--
Don Yakubowski
Tri-Comp Systems Ltd.
ftp://ftp2.caldera.com/pub/skunkware/osr5/shells/openssh/prngd-0.9.23-VOLS.tar
ftp://ftp2.caldera.com/pub/skunkware/osr5/shells/openssh/zlib-1.1.4-VOLS.tar
ftp://ftp2.caldera.com/pub/skunkware/osr5/shells/openssh/openssh-3.4p1-VOLS.tar
5.0.7 is running OpenSSH 3.5p1 but I'm guessing 3.5p1 should be close
enough.
Jay
I can't say I'm an expert on this, but since the zlib library deals
with compression, maybe explicitly telling sshd not to use compression
may get you working.
See what setting "Compression no" in the file /usr/local/etc/sshd_config
does.
Also I'd suggest running sshd in debug mode to see if you can get some
more verbose error messages.
Jay
I have openssh-3.4p1-2 running on a RedHat Linux 8.0 server and it works
fine.
I had installed the rs505a patches on the SCO OpenServer 5.0.5 on original
install.
I disabled COMPRESSION on the SCO server....no help
I enabled DEBUG on SSHD...here is the debug detail
./S99opensshd start
Generating host keys ... starting /usr/local/sbin/sshd... This platform does not support both privilege separation and compression
Compression disabled
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 123.123.123.1123 port 2538
debug1: Client protocol version 2.0; client software version SecureNetTerm-3.1
debug1: no match: SecureNetTerm-3.1
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,blowfish-cbc,cast128-cbc,arcfour,rijndael256-cbc,rijndael128-cbc,rijndael192-cbc
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,blowfish-cbc,cast128-cbc,arcfour,rijndael256-cbc,rijndael128-cbc,rijndael192-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-ri...@openssh.com
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-ri...@openssh.com
debug2: kex_parse_kexinit: zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-sha1
no matching comp found: client zlib server none
debug1: Calling cleanup 0x806ec94(0x0)
debug2: Network child is on pid 15566
debug1: Calling cleanup 0x806ec94(0x0)
./S99opensshd: Error 255 starting /usr/local/sbin/sshd... bailing.
Nothing jumps out for me....any ideas?
THANKS
Dale
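The "no matching comp found: client zlib server none" line in the debug output above is the SSH2 negotiation rule at work: for each algorithm class, the first entry in the client's name-list that the server also offers wins, and the client offered only zlib while sshd (compression disabled because of privilege separation) offered only none. The following is an added example, not code from the thread or from OpenSSH; the name-lists are copied from the log, and the negotiate/check_all functions are mine.

```sh
# negotiate CLIENT_LIST SERVER_LIST: both are comma-separated SSH2 name-lists
# as printed by "debug2: kex_parse_kexinit:". Prints the first client entry
# the server also offers (the SSH2 rule) and returns 0; returns 1 if none.
negotiate() {
    old_ifs=$IFS; IFS=','
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs; printf '%s\n' "$c"; return 0
            fi
        done
    done
    IFS=$old_ifs; return 1
}

# Name-lists copied from the sshd -d output in this thread (the server's
# cipher list is truncated in the log, so its cut-off rijndael tail is left out).
SERVER_KEX='diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
CLIENT_KEX='diffie-hellman-group1-sha1'
SERVER_CIPHER='aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc'
CLIENT_CIPHER='aes256-cbc,aes192-cbc,3des-cbc,aes128-cbc,blowfish-cbc,cast128-cbc,arcfour'
SERVER_MAC='hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96'
CLIENT_MAC='hmac-sha1,hmac-md5'
SERVER_COMP='none'   # sshd offers no compression (privsep warning above)
CLIENT_COMP='zlib'   # SecureNetTerm offers only zlib

# check_all walks each class and stops at the first one with no common
# entry, printing the same wording sshd uses for it.
check_all() {
    for pair in "kex:$CLIENT_KEX:$SERVER_KEX" "cipher:$CLIENT_CIPHER:$SERVER_CIPHER" \
                "mac:$CLIENT_MAC:$SERVER_MAC" "comp:$CLIENT_COMP:$SERVER_COMP"; do
        name=${pair%%:*}; rest=${pair#*:}
        c=${rest%%:*}; s=${rest#*:}
        if chosen=$(negotiate "$c" "$s"); then
            echo "$name: $chosen"
        else
            echo "no matching $name found: client $c server $s"
            return 1
        fi
    done
}

if check_all; then echo "all classes agree"; else echo "negotiation fails, as in the log"; fi
```

Adding "none" to the client's compression list (or, as suggested later in the thread, turning compression off in the client) makes the last class negotiate too.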
Well,
I did some more testing....
I can SSH from the SCO server to my RedHat server.
I can SSH from the SCO server to another RedHat server.
I can SSH from the RedHat server to the SCO server.
I can SSH from my PC to my RedHat server.
I cannot SSH from my PC to my SCO server.
I guess "debug1: no match: SecureNetTerm-3.1" means the SCO version of SSH
does not support this PC terminal emulator or I need to change a setting
somewhere.
Any suggestions??
Thanks
Dale
try turning off compression in the client? (netterm)
btw: I have never had a problem using both prngd and zlib at the same
time on any of 5.0.4, 5.0.5, and 5.0.6 using the ssh found here:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.10/openssh-3.1p1-VOLS.tar
And this script will install it automatically on 5.0.4, 5, & 6,
automatically satisfying the different prerequisites on each. It does
a *lot* of tedious stuff automatically and turns a solid half hour of
work into about 3 to 5 minutes of watching the machine work. :)
http://www.aljex.com/bkw/sco/index.html#setup_ssh
_don't_ run it on 5.0.7!
I also don't know how it would deal with an already-existing openssh
install. It only uses custom to install packages and it correctly
handles all possible cases for prngd and zlib. I'd remove the existing
openssh before running this if you wanted to try it out, but leave
Glib, zlib, and prngd alone; it will update (or avoid updating) each
of those as necessary, prompting you to OK each step.
Alternatively, at least jpr and myself have 3.5p1 binaries up that
have working compression, but I think neither of our builds uses prngd
or any of the other optional entropy-collection daemons. (Mine
doesn't.)
http://www.aljex.com/bkw/sco/index.html#ssh
ftp://ftp.jpr.com/pub/
Mine does.
| http://www.aljex.com/bkw/sco/index.html#ssh
| ftp://ftp.jpr.com/pub/
--
JP
It may work easier, but OpenSSH version 3.1 has two security advisories
that apply to it. Details are here: http://www.openssh.com/security.html.
One is a local exploit that could allow for root access. Version 3.4
currently does not have any security issues.
Dale, I agree with Alex about looking at your client settings for
Netterm. I've been using PuTTY as my windows ssh client.
(http://www.chiark.greenend.org.uk/~sgtatham/putty/)
Jay
> It may work easier, but OpenSSH version 3.1 has two security advisories
> that apply to it. Details are here: http://www.openssh.com/security.html.
> One is a local exploit that could allow for root access. Version 3.4
> currently does not have any security issues.
>
> Dale, I agree with Alex about looking at your client settings for
> Netterm. I've been using PuTTY as my windows ssh client.
> (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
>
> Jay
By the by, I really don't like PuTTY's tiny screen. Does anyone have a better
(free) alternative?
--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM aw...@egps.com
Attorney and Counselor-at-Law http://yankel.com
Economic Group Pension Services http://egps.com
Actuaries and Employee Benefit Consultants
> By the by, I really don't like PuTTY's tiny screen. Does anyone have a
> better (free) alternative?
You can change the screen size in PuTTY merely by changing the
font size in Change Settings -> Window -> Appearance.
JS
Ok guys...thanks for the suggestion on changing the settings of my
client......My client was running SSH2...when I changed it to SSH1 it worked
fine.
Thanks for the help.....
btw...I have some clients running OpenServer 5.0.4 and I would like to
install SSH on their systems as well. I did notice on the FTP site:
ftp://ftp2.caldera.com/pug/skunkware/osr5/shells/openssh that there is an
SSHD for pre-5.0.5. What does anybody know about this, and should I stay with
the packages in the OPENSSH directory and install them on all 5.0.x versions of
OpenServer?
Thanks for your suggestions
Dale Stover
>I am running SCO OpenServer 5.0.5...
>I just installed the OpenSSH from the volumes you listed. I installed
>prngd, then zlib and finally openssh. The SSHD is running but when I
>try to ssh into the server I get the following message: "no matching
>comp found: client zlib server none".
You forgot to announce the new libs.
>When I boot the system, I see "prngd" is running and "sshd" is
>listening on port 22.
>When "sshd" starts it gives the following message: "This platform does
>not support both privilege separation and compression. Compression
>disabled. done."
>Any suggestions??
That's only a warning, no error.
If you MUST have compression you have to recompile sshd
not to use "privilege separation".
But normally it is better to use "privilege separation".
Also, you may want to fix that ugly init.d script(s) skunkware installed,
so that it is made sure that prngd is really started!
There is an ugly test for an existing .pid file.
That means: if your server has crashed hard, you can't get on it because
the (invalid) pid file is still there, prohibiting prngd from starting...
no prngd, no sshd; no sshd, no login...ugly.
Very ugly, very annoying, very easy to work around, very superfluous,
because prngd is not startable twice...(And of course a
"ps -ef | grep prngd | grep -v 'grep prngd'" is a more
secure way to determine the PID for the "stop" command kill.)
>Ok guys...thanks for the suggestion on changing the settings of my
>client......My client was running SSH2...when I changed it to SSH1 it
>worked fine.
Whenever possible, use/enable (only!) SSH2.
Especially if you are going through the internet to the server.
In your trusty LAN SSH1 with NEW/patched servers might be acceptable, if
your security policy says so.
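One way to make the prngd start/stop logic survive the stale pid file described above: instead of treating the mere existence of the .pid file as "already running", check with kill -0 whether the recorded pid is still alive, and signal only a pid that was just verified rather than one grepped out of ps. This is an added example, not the skunkware script; the prngd path, socket path, pid file location and the -f (foreground) option are assumptions to adjust for your install.

```sh
# Assumed locations (not taken from the thread); adjust to your install.
PRNGD=/usr/local/sbin/prngd
PRNGD_SOCK=/var/run/egd-pool
PIDFILE=/var/run/prngd.pid

# pidfile_alive FILE: returns 0 only when FILE holds a pid whose process
# still exists (and leaves that pid in $pid). A missing or empty file, or a
# pid left behind by a hard crash, returns 1, so a stale file never blocks start.
pidfile_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# clear_stale_pidfile FILE: removes FILE unless its process is alive.
# Returns 0 when the daemon may be started, 1 when it is already running.
clear_stale_pidfile() {
    pidfile_alive "$1" && return 1
    rm -f "$1"
}

start_prngd() {
    if ! clear_stale_pidfile "$PIDFILE"; then
        echo "prngd already running as pid $pid"
        return 0
    fi
    # Assumption: -f keeps prngd in the foreground, so $! is its real pid.
    "$PRNGD" -f "$PRNGD_SOCK" &
    echo $! > "$PIDFILE" && echo "prngd started as pid $!"
}

stop_prngd() {
    # Signal only a pid that was just verified, never one grepped from ps.
    if pidfile_alive "$PIDFILE"; then
        kill "$pid" && rm -f "$PIDFILE" && echo "prngd stopped"
    else
        echo "prngd not running; removing stale pid file"
        rm -f "$PIDFILE"
    fi
}

case ${1:-} in
    start) start_prngd ;;
    stop)  stop_prngd ;;
esac
```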
> If you MUST have compression you have to recompile sshd
> not to use "privilege separation".
There's no recompilation needed. Privilege separation can be
enabled or disabled in the sshd configuration file.
JS
Why don't you just make the PuTTY screen bigger?
Add width, add lines, or make font bigger or different.
Regards...Dan.
How do you enable/use SSH2 on the SCO server? Also, will these same
libraries/volumes work on all versions of OpenServer 5.0.x ??
Thanks
Dale Stover
> How do you enable/use SSH2 on the SCO server?
I built the latest OpenSSH (and required libraries) from source
for my 5.0.4 boxes using the SCO compiler. Everything built
cleanly and easily. The documentation included with the source
will walk you through configuration.
To use it, just add a startup file to /etc/rc2.d. And don't
forget to disable telnet and ftp in inetd.conf, or the whole
exercise is kind of futile.
> Also, will these same
> libraries/volumes work on all versions of OpenServer 5.0.x ??
They *should*, although it'll probably be safer if you build your
stuff on the oldest OSR5 version you have, then install it from
there onto your boxes with newer versions. Backwards compatibility
is a lot easier to achieve than forward.
JS