search for: permitlocalcommand

Displaying 17 results from an estimated 17 matches for "permitlocalcommand".

2006 Jul 06
2
scp/sftp weirdness
Hi ya'll- I'm having this weird problem with the new version of OpenSSH compiled on Solaris, version 4.3p2. SSH and SSHD work fine, all is well. But when I try to sftp or scp something I get this: % sftp bullitt Connecting to bullitt... command-line: line 0: Bad configuration option: PermitLocalCommand Connection closed % "PermitLocalCommand" doesn't appear in sshd_config or ssh_config, so I have no idea what's up... Has anyone seen this kind of thing before? Thanks for any insight, erich
2008 Jun 12
1
[Bug 1280] LocalCommand and variables
https://bugzilla.mindrot.org/show_bug.cgi?id=1280 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Blocks| |1452 --- Comment #1 from Damien Miller
2009 Jul 08
4
Feature request: "SetupCommand" invoked before connecting
...tem "SetupCommand": Sample Implementation: ~~~~~~~~~~~~~~~~~~~~~~ I propose adding a new configuration item "SetupCommand" for the ssh client software. It would accept a string that is treated exactly the same as LocalCommand. As with LocalCommand it should also be ignored when PermitLocalCommand is disabled. Otherwise the command should be executed right before connecting to the server. I created a patch against 5.1p1 and tested it (attached). What do you think about this: 1) Is option 3 the best approach or did I overlook something? 2) Is this useful enough to patch ssh? 3) Can this im...
2011 Jan 05
0
[PATCH] fix %n expansion in LocalCommand
...ks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/host-expand.sh b/regress/host-expand.sh new file mode 100644 index 0000000..cd4e03c --- /dev/null +++ b/regress/host-expand.sh @@ -0,0 +1,18 @@ +# Placed in the Public Domain. + +tid="expand %h and %n" + +echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy +printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy + +cat >expect <<EOE +somehost +127.0.0.1 +EOE + +for p in 1 2; do + verbose "test $tid: proto $p" + ${SSH} -F $OBJ/ssh_proxy -$p...
2009 Aug 30
1
ssh could have a grace period a la sudo
Hi. It would be nice to be able to configure sshd so that the following would work: After a successful password-authenticated connection from client user x on client host y, subsequent connections from client user x on client host y within a (resetting) time limit would succeed without re-authenticating via password. Perhaps this would be achieved by sshd sending the client ssh a key that
2006 Jan 24
2
Tunneling lock/hangs/unidirectional
...reeBSD lab1 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Jan 13 13:01:17 EST 2006 root@:/usr/src/sys/i386/compile/SMP i386 # cat /etc/sysctl.conf | egrep -v '(^#|^$)' net.inet.ip.fastforwarding=1 # cat ~/.ssh/config Host 169.254.254.20 Tunnel yes TunnelDevice 0:any PermitLocalCommand yes LocalCommand sh /root/scripts/netstart tun0 # cat /root/scripts/netstart #!/bin/sh ifconfig $1 inet 169.254.253.10 169.254.253.20 netmask 255.255.255.0 && \ route add host2 169.254.253.20 lab 2 config: # uname -a FreeBSD lab2 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri J...
2010 Aug 23
3
[Bug 1808] New: "SetupCommand" invoked before connecting
...tem "SetupCommand": Sample Implementation: ~~~~~~~~~~~~~~~~~~~~~~ I propose adding a new configuration item "SetupCommand" for the ssh client software. It would accept a string that is treated exactly the same as LocalCommand. As with LocalCommand it should also be ignored when PermitLocalCommand is disabled. Otherwise the command should be executed right before connecting to the server. I created a patch against 5.1p1 and tested it (attached). The patch can be successfully applied to 5.6p1, too. Discussion: ~~~~~~~~~~~ After I proposed this patch on the mailing list (see above) it was dis...
2023 Mar 01
2
Uniquely Identifying the Local TTY of an SSH Connection
...e host and inform this parked RemoteCommand about the name of the local tty. To make this a bit more concrete, the config block to make this work with my tool looks like

```
Host = your-ssh-target-name
Hostname your.ssh.host.example.com
RemoteCommand shpool plumbing ssh-remote-command
PermitLocalCommand yes
LocalCommand ssh -oPermitLocalCommand=no -oRemoteCommand="shpool plumbing ssh-local-command-set-metadata '%u@%h:%p$(tty)'" %n
```

This kinda works, but has several fairly big problems. A really obvious one is that single global parking slot which opens this protocol up to...
2006 Dec 14
1
Problems using gssapi authentication from FreeBSD to Linux machines
...ecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VersionAddendum FreeBSD-20061110 # Add kerberos ticket forwarding # QAK - 12/13/06 Host * GSSAPIAuthentication yes GSSAPIDelegateCredentials yes # If this option is set to yes then the remote X11 clients will have full access # to the local X11 display. As virtually no X11 clien...
2012 Feb 12
0
PATCH: multiple BindAddress
....num_bind_address = 1; break; case 'F': config = optarg; diff -rupN orig/openssh-5.9p1/ssh_config openssh-5.9p1/ssh_config --- orig/openssh-5.9p1/ssh_config 2010-01-12 10:40:27.000000000 +0200 +++ openssh-5.9p1/ssh_config 2012-02-12 16:57:02.150192696 +0200 @@ -45,3 +45,8 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com + +# --Examble of BindAddress +# BindAddress 192.168.0.1 3004:aaaa::beef any +# This means, that ssh tries 192.168.0.1 if fail to bind, next address willbe 3004:aaaa::beef and if it fails, +# uses default bind s...
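Review bot: the comment block appended to ssh_config has typos ("Examble" should be "Example", "willbe" should be "will be") and its sample IPv6 address 3004:aaaa::beef is not from the range reserved for documentation; an address under 2001:db8::/32 is the safer choice for text shipped in a default config file. The surrounding context lines are all single-line "# Option value" entries, so the multi-line explanation of the fallback order would fit better in the manual page, leaving only the "# BindAddress ..." line here.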
2013 May 14
15
[Bug 2103] New: remote command as an option in ssh_config
https://bugzilla.mindrot.org/show_bug.cgi?id=2103 Bug ID: 2103 Summary: remote command as an option in ssh_config Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh
2020 Oct 30
3
SSH client and bracketed paste mode
..., this might have a mild security impact for the weird border case, where someone copy and pastes input to a remote terminal, e.g. after reading seemingly unproblematic commands on a webpage or in a mail. In worst case, that could allow unwanted remote connections to the local machine or with "PermitLocalCommand" execute commands on the client. For the case where the remote machine is compromised, the admin would need to copy and paste problematic text while seeing it, e.g. by expanding an attacker-created file using tab expansion and copy-pasting the file name then (or paste it while writing the mai...
2011 Jan 07
1
[RFC/PATCH] ssh: config directive to modify the local environment
...+++++++++++++++++++++++ ssh.c | 57 +++++++++++++ 5 files changed, 452 insertions(+), 2 deletions(-) diff --git a/readconf.c b/readconf.c index eb4a8b9..9f862a9 100644 --- a/readconf.c +++ b/readconf.c @@ -135,7 +135,7 @@ typedef enum { oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, oKexAlgorithms, oIPQoS, - oDeprecated, oUnsupported + oDeprecated, oUnsupported, oLocalEnvMod } OpCodes; /* Textual representations of the tokens. */ @@ -245,6 +245,7 @@ static struct { #endif { "kexalgorithms"...
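Review bot: in the OpCodes enum in readconf.c, oLocalEnvMod is appended after "oDeprecated, oUnsupported", which rewrites the existing last line of the enum. Adding the new opcode on its own line ahead of oDeprecated would keep the two placeholder opcodes at the end and reduce this hunk to a single added line, which also makes it less likely to conflict with other patches that extend the same enum.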
2016 Aug 03
2
Configure option '--with-ssh1' breaks openssh-7.3p1
...id_ecdsa # IdentityFile ~/.ssh/id_ed25519 # Port 22 # Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h -------------- next part -------------- /Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -ddd -p 222 -f /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config debug2: load_server_config: filename /Data/o...
2016 Aug 03
2
Configure option '--with-ssh1' breaks openssh-7.3p1
On 08/03/16 02:12, Darren Tucker wrote: > On Wed, Aug 3, 2016 at 7:42 AM, rl <rainer.laatsch at t-online.de> wrote: > [...] >> /Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -p 222 -f \n >> DESTDIR/usr/local/etc/sshd_config > > It looks like you have an embedded newline in the config file name > you're passing to sshd. If that's the case I'm
2017 Oct 10
3
tunnel device name acquisition?
Numerous how-tos all over the Internet show how one would set up a tunnel using ssh, e.g.: ssh -f -o Tunnel=ethernet <server_ip> true I was wondering if there's a way to subsequently acquire the names of the local and remote tun/tap interfaces (e.g., using the default "-w any:any") for subsequent automatic tunnel configuration, e.g.: ip link set $TapDev up ip link set
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
...ns *); --- openssh-4.7p1/readconf.c Mon Dec 17 03:46:49 2007 +++ openssh-4.7p1/readconf.c Fri Dec 21 15:40:50 2007 @@ -130,6 +130,7 @@ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, + oFipsMode, oDeprecated, oUnsupported } OpCodes; @@ -226,6 +227,7 @@ { "tunneldevice", oTunnelDevice }, { "localcommand", oLocalCommand }, { "permitlocalcommand", oPermitLocalCommand }, + { "fipsmode", oFipsMode}, { NULL, oBadOption } }; @@...
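Review bot: the new keyword table entry { "fipsmode", oFipsMode}, in readconf.c is missing the space before the closing brace that the neighbouring entries ({ "localcommand", oLocalCommand }, { "permitlocalcommand", oPermitLocalCommand }) all have; it should read { "fipsmode", oFipsMode }, to match. The placement of oFipsMode ahead of oDeprecated, oUnsupported in the enum is fine as it stands.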