Re: [leaf-user] subnet-to-subnet simulation problem
Hello Lynn Avants,

Thanks for your reply. I already took out the 'ip_masq_ipseq' from loading, but still, the exact problem remains.

BTW, the eth1 interface from VPN1 BOX actually goes to the VPN1 BOX client. Hence, it's actually an internal device. My diagram is indeed a bit confusing.

I do have some more queries regarding keys and my pluto authlog though. Having the authlog below, from my new 'ipsec barf' result, notice that there are errors generated by Pluto. I've already gotten openssl.lrp from JNilo's site in order to resolve this. I'm thinking that Pluto's failure to read the needed certificates brings about problems in my keying/ipsec.secrets resolution. Anyways, if I'm not on the right track please let me know.

TIA - Vic

==
+ egrep -n Starting Pluto /var/log/auth.log
+ cat
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: Starting Pluto (FreeS/WAN Version 1.91)
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: including X.509 patch (Version 0.9.3)
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: Could not change to directory '/etc/ipsec.d/cacerts'
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: Could not change to directory '/etc/ipsec.d/crls'
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: could not open my X.509 cert file '/etc/x509cert.der'
Jul 30 06:42:07 SR3K-VPN1 Pluto[1737]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: added connection description VPN1-VPN2
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: listening for IKE messages
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: adding interface ipsec0/eth0 192.168.2.1
Jul 30 06:42:10 SR3K-VPN1 Pluto[1737]: loading secrets from /etc/ipsec.secrets
Jul 30 06:42:11 SR3K-VPN1 Pluto[1737]: VPN1-VPN2 #1: initiating Main Mode
Jul 30 06:42:21 SR3K-VPN1 Pluto[1737]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
Jul 30 06:42:22 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 06:44:53 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 06:45:33 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 06:46:12 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
+ _
+
+ date
Tue Jul 30 06:46:40 UTC 2002

- Original Message -
From: guitarlynn [EMAIL PROTECTED]
To: Vic Berdin [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, September 30, 2002 11:57 AM
Subject: Re: [leaf-user] subnet-to-subnet simulation problem

On Sunday 29 September 2002 05:08, Vic Berdin wrote:
> VPN1-CLI
> |eth0: 192.168.4.1
> |gw:192.168.4.200
> |
> |
> |eth1: 192.168.4.200
> |gw:192.168.2.1
> VPN1 BOX

From the look of things, you're using Dachstein, so I will assume this. Looks pretty unusual to use eth1 as an external interface, this can bork the networking pretty good with Dachstein in the default setup.

> ip_masq_ipsec 7328 0 (unused)

DO NOT USE the ipsec module with Dachstein it will bork everything up with the ipsec-kernel. The module is only used for pass-through with Dachstein.

> Jul 30 03:42:30 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized

Looks like your keys/naming isn't right in ipsecrets and the point of failure unless having the ipsec module loaded is messing the connection up here (good possibility).

--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!

---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] subnet-to-subnet simulation problem
> Thanks for your reply. I already took out the 'ip_masq_ipseq' from loading, but still, the exact problem remains. BTW, the eth1 interface from VPN1 BOX actually goes to the VPN1 BOX client. Hence, it's actually an internal device. My diagram is indeed a bit confusing. I do have some more queries regarding keys and my pluto authlog though. Having the authlog below, from my new 'ipsec barf' result, notice that there are errors generated by Pluto. I've already gotten openssl.lrp from JNilo's site in order to resolve this. I'm thinking that Pluto's failure to read the needed certificates brings about problems in my keying/ipsec.secrets resolution. Anyways, if I'm not on the right track please let me know.

A couple questions:

1) Why are you loading the ipsec x.509 version of FreeS/WAN when you're not trying to use certificates? You can use conventional RSA signature keys with the x.509 patched version, but in the walk before you run category, you should probably be using the plain version of FreeS/WAN (ie just ipsec.lrp) to get started. The x.509 patches change how pluto responds to connection attempts, and essentially add another layer of potential confusion to your debugging attempts.

2) I've snipped all but the critical errors from your auth.log file below. You really need to look at the logs on *BOTH* ends to figure out what's going wrong.

> Jul 30 06:42:11 SR3K-VPN1 Pluto[1737]: VPN1-VPN2 #1: initiating Main Mode
> Jul 30 06:42:21 SR3K-VPN1 Pluto[1737]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
> Jul 30 06:42:22 SR3K-VPN1 Pluto[1737]: packet from 192.168.2.200:61013: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized

The logs indicate two different problems...the first is the IKE message this system sent was rejected by the remote system. This is VERY BAD. There should be a log entry on the remote system indicating *WHY* the packet was refused, which should help track down your configuration error(s).

The second problem is the reception of a main-mode message from the remote system that doesn't match a local connection description. This is likely a side-effect of the previous problem.

I strongly suggest working with just the plain ipsec.lrp while trying to test your RSA authenticated connection. Once you get that working, you can step up to x.509 certs if necessary. Also, if you post logs again, please do so from *BOTH* machines.

For what it's worth, FreeS/WAN is kind of like bind (named)...it seems really complex at first, but it's really pretty simple once you understand how everything works...you should have tunnels up soon!

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] subnet-to-subnet simulation problem
Hello Charles/Everyone,

> 1) Why are you loading the ipsec x.509 version of FreeS/WAN when you're not trying to use certificates?

Out of frustration I wish to try out everything and mistakenly backed up ipsec.lrp along with the x.509 binaries.

I'm now using the plain ipsec.lrp and tried using both PSK then RSA keying but the problem still lurks. Here are the barfs from the two IPSEC machines. I deeply apologize for this post. But I'm really stumped now. :o(

===
SR3K-VPN1
Tue Jul 30 12:24:07 UTC 2002
+ _
+
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _
+
+ cat /proc/version
Linux version 2.2.19-3-DIGIPH (root@zxivlin) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #2 Tue Sep 24 11:43:46 PHT 2002
+ _
+
+ cat /proc/net/ipsec_eroute
0 192.168.4.0/24 -> 192.168.5.0/24 => %trap
+ _
+
+ cat /proc/net/ipsec_spi
+ _
+
+ cat /proc/net/ipsec_spigrp
+ _
+
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
+ _
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _
+
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type St
c4f33640 1569 c4f1361000 0 0 2 32767 3 1
+ _
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c4f13610 1569 c4f33640
pf_key_registered: 3 c4f13610 1569 c4f33640
pf_key_registered: 9 c4f13610 1569 c4f33640
pf_key_registered:10 c4f13610 1569 c4f33640
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported:10 15 2 0 1 1
+ _
+
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:0
inbound_policy_check:1
tos:1
+ _
+
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.2.1
000
000 VPN1-VPN2: 192.168.4.0/24===192.168.2.1---192.168.2.200...
000 VPN1-VPN2: ...192.168.3.200---192.168.3.1===192.168.5.0/24
000 VPN1-VPN2: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 0
000 VPN1-VPN2: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
000 VPN1-VPN2: newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: VPN1-VPN2 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 37s
+ _
+
+ ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:3924 Metric:1
          RX packets:11483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11483 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
ipsec0    Link encap:Ethernet HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1 Mask:255.255.255.0
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
ipsec1    Link encap:IPIP Tunnel HWaddr
          unspec addr:[NONE SET] Mask:[NONE SET]
          NOARP MTU:0 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
ipsec2    Link encap:IPIP Tunnel HWaddr
          unspec addr:[NONE SET]
[leaf-user] FreeSWAN weird message
IPSec seems to be working fine, I make connections. But in the log I see a message like:

pluto_adns: lib/resolv.so.2 version GLIBC2.2 not found.

Any ideas?
Re: [leaf-user] subnet-to-subnet simulation problem
> I'm now using the plain ipsec.lrp and tried using both PSK then RSA keying but the problem still lurks. Here are the barfs from the two IPSEC machines. I deeply apologize for this post. But I'm really stumped now. :o(

Well, the log messages on both ends look equally cryptic. In general, I would say you have a problem with configuration. Since both config files look OK, this likely means a problem with your public keys listed in /etc/ipsec.conf and your private key in /etc/ipsec.secrets. Since both these are getting chomped by ipsec barf, and I'm not sure if the limited LEAF version properly creates key sums, you need to manually verify you've actually got the right RSA public keys in your /etc/ipsec.conf file. At this point, I think that's what's causing you problems, but I can't be sure.

If the LEAF version of barf is really calculating checksums correctly, you *DO* have a mis-match between your public keys listed in ipsec.conf and the actual keys in ipsec.secrets:

> leftrsasigkey=[sums to 364c...]
> rightrsasigkey=[sums to 1636...]

> : RSA {
> # RSA 1024 bits SR3K-VPN1 Mon Sep 9 10:26:23 2002
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=[sums to 5154...]

Note...doesn't match either *rsasigkey above.

> : RSA {
> # RSA 1024 bits SR3K-VPN1 Mon Sep 9 10:26:39 2002
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=[sums to 7a9d...]

And neither does this...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
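
The manual check described in the message above (is this host's #pubkey from ipsec.secrets one of the *rsasigkey values in ipsec.conf?) can be run against the raw key strings instead of barf's checksums. The script below is an added example, not from the thread or from FreeS/WAN; the function names, file names and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Key strings below are constructed placeholders,
# not real FreeS/WAN keys.

# Print each "#pubkey=" value recorded in an ipsec.secrets-style file.
secrets_pubkeys() {
    sed -n 's/^[[:space:]]*#pubkey=//p' "$1"
}

# Print "left KEY" / "right KEY" for every *rsasigkey line in ipsec.conf.
conf_sigkeys() {
    sed -n -e 's/^[[:space:]]*leftrsasigkey=/left /p' \
           -e 's/^[[:space:]]*rightrsasigkey=/right /p' "$1"
}

# Usage: matching_side IPSEC_CONF IPSEC_SECRETS
# Prints the side whose rsasigkey equals a local #pubkey and returns 0;
# prints "none" and returns 1 when no configured key is the local one.
matching_side() {
    for pub in $(secrets_pubkeys "$2"); do
        side=$(conf_sigkeys "$1" | awk -v k="$pub" '$2 == k { print $1; exit }')
        if [ -n "$side" ]; then
            echo "$side"
            return 0
        fi
    done
    echo none
    return 1
}

# Write constructed sample files into directory $1.
write_samples() {
    cat > "$1/ipsec.secrets" <<'EOF'
: RSA {
    # RSA 1024 bits SR3K-VPN1 (constructed sample)
    #pubkey=0sAQOlocalVPN1keyAAAA
    Modulus: 0x00
    }
EOF
    # Stale keys: neither value is the #pubkey above (the thread's symptom).
    cat > "$1/ipsec.conf.stale" <<'EOF'
conn VPN1-VPN2
    left=192.168.2.1
    leftrsasigkey=0sAQOoldVPN1keyBBBB
    right=192.168.3.1
    rightrsasigkey=0sAQOpeerVPN2keyCCCC
EOF
    # Corrected: leftrsasigkey is this host's own #pubkey.
    sed 's/0sAQOoldVPN1keyBBBB/0sAQOlocalVPN1keyAAAA/' \
        "$1/ipsec.conf.stale" > "$1/ipsec.conf.fixed"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in stale fixed; do
    if side=$(matching_side "$tmp/ipsec.conf.$f" "$tmp/ipsec.secrets"); then
        echo "ipsec.conf.$f: local key is configured as ${side}rsasigkey"
    else
        echo "ipsec.conf.$f: local #pubkey matches no rsasigkey"
    fi
done
rm -rf "$tmp"
```

Run the comparison on both gateways: each host's own #pubkey has to appear as the left or right rsasigkey in both copies of ipsec.conf.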
Re: [leaf-user] vpn help, link included
Jeff Newmiller wrote:
> On Sun, 29 Sep 2002, Matthew Schalit wrote:
>> In addition to what JO said, I'd put the printer on a Jetdirect and make life easy.
>
> As someone with a printer with a Jetdirect, I highly recommend having a single computer act as print server anyway... spooling performance can suck remarkably if you don't.

Thanks for the tip. I've noticed a slowness w/some printers that didn't have a lot of RAM when using their builtin NICS and no Jetdirect. Is that possibly a factor in your setup? If it can't dump the print job completely into the printer's RAM, then it slows down, AFAIK.

Sort of OT, but interesting.

Matt
Re: [leaf-user] sshd
Steve wrote:
> Date: Sun, 29 Sep 2002 14:15:14 +0200
> To: [EMAIL PROTECTED]
> From: Erich Titl [EMAIL PROTECTED]
> Subject: Re: [leaf-user] sshd
>
>> Steve wrote the following at 08:27 29.09.2002:
>>> I am trying to set up sshd in Bering. I have loaded the sshd.lrp and libz.lrp packaged and have generated my keys, but when sshd is run it complains that it cannot find libnsl.so.1 file. I've done a few searches and can not find where this file might be or where I can download it from. Any suggestions? Regards.
>>
>> Where did you take your sshd.lrp from. I have sshd on bering running on bering without libnsl. IIRC I got mine from Jacques Nilo's packages
>>
>> Erich
>
> got it from the same site. I have tried reloading several times all with the same result.

Hub:# ls -l /usr/sbin/sshd
-rwxr-xr-x 1 root root 678220 Aug 2 13:00 /usr/sbin/sshd
Hub:# ls -l /lib/libz.so.1.1.4
-rwxr-xr-x 1 root root 61464 Mar 16 2002 /lib/libz.so.1.1.4
Hub:# uname -a
Linux hub 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown

That's what my bering rc3 looks like. How about yours?

Matthew
Re: [leaf-user] sshd
Steve wrote:
> got it from the same site. I have tried reloading several times all with the same result.

I forgot this, sorry:

Hub:# lrpkg -i ldd.lrp
Installing ldd ... Done.
Hub:# ldd /lib/libz.so.1.1.4
libc.so.6 => /lib/libc.so.6 (0x40a13000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x08c0a000)
Hub:# ldd /usr/sbin/sshd
libutil.so.1 => /lib/libutil.so.1 (0x4b32e000)
libz.so.1 => /lib/libz.so.1 (0x4b331000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4b342000)
libc.so.6 => /lib/libc.so.6 (0x4b36f000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4b322000)

I don't see libnsl. Why don't you ldd sshd yourself and paste in the output along with the ls -l stuffings.

Matt
[leaf-user] wisp-dist multiple essid's
Where would I start if I wanted the client/station to attempt to find an AP to connect to from a list of several possible essid's? I would have it try the first essid. If no connection then try the next one in the list and so on.
Re: [leaf-user] subnet-to-subnet simulation problem
On Monday 30 September 2002 09:49, Vic Berdin wrote:

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0
> 192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
> 0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 192.168.4.0     192.168.3.200   255.255.255.0   UG        0 0          0 ipsec0
> 192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
> 0.0.0.0         192.168.3.200   0.0.0.0         UG        0 0          0 eth0

You have shown that eth0 is your internal address and eth1 is your external; apparently you haven't fixed everything attempting to run this way since your routing tables on both boxes clearly show that the machine(s) still think eth0 is the default route. In other words, your routing is attempting to run backwards.

> conn VPN1-VPN2
>     auto=start
>     type=tunnel
>     left=192.168.2.1
>     leftsubnet=192.168.4.0/24
>     leftnexthop=192.168.2.200
>     right=192.168.3.1
>     authby=rsasig
>     #authby=secret
>     leftid=192.168.2.1
>     rightid=192.168.3.1
>     rightsubnet=192.168.5.0/24
>     rightnexthop=192.168.3.200
>     leftrsasigkey=[sums to 364c...]
>     rightrsasigkey=[sums to 1636...]
>     keyexchange=ike
>     keylife=8h
>     keyingtries=0
>     pfs=yes
>     rekeymargin=9m
>     rekeyfuzz=25%

> conn VPN1-VPN2
>     auto=start
>     type=tunnel
>     left=192.168.2.1
>     leftsubnet=192.168.4.0/24
>     leftnexthop=192.168.2.200
>     right=192.168.3.1
>     authby=rsasig
>     #authby=secret
>     leftid=192.168.2.1
>     rightid=192.168.3.1
>     rightsubnet=192.168.5.0/24
>     rightnexthop=192.168.3.200
>     leftrsasigkey=[sums to 364c...]
>     rightrsasigkey=[sums to 1636...]
>     keyexchange=ike
>     keylife=8h
>     keyingtries=0
>     pfs=yes
>     rekeymargin=9m
>     rekeyfuzz=25%

Both sides are intending to start the connection; only one can start the connection, the other side(s) must add.

And as Charles noted, nothing will ever be accepted if the checksums of the RSA keys do not match. I would suggest using a secret key first, then going to keys (then certs if desired). Start simple, then make the system more complicated.

--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
[leaf-user] Re: sshd
>>> Steve wrote the following at 08:27 29.09.2002:
>>>> I am trying to set up sshd in Bering. I have loaded the sshd.lrp and libz.lrp packaged and have generated my keys, but when sshd is run it complains that it cannot find libnsl.so.1 file. I've done a few searches and can not find where this file might be or where I can download it from. Any suggestions? Regards.
>>>
>>> Where did you take your sshd.lrp from. I have sshd on bering running on bering without libnsl. IIRC I got mine from Jacques Nilo's packages
>>>
>>> Erich
>>
>> got it from the same site. I have tried reloading several times all with the same result.
>
> Hub:# ls -l /usr/sbin/sshd
> -rwxr-xr-x 1 root root 678220 Aug 2 13:00 /usr/sbin/sshd

mine is :
-rwxr-xr-x 1 root root **737464** Aug 2 13:00 /usr/sbin/sshd

From this, I take it that my version of sshd is different from yours. So, I replace it with the sshd from http://leaf-project.org/devel/jnilo/packages/

When installed, the file size is now the same. I save that package and rebooted. Now I get

Privilege separation user sshd does not exit
Re: [leaf-user] Re: sshd
On Mon, 30 Sep 2002 22:10:47 MST Steve wrote:

> So, I replace it with the sshd from http://leaf-project.org/devel/jnilo/packages/
> When installed, the file size is now the same. I save that package and rebooted. Now I get
> Privilege separation user sshd does not exit

This is a FAQ[1] see:
http://leaf.sourceforge.net/devel/jnilo/packages/openssh-3.4p1/README.txt

--Brad

[1] 4.2 at http://leaf.sourceforge.net/devel/jnilo/openssh.html
Re: [leaf-user] sshd
> So, I went to http://leaf-project.org/devel/jnilo/packages/ and loaded this package in. Saved this package, rebooted
> Now I get
> Privilege separation user sshd does not exit

That's expected. It's in the docs somewhere that you need to make the following additions (the sshd lines)

--- /etc/passwd -
[snip]
mail:x:8:8:mail:/var/spool/mail:/bin/sh
sh-httpd:x:50:10:shell-script web server:/var/sh-www:/bin/sh
sshd:x:51:65534::/var/run/sshd:/bin/false
alias:x:70:65534:qmail alias:/var/qmail/alias:/bin/sh
[snip]
-

== /etc/shadow ==
[snip]
mail:*:10091:0:9:7:::
sh-httpd:*:10091:0:9:7:::
sshd:*:10091:0:9:7:::
alias:*:10091:0:9:7:::
[snip]
===

I think that was all it took, but then again :)

Matthew
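
The passwd and shadow additions listed in the message above, turned into a check that also confirms the account cannot be used to log in. This is an added example, not from the thread or from the OpenSSH package; the function names and sample file names are made up for illustration, and the sample entries are copied from the lines quoted above.

```shell
#!/bin/sh
# Added example: verify the sshd privilege-separation account.

# Usage: check_privsep_user PASSWD_FILE SHADOW_FILE [USER]
# Prints one finding per line; returns 0 only when there are none.
check_privsep_user() {
    user=${3:-sshd}
    findings=0
    entry=$(grep "^$user:" "$1" | head -n 1)
    if [ -z "$entry" ]; then
        echo "$user: no entry in $1"
        return 1
    fi
    uid=$(echo "$entry" | cut -d: -f3)
    shell=$(echo "$entry" | cut -d: -f7)
    if [ "$uid" = 0 ]; then
        echo "$user: uid 0 defeats privilege separation"
        findings=1
    fi
    case $shell in
        /bin/false|*/nologin) ;;
        *) echo "$user: login shell '$shell' allows interactive use"
           findings=1 ;;
    esac
    # Second shadow field: '*' or '!' means no password can ever match.
    hash=$(grep "^$user:" "$2" | head -n 1 | cut -d: -f2)
    case $hash in
        '*'*|'!'*) ;;
        '') echo "$user: no entry (or empty password) in $2"
            findings=1 ;;
        *)  echo "$user: a password is set in $2"
            findings=1 ;;
    esac
    return $findings
}

# Write sample files into directory $1 (entries as quoted in the thread).
write_privsep_samples() {
    cat > "$1/passwd.ok" <<'EOF'
mail:x:8:8:mail:/var/spool/mail:/bin/sh
sshd:x:51:65534::/var/run/sshd:/bin/false
EOF
    cat > "$1/shadow.ok" <<'EOF'
mail:*:10091:0:9:7:::
sshd:*:10091:0:9:7:::
EOF
    # Variant 1: the sshd line was never added (the state Steve started in).
    grep -v '^sshd:' "$1/passwd.ok" > "$1/passwd.missing"
    # Variant 2: sshd exists but was given a real login shell.
    sed '/^sshd:/s#/bin/false$#/bin/sh#' "$1/passwd.ok" > "$1/passwd.shell"
}

tmp=$(mktemp -d)
write_privsep_samples "$tmp"
for p in ok missing shell; do
    echo "== passwd.$p"
    check_privsep_user "$tmp/passwd.$p" "$tmp/shadow.ok" || true
done
rm -rf "$tmp"
```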