[Bug 2319] [PATCH REVIEW] U2F authentication

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2319

--- Comment #21 from Damien Miller  ---
A few people have asked (well, complained) why this hasn't been
committed.

The answer is basically that:

1) It depends on a GPL library which is a licensing conflict we don't
want.

2) The spec is insufficient - we need more than "put this blob from the
library that's specified for Javascript on the wire".

3) The spec as it stands has some problems. As someone who knows more
about U2F than I do said (privately):

> The draft, as I read it, does not do any validation of the 
> username provided prior to sending a list of key handles for the
> user. This is somewhat of a security concern, since it reduces the
> "2F" in universal second factor to a single factor. Personally,
> I'm willing to overlook that one a little: if we believe attackers
> can easily get at your passwords, then this loss is a small one.
>
> The other concern I have with their approach is that it doesn't
> protect the user's privacy. The regular SSH protocol relies 
> on a leap of faith, in that neither the client nor the server
> have any way to authenticate one another the first time they're
> introduced, so one must assume that there's no attacker present
> at that time. Still, it's customary for an SSH client to generate
> a new key pair for every server it's introduced to, in order for
> one server not to be able to correlate one user with another. One
> SSH server could reveal a user's public key to another, but that
> wouldn't compromise the user's privacy: the client would not use
> the key pair for server A with server B.
>
> In U2F, the assumption is that the U2F devices themselves 
> may be storage-less. As a result, the server sends a "key
> handle" to remind the U2F device which key pair to use. The
> application parameter is a means by which the key pair is bound
> to a particular place. It's the web origin in the case of web
> authentication flows. The keys are cryptographically bound to the
> application parameter, such that no server that is associated with
> a different application parameter can exercise the key. (This
> protection relies on a trusted piece of software, i.e. the web 
> browser in the case of the web, to tell the U2F device which 
> server it is.) In this way, the key handles are safe: even if
> server A reveals the key handle for Alice to server B, server B
> can't learn that the key pair is in fact associated with an entity
> of interest to B, because B can't exercise Alice's key handle for
> server A.
> 
> By using a static application parameter, their protocol leaves
> users exposed to a new attack.

(some of the details about how SSH works wrt user key exposure in the
above are incorrect, but the broader point still stands.)

... which brings me to 4) I'm not familiar enough with U2F to review
it. 

Without a proper specification that has been reviewed by people who are
properly familiar with U2F and a way to remove the licensing conflict,
please do not expect any progress here.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
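The privacy point in the quoted analysis is easiest to see with a small model of a storage-less token. The following Python is an added example, not code from the bug, the draft patch, or OpenSSH: the device keeps one master secret and re-derives each registration's key from the key handle and the application parameter, so a handle only "works" with the application parameter it was issued under. Symmetric HMACs stand in for the ECDSA key pair of real U2F (so the server's verifier key is secret here, unlike a real public key), the handle layout and the "ssh:" application string are constructed for the demo, and the final function plays server B probing a visitor's token with a handle leaked by server A.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


class StorelessToken:
    """Model of a storage-less U2F device (example only). It holds a single master
    secret and re-derives each registration's key from (key handle, application
    parameter), so a handle is only usable with the app_param it was registered
    under. HMAC stands in for the ECDSA key pair of the real protocol."""

    def __init__(self):
        self.master = os.urandom(32)

    def _derive(self, nonce, app_param):
        # Per-registration key, cryptographically bound to the application parameter.
        return hmac.new(self.master, b"key" + nonce + app_param, hashlib.sha256).digest()

    def register(self, app_param):
        nonce = os.urandom(NONCE_LEN)
        # The handle carries the nonce plus a MAC over (nonce || app_param), so the
        # device can later check that this handle was issued for this app_param.
        tag = hmac.new(self.master, b"handle" + nonce + app_param, hashlib.sha256).digest()
        key_handle = nonce + tag
        # Real U2F returns a public key here; in this model the verifier key must
        # stay secret to the registering server.
        verify_key = self._derive(nonce, app_param)
        return key_handle, verify_key

    def authenticate(self, app_param, key_handle, challenge):
        nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        expect = hmac.new(self.master, b"handle" + nonce + app_param, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None  # handle was not issued for this app_param: device refuses
        key = self._derive(nonce, app_param)
        return hmac.new(key, app_param + challenge, hashlib.sha256).digest()


def server_verify(verify_key, app_param, challenge, response):
    """Relying-party side: check the token's response to our challenge."""
    expect = hmac.new(verify_key, app_param + challenge, hashlib.sha256).digest()
    return response is not None and hmac.compare_digest(response, expect)


def server_b_can_correlate(token, leaked_handle, app_param_b):
    """Server B holds a handle leaked by server A and probes the visiting token.
    Any non-None response tells B that this token is the one A registered."""
    return token.authenticate(app_param_b, leaked_handle, os.urandom(32)) is not None


def demo():
    token = StorelessToken()

    # Web-style U2F: every origin has its own application parameter.
    app_a = hashlib.sha256(b"https://a.example").digest()
    app_b = hashlib.sha256(b"https://b.example").digest()
    handle, vkey = token.register(app_a)
    challenge = os.urandom(32)
    legit_ok = server_verify(vkey, app_a, challenge,
                             token.authenticate(app_a, handle, challenge))
    per_origin_leak = server_b_can_correlate(token, handle, app_b)

    # The draft's approach: one static application parameter for every SSH server.
    app_ssh = hashlib.sha256(b"ssh:").digest()  # constructed placeholder value
    handle_ssh, _ = token.register(app_ssh)
    static_leak = server_b_can_correlate(token, handle_ssh, app_ssh)

    return legit_ok, per_origin_leak, static_leak
```

With per-origin parameters the token rejects Alice's handle when B presents it, so B learns nothing; with the shared static parameter the same probe succeeds and B can tell that its visitor is the account A registered, which is the correlation attack the analysis describes.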


[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
Bug 2647 depends on bug 2653, which changed state.

Bug 2653 Summary: Including files without read access in ssh configuration 
fails without error
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

   What|Removed |Added

 Status|ASSIGNED|RESOLVED
 Resolution|--- |FIXED



[Bug 2653] Including files without read access in ssh configuration fails without error

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|ASSIGNED|RESOLVED

--- Comment #2 from Damien Miller  ---
applied - thanks



[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
Bug 2647 depends on bug 2637, which changed state.

Bug 2637 Summary: GSSAPIStrictAcceptorCheck should default to 'yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=2637

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 2583] ssh-keyscan: fatal error in conread() when scanning ssh1 keys without ssh1 support

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2583

Damien Miller  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Blocks||2647
 CC||d...@mindrot.org
 Resolution|--- |FIXED

--- Comment #1 from Damien Miller  ---
Thanks, I've committed a fix that bans RSA1 keys where they are
supposed to be banned:

[djm@haru ssh]$ ssh-keyscan -t rsa1 127.0.0.1 
Unknown key type "rsa1"


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2637] GSSAPIStrictAcceptorCheck should default to 'yes'

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2637

Darren Tucker  changed:

   What|Removed |Added

   Attachment #2889|ok?(dtuc...@zip.com.au) |ok+
  Flags||



[Bug 2637] GSSAPIStrictAcceptorCheck should default to 'yes'

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2637

Damien Miller  changed:

   What|Removed |Added

 Blocks||2647


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2637] GSSAPIStrictAcceptorCheck should default to 'yes'

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2637

Damien Miller  changed:

   What|Removed |Added

 CC||d...@mindrot.org,
   ||dtuc...@zip.com.au
   Attachment #2889||ok?(dtuc...@zip.com.au)
  Flags||

--- Comment #2 from Damien Miller  ---
Comment on attachment 2889
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2889
GSSAPIStrictAcceptorCheck=yes by default

This seems reasonable to me.



[Bug 2646] zombie processes when using privilege separation

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2646

Damien Miller  changed:

   What|Removed |Added

 CC||d...@mindrot.org

--- Comment #9 from Damien Miller  ---
(In reply to Akshay from comment #7)

I think this is a bug in your init program. We could probably tell more
clearly if you include PPID in your process lists (e.g. "ps ajf").

Here is the process list from when the session is active:

> root@4871a0e3589e:/# ps auxf
> USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME
> COMMAND
> root 8  0.0  0.0  26468  3772 ?S+   01:14   0:00
> /usr/sbin/sshd -D -r

^^ this sshd process (pid=8) is listening to the network.

> root19  0.0  0.0  29028  4084 ?Ss   01:14   0:00  \_
> sshd: nsadmin [priv]

^^ this one (pid=19) is the privilege separation monitor process.

> nsadmin 21  0.0  0.0  29028  2668 ?S01:14   0:00
> \_ sshd: nsadmin@pts/0

^^ this one is the low-privilege child process.

> Later, (after login then logout)...
> 
> root@4871a0e3589e:/# ps auxf
> USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME
> COMMAND
> root 8  0.0  0.0  26468  3772 ?S+   01:14   0:00
> /usr/sbin/sshd -D -r

^^ the listener process is still here.

> nsadmin 21  0.0  0.0  0 0 ?Z01:14   0:00
> [sshd] 

This process was previously a child of the monitor process on pid=19,
but its parent has already exited, so it's not around to call waitpid()
to reap it.

In this situation, init is supposed to do the reaping since pid=21 is
clearly orphaned. See https://en.wikipedia.org/wiki/Zombie_process for
a bit more detail on how this is supposed to flow.

This might be your problem:
https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/

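To make the reaping flow described in that comment concrete, here is an added Python model; it is not part of the bug report or of OpenSSH. A "monitor" forks a "worker" and exits first without waiting, so the worker is orphaned; whoever inherits it must call waitpid() or it stays a zombie. On Linux the example asks the kernel (prctl PR_SET_CHILD_SUBREAPER) to re-parent orphans to the calling process, so the script itself plays the role of init and shows the reap loop a container's PID 1 has to run. The sleeps, the pipe used to learn the worker's PID, and the monitor/worker names are constructed for the demo.

```python
import ctypes
import os
import time

PR_SET_CHILD_SUBREAPER = 36  # Linux prctl(2) option: orphaned descendants re-parent to us


def become_subreaper():
    """Take over init's reaping role for our descendants (Linux >= 3.4 only).
    Returns False elsewhere, where orphans are re-parented to PID 1 as usual."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        return libc.prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) == 0
    except (OSError, AttributeError):
        return False


def proc_state(pid):
    """One-letter state from /proc/<pid>/stat ('Z' = zombie); None if no such entry."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            return f.read().rsplit(")", 1)[1].split()[0]
    except OSError:
        return None


def reap_all():
    """What init (or a container's PID 1) must do on SIGCHLD: wait for every exited
    child, not just one, and never block when nothing is left to collect."""
    reaped = []
    while True:
        try:
            pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:   # we have no children at all
            break
        if pid == 0:                # children exist but none has exited yet
            break
        reaped.append(pid)
    return reaped


def spawn_monitor_and_worker():
    """Reproduce the shape seen in the ps output: a 'monitor' forks a 'worker',
    then the monitor exits first without waiting for it (constructed demo)."""
    r, w = os.pipe()
    monitor = os.fork()
    if monitor == 0:
        os.close(r)
        worker = os.fork()
        if worker == 0:
            os.close(w)
            time.sleep(0.2)         # outlive the monitor, like the session child
            os._exit(0)
        os.write(w, str(worker).encode())
        os.close(w)
        os._exit(0)                 # monitor gone: the worker is now an orphan
    os.close(w)
    worker = int(os.read(r, 32))
    os.close(r)
    return monitor, worker


def demo():
    subreaper = become_subreaper()
    monitor, worker = spawn_monitor_and_worker()
    # Wait until the worker has exited: 'Z' while it sits unreaped, None once gone.
    state = proc_state(worker)
    for _ in range(500):
        if state in ("Z", None):
            break
        time.sleep(0.01)
        state = proc_state(worker)
    if state is None:
        time.sleep(0.5)             # no /proc to consult: just give the worker time
    reaped = reap_all()
    return {
        "subreaper": subreaper,
        "worker_was_zombie": state == "Z",
        "monitor_reaped": monitor in reaped,
        "worker_reaped": worker in reaped,
    }
```

Run under a real init the orphaned worker is reaped by PID 1 and never shows as `Z`; an init that lacks this loop (the Docker situation linked above) leaves it in the `[sshd] <defunct>` state shown in the report. In a process list, `ps ajf` prints the PPID column that makes the re-parenting visible.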


[Bug 2653] Including files without read access in ssh configuration fails without error

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Darren Tucker  changed:

   What|Removed |Added

   Attachment #2928|ok?(dtuc...@zip.com.au) |ok+
  Flags||



[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Damien Miller  changed:

   What|Removed |Added

 Depends on||2653


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2653
[Bug 2653] Including files without read access in ssh configuration
fails without error


[Bug 2653] Including files without read access in ssh configuration fails without error

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller  changed:

   What|Removed |Added

 Blocks||2647


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2653] Including files without read access in ssh configuration fails without error

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2653

Damien Miller  changed:

   What|Removed |Added

   Attachment #2920|0   |1
is obsolete||
 Status|NEW |ASSIGNED
   Assignee|unassigned-b...@mindrot.org |d...@mindrot.org
 CC||d...@mindrot.org,
   ||dtuc...@zip.com.au
   Attachment #2928||ok?(dtuc...@zip.com.au)
  Flags||

--- Comment #1 from Damien Miller  ---
Created attachment 2928
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2928&action=edit
fatal() on Include errors other than ENOENT

read_config_file_depth() only ever returns failure on fopen() errors,
everything else goes via fatal(), so we can simplify this a bit.

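The behaviour the fix enforces is easy to get wrong in any config loader: an Include that matches nothing should be skipped, but an include file that exists and cannot be opened must stop processing, otherwise hardening directives silently vanish. The Python below is an added example, not the attached patch or OpenSSH code: a small reader for an ssh_config-style file that expands Include globs, skips ENOENT, and treats every other open error as fatal. The depth cap value, the file names and the directive contents are constructed; a directory stands in for the unreadable file because a chmod 000 file would still open for root.

```python
import errno
import glob
import os
import tempfile

MAX_INCLUDE_DEPTH = 16  # nesting limit; the value is an assumption for this example


class ConfigError(Exception):
    """Raised where OpenSSH would call fatal()."""


def read_config(path, depth=0, out=None):
    """Read an ssh_config-style file, expanding 'Include' lines.

    A path or glob that matches nothing is skipped silently (ENOENT, as in OpenSSH);
    any other error opening an include (EACCES, EISDIR, ...) is fatal, so a
    mis-permissioned include can never be dropped without notice."""
    if out is None:
        out = []
    if depth > MAX_INCLUDE_DEPTH:
        raise ConfigError(f"{path}: Include nested too deeply")
    try:
        f = open(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return None  # missing file: nothing to read, not an error
        raise ConfigError(f"{path}: {os.strerror(e.errno)}") from e
    with f:
        for raw in f:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            if key.lower() == "include":
                for pattern in value.split():
                    matches = sorted(glob.glob(pattern))
                    if not matches:
                        matches = [pattern]  # literal path: let open() classify the error
                    for inc in matches:
                        read_config(inc, depth + 1, out)
            else:
                out.append((key, value))
    return out


def demo():
    """Constructed layout: one readable include, one glob matching nothing, then an
    include that exists but cannot be opened. Returns (parsed_ok, second_run_fatal)."""
    with tempfile.TemporaryDirectory() as d:
        main = os.path.join(d, "config")
        with open(os.path.join(d, "10-hardening"), "w") as f:
            f.write("HostKeyAlgorithms ssh-ed25519\n")
        os.mkdir(os.path.join(d, "unreadable"))  # a directory: open() fails with EISDIR
        with open(main, "w") as f:
            f.write(f"Include {d}/10-*\n"
                    f"Include {d}/missing-*\n"   # matches nothing: skipped
                    "User alice\n")
        parsed = read_config(main)
        with open(main, "a") as f:
            f.write(f"Include {d}/unreadable\n")
        try:
            read_config(main)
            fatal = False
        except ConfigError:
            fatal = True
    return parsed, fatal
```

The first pass returns both the included directive and the main file's own, and the missing glob is ignored; the second pass aborts instead of quietly producing a configuration without the include's contents.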


[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
Bug 2647 depends on bug 2654, which changed state.

Bug 2654 Summary: regress/agent-getpeereid.sh uses wrong ssh-add program
https://bugzilla.mindrot.org/show_bug.cgi?id=2654

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Damien Miller  changed:

   What|Removed |Added

 Depends on||2654


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2654
[Bug 2654] regress/agent-getpeereid.sh uses wrong ssh-add program


[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Darren Tucker  changed:

   What|Removed |Added

 Depends on||2656


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2656
[Bug 2656] Documentation does not mention "%k" as a supported token for
AuthorizedKeysCommand


[Bug 2656] Documentation does not mention "%k" as a supported token for AuthorizedKeysCommand

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2656

Darren Tucker  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 CC||dtuc...@zip.com.au
 Blocks||2647
 Status|NEW |RESOLVED

--- Comment #1 from Darren Tucker  ---
Fixed, thanks.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
Bug 2647 depends on bug 2656, which changed state.

Bug 2656 Summary: Documentation does not mention "%k" as a supported token for 
AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2656

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 2658] Make integrity tests more robust against timeouts

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2658

Darren Tucker  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #1 from Darren Tucker  ---
Applied, thanks.



[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647
Bug 2647 depends on bug 2658, which changed state.

Bug 2658 Summary: Make integrity tests more robust against timeouts
https://bugzilla.mindrot.org/show_bug.cgi?id=2658

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED



[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Darren Tucker  changed:

   What|Removed |Added

 Depends on||2658


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2658
[Bug 2658] Make integrity tests more robust against timeouts


[Bug 2658] Make integrity tests more robust against timeouts

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2658

Darren Tucker  changed:

   What|Removed |Added

 Blocks||2647
 CC||dtuc...@zip.com.au


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2659] Fix race conditions in forwarding tests

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2659

Darren Tucker  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #2 from Darren Tucker  ---
Applied, thanks.



[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Darren Tucker  changed:

   What|Removed |Added

 Depends on||2660


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2660
[Bug 2660] Create mux socket for regress in temp directory


[Bug 2660] Create mux socket for regress in temp directory

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2660

Darren Tucker  changed:

   What|Removed |Added

 Blocks||2647
 CC||dtuc...@zip.com.au


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Darren Tucker  changed:

   What|Removed |Added

 Depends on||2142


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2142
[Bug 2142] openssh sandboxing using libseccomp


[Bug 2142] openssh sandboxing using libseccomp

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2142

Darren Tucker  changed:

   What|Removed |Added

 Blocks||2647
 CC||dtuc...@zip.com.au


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release


[Bug 2647] Tracking bug for OpenSSH 7.5 release

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2647

Darren Tucker  changed:

   What|Removed |Added

 Depends on||2659


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2659
[Bug 2659] Fix race conditions in forwarding tests


[Bug 2659] Fix race conditions in forwarding tests

2017-01-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2659

Darren Tucker  changed:

   What|Removed |Added

 CC||dtuc...@zip.com.au
 Blocks||2647


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release