Call for testing: OpenSSH 7.3

[Damien Miller]

Hi,

OpenSSH 5.3 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains some
substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the
instructions at http://www.openssh.com/portable.html#cvs or
via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not
require installation and is a simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also
appreciated. Please send reports of success or failure to
openssh-...@mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 7.2
=========================

This is primarily a bugfix release.

Security
--------

* sshd(8): Mitigate a potential denial-of-service attack against
the system's crypt(3) function via sshd(8). An attacker could
send very long passwords that would cause excessive CPU use in
crypt(3). sshd(8) now refuses to accept password authentication
requests of length greater than 1024 characters. Independently
reported by Tomas Kuthan (Oracle) and curesec via coredump at
autistici.org.

* sshd(8): Mitigate timing differences in password authentication
that could be used to discern valid from invalid account names
when long passwords were sent and particular password hashing
algorithms are in use on the server. CVE-2016-6210, reported by
EddieEzra.Harari at verint.com

* ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
are disabled by default and only included for legacy compatibility.

* ssh(1), sshd(8): Improve ordering ordering of MAC verification for
Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
MAC before decrypting any ciphertext. This removes the possibility
of timing differences leaking facts about the plaintext, though no
such leakage has been observed. Reported by Jean Paul Degabriele,
Kenny Paterson, Torben Hansen and Martin Albrecht.

* sshd(8): (portable only) Ignore PAM environment vars when
UseLogin=yes. If PAM is configured to read user-specified
environment variables and UseLogin=yes in sshd_config, then a
hostile local user may attack /bin/login via LD_PRELOAD or
similar environment variables set via PAM. CVE-2015-8325,
found by Shayan Sadigh.

New Features
------------

* ssh(1): Add a ProxyJump option and corresponding -J command-line
flag to allow simplified indirection through a one or more SSH
bastions or "jump hosts".

* ssh(1): Add an IdentityAgent option to allow specifying specific
agent sockets instead of accepting one from the environment.

* ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
optionally overridden when using ssh -W. bz#2577

* ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
per draft-sgtatham-secsh-iutf8-00.

* ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.

* ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
signatures in certificates;

* ssh(1): Add an Include directive for ssh_config(5) files.

* ssh(1): Permit UTF-8 characters in pre-authentication banners sent
from the server. bz#2058

Bugfixes
--------

* ssh(1), sshd(8): Reduce the syslog level of some relatively common
protocol events from LOG_CRIT. bz#2585

* sshd(8): Refuse AuthenticationMethods="" in configurations and
accept AuthenticationMethods=any for the default behaviour of not
requiring multiple authentication. bz#2398

* sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

* ssh(1): Close ControlPersist background process stderr except
in debug mode or when logging to syslog. bz#1988

* misc: Make PROTOCOL description for direct-st...@openssh.com
channel open messages match deployed code. bz#2529

* ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
failures when both ExitOnForwardFailure and hostname
canonicalisation are enabled. bz#2562

* sshd(8): Remove fallback from moduli to obsolete "primes" file
that was deprecated in 2001. bz#2559.

* sshd_config(5): Correct description of UseDNS: it affects ssh
hostname processing for authorized_keys, not known_hosts; bz#2554

* ssh(1): Fix authentication using lone certificate keys in an agent
without corresponding private keys on the filesystem. bz#2550

* sshd(8): Send ClientAliveInterval pings when a time-based
RekeyLimit is set; previously keepalive packets were not being
sent. bz#2252

Portability
-----------

* ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
not supported by OpenSSL. bz#2466

* misc: Fix compilation failures on some versions of AIX's compiler
related to the definition of the VA_COPY macro. bz#2589

* sshd(8): Whitelist more architectures to enable the seccomp-bpf
sandbox. bz#2590

* ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
using setpflags(__PROC_PROTECT, ...). bz#2584

* sshd(8): On Solaris, don't call Solaris setproject() with
UsePAM=yes it's PAM's responsibility. bz#2425

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[The Doctor]

On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing

^

Huh?

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Language is the source of misunderstandings. -Antoine de Saint-Exupery

[Damien Miller]

On Fri, 22 Jul 2016, Damien Miller wrote:

> Hi,
>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing

s/5.3/7.3/ and I'd better get myself another cup of tea

[Darren Tucker]

On Fri, Jul 22, 2016 at 2:51 PM, The Doctor <doc...@doctor.nl2k.ab.ca> wrote:
> On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:

[...]

>> OpenSSH 5.3 is almost ready for release, so we would appreciate testing

> ^
> Huh?

Either a clone of Damien has been frozen Austin Powers style since
2009 and has only just been thawed out or maybe it was a typo. Tough
to tell.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Damien Miller]

On Fri, 22 Jul 2016, Darren Tucker wrote:

> On Fri, Jul 22, 2016 at 2:51 PM, The Doctor <doc...@doctor.nl2k.ab.ca> wrote:
> > On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:
> [...]
> >> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> > ^
> > Huh?
>
> Either a clone of Damien has been frozen Austin Powers style since
> 2009 and has only just been thawed out or maybe it was a typo. Tough
> to tell.

More like Encino Man

[The Doctor]

On Fri, Jul 22, 2016 at 04:53:46PM +1000, Damien Miller wrote:
> On Fri, 22 Jul 2016, Darren Tucker wrote:
>
> > On Fri, Jul 22, 2016 at 2:51 PM, The Doctor <doc...@doctor.nl2k.ab.ca> wrote:
> > > On Fri, Jul 22, 2016 at 02:40:04PM +1000, Damien Miller wrote:
> > [...]
> > >> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> > > ^
> > > Huh?
> >
> > Either a clone of Damien has been frozen Austin Powers style since
> > 2009 and has only just been thawed out or maybe it was a typo. Tough
> > to tell.
>
> More like Encino Man

FreeBSD 10.3 amd64 Openssl 1.0.2i-dev checks out no problem

What is happening to openssl 1.1 suppolrt?

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-...@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism
Language is the source of misunderstandings. -Antoine de Saint-Exupery

[Damien Miller]

On Fri, 22 Jul 2016, The Doctor wrote:

> > More like Encino Man
>
> FreeBSD 10.3 amd64 Openssl 1.0.2i-dev checks out no problem
>
> What is happening to openssl 1.1 suppolrt?

No progress yet - it's quite a bit of work as they APIs are quite different.

I hope to look at it in the next release.

-d

[C0r3dump3d]

Hi, I have tested the mitigation timing differences in password
authentication (CVE-2016-6210). I have compiled
openssh-SNAP-20160722.tar.gz in a Debian 8 and use my tool Osueta
(https://github.com/c0r3dump3d/osueta) against the system.

Ok, I have seen that you calculate all the password hash exist or not
exist the user, and with this you can not discriminate the presence or
absence of that user, but now it's more easy to establish the DOS
condition in the access to the Openssh server and exhausting the CPU
resources, any dummy user it can be used!

For example:

osueta -H 192.168.100.204 -U asdf -v no -d 15 -p 22 --dos yes -t 40

Users found Time delay in seconds
--------------------------------------
asdf 27

I have attached screenshots with the CPU resource exhaustion and the DOS
in the access to the Openssh server.

The test machine it's a Debian 8 VM in KVM with 4 Core and 2GB of RAM.

For CVE-2016-6210 user enumeration really it's mitigate but for the
problem of DOS as I say seems much easier to exploit!!

Regards.

Andres Rojas
http://www.devconsole.info

El 22/07/16 a las 06:40, Damien Miller escribió:
> Hi,

>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing

> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>

> _______________________________________________

[Corinna Vinschen]

On Jul 22 14:40, Damien Miller wrote:
> Hi,
>

> OpenSSH 7.3 is almost ready for release, so we would appreciate testing

This version doesn't build on Cygwin anymore. The reason is that
various configure tests fail.

The culprit is the new definition of IPPORT_RESERVED to 0 in configure.ac.

After setting this value in configure, confdefs.h contains

#define IPPORT_RESERVED 0

netinet/in.h defines IPPORT_RESERVED as enum, just as on other systems:

enum
{
[...]
IPPORT_RESERVED = 1024,
[...]
};

Since confdefs.h is evaluated *before* including any headers during
configure, we have the following situation:

#define IPPORT_RESERVED 0
#include <netinet/in.h>
--> enum { IPPORT_RESERVED = 1024 };

which evaluates to

enum { 0 = 1024 };

which then leads to a compiler error:

conftest.c:66:25: error: expected identifier before numeric constant

and thus to a broken configuration.

The same problem occurs when trying to build the source since config.h
is included via includes.h prior to the system headers.

So the simplification from NO_IPPORT_RESERVED_CONCEPT to just
defining IPPORT_RESERVED as 0 doesn't work as desired.

Can we revert this to the former NO_IPPORT_RESERVED_CONCEPT, please?

I created the below patch which is less intrusive than the original
patch. I tested that it works as desired and OpenSSH 7.3 builds
on Cygwin.

I have not *tested* OpenSSH7.3 on Cygwin yet. I'll report back in a
followup mail.


Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

[Darren Tucker]

On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <core...@autistici.org> wrote:
> but now it's more easy to establish the DOS
> condition in the access to the Openssh server and exhausting the CPU
> resources, any dummy user it can be used!

The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
unfortunately made in the time after the code to cap the password size
at 1k was committed to OpenBSD
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-passwd.c.diff?r1=1.44&r2=1.45)
but before it was synced into -Portable
(https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97).
As a result your very large password strings are still making it into
crypt(3).

Please either grab the code directly from git (you'll need to run
"autoreconf" yourself) or try tomorrow's snapshot and retest it.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Corinna Vinschen]

All tests pass on current Cygwin with this patch applied.

[Darren Tucker]

On Fri, Jul 22, 2016 at 12:05:53PM +0200, Corinna Vinschen wrote:
[...]

> This version doesn't build on Cygwin anymore. The reason is that
> various configure tests fail.
>
> The culprit is the new definition of IPPORT_RESERVED to 0 in configure.ac.

Sigh.

How about putting it in defines.h instead? includes.h includes
netinet/in.h from whence the definition of IPPORT_RESERVED is, on Cygwin
at least, seems to be protected against multiple inclusion. Putting it
there means only one definition in a file that we don't sync with OpenBSD.

diff --git a/configure.ac b/configure.ac
index 21ef389..2cd6a6f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -589,8 +589,9 @@ case "$host" in
[Define if you want to disable shadow passwords])
AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
[Define if X11 doesn't support AF_UNIX sockets on that system])
- AC_DEFINE([IPPORT_RESERVED], [0],
- [Cygwin has no notion of ports only accessible to superusers])
+ AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1],
+ [Define if the concept of ports only accessible to
+ superusers isn't known])
AC_DEFINE([DISABLE_FD_PASSING], [1],
[Define if your platform needs to skip post auth
file descriptor passing])
diff --git a/defines.h b/defines.h
index a438ddd..c099df6 100644
--- a/defines.h
+++ b/defines.h
@@ -43,6 +43,17 @@ enum
#endif

/*
+ * Cygwin doesn't really have a notion of reserved ports but for backward
+ * compatibility they define it to 1024 in netinet/in.h inside an enum. We
+ * don't actually want that restriction so we want to set that to zero, but
+ * we can't do it direct in config.h because it'll cause a conflicting
+ * definition the first time we include netinet/in.h.
+ */
+#ifdef NO_IPPORT_RESERVED_CONCEPT
+#define IPPORT_RESERVED 0
+#endif
+
+/*
* Definitions for IP type of service (ip_tos)
*/
#include <netinet/in_systm.h>

[C0r3dump3d]

Hi, I have tried the git version and now it's Ok, no user enumeration
and no DOS!!

If it's possible for the credits of the bug please include my partner
and me:

Andres Rojas -- core...@autistici.org
Javier Nieto -- jni...@gmail.com

Thank you very much



El 22/07/16 a las 12:23, Darren Tucker escribió:

> On Fri, Jul 22, 2016 at 7:05 PM, C0r3dump3d <core...@autistici.org> wrote:
>> but now it's more easy to establish the DOS
>> condition in the access to the Openssh server and exhausting the CPU
>> resources, any dummy user it can be used!
>
> The snapshot you're using (openssh-SNAP-20160722.tar.gz) was
> unfortunately made in the time after the code to cap the password size
> at 1k was committed to OpenBSD
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-passwd.c.diff?r1=1.44&r2=1.45)
> but before it was synced into -Portable
> (https://anongit.mindrot.org/openssh.git/commit/?id=fcd135c9df440bcd2d5870405ad3311743d78d97).
> As a result your very large password strings are still making it into
> crypt(3).
>
> Please either grab the code directly from git (you'll need to run
> "autoreconf" yourself) or try tomorrow's snapshot and retest it.
>

[Corinna Vinschen]

On Jul 22 21:37, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 12:05:53PM +0200, Corinna Vinschen wrote:
> [...]
> > This version doesn't build on Cygwin anymore. The reason is that
> > various configure tests fail.
> >
> > The culprit is the new definition of IPPORT_RESERVED to 0 in configure.ac.
>
> Sigh.
>
> How about putting it in defines.h instead? includes.h includes
> netinet/in.h from whence the definition of IPPORT_RESERVED is, on Cygwin
> at least, seems to be protected against multiple inclusion. Putting it
> there means only one definition in a file that we don't sync with OpenBSD.

Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
what about getting rid of the configure stuff entirely?

Tested counterproposal:

diff --git a/configure.ac b/configure.ac
index 21ef389..e64386f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -589,8 +589,6 @@ case "$host" in

[Define if you want to disable shadow passwords])
AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
[Define if X11 doesn't support AF_UNIX sockets on that system])
- AC_DEFINE([IPPORT_RESERVED], [0],
- [Cygwin has no notion of ports only accessible to superusers])

AC_DEFINE([DISABLE_FD_PASSING], [1],
[Define if your platform needs to skip post auth
file descriptor passing])
diff --git a/defines.h b/defines.h

index a438ddd..d1ad6a7 100644

--- a/defines.h
+++ b/defines.h
@@ -43,6 +43,17 @@ enum
#endif

/*
+ * Cygwin doesn't really have a notion of reserved ports but for backward
+ * compatibility they define it to 1024 in netinet/in.h inside an enum. We
+ * don't actually want that restriction so we want to set that to zero, but
+ * we can't do it direct in config.h because it'll cause a conflicting
+ * definition the first time we include netinet/in.h.
+ */

+#ifdef HAVE_CYGWIN

+#define IPPORT_RESERVED 0
+#endif
+
+/*
* Definitions for IP type of service (ip_tos)
*/
#include <netinet/in_systm.h>

As for the comment preceeding the definition, I didn't change it from
your text in my proposal. However.

I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
terms of the implementation of bindresvport_sa and rcmd. It's not just
backward compatibility. There are also applications out there which
still expect this value to make sense.

The *real* problem here is that OpenSSH checks for uid 0 before allowing
to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
decide if the current user is allowed to bind that port.

From my POV this check in OpenSSH is gratuitious and it's the real reason
we have this problem at all.

[Darren Tucker]

On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vins...@redhat.com> wrote:
[...]

> Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
> what about getting rid of the configure stuff entirely?
>
> Tested counterproposal:

Looks reasonable. It's late here so I'm going to look at it tomorrow.

> As for the comment preceeding the definition, I didn't change it from
> your text in my proposal. However.
>
> I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> terms of the implementation of bindresvport_sa and rcmd. It's not just
> backward compatibility. There are also applications out there which
> still expect this value to make sense.

Fair point.

> The *real* problem here is that OpenSSH checks for uid 0 before allowing
> to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> decide if the current user is allowed to bind that port.
> From my POV this check in OpenSSH is gratuitious and it's the real reason
> we have this problem at all.

In the case of sshd running with privsep off, the process doing the
binding is still running as root and I suspect those checks date back
to when it was always running as root. It could probably
temporarily_use_uid() though.

Thanks.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Hisashi T Fujinaka]

In NetBSD-current(ish):

test_sshkey: ..................................[1] Segmentation fault (core dumped) ${V} /home/htodd...
*** Error code 139

And gdb bt shows:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000041174e in cert_parse (key=0x756584f120c0, certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
1896 key->cert->principals[key->cert->nprincipals++] = principal;
(gdb) bt
#0 0x000000000041174e in cert_parse (key=0x756584f120c0, certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
#1 sshkey_from_blob_internal (b=b@entry=0x756584f161b0, keyp=keyp@entry=0x7f7fff8c0220, allow_cert=allow_cert@entry=1)
at sshkey.c:2117
#2 0x0000000000411951 in sshkey_from_blob (blob=<optimized out>, blen=blen@entry=422, keyp=keyp@entry=0x7f7fff8c0220)
at sshkey.c:2150
#3 0x0000000000411a97 in sshkey_read (ret=ret@entry=0x756584f12080, cpp=cpp@entry=0x7f7fff8c0280) at sshkey.c:1302
#4 0x0000000000414baa in sshkey_try_load_public (k=k@entry=0x756584f12080,
filename=0x756584f16070 "/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub",
commentp=commentp@entry=0x0) at authfile.c:319
#5 0x0000000000415309 in sshkey_load_cert (filename=<optimized out>, keyp=keyp@entry=0x7f7fff8c4330) at authfile.c:425
#6 0x0000000000409f41 in sshkey_tests () at regress/unittests/sshkey/test_sshkey.c:527
#7 0x0000000000405dc3 in tests () at regress/unittests/sshkey/tests.c:24
#8 0x000000000042a2e1 in main (argc=3, argv=0x7f7fff8c4420) at regress/unittests/test_helper/test_helper.c:162
(gdb)

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

[Corinna Vinschen]

On Jul 22 23:32, Darren Tucker wrote:
> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vins...@redhat.com> wrote:
> [...]
> > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
> > what about getting rid of the configure stuff entirely?
> >
> > Tested counterproposal:
>
> Looks reasonable. It's late here so I'm going to look at it tomorrow.

Thank you.

> > As for the comment preceeding the definition, I didn't change it from
> > your text in my proposal. However.
> >
> > I'd like to outline that IPPORT_RESERVED == 1024 still makes sense in
> > terms of the implementation of bindresvport_sa and rcmd. It's not just
> > backward compatibility. There are also applications out there which
> > still expect this value to make sense.
>
> Fair point.
>
> > The *real* problem here is that OpenSSH checks for uid 0 before allowing
> > to bind a socket to a port < IPPORT_RESERVED, rather than letting the OS
> > decide if the current user is allowed to bind that port.
> > From my POV this check in OpenSSH is gratuitious and it's the real reason
> > we have this problem at all.
>
> In the case of sshd running with privsep off, the process doing the
> binding is still running as root and I suspect those checks date back
> to when it was always running as root. It could probably
> temporarily_use_uid() though.

I think this is a very good idea.

As has been discussed more than once on this list, Cygwin^WWindows isn't
the only OS allowing more than a single administrativ account.
Alternatively the system supports fine-grained account-based permissions
or per-executable capabilities.

For example, think raw sockets and ping/ping6. You don't have to be
admin to open a raw socket if the OS supports capabilities, nor does the
application has to be a setuid application, as on Linux:

$ ls -l /usr/bin/ping
-rwxr-xr-x 1 root root 44752 Nov 19 2015 /usr/bin/ping
$ getcap /usr/bin/ping
ping = cap_net_admin,cap_net_raw+ep

Checking for uid 0 only makes limited sense, and only on very
traditional UNIX systems.

[Hisashi T Fujinaka]

After making /var/empty, tests ran fine on netbsd-7.

[Damien Miller]

On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:

> In NetBSD-current(ish):
>
> test_sshkey: ..................................[1] Segmentation fault (core
> dumped) ${V} /home/htodd...
> *** Error code 139
>
> And gdb bt shows:
>
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x000000000041174e in cert_parse (key=0x756584f120c0,
> certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
> 1896 key->cert->principals[key->cert->nprincipals++] =
> principal;

Thanks for reporting this. I don't understand how it could fail at that
point. Could you rerun the failing test and see what the values of
key, *key, key->cert and *key->cert are? It's possible to run just the
sshkey unit test using:

./regress/unittests/sshkey/test_sshkey -d regress/unittests/sshkey/testdata

from the top-level directory.

-d

[Hisashi T Fujinaka]

I think I forgot to send this to the mailing list too.

On Sat, 23 Jul 2016, Damien Miller wrote:

On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:

> In NetBSD-current(ish):
>
> test_sshkey: ..................................[1] Segmentation fault
> (core
> dumped) ${V} /home/htodd...
> *** Error code 139
>
> And gdb bt shows:
>
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 0x000000000041174e in cert_parse (key=0x756584f120c0,
> certbuf=0x756584f16200, b=0x756584f161b0) at sshkey.c:1896
> 1896 key->cert->principals[key->cert->nprincipals++] =
> principal;

Thanks for reporting this. I don't understand how it could fail at that
point. Could you rerun the failing test and see what the values of
key, *key, key->cert and *key->cert are? It's possible to run just the
sshkey unit test using:

./regress/unittests/sshkey/test_sshkey -d regress/unittests/sshkey/testdata

from the top-level directory.

Program terminated with signal SIGSEGV, Segmentation fault.

#0 0x000000000041174e in cert_parse (key=0x7037f9b120c0,
certbuf=0x7037f9b16200, b=0x7037f9b161b0) at sshkey.c:1896

1896 key->cert->principals[key->cert->nprincipals++] =
principal;

(gdb) bt
#0 0x000000000041174e in cert_parse (key=0x7037f9b120c0,
certbuf=0x7037f9b16200, b=0x7037f9b161b0) at sshkey.c:1896
#1 sshkey_from_blob_internal (b=b@entry=0x7037f9b161b0,
keyp=keyp@entry=0x7f7fff104970, allow_cert=allow_cert@entry=1)

at sshkey.c:2117
#2 0x0000000000411951 in sshkey_from_blob (blob=<optimized out>,

blen=blen@entry=422, keyp=keyp@entry=0x7f7fff104970)
at sshkey.c:2150
#3 0x0000000000411a97 in sshkey_read (ret=ret@entry=0x7037f9b12080,
cpp=cpp@entry=0x7f7fff1049d0) at sshkey.c:1302
#4 0x0000000000414baa in sshkey_try_load_public (k=k@entry=0x7037f9b12080,
filename=0x7037f9b16070

"/home/htodd/openssh-portable/regress/unittests/sshkey/testdata/rsa_1-cert.pub",
commentp=commentp@entry=0x0) at authfile.c:319
#5 0x0000000000415309 in sshkey_load_cert (filename=<optimized out>,

keyp=keyp@entry=0x7f7fff108a80) at authfile.c:425

#6 0x0000000000409f41 in sshkey_tests () at
regress/unittests/sshkey/test_sshkey.c:527
#7 0x0000000000405dc3 in tests () at regress/unittests/sshkey/tests.c:24

#8 0x000000000042a2e1 in main (argc=3, argv=0x7f7fff108b68) at
regress/unittests/test_helper/test_helper.c:162
(gdb) p key
$1 = (struct sshkey *) 0x7037f9b120c0
(gdb) p key->cert
$2 = (struct sshkey_cert *) 0x7037f9b1b080
(gdb) p *key->cert
$3 = {certblob = 0x7037f9b162a0, type = 2, serial = 5, key_id =
0x7037f9b18090 "julius", nprincipals = 1,
principals = 0xfffffffff9b180a0, valid_after = 915145200, valid_before =
1293836400, critical = 0x7037f9b162f0,
extensions = 0x7037f9b16340, signature_key = 0x0}

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

[Damien Miller]

On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:

> regress/unittests/test_helper/test_helper.c:162
> (gdb) p key
> $1 = (struct sshkey *) 0x7037f9b120c0
> (gdb) p key->cert
> $2 = (struct sshkey_cert *) 0x7037f9b1b080
> (gdb) p *key->cert
> $3 = {certblob = 0x7037f9b162a0, type = 2, serial = 5, key_id = 0x7037f9b18090
> "julius", nprincipals = 1,
> principals = 0xfffffffff9b180a0, valid_after = 915145200, valid_before =

Thanks for taking the time to debug this.

The key->cert->principals pointer looks wrong - does NetBSD libc
provide a reallocarray function? We detect its presence during
configure:

checking for reallocarray... no

(that's on Linux)

Could you try commenting out the HAVE_REALLOCARRAY line in config.h
make clean, make and rerun the test?

-d

[Hisashi T Fujinaka]

On Sat, 23 Jul 2016, Damien Miller wrote:

> On Fri, 22 Jul 2016, Hisashi T Fujinaka wrote:
>
>> regress/unittests/test_helper/test_helper.c:162
>> (gdb) p key
>> $1 = (struct sshkey *) 0x7037f9b120c0
>> (gdb) p key->cert
>> $2 = (struct sshkey_cert *) 0x7037f9b1b080
>> (gdb) p *key->cert
>> $3 = {certblob = 0x7037f9b162a0, type = 2, serial = 5, key_id = 0x7037f9b18090
>> "julius", nprincipals = 1,
>> principals = 0xfffffffff9b180a0, valid_after = 915145200, valid_before =
>
> Thanks for taking the time to debug this.
>
> The key->cert->principals pointer looks wrong - does NetBSD libc
> provide a reallocarray function? We detect its presence during
> configure:
>
> checking for reallocarray... no
>
> (that's on Linux)
>
> Could you try commenting out the HAVE_REALLOCARRAY line in config.h
> make clean, make and rerun the test?

That works. Weird how I need that on -current but not on -7.

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

[Darren Tucker]

On Sat, Jul 23, 2016 at 2:30 PM, Hisashi T Fujinaka <ht...@twofifty.com> wrote:
[...]

>> Could you try commenting out the HAVE_REALLOCARRAY line in config.h
>> make clean, make and rerun the test?
>
> That works. Weird how I need that on -current but not on -7.

Looks like reallocarray was added after 7: it's in
http://netbsd.gw.com/cgi-bin/man-cgi?reallocarray++NetBSD-current but
it's not in http://netbsd.gw.com/cgi-bin/man-cgi?reallocarray++NetBSD-7.0.1.
Maybe there's a bug in it? I note that the man page says the
prototype needs "_OPENBSD_SOURCE", maybe the lack of prototype gets
the return truncated to int? maybe try ./configure
--with-cflags=-D_OPENBSD_SOURCE ?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Darren Tucker]

On Sat, Jul 23, 2016 at 2:45 AM, Corinna Vinschen <vins...@redhat.com> wrote:
> On Jul 22 23:32, Darren Tucker wrote:
>> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vins...@redhat.com> wrote:
>> [...]
>> > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
>> > what about getting rid of the configure stuff entirely?
>> >
>> > Tested counterproposal:

I've committed this.

I'll look at the other changes after the release.

[...]

> As has been discussed more than once on this list, Cygwin^WWindows isn't
> the only OS allowing more than a single administrativ account.
> Alternatively the system supports fine-grained account-based permissions
> or per-executable capabilities.

Agreed, capabilities is what I was thinking of when I replied.

[...]

> Checking for uid 0 only makes limited sense, and only on very
> traditional UNIX systems.

In its defense, I suspect that's all it ran on at the time it was written.

Thanks.

[Corinna Vinschen]

On Jul 23 19:58, Darren Tucker wrote:
> On Sat, Jul 23, 2016 at 2:45 AM, Corinna Vinschen <vins...@redhat.com> wrote:
> > On Jul 22 23:32, Darren Tucker wrote:
> >> On Fri, Jul 22, 2016 at 10:18 PM, Corinna Vinschen <vins...@redhat.com> wrote:
> >> [...]
> >> > Hmm. If that only affects Cygwin, and if defines.h is not synced anyway,
> >> > what about getting rid of the configure stuff entirely?
> >> >
> >> > Tested counterproposal:
>
> I've committed this.
>
> I'll look at the other changes after the release.
>
> [...]
> > As has been discussed more than once on this list, Cygwin^WWindows isn't
> > the only OS allowing more than a single administrativ account.
> > Alternatively the system supports fine-grained account-based permissions
> > or per-executable capabilities.
>
> Agreed, capabilities is what I was thinking of when I replied.
>
> [...]
> > Checking for uid 0 only makes limited sense, and only on very
> > traditional UNIX systems.
>
> In its defense, I suspect that's all it ran on at the time it was written.

:)

Which is quite a long time ago. The big problem with a patch replacing
the uid == 0 checks is probably that it has to be accepted upstream...

[Alex Wilson]

On 7/21/16 9:40 PM, Damien Miller wrote:
> Live testing on suitable non-production systems is also
> appreciated.

Working fine on illumos here.

The GSSAPI key exchange patch we've been carrying around for compat
needs some work now though (or maybe we'll just drop it).

[Jakub Jelen]

On 07/22/2016 06:40 AM, Damien Miller wrote:
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing

> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.

Testing with latest snap/git and applying our patches revealed only one
problem (when I don't count missing API for GSSAPI Kex, where we were
using get_canonical_hostname() also in the client code):

* Forgotten get_remote_ipaddr() function in audit-linux.c code
(attached patch)

Otherwise the package builds and passes all tests on current Fedora 24.

Regards,

--
Jakub Jelen
Security Technologies
Red Hat

[Damien Miller]

On Tue, 26 Jul 2016, Jakub Jelen wrote:

> On 07/22/2016 06:40 AM, Damien Miller wrote:
> > OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains some
> > substantial new features and a number of bugfixes.
> Testing with latest snap/git and applying our patches revealed only one
> problem (when I don't count missing API for GSSAPI Kex, where we were using
> get_canonical_hostname() also in the client code):
>
> * Forgotten get_remote_ipaddr() function in audit-linux.c code (attached
> patch)

Applied (also needed to include packet.h).

-d

[Damien Miller]

On Sat, 23 Jul 2016, Darren Tucker wrote:

> [...]
> >> Could you try commenting out the HAVE_REALLOCARRAY line in config.h
> >> make clean, make and rerun the test?
> >
> > That works. Weird how I need that on -current but not on -7.
>
> Looks like reallocarray was added after 7: it's in
> http://netbsd.gw.com/cgi-bin/man-cgi?reallocarray++NetBSD-current but
> it's not in http://netbsd.gw.com/cgi-bin/man-cgi?reallocarray++NetBSD-7.0.1.
> Maybe there's a bug in it? I note that the man page says the
> prototype needs "_OPENBSD_SOURCE", maybe the lack of prototype gets
> the return truncated to int? maybe try ./configure
> --with-cflags=-D_OPENBSD_SOURCE ?

This is probably the problem - the weird pointer I noted in
Fujinaka-san's gdb output was probably a sign-extended integer.

Could you try this patch? You'll need to make clean, run autoreconf
and configure again.

-d

diff --git a/configure.ac b/configure.ac
index e64386f..373d21b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -839,6 +839,7 @@ mips-sony-bsd|mips-sony-newsos4)
if test "x$withval" != "xno" ; then
need_dash_r=1
fi
+ CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
AC_CHECK_HEADER([net/if_tap.h], ,
AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))

[Hisashi T Fujinaka]

This works. Thanks!

--
Hisashi T Fujinaka - ht...@twofifty.com
BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee

[Damien Miller]

On Wed, 27 Jul 2016, Hisashi T Fujinaka wrote:

> This works. Thanks!

Thanks for your help in debugging this - it's been committed and will
be in openssh-7.3.

-d

[Jeff Wieland]

Compiles and passes tests on SPARC Solaris 10, using our local
build of OpenSSL 1.0.2h.

Damien Miller wrote:
> Hi,

>
> OpenSSH 5.3 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains some
> substantial new features and a number of bugfixes.
>

> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>

> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests

>
> Live testing on suitable non-production systems is also

> appreciated. Please send reports of success or failure to
> openssh-...@mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 7.2
> =========================
>
> This is primarily a bugfix release.
>
> Security
> --------
>
> * sshd(8): Mitigate a potential denial-of-service attack against
> the system's crypt(3) function via sshd(8). An attacker could
> send very long passwords that would cause excessive CPU use in
> crypt(3). sshd(8) now refuses to accept password authentication
> requests of length greater than 1024 characters. Independently
> reported by Tomas Kuthan (Oracle) and curesec via coredump at
> autistici.org.
>
> * sshd(8): Mitigate timing differences in password authentication
> that could be used to discern valid from invalid account names
> when long passwords were sent and particular password hashing
> algorithms are in use on the server. CVE-2016-6210, reported by
> EddieEzra.Harari at verint.com
>
> * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
> oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
> Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
> are disabled by default and only included for legacy compatibility.
>
> * ssh(1), sshd(8): Improve ordering ordering of MAC verification for
> Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
> MAC before decrypting any ciphertext. This removes the possibility
> of timing differences leaking facts about the plaintext, though no
> such leakage has been observed. Reported by Jean Paul Degabriele,
> Kenny Paterson, Torben Hansen and Martin Albrecht.
>
> * sshd(8): (portable only) Ignore PAM environment vars when
> UseLogin=yes. If PAM is configured to read user-specified
> environment variables and UseLogin=yes in sshd_config, then a
> hostile local user may attack /bin/login via LD_PRELOAD or
> similar environment variables set via PAM. CVE-2015-8325,
> found by Shayan Sadigh.
>
> New Features
> ------------
>
> * ssh(1): Add a ProxyJump option and corresponding -J command-line
> flag to allow simplified indirection through a one or more SSH
> bastions or "jump hosts".
>
> * ssh(1): Add an IdentityAgent option to allow specifying specific
> agent sockets instead of accepting one from the environment.
>
> * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
> optionally overridden when using ssh -W. bz#2577
>
> * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
> per draft-sgtatham-secsh-iutf8-00.
>
> * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
> 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
>
> * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
> signatures in certificates;
>
> * ssh(1): Add an Include directive for ssh_config(5) files.
>
> * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
> from the server. bz#2058
>
> Bugfixes
> --------
>
> * ssh(1), sshd(8): Reduce the syslog level of some relatively common
> protocol events from LOG_CRIT. bz#2585
>
> * sshd(8): Refuse AuthenticationMethods="" in configurations and
> accept AuthenticationMethods=any for the default behaviour of not
> requiring multiple authentication. bz#2398
>
> * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
> ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
>
> * ssh(1): Close ControlPersist background process stderr except
> in debug mode or when logging to syslog. bz#1988
>
> * misc: Make PROTOCOL description for direct-st...@openssh.com
> channel open messages match deployed code. bz#2529
>
> * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
> failures when both ExitOnForwardFailure and hostname
> canonicalisation are enabled. bz#2562
>
> * sshd(8): Remove fallback from moduli to obsolete "primes" file
> that was deprecated in 2001. bz#2559.
>
> * sshd_config(5): Correct description of UseDNS: it affects ssh
> hostname processing for authorized_keys, not known_hosts; bz#2554
>
> * ssh(1): Fix authentication using lone certificate keys in an agent
> without corresponding private keys on the filesystem. bz#2550
>
> * sshd(8): Send ClientAliveInterval pings when a time-based
> RekeyLimit is set; previously keepalive packets were not being
> sent. bz#2252
>
> Portability
> -----------
>
> * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
> not supported by OpenSSL. bz#2466
>
> * misc: Fix compilation failures on some versions of AIX's compiler
> related to the definition of the VA_COPY macro. bz#2589
>
> * sshd(8): Whitelist more architectures to enable the seccomp-bpf
> sandbox. bz#2590
>
> * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
> using setpflags(__PROC_PROTECT, ...). bz#2584
>
> * sshd(8): On Solaris, don't call Solaris setproject() with
> UsePAM=yes it's PAM's responsibility. bz#2425
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-...@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

--
Jeff Wieland | Purdue University
Network Systems Administrator | ITIS UNIX Platforms
Voice: (765)496-8234 | 155 S. Grant Street
FAX: (765)496-1380 | West Lafayette, IN 47907