search for: authorizedkeyscommanduser

Displaying 20 results from an estimated 26 matches for "authorizedkeyscommanduser".

2014 Oct 10
12
[Bug 2287] New: AuthorizedKeysCommandUser should have it's default documented
https://bugzilla.mindrot.org/show_bug.cgi?id=2287 Bug ID: 2287 Summary: AuthorizedKeysCommandUser should have it's default documented Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: trivial Priority: P5 Component: Documentation Assignee:...
2016 Dec 31
1
[Bug 2657] New: Documentation does not mention that AuthorizedKeysCommandUser accepts "%u" token substitution
https://bugzilla.mindrot.org/show_bug.cgi?id=2657 Bug ID: 2657 Summary: Documentation does not mention that AuthorizedKeysCommandUser accepts "%u" token substitution Product: Portable OpenSSH Version: 7.4p1 Hardware: 68k OS: Mac OS X Status: NEW Severity: enhancement Priority: P5 Component: sshd Assigne...
2013 Apr 15
7
[Bug 2092] New: AuthorizedKeysCommand: bad ownership or modes for file
...Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: descala at gmail.com Created attachment 2245 --> https://bugzilla.mindrot.org/attachment.cgi?id=2245&action=edit Patch uid in auth2-pubkey.c If AuthorizedKeysCommandUser is set to a non-root user, AuthorizedKeysCommand is always reported as unsafe: debug1: temporarily_use_uid: 1000/1000 (e=0/0) Unsafe AuthorizedKeysCommand: bad ownership or modes for file /xxx debug1: restore_uid: 0/0 the bug is easily fixed with the attached patch. -- You are receiving this ma...
2012 Nov 13
1
problem with AuthorizedKeysCommand on OpenBSD
...individual pieces appear to work once configured: # sudo -u nobody /usr/local/libexec/ssh-ldap-wrapper mwlucas ssh-rsa AAAAB3NzaC1yc... ssh-rsa AAAAB3NzaC1yc2EA... (Two keys come out, with a blank line between them) My sshd_config has: AuthorizedKeysCommand /usr/local/libexec/ssh-ldap-wrapper AuthorizedKeysCommandUser nobody (Yes, a user other than nobody will go into production, but I'm just trying to make the blasted thing work right now.) The keys don't seem to be making it to the SSH server, however. Run with debugging, I get: ... debug3: mm_request_receive entering debug3: monitor_read: checking...
2012 Oct 31
5
AuthorizedKeysCommand support added
...le argument of the user being logged in. It produces on stdout zero or more lines in authorized_keys format. The program must terminate normally and with a zero exit status or its output is disregarded. The program is executed as the user being logged in, unless a different user is specified using AuthorizedKeysCommandUser. A facility like this grants a large opportunity to shoot oneself in the foot. We try to prevent obvious mistakes (like having the command writable by others), but the best approach is to use a well-audited helper, owned and writable only by root, that runs under a dedicated account that is not us...
2013 Oct 17
10
[Bug 2161] New: AuthorizedKeysCommand is not executed when defined inside Match block
...Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: wijet at wijet.pl I have the following at the end of my sshd_config Match User git AuthorizedKeysCommand /opt/git/authorized_keys AuthorizedKeysCommandUser git When I ssh as git user I see in logs the following: Oct 17 19:59:58 cc sshd[6136]: debug3: checking match for 'User git' user git host X addr IP laddr IP lport 22 Oct 17 19:59:58 cc sshd[6136]: debug1: user git matched 'User git' at line 84 Oct 17 19:59:58 cc sshd[6136]: debug...
2014 May 30
2
AuthorizedKeysCommand run as the user
Is there any way to make the AuthorizedKeysCommand as the user which is trying to log in? Thanks. -- Yves.
2023 Apr 03
0
sftp and utmp
...sponseAuthentication no > GSSAPIAuthentication no > Subsystem sftp internal-sftp [...] > Match group JUST-SFTP_USERS_GROUP > ChrootDirectory %h [...] > ForceCommand internal-sftp -l INFO -u 0077 [...] > AuthorizedKeysCommand AKC_SCRIPT > AuthorizedKeysCommandUser AKC_USER > $ cat AKC_SCRIPT > #!/bin/sh [...] > MANDANT="$1" > if [ "`echo $MANDANT | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then > # Unsupported characters in username. Refuse to work. > $LOG.warning &quo...
2014 Aug 29
90
[Bug 2266] New: Bugs intended to be fixed in 6.8
https://bugzilla.mindrot.org/show_bug.cgi?id=2266 Bug ID: 2266 Summary: Bugs intended to be fixed in 6.8 Product: Portable OpenSSH Version: -current Hardware: Other OS: All Status: NEW Severity: normal Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at
2020 Feb 18
11
[Bug 3122] New: New Include functionality does not work as documented
...to validate the ssh keys. If I use the include functionality like this: Include /etc/ssh/ssh.d/* And on the /etc/ssh/ssh.d directory I have a config file like this: Match User <user> PasswordAuthentication no AuthorizedKeysCommand <command> "%t" "%k" AuthorizedKeysCommandUser <user> AcceptEnv <some var> It doesn't work. sshd -t tells me the syntax is valid and, when I run sshd with -ddd I see the file getting parsed and loaded, but, when trying to login it operates as if the AuthorizedKeysCommand isn't there. On the other hand, if I do somethin...
2023 May 22
6
[Bug 3574] New: ssh ignores AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set
...kanizer. As a result of this, a new bug was introduced that causes the parser to ignore AuthorizedPrincipalsCommand if AuthorizedKeysCommand is also set. To Reproduce Set AuthorizedPrincipalsCommand and AuthorizedPrincipalsCommandUser to a valid value in sshd_config. Set AuthorizedKeysCommand and AuthorizedKeysCommandUser to a valid value. Suggest using a script that will touch a file to prove it was executed. Reload sshd and login. AuthprizedKeysCommand will not be executed. Remove AuthorizedKeysCommand from the sshd_config and it will work. Suggested patch is attached. -- You are receiving this mail because: Y...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
..., sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "kexalgorithms", sKexAlgorithms, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, @@ -1239,7 +1239,7 @@ process_server_config_line(ServerOptions if (!ciphers_valid(arg)) fatal("%s line %d: Bad SSH2 cipher spec '%s'.", filename, linenum, arg ? arg : "<NONE>"); - if (options->ciph...
2013 Mar 22
4
Announce: OpenSSH 6.2 released
...to specify whether just local or remote TCP forwarding is enabled. * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option. * sftp-server(8): Now supports a -d option to allow the starting directory to be something other than the user's home directory. * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11 tokens using "ssh-keygen -lD pkcs11_provider". * ssh...
2013 Mar 22
0
Announce: OpenSSH 6.2 released
...to specify whether just local or remote TCP forwarding is enabled. * sshd(8): Added a sshd_config(5) option AuthorizedKeysCommand to support fetching authorized_keys from a command in addition to (or instead of) from the filesystem. The command is run under an account specified by an AuthorizedKeysCommandUser sshd_config(5) option. * sftp-server(8): Now supports a -d option to allow the starting directory to be something other than the user's home directory. * ssh-keygen(1): Now allows fingerprinting of keys hosted in PKCS#11 tokens using "ssh-keygen -lD pkcs11_provider". * ssh...
2016 Sep 27
4
[Bug 2618] New: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon
https://bugzilla.mindrot.org/show_bug.cgi?id=2618 Bug ID: 2618 Summary: net-misc/openssh-7.2_p2: Terribly slow Interactive Logon Product: Portable OpenSSH Version: 7.2p2 Hardware: amd64 OS: Linux Status: NEW Severity: major Priority: P5 Component: sshd
2020 Sep 26
2
Debian client/workstation pam_mount
...hTries 6 > #MaxSessions 10 > > #PubkeyAuthentication yes > > # Expect .ssh/authorized_keys2 to be disregarded by default in future. > #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 > > #AuthorizedPrincipalsFile none > > #AuthorizedKeysCommand none > #AuthorizedKeysCommandUser nobody > > # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts > #HostbasedAuthentication no > # Change to yes if you don't trust ~/.ssh/known_hosts for > # HostbasedAuthentication > #IgnoreUserKnownHosts no > # Don't read the user's ~/.rhost...
2014 Jun 23
2
ListenAdress Exclusion
I was wondering what everyone's thoughts were on a simpler way to exclude addresses from having listeners on them. I know a lot of people have multiple subnets, especially larger corporations. Some networks are non-route-able, and therefor unsuitable for use with SSH, aside from communication between other servers on the same subnet. Given that we may want to exclude those non-route-able
2016 Jun 29
3
SSH Closes Immediately After Opening
...tication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication IgnoreUser...
2014 Feb 10
0
[PATCH] Basic SCTP support for OpenSSH client and server
...isten_via_sctp = 0; + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_NOSANDBOX; @@ -347,7 +353,7 @@ typedef enum { sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, + sAuthenticationMethods, sHostKeyAgent, sListenViaSCTP, sDeprecated, sUnsupported } ServerOpCodes; @@ -474,6 +480,11 @@ static struct { { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "versionaddendum&quot...
2020 Sep 26
2
Debian client/workstation pam_mount
Maybe I am not testing the signin correctly. Here is what I am doing. I sign into the client/workstation (hereafter referred to as C/W) via ssh as the local "admin" from another C/W so I can open many terminals to tail log files. Then "sudo -i" into "root". All testing is run as "root". When I sign into "root", I see this: > admin at lws4:~$