search for: permit_user_env

...vironment yes #Compression yes #MaxStartups 10 --- servconf.h 20 Jun 2002 23:05:55 -0000 1.58 +++ servconf.h 24 Jul 2002 16:55:26 -0000 @@ -97,6 +97,7 @@ int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ + int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; --- servconf.c 23 Jun 2002 09:46:51 -0000 1.112 +++ servconf.c 24 Jul 2002 16:55:26 -0000 @@ -87,6 +87,7 @@ options...

...6 OR 7, OCCASIONALLY GALE 8 IN WEST, VEERING NORTHEASTERLY 5 LATER. WINTRY SHOWERS. GOOD. --- auth-options.c 28 Jan 2003 18:06:50 -0000 1.1.1.2 +++ auth-options.c 29 Jan 2003 20:39:19 -0000 1.7 @@ -133,7 +135,7 @@ goto next_option; } cp = "environment=\""; - if (options.permit_user_env && + if (!auth_restricted(RESTRICT_ENV, pw) && strncasecmp(opts, cp, strlen(cp)) == 0) { char *s; struct envstring *new_envstring; @@ -217,8 +219,6 @@ } cp = "permitopen=\""; if (strncasecmp(opts, cp, strlen(cp)) == 0) { - char host[256], sp...

...ialize_server_options(ServerOptions options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; + options->challenge_response_authentication_first = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; @@ -222,6 +223,13 @@ fill_default_server_options(ServerOption options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; + if (options->challenge_response_...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

...e != SSH_CHANNEL_RPORT_LISTENER) + continue; + snprintf(name, sizeof name, "SSH_REMOTE_FORWARD_PORT_%d", n); + snprintf(buf, sizeof buf, "%d", c->listening_port); + child_set_env(&env, &envsize, name, buf); + } + /* read $HOME/.ssh/environment. */ if (options.permit_user_env && !options.use_login) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment",

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of

...rig/servconf.c 2004-08-13 12:30:24.000000000 +0100 +++ openssh-3.9p1.jpmg/servconf.c 2005-01-20 10:11:54.385791373 +0000 @@ -78,16 +78,17 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; + options->num_allow_users_fixedname = 0; options->num_deny_users = 0; options->num_allow_groups = 0; options->num_deny_groups = 0; opt...

Attached is a patch which adds a log= directive to authorized_keys. The text in the log="text" directive is appended to the log line, so you can easily tell which key is matched. For instance the line: log="hello world!",no-agent-forwarding,command="/bin/true",no-pty, no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7" ssh-rsa AAAAB3Nza....xcgaK9xXoU=