Error Report relating to OPENSSH-3.8p1 und OPENSSH-3.8.1p1 With Reliant Unix (5.44/5.45) a connection fails if the host isnât known in DNS. However the host is correctly listed in /etc/hosts. Result: entries in â/etc/hostsâ arenât evaluated from OpenSSH 3.8 on. flow traces Reliant-Unix(5.44/45): With OPENSSH-3.8p1 and OPENSSH-3.8.1p1 the connection fails: $ ssh -v Veiel_U@RECHNERX OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/openssh/ssh_config debug1: Applying options for * ssh: RECHNERX: no address associated with name $ ssh -v Veiel_U@RECHNERX OpenSSH_3.8.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/openssh/ssh_config debug1: Applying options for * ssh: RECHNERX: no address associated with name With OPENSSH-3.7.1p2 the connection establishes: $ ssh -v Veiel_U@RECHNERX OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/openssh/ssh_config debug1: Applying options for * debug1: Connecting to RECHNERX [003.002.001.007]port 22. debug1: Connection established. debug1: identity file /DVZ/BENUTZER/.ssh/identity type -1 debug1: identity file /DVZ/BENUTZER/.ssh/id_rsa type -1 debug1: identity file /DVZ/BENUTZER/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1 debug1: match: OpenSSH_3.8p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'RECHNERX' is known and matches the RSA host key. debug1: Found key in /DVZ/BENUTZER/.ssh/known_hosts:2 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password,keyboard- interactive debug1: Next authentication method: publickey debug1: Trying private key: /DVZ/BENUTZER/.ssh/identity debug1: Trying private key: /DVZ/BENUTZER/.ssh/id_rsa debug1: Trying private key: /DVZ/BENUTZER/.ssh/id_dsa debug1: Next authentication method: password Veiel_U@RECHNERX's password: debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug1: Entering interactive session. Last login: Mon Jun 28 12:19:25 2004 from terminal#1 Veiel_U@RECHNERX:~ > exit logout debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: channel 0: free: client-session, nchannels 1 Connection to RECHNERX closed. debug1: Transferred: stdin 0, stdout 0, stderr 32 bytes in 12.4 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2.6 debug1: Exit status 0 $ My configure call with options: configure --with-tcp-wrappers=/DVZ/BENUTZER/openssh/tcp_wrappers_7.6 -- prefix=/opt/openssh --sysconfdir=/etc/openssh --with-ipv4-default Changes against OpenSSH-3.7.1.p2 (Configure) checking for library containing res_query... âlresolv
Assuming you have "files" in nsswitch.conf or its equivalent, it sounds like a broken getaddrinfo. Try adding "#define BROKEN_GETADDRINFO 1" to config.h *after* running configure, then build and test.
I'm sorry your Correction ist not effective.
In that case, it looks like your local resolver is somehow broken. ssh doesn't do anything special with regards to name lookups, when BROKEN_GETADDRINFO is defined it just uses gethostbyname()
I don't think that we have a broken local resolver. Because nslookup works fine and the /etc/hosts is o.k. A recompilation of the Version 3.7.1p2 with the same configure paramaters as in 3.8xx works with no errors. While testing the openssh, we could see that the libssh was linked as static library (3.8) and in 3.7.1p2 it was linked dynamic.
nslookup is not a good test, usually it does not normally use gethostbyname or getaddrinfo, but rather sends DNS requests itself (bypassing the local resolver). Try some other programs, eg ping, telnet (and if possible one that uses getaddrinfo and one that uses gethostbyname). Is BROKEN_GETADDRINFO defined in config.h for either of 3.7.1p2 or 3.8.1p1? You can also try this test program,, which I wrote last time we had reports of problems with getaddrinfo: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108675611705663
this is in all versions of config.h: /* getaddrinfo is broken (if present) */ /* #undef BROKEN_GETADDRINFO */ testing: $ telnet mhpadkuc 23 Trying 123.123.123.23 ... telnet: connect: Connection refused telnet>quit ssh -v Veiel_U@mhpadkuc OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/openssh/ssh_config debug1: Applying options for * ssh: mhpadkuc: no address associated with name your test-programm "getaddrinfospeed.c" cannot be compiled on Reliant-Unix
Does Reliant have getaddrinfo? If so, is it #defined to something else in in /usr/include someplace? (I think Tru64 does that, and it actually has 2 versions with different semantics).
You can also try manually editing Makefile after running configure and removing "-ldl" from LIBS (that was added between 3.7.1p2 and 3.8p1).
We have found a solution for our problem: we made the follwing change in the Makefile after configure: original: LIBS=-lresolv -lcrypto -lz -lsocket -lnsl -ldl -lgen -lucb after our change: LIBS=-lcrypto -lz -lsocket -lnsl -ldl -lgen -lresolv åucb Result: move "åresolv" a few positions backward at LIBS variable. make make install ssh -v Veiel_U@RECHNERX OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/openssh/ssh_config debug1: Applying options for * debug1: Connecting to RECHNERX [003.002.001.007] port 22. debug1: Connection established. debug1: identity file /.ssh/identity type -1 debug1: identity file /.ssh/id_rsa type -1 debug1: identity file /.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1 debug1: match: OpenSSH_3.8.1p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'RECHNERX' is known and matches the RSA host key. debug1: Found key in /.ssh/known_hosts:42 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password,keyboard- interactive debug1: Next authentication method: publickey debug1: Trying private key: /.ssh/identity debug1: Trying private key: /.ssh/id_rsa debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password,keyboard- interactive debug1: Trying private key: /.ssh/id_dsa debug1: Next authentication method: password Veiel_U@RECHNERX's password: debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug1: Entering interactive session. Last login: Tue Jul 6 14:10:34 2004 from terminal Veiel_U@RECHNERX:~ >exit thanks for your help
Created attachment 814 [details] Append -lresolv to LIBS early on Reliant Unix libresolv isn't checked until late in configure, and if it's needed the it's *prepended* to LIBS. Reliant Unix apparently doesn't like that. This patch does it early on Reliant. I think the root cause is probably a linker bug, but I think this should work around it. I will also attach a configure rebuilt with this patch. Could you please replace the configure that comes with OpenSSH 3.9p1 with this new one and confirm whether or not it resolves the problem?
Created attachment 815 [details] configure.gz: from 3.9p1 rebuilt with patch 814
Target next release. BTW if you have a working autoconf (v2.59) then you could also just apply the patch and rebuild configure yourself with "autoreconf".
Since the patch affects only Reliant (which appears to be problematic anyway), I've applied it. It will be in tomorrow's snapshot. If it turns out to not resolve it then please reopen this bug.
With the release of OpenSSH 4.0, these bugs are now closed. For details, see: http://www.openssh.com/txt/release-4.0