Compiling OpenSSH 3.7p1
Mac Enthusiast
Join Date: Sep 2000
Location: New York, NY USA
All, I have what is probably a pretty silly question for you all.
I've built and installed OpenSSH 3.7 on my machine, but sshd is having some problems. Whenever I attempt to connect, sshd drops the connection. When I turn on debug, I get the following:
debug1: permanently_set_uid: 75/75
setreuid 75: Operation not permitted
debug1: Calling cleanup 0x2525c(0x0)
I compiled with the following options:
--prefix=/usr --sysconfdir=/etc --with-tcp-wrappers
I've compiled and installed OpenSSL 0.9.7b. I've also tried installing the latest OpenSSL libraries in fink and then pointed the ssh compile at the fink libraries to no effect.
One funny thing is that, when I enable higher levels of debug, it'll sometimes (but not always) let me log in.
I'm sure there's something stupid staring me in my face. Any help is appreciated.
Senior User
Join Date: Dec 2002
Location: Portland, OR
Originally posted by justinkim:
debug1: permanently_set_uid: 75/75
setreuid 75: Operation not permitted
debug1: Calling cleanup 0x2525c(0x0)
Sounds like it isn't able to do privilege separation right. UID/GID 75 is the sshd user. Are you running sshd as root? I just looked on my unpatched version and sshd isn't normally set as suid root, so you will need to run it as root.
The other thing to check would be that /var/empty exists (the directory that the privilege separation user runs from).
I haven't upgraded mine yet (I'll probably just wait for Apple's update) so I haven't experienced this yet.
Mac Enthusiast
Join Date: Sep 2000
Location: New York, NY USA
Running as root
/var/empty is there.
I even just restarted the machine to see how it would come up.
I tell ya, this is driving me nuts
Senior User
Join Date: Jan 2000
Mac Enthusiast
Join Date: Sep 2000
Location: New York, NY USA
Ahhhhhh swapping uidswap.c in did the trick. Many thanks! It's nice to know that I'm not off my rocker.
Senior User
Join Date: Jan 2000
OK, it actually appears the setreuid call is broken on OS X 10.2. Here's a minimal program that demonstrates the problem:
Code:
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>     /* exit(), atoi() */
    #include <string.h>
    #include <unistd.h>

    int
    main( int argc, char *argv[] )
    {
        uid_t uid = 0;

        /* Only root may switch to an arbitrary uid. */
        if ( geteuid() != 0 ) {
            fprintf( stderr, "%s must be run as root.\n", argv[ 0 ] );
            exit( 1 );
        }
        if ( argc != 2 ) {
            fprintf( stderr, "Usage: %s uid\n", argv[ 0 ] );
            exit( 1 );
        }
        uid = ( uid_t )atoi( argv[ 1 ] );

        /* Set real and effective uid in one call, as sshd does. */
        if ( setreuid( uid, uid ) < 0 ) {
            fprintf( stderr, "setreuid %d/%d: %s\n", ( int )uid, ( int )uid,
                     strerror( errno ));
            exit( 2 );
        }
        /* XXXX Never get here on OS X */
        printf( "UID: %d\tEUID: %d\n", ( int )getuid(), ( int )geteuid());
        return( 0 );
    }
Compile this, and try running it as root with an existent uid as the parameter. You'll get the same error you encounter with OpenSSH 3.7.x portable.
Senior User
Join Date: Jan 2000
OK. Problem solved, I think. If you #define BROKEN_SETREUID 1 and #define BROKEN_SETREGID 1 in config.h (or acconfig.h, and rerun the configure script), the problem goes away.
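Added example, not part of the original posts and not OpenSSH's own code: a permanent privilege drop that does not depend on setreuid()/setregid(), the calls reported broken above. It uses setgid()/setuid() while still root, then checks that the old ids cannot be regained. The function name drop_privileges and the command-line interface are assumptions of this example.

```c
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (example only, not from OpenSSH).
 * Returns 0 if the process now runs irrevocably as uid/gid, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();

    /* Root dropping to another user: shed root's supplementary groups first. */
    if (old_uid == 0 && uid != 0 && setgroups(1, &gid) < 0)
        return -1;

    /* Group before user: once the uid is gone the gid can no longer change.
     * Called as root, setgid()/setuid() set the real, effective and saved ids. */
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;

    /* Try to take the old ids back; success means a saved id survived. */
    if (old_gid != gid && uid != 0 &&
        (setgid(old_gid) == 0 || setegid(old_gid) == 0))
        return -1;
    if (old_uid != uid && (setuid(old_uid) == 0 || seteuid(old_uid) == 0))
        return -1;

    /* Final state check: real and effective ids must match the target. */
    if (getgid() != gid || getegid() != gid ||
        getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s uid gid\n", argv[0]);
        return 1;
    }
    if (drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2])) < 0) {
        fprintf(stderr, "privilege drop failed or was reversible\n");
        return 2;
    }
    printf("UID: %d\tEUID: %d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```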
Dedicated MacNNer
Join Date: Dec 2002
Location: someplace
Senior User
Join Date: Dec 2002
Location: Portland, OR
Originally posted by fitter:
OK, it actually appears the setreuid call is broken on OS X 10.2. Here's a minimal program that demonstrates the problem:
I just tested this on 10.3 6B53 and it is broken there too.
Junior Member
Join Date: Dec 2001
Location: Zurich (Switzerland)
Did you try the recently updated fink version? It seems like the fink developers patched OpenSSH. A new version was added two days ago to the fink unstable tree:
http://fink.sourceforge.net/pdb/package.php/openssh
Be sure to check that you get version 3.7.1p1-2
Chris.
PS: You could also look at the patch from fink.
Senior User
Join Date: Jan 2000
The OpenSSH developers have fixed the problem detecting the broken setreuid and setregid calls.
There's another bug, though: the sftp client doesn't properly parse quotation marks wrapping filenames when doing a get or a put. Example:
sftp> get "filename.txt"
Unterminated quote
sftp> get "filename.txt" "local-filename.txt"
Fetching /home/filename.txt to /Users/user
sftp>
The second command actually downloads filename.txt to a file with the name <space>. sftp is interpreting the closing quote of the source filename as the beginning quote of the destination filename. Hence the first command fails with an "Unterminated quote" error. If you do:
sftp> get "filename.txt"destination.txt"
Fetching /home/filename.txt to /Users/user/destination.txt
it works as expected.
A patch has been submitted, but it has not been applied yet.