search for: serveroption

...ddr=196.209.244.243" | grep -i > stream > streamlocalbindmask 0177 > allowstreamlocalforwarding yes oh, that's a bug in the config dump support. diff --git a/servconf.c b/servconf.c index 6111c5a..2094c48 100644 --- a/servconf.c +++ b/servconf.c @@ -2293,6 +2293,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); + dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_b...

...mitted_cnames[MAX_CANON_DOMAINS]; + int connect_via_sctp; char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; diff --git a/servconf.c b/servconf.c index 7ba65d5..b106458 100644 --- a/servconf.c +++ b/servconf.c @@ -57,6 +57,8 @@ static void add_listen_addr(ServerOptions *, char *, int); static void add_one_listen_addr(ServerOptions *, char *, int); +static void add_one_listen_addr_proto(ServerOptions *, char *, + int, int); /* Use of privilege separation or not */ extern int use_privsep; @@ -153,6 +155,7 @@ initialize_server_options(ServerOptions *options)...

Hi All. For various reasons, we're currently looking at extending (or even overhauling) the config parser used for sshd_config. Right now the syntax I'm looking at is a cumulative "Match" keyword that matches when all of the specified criteria are met. This would be similar the the Host directive used in ssh_config, although it's still limiting (eg you can't easily

...============================================ RCS file: /cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -w -u -w -b -p -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 24 Nov 2002 18:43:41 -0000 @@ -378,10 +378,13 @@ void start_pam(const char *user) extern ServerOptions options; extern u_int utmp_len; const char *rhost; + char buf[1024]; debug("Starting up PAM with username \"%.200s\"", user); - pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh); + strlcpy(buf, SSHD_PAM_SERVICE, sizeof(buf)); + strlcat(buf, option...

On 6/26/2024 9:34 PM, Henry Qin wrote: > Hi folks, > > I've recently started to work on a patch for openssh that introduces a new > option to disable authentication. > I'd like to explain why I think this might be generally useful, and solicit > opinions on whether such a patch would be acceptable to the maintainers as > a pull request. Why not just use a different

When I looked at `man pam_unix`, I did not see any obvious options that would cause ssh to authenticate without prompting for a password at all, short of setting an empty password which is similar to PermitEmptyPasswords option. However, I am not very familiar with the internals of PAM, so pointers to documentation would be greatly appreciated. Also, I think adding a single line to sshd_config

On 27.06.24 06:34, Henry Qin wrote: > *Specific use cases:* > 1. Combine sshd on an unprivileged port with kubectl port-forward to > replace kubectl exec for shelling into containers running in a secure > Kubernetes environment. Kubectl exec does not kill processes on disconnect, > and does not support remote port forwarding, while ssh does both of these > things. > 2. Run an

see pam_permit(8) On Thu, Jun 27, 2024 at 10:37?AM Henry Qin <hq6 at cs.stanford.edu> wrote: > > When I looked at `man pam_unix`, I did not see any obvious options that > would > cause ssh to authenticate without prompting for a password at all, short of > setting an empty password which is similar to PermitEmptyPasswords option. > > However, I am not very familiar

Hi folks, I've recently started to work on a patch for openssh that introduces a new option to disable authentication. I'd like to explain why I think this might be generally useful, and solicit opinions on whether such a patch would be acceptable to the maintainers as a pull request. *Why is this useful?* Openssh has useful capabilities such as remote and local port-forwarding, as well

Thanks for the pointer! I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file /etc/pam.d/sshd_disable_auth. auth required pam_permit.so account required pam_permit.so session required pam_permit.so Thus, this does indeed enable disabling authentication. Unfortunately, as far as I can tell, only root can create files

i'm not a maintainer, but my personal opinion is that it's probably easier to prepare a container with this pam configuration On Thu, Jun 27, 2024 at 2:26?PM Henry Qin <hq6 at cs.stanford.edu> wrote: > > Thanks for the pointer! > I played around with PamServiceName set to 'sshd_disable_auth' and got it working with the minimum contents below in the file

...nssh-3.5p1.orig/servconf.h Thu Aug 1 02:28:39 2002 +++ openssh-3.5p1/servconf.h Tue Dec 3 14:10:55 2002 @@ -132,6 +132,7 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int pam_authentication_via_kbd_int; + char *pam_service_name; } ServerOptions; void initialize_server_options(ServerOptions *); @@ -139,5 +140,8 @@ void fill_default_server_options(ServerOptions *); int process_server_config_line(ServerOptions *, char *, const char *, int); +#if !defined(SSHD_PAM_SERVICE) +# define SSHD_PAM_SERVICE __progname +#endif #endif...

...11 @@ options->reverse_mapping_check = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; + options->log_key_fingerprint = -1; } void fill_default_server_options(ServerOptions *options) { @@ -227,10 +228,12 @@ else options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->log_key_fingerprint == -1) + options->lo...

...not on the list. -------------- next part -------------- diff -rupN openssh-6.1p1/servconf.c openssh-6.1p1-new/servconf.c --- openssh-6.1p1/servconf.c 2012-07-31 02:22:38.000000000 +0000 +++ openssh-6.1p1-new/servconf.c 2013-01-31 17:12:36.000000000 +0000 @@ -85,6 +85,7 @@ initialize_server_options(ServerOptions options->x11_forwarding = -1; options->x11_display_offset = -1; options->x11_use_localhost = -1; + options->no_pty = -1; options->xauth_location = NULL; options->strict_modes = -1; options->tcp_keep_alive = -1; @@ -201,6 +202,8 @@ fill_default_server_options(Server...

...including host-specific sshd configuration. --- servconf.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/servconf.c b/servconf.c index 86c2979360c5..daf8f2df15a2 100644 --- a/servconf.c +++ b/servconf.c @@ -1297,7 +1297,8 @@ process_server_config_line_depth(ServerOptions *options, char *line, struct connection_info *connectinfo, int *inc_flags, int depth, struct include_list *includes) { - char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword; + char *str, ***chararrayptr, **charptr, *arg, *arg2, *arg_pre, *p, *keyword; + char thishost[NI_MAX...

...ding host-specific sshd configuration. --- servconf.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/servconf.c b/servconf.c index 5b32f0bfc8db..0bc281784b73 100644 --- a/servconf.c +++ b/servconf.c @@ -1254,9 +1254,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, struct connection_info *connectinfo, int *inc_flags, int depth, struct include_list *includes) { - char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword; - int cmdline = 0, *intptr, value, value2, n, port, oactive, r; - int ca_only = 0, found = 0; + char...

I would like to understand your opinion a little more deeply. Are you suggesting that it's easier to (prepare the container and add a line at runtime) compared to (add a line to an sshd config at runtime)? The latter scenario would be the case if the patch is merged. Or did you mean that it's easier to prepare the container than to implement a correct patch into sshd to enable the option

it's not just adding a line at runtime. it's the openssh maintainers maintaining an odd codepath and testing it at each release and answering questions about the configuration, etc. On Thu, Jun 27, 2024 at 3:00?PM Henry Qin <hq6 at cs.stanford.edu> wrote: > > I would like to understand your opinion a little more deeply. > > Are you suggesting that it's easier to

This allows the localhost percent-style escapes in arguments to the Include directive. These are useful for including host-specific ssh configuration. --- readconf.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/readconf.c b/readconf.c index a2282b562df0..ad47d0e9730a 100644 --- a/readconf.c +++ b/readconf.c @@ -1030,7 +1030,8 @@

Using these escapes, the include directive can be crafted to include differing, host-specific configuration. Ronan Pigott (2): Permit %L and %l percent escapes in ssh Include Permit %L and %l percent escapes in sshd Include readconf.c | 16 +++++++++++++--- servconf.c | 17 ++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-) base-commit: