Displaying 20 results from an estimated 28 matches for "no_port_forwarding_flag".

2000 Jul 12
1
Problems with Port Forwarding and Password auth
...t meant I didn't have my ftp server working right, but that clearly wasn't true. So I decided it was time to dig out the source. (I love that about open source). Anyways, after a few moments of checking, I was able to trace the problem down to this line in input_direct_tcpip() ... if (! no_port_forwarding_flag) ... Basically the no_port_forwarding_flag was set to 0. Which seemed odd because I set the GatewayPorts to yes, in the sshd_config. So I look further, and it seems that the no_port_forwarding_flag only is set in one place inside sshd. That is in auth_parse_options(). Unfortunately auth_parse_...
2000 Aug 11
1
OpenSSH Questions
Heya, I'm trying to convince my company to use OpenSSH instead of the commercial SSH version. I need a little help: 1. What features does OpenSSH offer over commercial SSH (besides being free and open source of course)? 2. Our lawyers want details on the licensing / patents stuff. I have the high level details from the OpenSSH page. I need the nitty gritty like RSA patent# and
2002 Jul 04
1
[PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
...erloop.c,v retrieving revision 1.102 diff -u -p -r1.102 serverloop.c --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 +++ serverloop.c 4 Jul 2002 09:13:34 -0000 @@ -972,8 +972,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disab...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
...ic int sshpam_cred_established = 0; +static int sshpam_account_status = -1; static char **sshpam_env = NULL; struct pam_ctxt { @@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +void +pam_password_change_required(int reqd) +{ + sshpam_new_authtok_reqd = reqd; + if (reqd) { + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } else { + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + + } +} /* Import regular and PAM environment from subprocess */ static void import_environments(B...
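Review bot: In pam_password_change_required() the literal 2 in `|= 2` and `&= ~2` is an undocumented magic bit applied to all three forwarding flags. A named constant with a one-line comment on what that bit means would keep the set and clear branches in step and make clear to readers of the flags elsewhere that they can hold values other than 0 and 1. The else branch also has a stray blank line before its closing brace.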
2003 Jan 29
0
[PATCH] features for restricted shell environments
...xfree(patterns); - goto bad_option; - } - if (options.allow_tcp_forwarding) - channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; } --- auth-pam.c 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ auth-pam.c 29 Jan 2003 20:39:19 -0000 1.2 @@ -358,7 +360,7 @@ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + if (!auth_restricted(RESTRICT_TCP, auth_get_user())) channel_permit_all_opens(); #endif } --- auth.c 28 Jan 2003 18:06:51 -0000 1...
2000 Jul 05
1
Openssh-2.1.1p2 BUG? X11 forwarding no longer works
BUG: X11 forwarding no longer works in Openssh-2.1.1p2. I think this is due to the wrong sense of the test in session.c:1372 session_x11_req(Session *s) { if (!no_port_forwarding_flag) { debug("X11 forwarding disabled in user configuration file."); return 0; } It should be session_x11_req(Session *s) { if (no_port_forwarding_flag) { debug("X11 forwarding disabled in user configuration file."...
2002 Dec 08
1
Password expiry related clarification in OpenSSH3.5p1
...for not using this part of the code? #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif Please reply. Thanks Logsnaath. ----- End forwarded message -----
2009 Oct 21
1
Patch to fix dynamic -R forwarding when not root
...and I did something else wrong when trying to 'ssh -R 0:localhost:22 user@remote', please let me know! --- serverloop.c.original 2009-10-21 10:45:13.000000000 +0300 +++ serverloop.c 2009-10-21 10:53:09.000000000 +0300 @@ -1119,9 +1119,9 @@ if (!options.allow_tcp_forwarding || no_port_forwarding_flag || (!want_reply && listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT - || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) + || (listen_port !=0 && listen_port < IPPORT_RESERVED && pw->pw_uid != 0) #endif ) { success = 0...
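Review bot: The added `listen_port !=0` test in the IPPORT_RESERVED clause is missing a space (`listen_port != 0`) and carries no comment explaining why port 0 is exempt from the non-root check. A short comment that 0 is a request for a server-allocated port, next to the existing `(!want_reply && listen_port == 0)` clause, would stop a later cleanup from folding the two conditions back together.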
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi, sorry if it is the wrong approach to suggest improvements to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in its chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be disallowed in
2000 Aug 13
1
Patches for openssh port forwarding
...int child_wait_status; /* Status from wait(). */ +/* Jarno: Needed to check if port_forwarding is allowed */ +extern ServerOptions options; + void server_init_dispatch(void); void @@ -722,7 +725,10 @@ originator, originator_port, target, target_port); /* XXX check permission */ - if (no_port_forwarding_flag) { + /* Jarno: */ + if (no_port_forwarding_flag || !options.port_forwarding) { + packet_send_debug("Server configuration rejects port forwardings."); + debug("Port forwarding disabled in server configuration."); xfree(target); xfree(originator); return -1; diff -u -r...
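Review bot: The new `packet_send_debug()` and `debug()` messages blame "server configuration" for both halves of `no_port_forwarding_flag || !options.port_forwarding`, so a rejection caused by the flag is reported the same way as one caused by the server option. Split the condition or word the message neutrally so the log shows which control fired. The `/* XXX check permission */` marker still sits above the check this hunk extends, so say what remains unchecked or drop it. The `/* Jarno: */` author tags belong in the commit message rather than in serverloop.c.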
2003 Jul 09
0
[PATCH] Add expired password handling for AIX.
..., status); + return 0; /* NOTREACHED */ + } +} + +/* + * flag that password change is necessary and disable all forwarding + */ +void +flag_password_change_required(void) +{ + debug3("disabling forwarding"); + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; +} + +/* + * Flags that password change was successful. + * XXX: the password change is performed in the process that becomes the + * shell, but the flags must be reset in its parent and currently there is no + * way to notify th...
2003 Jul 30
1
[PATCH] Password expiry merge (AIX parts)
..., status); + return 0; /* NOTREACHED */ + } +} + +/* + * flag that password change is necessary and disable all forwarding + */ +void +flag_password_change_required(void) +{ + debug3("disabling forwarding"); + password_change_required = 1; + + /* disallow other functionality for now */ + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; +} + +/* + * Flags that password change was successful. + * XXX: the password change is performed in the process that becomes the + * shell, but the flags must be reset in its parent and currently there is no + * way to notify th...
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...n the following configurations: Redhat 8 (without PAM) AIX 4.3.3 Solaris 8 (without PAM) HP-UX 11.0 (trusted configuration, with PAM) I'm confused about this from auth-pam.c: /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); Isn't this all in the post-auth privsep slave? Or am I overlooking something? -- Darren Tucker (dtucker at zip.c...
2001 Dec 05
1
permitopen for -R connections?
...ee any functions in channels.c that are intended for setting up the reverse forwarded connections. I assume I will have to add a new check function in: serverloop.c:server_input_global_request at: /* check permissions */ if (!options.allow_tcp_forwarding || no_port_forwarding_flag || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { success = 0; packet_send_debug("Server has disabled port forwarding." I assumed I could implement a parallel mechanism to the -L port checking, but I...
2002 May 11
0
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From stevesk at pobox.com 2002-05-12 04:04 ------- i'm not immediately positive if no_port_forwarding_flag=1 is sufficient. need to investigate more. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
2002 Aug 07
0
[Bug 381] New: unable to access expired accounts using PAM with openssh-3.4P1
...ality has been disabled in auth-pam.c #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2003 Feb 20
0
"if 0" in auth-pam.c
...use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif default: log("PAM rejected by account configuration[%d]: " "%.20...
2004 Mar 29
2
Flags in pam_password_change_required() (auth-pam.c)
Hi I just "stumbled" over the flags settings in pam_password_change_required(). As far as I looked over the OpenSSH code, setting/resetting the 2nd bit in those flags from auth-options.c would only make sense if the flags are checked to be 0/1 in the remaining OpenSSH code. Frank
2003 Jul 30
7
[Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
http://bugzilla.mindrot.org/show_bug.cgi?id=564 ------- Additional Comments From djm at mindrot.org 2003-07-30 11:48 ------- Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly - suggestions wanted. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2000 May 15
1
AIX authenticate patches
.../* data */ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; +#ifdef WITH_AIXAUTHENTICATE +/* AIX's lastlogin message, set in auth1.c */ +char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ /* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */ int no_port_forwarding_flag = 0; @@ -631,6 +642,15 @@ fclose(f); } } +#if defined(WITH_AIXAUTHENTICATE) + /* + * AIX handles the lastlog info differently. Display it here. + */ + if (command == NULL && aixloginmsg && *aixloginmsg && + !quiet_login && !options.use_login)...