Displaying 20 results from an estimated 26 matches for "authorizedkeyscommanduser".
2014 Oct 10
12
[Bug 2287] New: AuthorizedKeysCommandUser should have its default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287
Bug ID: 2287
Summary: AuthorizedKeysCommandUser should have its default
documented
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: Documentation
Assignee:...
2016 Dec 31
1
[Bug 2657] New: Documentation does not mention that AuthorizedKeysCommandUser accepts "%u" token substitution
https://bugzilla.mindrot.org/show_bug.cgi?id=2657
Bug ID: 2657
Summary: Documentation does not mention that
AuthorizedKeysCommandUser accepts "%u" token
substitution
Product: Portable OpenSSH
Version: 7.4p1
Hardware: 68k
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assigne...
2013 Apr 15
7
[Bug 2092] New: AuthorizedKeysCommand: bad ownership or modes for file
...Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: descala at gmail.com
Created attachment 2245
--> https://bugzilla.mindrot.org/attachment.cgi?id=2245&action=edit
Patch uid in auth2-pubkey.c
If AuthorizedKeysCommandUser is set to a non-root user,
AuthorizedKeysCommand is always reported as unsafe:
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
Unsafe AuthorizedKeysCommand: bad ownership or modes for file /xxx
debug1: restore_uid: 0/0
The bug is easily fixed with the attached patch.
--
You are receiving this ma...
2012 Nov 13
1
problem with AuthorizedKeysCommand on OpenBSD
...individual pieces appear to work once
configured:
# sudo -u nobody /usr/local/libexec/ssh-ldap-wrapper mwlucas
ssh-rsa AAAAB3NzaC1yc...
ssh-rsa AAAAB3NzaC1yc2EA...
(Two keys come out, with a blank line between them)
My sshd_config has:
AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper
AuthorizedKeysCommandUser nobody
(Yes, a user other than nobody will go into production, but I'm just
trying to make the blasted thing work right now.)
The keys don't seem to be making it to the SSH server, however. Run
with debugging, I get:
...
debug3: mm_request_receive entering
debug3: monitor_read: checking...
2012 Oct 31
5
AuthorizedKeysCommand support added
...le
argument of the user being logged in. It produces on stdout zero or more
lines in authorized_keys format. The program must terminate normally and
with a zero exit status or its output is disregarded.
The program is executed as the user being logged in, unless a different
user is specified using AuthorizedKeysCommandUser.
A facility like this grants a large opportunity to shoot oneself in
the foot. We try to prevent obvious mistakes (like having the command
writable by others), but the best approach is to use a well-audited
helper, owned and writable only by root, that runs under a dedicated
account that is not us...
2013 Oct 17
10
[Bug 2161] New: AuthorizedKeysCommand is not executed when defined inside Match block
...Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: wijet at wijet.pl
I have the following at the end of my sshd_config
Match User git
AuthorizedKeysCommand /opt/git/authorized_keys
AuthorizedKeysCommandUser git
When I ssh as git user I see in logs the following:
Oct 17 19:59:58 cc sshd[6136]: debug3: checking match for 'User git'
user git host X addr IP laddr IP lport 22
Oct 17 19:59:58 cc sshd[6136]: debug1: user git matched 'User git' at
line 84
Oct 17 19:59:58 cc sshd[6136]: debug...
2014 May 30
2
AuthorizedKeysCommand run as the user
Is there any way to make the AuthorizedKeysCommand run as the user which is trying
to log in?
Thanks.
--
Yves.
2023 Apr 03
0
sftp and utmp
...sponseAuthentication no
> GSSAPIAuthentication no
> Subsystem sftp internal-sftp
[...]
> Match group JUST-SFTP_USERS_GROUP
> ChrootDirectory %h
[...]
> ForceCommand internal-sftp -l INFO -u 0077
[...]
> AuthorizedKeysCommand AKC_SCRIPT
> AuthorizedKeysCommandUser AKC_USER
> $ cat AKC_SCRIPT
> #!/bin/sh
[...]
> MANDANT="$1"
> if [ "`echo $MANDANT | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then
> # Unsupported characters in username. Refuse to work.
> $LOG.warning "...
2014 Aug 29
90
[Bug 2266] New: Bugs intended to be fixed in 6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2266
Bug ID: 2266
Summary: Bugs intended to be fixed in 6.8
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at
2020 Feb 18
11
[Bug 3122] New: New Include functionality does not work as documented
...to validate the ssh keys.
If I use the include functionality like this:
Include /etc/ssh/ssh.d/*
And on the /etc/ssh/ssh.d directory I have a config file like this:
Match User <user>
PasswordAuthentication no
AuthorizedKeysCommand <command> "%t" "%k"
AuthorizedKeysCommandUser <user>
AcceptEnv <some var>
It doesn't work. sshd -t tells me the syntax is valid and, when I run
sshd with -ddd I see the file getting parsed and loaded, but, when
trying to login it operates as if the AuthorizedKeysCommand isn't
there.
On the other hand, if I do somethin...
2023 May 22
6
[Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
...kanizer. As a result of
this, a new bug was introduced that causes the parser to ignore
AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set.
To Reproduce
Set AuthorizedPrincipalsCommand and AuthorizedPrincipalsCommandUser to
a valid value in sshd_config.
Set AuthorizedKeysCommand and AuthorizedKeysCommandUser to a valid
value. Suggest using a script that will touch a file to prove it was
executed.
Reload sshd and login.
AuthorizedKeysCommand will not be executed.
Remove AuthorizedKeysCommand from the sshd_config and it will work.
Suggested patch is attached.
--
You are receiving this mail because:
Y...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
..., sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
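Review bot: The `kexalgorithms` entry moves from SSHCFG_GLOBAL to SSHCFG_ALL, which allows the keyword inside any Match block, but key exchange completes before the user name is known, so a Match on User or Group cannot influence it. Either restrict the keyword to Match criteria that are available at connection time (address and port) and reject the rest at parse time, or document the limitation in sshd_config(5) together with this table change.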
@@ -1239,7 +1239,7 @@ process_server_config_line(ServerOptions
if (!ciphers_valid(arg))
fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
filename, linenum, arg ? arg : "<NONE>");
- if (options->ciph...
2013 Mar 22
4
Announce: OpenSSH 6.2 released
...to specify whether just local or remote TCP forwarding is
enabled.
* sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to
support fetching authorized_keys from a command in addition to (or
instead of) from the filesystem. The command is run under an account
specified by an AuthorizedKeysCommandUser sshd_config(5) option.
* sftp-server(8): Now supports a -d option to allow the starting
directory to be something other than the user's home directory.
* ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11
tokens using "ssh-keygen -lD pkcs11_provider".
* ssh...
2016 Sep 27
4
[Bug 2618] New: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon
https://bugzilla.mindrot.org/show_bug.cgi?id=2618
Bug ID: 2618
Summary: net-misc/openssh-7.2_p2: Terribly slow Interactive
Logon
Product: Portable OpenSSH
Version: 7.2p2
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
2020 Sep 26
2
Debian client/workstation pam_mount
...hTries 6
> #MaxSessions 10
>
> #PubkeyAuthentication yes
>
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
>
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhost...
2014 Jun 23
2
ListenAddress Exclusion
I was wondering what everyone's thoughts were on a simpler way to exclude
addresses from having listeners on them.
I know a lot of people have multiple subnets, especially larger
corporations.
Some networks are non-route-able, and therefore unsuitable for use with SSH,
aside from communication between other servers on the same subnet.
Given that we may want to exclude those non-route-able
2016 Jun 29
3
SSH Closes Immediately After Opening
...tication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUser...
2014 Feb 10
0
[PATCH] Basic SCTP support for OpenSSH client and server
...isten_via_sctp = 0;
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -347,7 +353,7 @@ typedef enum {
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- sAuthenticationMethods, sHostKeyAgent,
+ sAuthenticationMethods, sHostKeyAgent, sListenViaSCTP,
sDeprecated, sUnsupported
} ServerOpCodes;
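Review bot: `sListenViaSCTP` in the ServerOpCodes enum is a listener-level setting, so its keyword-table entry should be registered as SSHCFG_GLOBAL rather than SSHCFG_ALL like the neighbouring `authorizedkeyscommanduser` entry, because the listening socket is created before any Match block can be evaluated. The option also needs an sshd_config(5) entry that states its default, which the `listen_via_sctp = 0` initialisation implies is off.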
@@ -474,6 +480,11 @@ static struct {
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
{ "versionaddendum"...
2020 Sep 26
2
Debian client/workstation pam_mount
Maybe I am not testing the signin correctly. Here is what I am doing. I
sign into the client/workstation (hereafter referred to as C/W) via ssh as
the local "admin" from another C/W so I can open many terminals to tail log
files. Then "sudo -i" into "root". All testing is run as "root". When I
sign into "root", I see this:
> admin@lws4:~$