search for: channel_permit_all_opens

Heya, I'm trying to convince my company to use OpenSSH instead of the commercial SSH version. I need a little help: 1. What features does OpenSSH offer over commercial SSH (besides being free and open source of course)? 2. Our lawyers want details on the licensing / patents stuff. I have the high level details from the OpenSSH page. I need the nitty gritty like RSA patent# and

...c 29 Jan 2003 20:39:19 -0000 1.2 @@ -358,7 +360,7 @@ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + if (!auth_restricted(RESTRICT_TCP, auth_get_user())) channel_permit_all_opens(); #endif } --- auth.c 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ auth.c 29 Jan 2003 21:26:11 -0000 1.4 @@ -291,6 +293,31 @@ return 0; } +/* + * Is the user subject to this restriction? + */ +int +auth_restricted(int restriction, struct passwd *pw) +{ + debug2("user shell is %s", pw-&...

Hi, Just a usecase that I'm sure has been covered before but just in case its not an openssh solution would be very helpful. I was trying to install software on a server that was firewalled so no outbound http connections would work. I was also tunnelling via another server. Outbound ssh connections also were a convenient option. What would have been nice would be a remote version of

...supply name)"); } packet_check_eom(); - sock = channel_connect_to(host, host_port); + sock = channel_connect_to(host, host_port, ctxt); if (sock != -1) { c = channel_new("connected socket", SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, @@ -2349,7 +2366,7 @@ void channel_permit_all_opens(void) { - if (num_permitted_opens == 0) + if (num_permitted_opens == 0 && num_permittednet_opens == 0) all_opens_permitted = 1; } @@ -2368,6 +2385,35 @@ } void +channel_add_permittednet_opens(char *netblock, char *netmask, int porta, int portb) +{ + /* XXX this does not make any...

On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

...urn; for (i = 0; i < num_permitted_opens; i++) xfree(permitted_opens[i].host_to_connect); num_permitted_opens = 0; --- channels.h 24 Jul 2002 11:04:17 -0000 1.1.1.1 +++ channels.h 13 Aug 2002 18:47:22 -0000 @@ -193,7 +193,8 @@ /* tcp forwarding */ void channel_set_af(int af); void channel_permit_all_opens(void); -void channel_add_permitted_opens(char *, int); +void channel_fix_permitted_opens(void); +int channel_add_permitted_opens(char *); void channel_clear_permitted_opens(void); void channel_input_port_forward_request(int, int); int channel_connect_to(const char *, u_short); --- se...

....c: /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); Isn't this all in the post-auth privsep slave? Or am I overlooking something? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judge...

...Session *); static int session_pty_req(Session *); @@ -140,7 +140,7 @@ #endif void - -do_authenticated(Authctxt *authctxt) +do_authenticated(Authctxt *authctxt, const char *realname) { /* * Cancel the alarm we set to limit the time taken for @@ -176,9 +176,9 @@ channel_permit_all_opens(); if (compat20) - - do_authenticated2(authctxt); + do_authenticated2(authctxt, realname); else - - do_authenticated1(authctxt); + do_authenticated1(authctxt, realname); /* remove agent socket */ if (auth_get_...

...g revision 1.108 diff -u -r1.108 session.c --- session.c 11 Oct 2001 13:45:21 -0000 1.108 +++ session.c 22 Oct 2001 18:37:43 -0000 @@ -148,18 +148,22 @@ } #endif #endif +#ifdef WITH_TCPFWD /* setup the channel layer */ if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); +#endif if (compat20) do_authenticated2(authctxt); else do_authenticated1(authctxt); +#ifdef WITH_AGENTFWD /* remove agent socket */ if (auth_get_socket_name()) auth_sock_cleanup_proc(authctxt->pw); +#endif #ifdef KRB4 if (options.kerberos_ticket_cleanup) krb4_clean...