search for: sclientalivecountmax

...ers == -1) + options->chroot_users = 0; + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; *************** *** 298,304 **** sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, ! sUsePrivilegeSeparation, sDeprecated } ServerOpCodes; --- 302,308 ---- sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthor...

...;authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->log_fingerprint == -1) + options->log_fingerprint = 0; } /* Keyword tokens. */ @@ -261,6 +264,7 @@ sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sLogFingerprint, sDeprecated } ServerOpCodes; @@ -334,6 +338,7 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 },...

The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2

...horized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; } /* Keyword tokens. */ @@ -263,7 +258,7 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sClientAliveCountMax, sAuthorizedKeysFile, sDeprecated } ServerOpCodes; @@ -336,7 +331,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile"...

...;idletimeout == -1) + options->idletimeout=0; } /* Keyword tokens. */ @@ -235,7 +238,8 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sPAMAuthenticationViaKbdInt + sClientAliveCountMax, sPAMAuthenticationViaKbdInt, + sIdleTimeout } ServerOpCodes; /* Textual representation of the tokens. */ @@ -302,6 +306,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMa...

...;idletimeout == -1) + options->idletimeout=0; } /* Keyword tokens. */ @@ -235,7 +238,8 @@ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sPAMAuthenticationViaKbdInt + sClientAliveCountMax, sPAMAuthenticationViaKbdInt, + sIdleTimeout } ServerOpCodes; /* Textual representation of the tokens. */ @@ -302,6 +306,7 @@ { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMa...

...wn option */ @@ -259,11 +262,11 @@ sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sDeprecated + sDeprecated, sLogKeyFingerprint } ServerOpCodes; /* Textual representation of the tokens. */ static struct { const char *name; @@ -332,10 +335,11 @@ { "reversemappingcheck", sReverseMappingCheck }, { "clientalive...

..._allow_groups = 0; + options->num_pkey_deny_groups = 0; options->ciphers = NULL; options->macs = NULL; options->protocol = SSH_PROTO_UNKNOWN; @@ -267,7 +271,8 @@ sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, - sDeprecated + sDeprecated, sPubkeyAllowUsers, sPubkeyDenyUsers, + sPubkeyAllowGroups, sPubkeyDenyGroups } ServerOpCodes; /* Textual representation of the tokens. */ @@ -342,6 +347,10 @@ { "clientalivecountmax", sClientAliveCountMax },...

...ewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sCheckMaxStartups, sMaxStartups, sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -353,6 +357,7 @@ { "protocol", sProtocol }, { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, + { "checkmaxstartups", sCheckMaxStartups }, { "maxstartups", sMaxStartups }, { &quo...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

...sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, - sBanner, sReverseMappingCheck, sHostbasedAuthentication, + sBanner, sReverseMappingCheck, sHostbasedAuthentication, sXAuthorityInTmp, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sDeprecated @@ -313,6 +314,7 @@ { "x11forwarding", sX11Forwarding }, { "x11displayoffset", sX11DisplayOffset }, { "xauthlocation", sXAuthLocation }, + { "xauthorityintmp", sXAuthorityInTmp }, { "stri...

Hello, I am trying to force a command for all users *except* for users in the "wheel" group. My idea was to do the following in sshd_config: ForceCommand /usr/bin/validate-ssh-command Match Group wheel ForceCommand But obviously this doesn't work, because ForceCommand requires an argument. I couldn't find a way to achieve what I want. I wrote a patch that adds a

...) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->nodelay == -1) + options->nodelay = 0; } /* Keyword tokens. */ @@ -261,6 +264,7 @@ sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sNoDelay, sDeprecated } ServerOpCodes; @@ -334,6 +338,7 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, + { &qu...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

...7 @@ dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); dump_cfg_int(sMaxAuthTries, o->max_authtries); dump_cfg_int(sMaxSessions, o->max_sessions); + dump_cfg_int(sMaxDisplays, o->max_displays); dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); diff -Naur openssh-portable/servconf.h openssh-portable-maxdisplays/servconf.h --- openssh-portable/servconf.h 2016-06-01 21:14:01.820052926 -0400 +++ openssh-portable-maxdisplays/servconf.h...

...ULL; options->num_host_key_files = 0; options->pid_file = NULL; + options->log_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; @@ -302,6 +303,7 @@ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sUsePrivilegeSeparation, + sLogFile, sDeprecated } ServerOpCodes; @@ -380,6 +382,7 @@ { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sU...

I'm reading this fine article on O'Reilly: http://linux.oreillynet.com/lpt/a//linux/2001/11/08/ssh_keystroke.html <quote> The paper concludes that the keystroke timing data observable from today's SSH implementations reveals a dangerously significant amount of information about user terminal sessions--enough to locate typed passwords in the session data stream and reduce the

...+ case sAddressFamily: intptr = &options->address_family; multistate_ptr = multistate_addressfamily; @@ -1974,6 +2003,9 @@ dump_config(ServerOptions *o) dump_cfg_int(sMaxSessions, o->max_sessions); dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); +#ifdef USE_SCTP + dump_cfg_int(sListenViaSCTP, o->listen_via_sctp); +#endif /* formatted integer arguments */ dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); diff --git a/servconf.h b/servconf.h index 752d1c5..77bb49e 100644 --- a/servconf.h +++...

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

...ers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sUsePrivilegeSeparation, @@ -347,16 +348,18 @@ { "permitemptypasswords", sEmptyPasswd }, { "permituserenvironment", sPermitUserEnvironment }, { "uselogin", sUseLogin...