I blame it on network gear that has only
ever been tested with HTTP traffic and has no idea what to do with
long-lived persistent TCP connections that don't have constant traffic.
--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
ward. More features are nice, but I can
see the merits of simplicity here. But I no longer maintain a large
infrastructure built on Kerberos, so I'm not putting as much weight on the
GSSAPI support as I used to.)
--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
Marco d'Itri writes:
> On Jan 20, Russ Allbery wrote:
>> This also implies that there is arguably an SONAME issue with this library
>> given that two versions of the library with the same SONAME don't provide
>> the same symbols, but I suspect there were really
e for me (but now I wonder if I have other
> leftover files like this…).
This also implies that there is arguably an SONAME issue with this library
given that two versions of the library with the same SONAME don't provide
the same symbols, but I suspect there were really, really good reasons
ay except for some details on how source trees were managed. The
governance of glibc now is essentially from eglibc.
This is not at all an analogous situation. OpenSSH is not in trouble as a
project, this fork is not replacing it or causing any mass defection of
developers, and all the deve
n have to
install openssh-server, and in that case it makes logical sense that
they'll need to explicitly enable GSS-API.
I think it's fine to just remove the package. It long ago served its
purpose, and the few remaining people who may be using it as a shortcut
will hopefully be able to figure out the right thing to do.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
ing package installation.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
r
protocol 2. The openssh-client-ssh1 package includes "ssh1", "scp1",
and "ssh-keygen1" binaries which you can use if you have no alternative
way to connect to an outdated SSH1-only server; please contact the
server administrator or system vendor in suc
Carlos Alberto Lopez Perez writes:
> Attackers usually don't start trying to probe exploit after exploit.
Of course they do. That is, *by far*, the most common attacker strategy
on the Internet. Just look at the logs of any Internet-facing service.
--
Russ Allbery (r...@de
com/legacy.html
It sounds like the remote host to which you're trying to connect only
offers ssh-dss keys, which are no longer supported by default (following
upstream) because they're not very secure.
This is unrelated to host key checking or IP checking. It's about the
type of underlying crypto being used to secure the connection.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
If there were a real feature benefit, the backwards-incompatibility may be
worth it, but given that the feature doesn't actually work, meh. It's
hard to get particularly excited about doing work to try to enable it, and
it feels really dubious to do it by breaking the command-line option
everyone is used to using.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
ith attempting to duplicate the shutdown behavior in a controlled way.
Clearly something changed in systemd vs. sysvinit, which is a clue, but I
don't think we've yet established *what* changed, and therefore have no
idea whether it's intentional, a side effect of something else, a b
Vincent Lefevre writes:
> On 2015-03-21 13:14:08 -0700, Russ Allbery wrote:
>> Correct. The Policy statement is about preserving user changes, not
>> about never touching any file that a user has modified in any way. The
>> package is free to modify unchanged portions of t
er
the benefit of the change is worth the disruption of changed behavior on
upgrades.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
To UNSUBSCRIBE, email to debian-ssh-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87egoif6r3@hope.eyrie.org
t, and
then using Type=notify. Then sshd startup won't be considered complete
until the sshd daemon calls sd_notify, and the correct status will be
reported if it exits for some reason before doing so.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
-
eAuthentication is disabled too.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Archive: https://lists.debian.org/871tlrgn05@hope.eyrie.org
gonna
> happen. Could it possibly make it into jessie-backports, or is that also
> too much to hope for?
That's certainly possible.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
ect's
unwillingness to take the key exchange patches, forcing every distribution
to apply them separately and meaning that they aren't considered when
upstream works on things like the configuration parameter for key exchange
methods.
--
Russ Allbery (r...@debian.org)
c key
exchange mechanism as a fallback.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Archive: https://lists.debian.org/871tlyeau8@hope.eyrie.org
Christoph Anton Mitterer writes:
> On Sun, 2014-12-14 at 09:28 -0800, Russ Allbery wrote:
>> since I routinely see the same behavior when shutting down servers
>> right now, in wheezy, using sysvinit.
> This is quite interesting, btw,... cause I've never seen that durin
(the default) runs it in traditional daemon mode. Both are
provided so that the local system administrator can switch to inetd-style
if they wish (usually for systems with minimal resources that don't want
to have another long-running daemon), but I believe only ssh.service is
enabled by de
and would certainly be a nice way to
implement it. I wasn't sure if namespaces were per-cgroup or if those
were two separate things that had to be handled independently.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
erited
by all child processes of the spawned process, so you'd end up with shells
that also had read-only /usr, possibly interfering with later sudo, su, or
other similar operations.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Luca Falavigna writes:
> I believe this bug is quite important, and should deserve a fix in
> time for Jessie, hence the severity bump.
Er, why? Have you read the discussion in the bug?
I continue to believe that this is not even a bug at all, let alone an
important one.
--
Russ Allb
nd you lose the connection.
In other words, this is just the same issue, only there are three
processes that may be killed in some random order instead of two.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
us no clean disconnection happening) or
> whether it's some issue in ssh itself.
It doesn't really matter, since the client can go away without sending a
FIN in a ton of other ways. If you care, you should set ClientAlive* or
TCPKeepAlive, like you have. I've see
before restarting, so that it
can clearly diagnose configuration errors. Maybe I'm missing some problem
for doing this with sshd, though.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
atches/openssh.html
Many different distributions incorporate it. For issues that are generic
to any packaging of ssh with that patch, you may want to report them
directly to Simon, or at least copy him on these reports, and he's
probably the best person to ask questions about how the patch works
vinit-started sshd.
If you can find a way to improve the behavior along some axis that you
care about, I'm certainly fine with that, but given that I don't even
consider the problem that you're trying to solve to be a problem, I'm
going to have a low tolerance for regr
asant. We need to preserve
the current sshd behavior that stopping the service does *not* kill open
sessions.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
cket activation and already has to
> document other considerations there, such as the non-obvious interaction
> with MaxStartups.
This sounds right to me as well.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
ed directly in the ListenAddress configuration as well.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
bug for lighttpd too, but I guess less people are
> paying attention to that.
It's probably the same issue. lighttpd can't fix the problem in the
packaging for that service, I think.
As a workaround, I believe adding the "nofail" option to mounts that may
or may not suc
k; I
forget which it was). Could this also be the case for you?
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
hat systemd and sysvinit are
different in their handling of failures of file system mounts without
nofail specified.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
change is enabled,
since in that case the lack of keys may be an intentional configuration
choice by the server administrator to force the use of Kerberos keys
instead of system-generated public keys.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
h" to get past the two parsing
> runs, then "print options.gss_deleg_creds" - it comes out correctly
> depending on "Host" stanzas in ~/.ssh/config).
I use GSS-API daily and can confirm that it works as intended.
--
Russ Allbery (r...@debian.org) <
UID)
That host block doesn't match that ssh command. Try changing it to:
Host foo foo.mydomain.com
and see if you get different behavior.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
. See the first few paragraphs of
the ssh_config man page.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
for the security
model that you need.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Colin Watson writes:
> That indeed sounds sensible. I'm not sure anyone has started the jessie
> release notes, and building from Subversion currently generates release
> notes that claim to be for wheezy; but how does the following change
> read?
This looks great to me.
--
t to the jessie release notes, at least, seems like it would be a
good idea. (I also wholeheartedly agree with the change, though.)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
e
disruption as possible.
This is why openssh-server was already using a non-standard handling
method for its init script actions.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
e was started via an init script so that it will stop via
the init script and then start via the unit?
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
reated as a regular
file.
This still feels like a weird edge case to me, and I'm not sure it's worth
checking for it in the unit file, but on the other hand I completely
understand Colin's conservatism in maintaining checks when converting
between init system configurations. And ssh
Colin Watson writes:
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
>> It would be better for any application that uses the kernel keyring if
>> pam_keyinit were run by default in the PAM session stack. Without this
>> module, users are placed in a d
> No I can add as many port forwards as I like after the master connection
> is established. All options I have tried are honoured except for -g.
Huh. This is definitely not my experience. I'm not sure why it behaves
differently for you.
--
Russ Allbery (r...@debian.org) <
connection and is ignored for subsequent
connections.
I suspect this is inherent in the design.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
tainers, so this is
just third-party commentary.)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Archive: http://lists.debian.org/87d2m2ail1@windlord.stanford.edu
n:
aptitude unmarkauto openssh-server
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Archive: http://lists.debian.org/87y54suied@windlord.stanford.edu
ad idea to log *only* the
hostname without the IP.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Matthieu CERDA writes:
> Le 6 juil. 2012 à 18:55, Russ Allbery a écrit :
>> Oh. I knew that looked familiar. This is #512410. I thought that was
>> fixed in unstable already.
> Oh ! Well thanks a lot anyway, this is a testing / wheezy machine so the
> package has certa
text=context@entry=0x557fbda0, aname=aname@entry=0x557fc3b0,
> lnsize=lnsize@entry=65, lname=lname@entry=0x7fffda30 "\200t~UUU")
> at ../../../../src/lib/krb5/os/an_to_ln.c:632
Oh. I knew that looked familiar. This is #512410. I thought that was
fixed in unst
g and then get a new backtrace?
I'm particularly interested in the call site of that free.
Running sshd under valgrind might also help, since this may be heap
corruption.
I assume that you're using libpam-krb5 to do the password checking. What
version of libpam-krb5 do you have installe
ount that was fixed in the
squeeze time frame and probably should have been closed a long time ago.
So consider this an implicit close of that issue.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
reassign 512410 libkrb5-3
# double-free triggered in externally-accessible services is always
# potentially a security issue
severity 512410 serious
tags 512410 security
found 512410 libkrb5-3/1.10.1+dfsg-1
thanks
"Livingston, John A" writes:
> On Jun 6, 2012, at 5:40 PM, Russ
"Livingston, John A" writes:
> On Jun 6, 2012, at 4:59 PM, Russ Allbery wrote:
>> Can you try running sshd -d under valgrind and see if it can spot where
>> the memory corruption is happening?
> Below are two valgrind runs (without and with -v, depending on how much
./../../src/lib/krb5/os/an_to_ln.c:632
Ugh. So it's segfaulting on a routine free(). That means memory
corruption somewhere.
Can you try running sshd -d under valgrind and see if it can spot where
the memory corruption is happening?
--
Russ Allbery (r...@debian.org) <
"Livingston, John A" writes:
> On Jun 4, 2012, at 6:10 PM, Russ Allbery wrote:
>> Are you using libpam-krb5? If so, could you upgrade to the version
>> just uploaded to unstable? The version in testing will segfault if
>> krb5_init_context fails; the version
you some sort of error message.
A lot of people in Ubuntu are seeing issues with krb5_init_context
failing. In a few cases, this has been tracked to /etc/krb5.conf
mysteriously becoming mode 600 and unreadable by some processes.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.
he
like) to determine what realm of a ticket got forwarded with klist and
then rename it after login, setting KRB5CCNAME to follow. That will be
reliable in the face of whatever sshd does.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
her. The remote system could be using something
completely different to store the ticket cache, like KCM or kernel keyring
caches.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
entation and
> chooses which library to load and call based on a config file.
This is what libgssglue is. The question is: does it export enough of the
non-standard interfaces to let ssh do all the things it wants to do? It
was fairly limited the last time I looked at it.
--
Russ Allbery (r...@
rk with
> 'set -e', and that this would be a good idea independent of any other
> change.
Yes. I would be very happy to remove that footnote in Policy. :)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
ic proofs to demonstrate of knowledge of the password while
revealing nothing useful to an attacker or compromised endpoint.
This is experimental, work-in-progress code and is presently
compiled-time disabled (turn on -DJPAKE in Makefile.inc).
--
Russ Allbery (r...@debi
d then we don't have to carry the directory
in the package forever going forward.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Arto Jantunen writes:
> Russ Allbery writes:
>> If you su to a user from root (so that you don't have to enter a password)
>> do you get the supplemental groups for that user?
> Apparently yes, hadn't tried that one before.
Hm, okay. That argues to me that the
Arto Jantunen writes:
> Russ Allbery writes:
>> Arto Jantunen writes:
>>> I'm fairly certain that NIS is the differentiating factor here, it's quite
>>> rare these days. I see the problem on all three NIS using machines I have
>>> upgraded to squee
your /etc/nsswitch.conf look like?
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
's
tickling the bug, and that would probably point to the problem package.
Do you have any unusual or non-default PAM configuration? Also, how are
your supplemental groups managed; is it all in /etc/group, or are you
using LDAP or some other system?
--
Russ Allbery (r...@debian.org)
ings to
be run in the password case and not in the pubkey case.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
Marc Lehmann writes:
> Russ Allbery wrote:
>> Marc Lehmann writes:
>>> What luck that I found out how to reproduce it a while later: remove the
>>> /etc/shadow entry for the user, and you get connection closed but no log
>>> messages whatsoever.
>> I
on): session opened
for user eagle by (uid=0)
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
but I would have thought I'd notice.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
id the
memory allocation, so you need a library API for the free.
I don't think that comment was intended to have anything to do with the
difference between krb5_free_unparsed_name and krb5_xfree.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
whereas Heimdal collects the random simple
frees into krb5_xfree, which simplifies the interface somewhat. If you're
writing solely to Heimdal's API, there's no reason to use the more
specific function.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagl
he attacker can't tell why
they're failing.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
faces differ by protocol. If you
only have an IPv4 interface available and then later add an IPv6
interface, I don't think INADDR_ANY will pick up the IPv6 connections.
I haven't tested, though.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
's used to run the auth
stack).
I suspect the bug here is a segfault bug in pam_smbpass.
I wonder if trying to log in as root with an empty password would
reproduce this problem. It's an obvious edge case, and I've seen it cause
problems with PAM modules in the past.
--
Russ Allbe
stantly, as do many of my users, and the few
cases where we've installed an sshd without xauth accidentally have caused
a lot of confusion. It's definitely a feature that users around here, at
least, expect to have available and working.
--
Russ Allbery ([EMAIL PROTECTED])
t to install
Recommends. Installing Recommends is the default, but you can change that
easily in your local apt configuration. The above is due to the
Recommends on xauth (required for X forwarding), not due to a dependency.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.e
"Moore, Joe" <[EMAIL PROTECTED]> writes:
>> Russ Allbery <[EMAIL PROTECTED]> writes:
>> I spoke too soon -- I shouldn't have taken your word for the priority
>> of openssh-blacklist. It's already priority: optional. So nothing to
>> fix
Russ Allbery <[EMAIL PROTECTED]> writes:
> "Moore, Joe" <[EMAIL PROTECTED]> writes:
>
>> From the Debian Policy manual:
>> 2.5
>> Packages must not depend on packages with lower priority values
>> (excluding build-time dependencies). In
e a bug against openssh-blacklist asking
that it be increased.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
n
dpkg-reconfigure openssh-server, which will regenerate your host keys
again, and you should then have secure host keys.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
Joey Hess <[EMAIL PROTECTED]> writes:
> Russ Allbery wrote:
>> Do we have a feel for how astronomically unlucky you have to get? If
>> it's really astronomical, it's probably not worth worrying about. (My
>> general rule of thumb on that sort of thing is
ical, it's probably not worth worrying about. (My general
rule of thumb on that sort of thing is that if the chances of a collision
are lower than the chances of hardware failure during the course of the
operation, it's probably not worth taking any special safeguards.)
--
Russ Allbery (
Russ Allbery <[EMAIL PROTECTED]> writes:
> Brian May <[EMAIL PROTECTED]> writes:
>> Can I please confirm what version of Heimdal you are using? The initial
>> bug report seemed to quote the old version in testing, but here you
>> seem to indicate the latest ve
segfaults definitely in
functions called by libpam-heimdal, not by openssh itself. I'll include
the backtrace when I get home and can reproduce it.
gdb doesn't produce a usable backtrace (probably because of the library
confusion). Only valgrind would work for me, and only with a
They used to use
symbol versioning precisely because of this problem; see Bug#205592 which
was closed in 0.6-4. It looks like that was lost or dropped somewhere
along the way.
I'm copying Brian May on this. I think the bug should probably be
reassigned to the heimdal source package.
--
Ru
was having this problem, I thought it was ssh for a long
time too, and then I caught single bit errors in some straight HTTP
traffic.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
th one of the intervening pieces of network equipment. When
I've previously tracked down problems like this, I've found bit errors
introduced on the wire and had the problem go away after network cards and
switches were replaced.
--
Russ Allbery ([EMAIL PROTECTED]) <http:/
Sebastian Pipping <[EMAIL PROTECTED]> writes:
> Russ Allbery wrote:
>> Speaking as one of the former maintainers of openssh-krb5 (for a brief
>> period near the end of its life), I don't think this is a great idea.
>> Maintaining a separate forked copy of the ssh
(for a brief
period near the end of its life), I don't think this is a great idea.
Maintaining a separate forked copy of the ssh code base in another package
is painful from a security standpoint, and managing the shared
configuration and conflicts and whatnot can be rather horrific.
--
Russ All
the same
thing. There was a long discussion about this a while back, and I think
the conclusion was that /usr/sbin/nologin was better than /bin/false for
this purpose.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
not included in this file.
That's exactly the behavior we want.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
Colin Watson <[EMAIL PROTECTED]> writes:
> On Fri, Mar 30, 2007 at 12:32:48PM -0700, Russ Allbery wrote:
>> Do we know which lookup in particular is hanging? I had originally
>> thought that it was the lookups for the KDCs, but it sounds like that
>> may not be
if
it's something else, it may be easier to fix.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
Jim Meyering <[EMAIL PROTECTED]> writes:
> Almost. The only difference is that there seems to be no time-out.
> In one case today, I let ssh "hang" for well over an hour.
Huh. Okay, that I've not seen. I've seen timeouts on Kerberos realms,
but not just hang
ope* it's not particularly common to have Kerberos tickets for a realm
that isn't responding.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>