[Bug 1254085] Re: ssh fails to connect to VPN host - hangs at 'expecting SSH2_MSG_KEX_ECDH_REPLY'

2016-02-25 Thread Rodney Beede
Might be your PMTU discovery is being blocked by a firewall somewhere.

http://mccltd.net/blog/?p=1577

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1254085

Title:
  ssh fails to connect to VPN host - hangs at 'expecting
  SSH2_MSG_KEX_ECDH_REPLY'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 954620] Re: SSH StrictModes does not work correctly

2014-03-12 Thread Rodney Beede
Debian has a Debian specific patch (user-group-modes.patch) that changes
the behavior compared to the upstream version of OpenSSH.

If a user's ssh file or directory has the group write bit set and that group
has no other members besides the user, then sshd now allows the use of
the ssh file or directory.

I've confirmed this behavior in Ubuntu 12.04.

Upstream, the change was not accepted for security reasons and because other
distros may not have per-user groups like Debian does.


See also:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347

https://bugzilla.mindrot.org/show_bug.cgi?id=1060


** Bug watch added: Debian Bug tracker #314347
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347

** Bug watch added: OpenSSH Portable Bugzilla #1060
   https://bugzilla.mindrot.org/show_bug.cgi?id=1060

** Changed in: openssh (Ubuntu)
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/954620
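The following is an added example, not code from the bug report, OpenSSH or the Debian patch. It models the StrictModes ownership and permission test in Python so the two behaviours discussed above can be compared side by side: the upstream rule (owned by the user or root, not group- or world-writable) and the Debian user-group-modes relaxation described in the message (a group-writable entry is still accepted when the file's group has no member other than the user). The stat values and the group table are constructed; the per-component walk over ~, ~/.ssh and ~/.ssh/authorized_keys is a simplification of what sshd does and is assumed here.

```python
import stat
from dataclasses import dataclass


@dataclass
class FileInfo:
    """Constructed stand-in for the fields of os.stat_result that matter here."""
    st_mode: int
    st_uid: int
    st_gid: int


def strict_modes_ok(info, user_uid, group_members, debian_user_groups=False):
    """Decide whether sshd with StrictModes would accept one file or directory.

    Upstream rule: owned by the user or root, and not writable by group or
    others.  With debian_user_groups=True the Debian user-group-modes
    behaviour described in the bug is modelled: a group-writable entry is
    still accepted when the file's group has no member other than the user.

    group_members maps gid -> set of member uids; it is a constructed table
    standing in for /etc/group (assumption: primary-group members included).
    Returns (accepted, reason).
    """
    if info.st_uid not in (0, user_uid):
        return False, "owned by neither the user nor root"
    if info.st_mode & stat.S_IWOTH:
        return False, "world writable"
    if info.st_mode & stat.S_IWGRP:
        if not debian_user_groups:
            return False, "group writable"
        others = group_members.get(info.st_gid, set()) - {user_uid}
        if others:
            return False, "group writable and group has other members: %s" % sorted(others)
    return True, "accepted"


def check_key_path(entries, user_uid, group_members, debian_user_groups=False):
    """Apply the test to every path component, as sshd does for the home
    directory, ~/.ssh and ~/.ssh/authorized_keys.  entries is a list of
    (path, FileInfo).  Returns the first rejection as (path, reason), or
    None when every component passes."""
    for path, info in entries:
        ok, reason = strict_modes_ok(info, user_uid, group_members, debian_user_groups)
        if not ok:
            return path, reason
    return None


# Constructed sample: user alice (uid 1000) with a per-user group 1000, plus a
# shared group 50 that also contains bob (uid 1001).
GROUPS = {1000: {1000}, 50: {1000, 1001}}
PRIVATE_GROUP_WRITABLE = [
    ("/home/alice", FileInfo(stat.S_IFDIR | 0o775, 1000, 1000)),
    ("/home/alice/.ssh", FileInfo(stat.S_IFDIR | 0o770, 1000, 1000)),
    ("/home/alice/.ssh/authorized_keys", FileInfo(stat.S_IFREG | 0o660, 1000, 1000)),
]
SHARED_GROUP_WRITABLE = [
    ("/home/alice", FileInfo(stat.S_IFDIR | 0o755, 1000, 1000)),
    ("/home/alice/.ssh", FileInfo(stat.S_IFDIR | 0o770, 1000, 50)),
    ("/home/alice/.ssh/authorized_keys", FileInfo(stat.S_IFREG | 0o600, 1000, 1000)),
]

if __name__ == "__main__":
    print("upstream, private group:", check_key_path(PRIVATE_GROUP_WRITABLE, 1000, GROUPS))
    print("debian,   private group:", check_key_path(PRIVATE_GROUP_WRITABLE, 1000, GROUPS, True))
    print("debian,   shared group :", check_key_path(SHARED_GROUP_WRITABLE, 1000, GROUPS, True))
```

The first call rejects the home directory outright, the second accepts the same layout under the Debian rule, and the third shows why upstream declined the patch: once the group-writable .ssh directory belongs to a group with another member, that member can replace authorized_keys, and the relaxed check only stays safe if every such group really is a single-user group.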


[Bug 424371] Re: Logins to OpenSSH server slow due to UseDNS yes config

2014-03-05 Thread Rodney Beede
I'd propose submitting a request upstream to make the default setting
for UseDNS be No.

Additionally add comments in the sshd_config and man page:

# UseDNS - Determines whether IP Address to Hostname lookup and comparison is performed
# Default value is No which avoids login delays when the remote client's DNS cannot be resolved
# Value of No implies that the usage of from= in authorized_keys will not support DNS host names but only IP addresses.
# Value of Yes supports host names in from= for authorized_keys.  Additionally if the remote client's IP address does not match the resolved DNS host name (or could not be reverse lookup resolved) then a warning is logged.
# UseDNS Yes

https://bugs.launchpad.net/bugs/424371
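As an added example (not from the bug report or from OpenSSH), the following Python models what the proposed comments describe: with UseDNS no the client is known only by its address, with UseDNS yes the address is reverse-resolved, the name is forward-resolved, and the name is trusted only if the original address comes back, otherwise sshd falls back to the address and a warning is logged. It then evaluates an authorized_keys from= pattern list against whichever identities survived. The resolver tables are constructed stand-ins for DNS, and the pattern matching (comma-separated, '!' negates and denies immediately, shell-style wildcards) is a simplified rendering of sshd's host/IP matching that is assumed here.

```python
import fnmatch

# Constructed resolver tables standing in for real DNS (no live lookups).
PTR_RECORDS = {
    "192.0.2.10": "host10.example.test",   # forward record agrees
    "192.0.2.20": "host10.example.test",   # PTR claims a name that does not map back
}
A_RECORDS = {
    "host10.example.test": {"192.0.2.10"},
}


def resolve_client(ip, use_dns, ptr=PTR_RECORDS, forward=A_RECORDS):
    """Model sshd's UseDNS handling.

    UseDNS no: no lookup, the client is identified by address only.
    UseDNS yes: reverse-resolve the address, forward-resolve the answer and
    accept the name only if the original address is in that answer; on any
    mismatch fall back to the address and return a warning message.
    Returns (hostname_or_None, warning_or_None).
    """
    if not use_dns:
        return None, None
    name = ptr.get(ip)
    if name is None:
        return None, "reverse mapping for %s failed" % ip
    if ip not in forward.get(name, set()):
        return None, ("reverse mapping checking: %s maps to %s, but %s does not "
                      "map back to the address" % (ip, name, name))
    return name, None


def from_option_allows(pattern_list, ip, use_dns):
    """Evaluate an authorized_keys from="..." pattern list for one client.

    Patterns are comma separated, a leading '!' negates, and '*'/'?'
    wildcards are allowed; a matching negated pattern denies immediately.
    Hostname patterns can only match when UseDNS yes produced a verified
    name, which is exactly the restriction the comments above spell out.
    Returns (allowed, warning_or_None).
    """
    host, warning = resolve_client(ip, use_dns)
    candidates = [ip] + ([host] if host else [])
    allowed = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        body = pat[1:] if negated else pat
        if any(fnmatch.fnmatchcase(c, body) for c in candidates):
            if negated:
                return False, warning
            allowed = True
    return allowed, warning


if __name__ == "__main__":
    for use_dns in (True, False):
        for ip in ("192.0.2.10", "192.0.2.20"):
            print("UseDNS", use_dns, ip, from_option_allows("*.example.test", ip, use_dns))
```

The second address is the case the comment about warnings covers: its PTR record names a host whose forward record does not contain the address, so the hostname pattern never matches and the mismatch is reported, while an address pattern such as 192.0.2.* would still match on the address alone.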


[Bug 1261861] [NEW] man page for sshd contains error about NP and locked accounts

2013-12-17 Thread Rodney Beede
Public bug reported:

man sshd

This paragraph:

  Regardless of the authentication type, the account is checked to ensure that it is accessible.  An account is not accessible if it is locked, listed in DenyUsers or its group is listed in DenyGroups.  The definition of a locked account is system dependant.  Some platforms have their own account database (eg AIX) and some modify the passwd field (‘*LK*’ on Solaris and UnixWare, ‘*’ on HP-UX, containing ‘Nologin’ on Tru64, a leading ‘*LOCKED*’ on FreeBSD and a leading ‘!’ on most Linuxes).  If there is a requirement to disable password authentication for the account while allowing still public-key, then the passwd field should be set to something other than these values (eg ‘NP’ or ‘*NP*’).


The recommended use of NP or *NP* causes a conflict: if the encrypted
password in /etc/passwd is *NP* (without the quotes), the shadow
record should be obtained from an NIS+ server.

http://man7.org/linux/man-pages/man5/passwd.5.html


The upstream OpenSSH package doesn't have this paragraph in the man page so it 
was something added by Debian/Ubuntu.


How an account is locked and what OpenSSH checks for locked also depends on 
whether UsePAM is yes or no.  When yes, an account can still be logged into even 
when the password entry field has a leading "!".  When no, OpenSSH's 
behavior is to treat the account as inaccessible if there is a leading "!" in 
the password.


This paragraph should be updated to recommend something else.  Perhaps
no password login allowed as the recommended value.

It'd be nice to have this paragraph submitted upstream as well.


Reference also:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=219377

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: manpage

https://bugs.launchpad.net/bugs/1261861
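An added example, not part of the bug report: a small Python classifier for the encrypted-password field that follows the markers named in the quoted paragraph and in passwd(5), and then applies the UsePAM distinction the report describes. It is meant for reviewing shadow-style entries when auditing which accounts are locked, which merely have password authentication disabled, and which carry the ambiguous *NP* value. The sample entries are constructed; treating any other value beginning with "$" as a crypt(3) hash, and not modelling what PAM itself decides when UsePAM is yes, are assumptions of this example.

```python
# Markers taken from the quoted sshd(8) paragraph and from passwd(5).
LINUX_LOCK_PREFIX = "!"    # leading '!' marks a locked account on most Linuxes
NISPLUS_MARKER = "*NP*"    # passwd(5): fetch the shadow record from an NIS+ server


def classify_password_field(field):
    """Classify the encrypted-password field of a passwd/shadow entry.

    Returns one of 'locked', 'nisplus-lookup', 'empty', 'hash' or
    'password-disabled'.  Any other value starting with '$' is assumed to
    be crypt(3) output; anything else ('NP', '*', ...) is not a valid hash,
    so password authentication cannot succeed, but the account is not
    marked locked either.
    """
    if field.startswith(LINUX_LOCK_PREFIX):
        return "locked"
    if field == NISPLUS_MARKER:
        return "nisplus-lookup"
    if field == "":
        return "empty"
    if field.startswith("$"):
        return "hash"
    return "password-disabled"


def sshd_account_accessible(field, use_pam):
    """Mirror the behaviour the report describes: with UsePAM no, sshd itself
    refuses an account whose field has a leading '!'; with UsePAM yes the
    lock check is left to PAM, so sshd does not refuse on that basis (what
    PAM then decides is outside this example)."""
    if use_pam:
        return True
    return classify_password_field(field) != "locked"


def review_entry(user, field, use_pam):
    """Return a list of findings for one account entry, flagging the NIS+
    ambiguity the report is about."""
    kind = classify_password_field(field)
    notes = ["%s: %s" % (user, kind)]
    if kind == "nisplus-lookup":
        notes.append("*NP* means 'fetch the shadow record from NIS+' per passwd(5); "
                     "do not use it to mean 'no password'")
    if kind == "password-disabled":
        notes.append("password auth impossible; public-key login still possible")
    if not sshd_account_accessible(field, use_pam):
        notes.append("sshd with UsePAM no treats this account as inaccessible")
    return notes


# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = [
    ("alice", "$6$saltsalt$constructedhash"),
    ("bob", "!$6$saltsalt$constructedhash"),
    ("deploy", "NP"),
    ("svc", "*NP*"),
]

if __name__ == "__main__":
    for use_pam in (False, True):
        print("UsePAM", "yes" if use_pam else "no")
        for user, field in SAMPLE_SHADOW:
            for line in review_entry(user, field, use_pam):
                print("  " + line)
```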


[Bug 1195009] [NEW] sftp should include seconds in directory listings

2013-06-26 Thread Rodney Beede
Public bug reported:

Directory listings from the ls -l command in sftp are only granular
for mtime to the minute and not the second.  When using sftp clients
that support uploading only changed files based on mtime this causes the
same file to appear different.

sftp should provide the complete timestamp and not just hh:mm.


[rbeede@ubuntu:/home/rbeede] $ ssh -V
OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012

[rbeede@ubuntu:/home/rbeede] $ uname -a
Linux ubuntu 3.8.0-19-generic #30-Ubuntu SMP Wed May 1 16:35:23 UTC 2013 x86_64 
x86_64 x86_64 GNU/Linux


This may belong to openssh-server or openssh-client.

** Affects: openssh (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: sftp

https://bugs.launchpad.net/bugs/1195009


[Bug 1188827] Re: User option (-u or --user) is ignored

2013-06-08 Thread Rodney Beede
Yes, that was the first one I tried.  I thought the Ubuntu package may
have been compiled without the option support so I tried a recompile to
ensure it was enabled.

https://bugs.launchpad.net/bugs/1188827


[Bug 1188827] [NEW] User option (-u or --user) is ignored

2013-06-07 Thread Rodney Beede
*** This bug is a security vulnerability ***

Public security bug reported:

Tested in Ubuntu 12.04 and 13.04.

The --user, -u, or /etc/default/tftpd-hpa TFTP_USERNAME=tftp options
are ignored when running the tftpd-hpa service.

I pulled the source with wget
https://www.kernel.org/pub/software/network/tftp/tftp-hpa/tftp-hpa-5.2.tar.xz
and compiled.

Ran with

/root/tftp-hpa-5.2/tftpd/tftpd --listen -u nobody --address 0.0.0.0:69
--secure /var

Result was

root@ubuntu:/var/log# ps -ef | grep tftpd
root  7955 1  0 13:55 ?00:00:00 /root/tftp-hpa-5.2/tftpd/tftpd 
--listen -u nobody --address 0.0.0.0:69 --secure /var


I expected the process uid to be that of nobody.  Killing the process and 
trying again I also looked at /proc to see what it thought about it:

root@ubuntu:/var/log# cat /proc/8037/task/8037/status
Name:   tftpd
State:  S (sleeping)
Tgid:   8037
Pid:8037
PPid:   1
TracerPid:  0
Uid:0   0   0   0
Gid:0   0   0   0
FDSize: 64
Groups: 0
VmPeak:13048 kB
VmSize:13048 kB
VmLck: 0 kB
VmPin: 0 kB
VmHWM:   140 kB
VmRSS:   140 kB
VmData:  444 kB
VmStk:   136 kB
VmExe:32 kB
VmLib:  2140 kB
VmPTE:44 kB
VmSwap:0 kB
Threads:1
SigQ:   0/31432
SigPnd: 
ShdPnd: 
SigBlk: 
SigIgn: 0001
SigCgt: 4003
CapInh: 
CapPrm: 001f
CapEff: 001f
CapBnd: 001f
Seccomp:0
Cpus_allowed:   ,
Cpus_allowed_list:  0-63
Mems_allowed:   ,0001
Mems_allowed_list:  0
voluntary_ctxt_switches:1
nonvoluntary_ctxt_switches: 0

** Affects: tftp-hpa (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: tftp

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1188827
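The /proc status check the reporter did by hand can be scripted so a deployment test catches a service that never dropped privileges. The following is an added example, not code from the report or from tftp-hpa: it parses the key/value lines of /proc/<pid>/status and reports if any of the four uids or gids (real, effective, saved, filesystem) differ from the expected account, if supplementary group 0 survived, or if the effective capability set is non-empty. The two status excerpts are constructed (the capability masks in the report lost their digits during extraction, so a full root-like mask is supplied here as an illustration), and 65534 as the uid and gid of nobody is an assumption; the live variant looks the account up with pwd instead.

```python
import pwd

# Constructed /proc/<pid>/status excerpt modelled on the one in the report.
ROOT_STATUS = """\
Name:\ttftpd
State:\tS (sleeping)
Pid:\t8037
PPid:\t1
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Groups:\t0
CapEff:\t0000001fffffffff
"""

# Constructed excerpt of what a correctly dropped process should look like.
DROPPED_STATUS = """\
Name:\ttftpd
Pid:\t8037
Uid:\t65534\t65534\t65534\t65534
Gid:\t65534\t65534\t65534\t65534
Groups:\t65534
CapEff:\t0000000000000000
"""


def parse_proc_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict whose
    values are lists of whitespace-separated tokens (Uid and Gid carry four:
    real, effective, saved, filesystem)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields


def privilege_findings(fields, expected_uid, expected_gid):
    """Return a list of problems if the process has not fully dropped to the
    expected uid/gid.  An empty list means the drop looks complete."""
    findings = []
    uids = [int(x) for x in fields.get("Uid", [])]
    gids = [int(x) for x in fields.get("Gid", [])]
    if len(uids) != 4 or any(u != expected_uid for u in uids):
        findings.append("Uid %s, expected all %d" % (uids, expected_uid))
    if len(gids) != 4 or any(g != expected_gid for g in gids):
        findings.append("Gid %s, expected all %d" % (gids, expected_gid))
    groups = [int(x) for x in fields.get("Groups", [])]
    if 0 in groups:
        findings.append("supplementary group 0 retained: %s" % groups)
    cap_eff = int(fields.get("CapEff", ["0"])[0], 16)
    if cap_eff:
        findings.append("CapEff is %#x, expected 0" % cap_eff)
    return findings


def check_running_process(pid, user="nobody"):
    """Live variant: read /proc/<pid>/status and compare it against the
    uid/gid of the account the service was told to switch to."""
    pw = pwd.getpwnam(user)
    with open("/proc/%d/status" % pid) as f:
        fields = parse_proc_status(f.read())
    return privilege_findings(fields, pw.pw_uid, pw.pw_gid)


if __name__ == "__main__":
    for label, text in (("as reported", ROOT_STATUS), ("expected", DROPPED_STATUS)):
        print(label, privilege_findings(parse_proc_status(text), 65534, 65534) or "ok")
```

Checking all four uid columns matters: a daemon that only changes its effective uid keeps a saved uid of 0 and can switch back, and a non-empty CapEff after the switch means capabilities were retained across the uid change, so both are reported rather than just the first column that ps shows.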