.

In the following:

"gilead" refers to a MacOS 10 machine in my office at work
    which is running MacOS 10.0.4 plus an update to OpenSSH
    that reports itself as
    OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
"pulse-10" is a MacOS 10 machine at home, which is running
    MacOS 10.0.4 plus Apple's "Web Sharing Update", and
    OpenSSH in that reports itself as
    OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
"f14" is the freebsd machine at home when it is running stable.
"f15" is the same machine when it is running -current.

pulse-10 -> f14:
    does not work with openssh using protocol v1
    does not work with openssh using protocol v2
    does not work with a program called NiftyTelnetSSH, which uses v1
    DOES work if I use a program called MacSSH, which uses v2
    for all three which do not work, it acts as if f14 is
    simply not running sshd.

f14 -> f14
    does work, for both ssh1 and ssh2

f14 -> pulse-10
    hrm. I forgot to write down what this did. I think it
    worked for one protocol but not for the other, but I
    don't remember for sure.

pulse-10 -> f15
    does not work with openssh using protocol v1
    does not work with openssh using protocol v2
    DOES work if I use NiftyTelnetSSH, using v1
    DOES work if I use MacSSH, using v2
    again, for the ones which didn't work, they just acted
    as if f15 was not running sshd, but obviously it was or
    the other two programs could not have connected...

f15 -> pulse-10
    works for openssh using v1
    works for openssh using v2

f14 -> gilead
    arg. again I forgot to write it down. I think that what
    happened is that I did one set of tests, copied my notes
    from home to work, and then did the second set of tests
    without re-copying my notes...

f15 -> gilead
    works for openssh using v1
    dies a horrible death for openssh using v2:
    "Disconnecting: Bad packet length -1384901965"

And just to be complete:

pulse-10 -> gilead (ie, both MacOS 10's, with different openssh's)
    openssh v1 works
    openssh v2 dies:
    "Disconnecting: Bad packet length -1741630907"

So, no matter how you slice it I seem to be able to come up with
problems going between MacOS 10 and openssh on freebsd. However,
I can't really say that openssh in -current is particularly worse
than -stable, it's just different.

Also note that I was doing these tests at 8am, which was about
three hours earlier than I had expected to be awake this morning.
So, they probably aren't as complete or as helpful as they might
have been

--
Garance Alistair Drosehn = [EMAIL PROTECTED]
Senior Systems Programmer or [EMAIL PROTECTED]
Rensselaer Polytechnic Institute or [EMAIL PROTECTED]
Re: quick informal survey: OpenSSH broken?
On Mon, 30 Jul 2001, Brian F. Feldman wrote:

>For what it's worth, I tend to simply set "Protocol 1,2" in my .ssh/config
>and for the default case, it works fine (just like it used to). I don't
>want to make that policy decision, though, because we will be better off
>when everyone moves to the protocol version 2, so it's reasonable for the
>default to make things "difficult" to encourage the switch. I support the
>OpenSSH developers' plan here.

FWIW, I do the same in my .ssh/config because I work in a heterogeneous
computing environment where my home directory is NFS automounted. Some
operating systems come with SSH daemons still installed by default as
1,2. The newer operating systems, including most of our linux installs,
are 2,1 by default. I use RSA keys to authenticate and it's easier to
just have one keypair to worry about. When every machine I use has sshv2
support and does it by default, then I'll kill the RSA keys and generate
DSA keys. It's quite annoying that systems which have 2,1 in their
sshd_config won't detect that I have RSA keys in .ssh but no DSA keys
and go ahead and select sshv1 on their own.

--
Brandon D. Valentine <[EMAIL PROTECTED]>
The very powerful and the very stupid have one thing in common.
Instead of altering their views to fit the facts, they alter the
facts to fit their views ... which can be very uncomfortable if
you happen to be one of the facts that needs altering.
- Doctor Who, "Face of Evil"
Re: quick informal survey: OpenSSH broken?
"David O'Brien" <[EMAIL PROTECTED]> wrote:
> On Sun, Jul 29, 2001 at 09:53:09PM -0400, Brian Fundakowski Feldman wrote:
> > I need to know, if OpenSSH is ever going to get MFC'ed, are there any people
> > currently running OpenSSH 2.9 from -CURRENT's base and getting major
> > problems with it? Or even minor ones that actually make things more
>
> You've never responded to requests from people asking what it would take
> to make things fall back to v1 gracefully. We all know it is a "feature"
> that with a default configuration, it will try ssh2 first and if it is
> not able to authenticate (say you have no .ssh/authorized_keys2 file) the
> connection can fail.

I don't mean to disappoint, but I don't think it will be possible to fall
back without creating modifications on both sides (both renegotiation of
connection on the server side and client side, because the protocols are
inherently different).

For what it's worth, I tend to simply set "Protocol 1,2" in my .ssh/config
and for the default case, it works fine (just like it used to). I don't
want to make that policy decision, though, because we will be better off
when everyone moves to the protocol version 2, so it's reasonable for the
default to make things "difficult" to encourage the switch. I support the
OpenSSH developers' plan here.

--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
[EMAIL PROTECTED]`--'
Re: quick informal survey: OpenSSH broken?
On Sun, Jul 29, 2001 at 09:53:09PM -0400, Brian Fundakowski Feldman wrote:
> I need to know, if OpenSSH is ever going to get MFC'ed, are there any people
> currently running OpenSSH 2.9 from -CURRENT's base and getting major
> problems with it? Or even minor ones that actually make things more

You've never responded to requests from people asking what it would take
to make things fall back to v1 gracefully. We all know it is a "feature"
that with a default configuration, it will try ssh2 first and if it is
not able to authenticate (say you have no .ssh/authorized_keys2 file) the
connection can fail.

--
-- David ([EMAIL PROTECTED])
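
Added example (not part of the original thread and not OpenSSH's own code): a small Python model of the behaviour described in this message and in the reply above it. The protocol version is chosen from the server's identification string before any key is offered, so a public-key failure afterwards has nothing to fall back to. The banners, key sets and function names are constructed for illustration, and only public-key authentication is modelled.

```python
import re

# SSH identification string: "SSH-<major>.<minor>-<software>"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")

def server_protocols(banner):
    """Protocol majors offered by a server identification string."""
    m = BANNER_RE.match(banner)
    if m is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return {1, 2}          # 1.99: protocol 2 server that also accepts 1.x
    return {major} if major in (1, 2) else set()

def select_protocol(client_pref, banner):
    """First entry of the client's Protocol list that the server offers."""
    offered = server_protocols(banner)
    return next((p for p in client_pref if p in offered), None)

def pubkey_login(client_pref, banner, server_side_keys):
    """Model one connection attempt using public-key authentication only.

    server_side_keys: protocol majors for which the account has an
    authorized key installed (an assumption of this model).
    Returns (selected_protocol, succeeded).
    """
    proto = select_protocol(client_pref, banner)
    # The version is now fixed for this connection; there is no retry
    # with the other protocol if authentication fails.
    return proto, proto is not None and proto in server_side_keys

# Constructed sample banners (not captured from real hosts).
DUAL = "SSH-1.99-OpenSSH_2.9"
V1_ONLY = "SSH-1.5-example_sshd"
V2_ONLY = "SSH-2.0-OpenSSH_2.9"

if __name__ == "__main__":
    for pref in ([2, 1], [1, 2]):
        for banner in (DUAL, V1_ONLY, V2_ONLY):
            print(pref, banner, pubkey_login(pref, banner, {1}))
```

With only a protocol 1 key installed, the `[2, 1]` order fails against a dual-protocol server while `[1, 2]` succeeds, which is the breakage reported in this thread.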
Re: quick informal survey: OpenSSH broken?
At 9:53 PM -0400 7/29/01, Brian Fundakowski Feldman wrote:
>I need to know, if OpenSSH is ever going to get MFC'ed, are there any
>people currently running OpenSSH 2.9 from -CURRENT's base and getting
>major problems with it? Or even minor ones that actually make things
>more difficult? [...]
>
>So let me know, ASAP, what problems you all are having with OpenSSH in
>-CURRENT, specifically in the FreeBSD-specific parts. I'm also not
>certain of KRB4 and KRB5 auth still both work properly, and need that
>verified. Thanks, everybody.

I have a machine at home which I dual-boot between -current and
-stable. I also have a MacOS 10 machine at home, which was running
the version of openssh that Scott Anguish had made available for
MacOS 10 (and which was newer than what Apple had put in 10.0.4).

I have had some problems ssh-ing between the two machines when the
freebsd machine is running -current, but not when it is running
-stable.

As luck would have it, I just upgraded my MacOS 10 system at home
so it has a newer version of openssh from apple, just about six
hours ago. So, I don't know if that's still a problem. I also
don't know for sure if the problem was with Scott's version for
MacOS 10, or with the version in freebsd-current.

I will do some tests at home tomorrow morning, and let you know
how it works out.

I am not using KRB4 or KRB5, both machines are just standalone
setups.

--
Garance Alistair Drosehn = [EMAIL PROTECTED]
Senior Systems Programmer or [EMAIL PROTECTED]
Rensselaer Polytechnic Institute or [EMAIL PROTECTED]
quick informal survey: OpenSSH broken?
I need to know, if OpenSSH is ever going to get MFC'ed, are there any people
currently running OpenSSH 2.9 from -CURRENT's base and getting major
problems with it? Or even minor ones that actually make things more
difficult? I want to have no real outstanding issues, except simple ones
like Protocol being set to 2,1 by default (which is a reasonable default
nowadays), before I MFC OpenSSH, because I really don't want to leave anyone
screwed over in the process.

So let me know, ASAP, what problems you all are having with OpenSSH in
-CURRENT, specifically in the FreeBSD-specific parts. I'm also not certain
of KRB4 and KRB5 auth still both work properly, and need that verified.
Thanks, everybody.

--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
[EMAIL PROTECTED]`--'