search for: ssh_privsep_user

Displaying 19 results from an estimated 19 matches for "ssh_privsep_user".

2014 Mar 31
1
SSH_PRIVSEP_USER configurable at runtime?
Hi, Right now, the unprivileged account for privilege separation is only configurable at compile time (SSH_PRIVSEP_USER). I'd like to ask if it would be acceptable to have the account runtime configurable by adding something like PrivilegeSeparationAccount foo to sshd_config. The reason I'm asking is this. I'm working on a long overdue change to Cygwin which is supposed to get rid of the /etc/pass...
2002 Apr 18
3
privsep no user fatal message
...=================================================================== RCS file: /cvs/openssh/sshd.c,v retrieving revision 1.200 diff -u -r1.200 sshd.c --- sshd.c 2 Apr 2002 20:48:20 -0000 1.200 +++ sshd.c 18 Apr 2002 13:36:04 -0000 @@ -536,7 +536,7 @@ demote_sensitive_data(); if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) - fatal("%s: no user", SSH_PRIVSEP_USER); + fatal("no user: %s", SSH_PRIVSEP_USER); memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); endpwent();
2002 Jul 15
10
Patch: Solaris packages don't create privsep user or group
...-u -r1.5 buildpkg.sh --- contrib/solaris/buildpkg.sh 9 Jul 2002 02:02:11 -0000 1.5 +++ contrib/solaris/buildpkg.sh 15 Jul 2002 12:32:49 -0000 @@ -98,6 +98,19 @@ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` done + +## Collect value of privsep user +for confvar in SSH_PRIVSEP_USER +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` +done + +## Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi + ## Extract common info requires for the 'info' part of the pack...
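Review bot: In the added "Collect value of privsep user" block, `eval $confvar=`awk ... config.h`` hands the third field of the `#define` line to the shell for evaluation. config.h stores this value as a quoted C string (`#define SSH_PRIVSEP_USER "sshd"`), so the eval is what strips the quotes, but it also interprets any other shell metacharacters found in that field. Since the loop covers a single name, a plain assignment that removes the quotes explicitly (for instance piping the awk output through `tr -d '"'`) would be simpler and needs no eval. The awk pattern is also unanchored after the macro name, so it would match a longer macro that starts with SSH_PRIVSEP_USER.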
2006 Jan 08
3
Allow --without-privsep build.
...5-09-01 10:15:22.000000000 +0100 +++ openssh-4.2p1/config.h.in 2006-01-07 17:44:23.000000000 +0000 @@ -152,6 +152,9 @@ /* Builtin PRNG command timeout */ #undef ENTROPY_TIMEOUT_MSEC +/* Use privilege separation */ +#undef USE_PRIVSEP + /* non-privileged user for privilege separation */ #undef SSH_PRIVSEP_USER --- openssh-4.2p1/configure.ac~ 2005-08-31 17:59:49.000000000 +0100 +++ openssh-4.2p1/configure.ac 2006-01-07 18:41:38.000000000 +0000 @@ -1873,6 +1873,16 @@ AC_ARG_WITH(entropy-timeout, ) AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) +use_privsep=1 + +AC_ARG_WITH(privsep, + [ -...
2005 Mar 29
1
[Bug 1005] installing openssh on AIX takes a long time when there are many users
...grep ssh' to see if the privsep user has been created. The trouble is that invoking 'lsusers ALL' takes TWO HOURS to complete at a particular site with thousands of users! The simple fix to contrib/aix/buildbff.sh was: 225c225 < if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null --- > if lsuser "$SSH_PRIVSEP_USER" >/dev/null ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2002 Jun 26
5
[PATCH] improved chroot handling
...) + fatal("chdir(\"%s\"): %s", emptydir, strerror(errno)); + if (write(pmonitor->m_sendfd, &status, 1) < 0) + fatal("write(): %s", strerror(errno)); close(pmonitor->m_sendfd); /* Demote the child */ @@ -1008,10 +1027,6 @@ if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); - if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || - (S_ISDIR(st.st_mode) == 0)) - fatal("Missing privilege separation directory: %s", - _PATH_PRIVSEP_CHROOT_DIR);...
2002 Sep 11
1
tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
...method shows that a utmp entry does get made for the tty. There are several issues I see with this configuration, but I don't think any pose insurmountable problems: - There is an #if'd-out call to do_setusercontext() in the subroutine privsep_preauth_child(), which means that the SSH_PRIVSEP_USER would be run through the session_setup_sia() should the '#if 0' preprocessor directive be removed. I don't want SSH_PRIVSEP_USER to be passed through session_setup_sia(), because I like that account to be locked and the session setup stuff would fail in this case....
2017 Mar 20
12
Announce: OpenSSH 7.5 released
OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community
2017 Mar 27
2
Is support being removed for ordinary users to run sshd?
...gt; diff --git a/sshd.c b/sshd.c > > index 010a2c3..4f9b2c8 100644 > > --- a/sshd.c > > +++ b/sshd.c > > @@ -1641,7 +1641,8 @@ main(int ac, char **av) > > > > /* Store privilege separation user for later use if required. */ > > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { > > - if (use_privsep || options.kerberos_authentication) > > + if ((use_privsep || options.kerberos_authentication) > > + && (getuid() == 0 || geteuid() == 0)) > > fatal("Privilege separation user %s does not exist", > >...
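Review bot: With the added `&& (getuid() == 0 || geteuid() == 0)` condition, a non-root sshd no longer reaches the fatal() and continues with privsep_pw == NULL. The comment above the lookup says the entry is stored "for later use if required", so every later use of privsep_pw has to tolerate NULL or be skipped when not running as root. The visible lines do not show that, and it should be confirmed before this is applied. A short comment beside the new condition explaining why only root needs the account would also help.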
2002 Jul 19
0
[Bug 364] New: resolution for bug 302 doesn`t appear to work
...ve been trying to resolve issues shown by bug 302 as I'm getting error id sshd || \ echo "WARNING: Privilege separation user \"sshd\" does not exist" when running a make install. The bug fix advises to change id sshd to id sshd - t in makefile.in however I only have id $(SSH_PRIVSEP_USER) in my makefile.in. When I substitute sshd -t for the variable I still get the same error. Your help would be much appreciated. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2006 Apr 11
0
Problem building openssh-4.3p2 under cygwin and windows XP
...etstat' PROG_PS='/bin/ps' PROG_SAR='undef' PROG_TAIL='/bin/tail' PROG_UPTIME='undef' PROG_VMSTAT='undef' PROG_W='undef' PROG_WHO='/bin/who' RANLIB='ranlib' SED='/usr/bin/sed' SH='/usr/bin/sh' SHELL='/bin/sh' SSH_PRIVSEP_USER='sshd' STARTUP_SCRIPT_SHELL='/bin/sh' STRIP_OPT='-s' TEST_MINUS_S_SH='/usr/bin/bash' TEST_SHELL='sh' XAUTH_PATH='undefined' ac_ct_CC='gcc' ac_ct_RANLIB='ranlib' bindir='${exec_prefix}/bin' build='i686-pc-cygwin' build_a...
2011 Jun 22
3
sandbox pre-auth privsep child
...v/systrace.h> +]) +AC_CHECK_DECL([RLIMIT_NPROC], + [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [ + #include <sys/types.h> + #include <sys/resource.h> +]) use_stack_protector=1 AC_ARG_WITH([stackprotect], @@ -2461,6 +2471,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [ [non-privileged user for privilege separation]) AC_SUBST([SSH_PRIVSEP_USER]) +# Decide which sandbox style to use +sandbox_arg="" +AC_ARG_WITH([sandbox], + [ --with-sandbox=style Specify privilege separation sandbox (no, rlimit, systrace)], + [ + if test "x$withval&quot...
2003 Oct 08
4
OS/390 openssh
...versions differ for %s: %.200s vs. %.200s", @@ -583,7 +613,25 @@ /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; +#if #system(bs2000) + { + char *upper; + /* BS2000(PSD/POSIX) ufork needs the user name in UPPER case */ + upper = xstrdup(SSH_PRIVSEP_USER); + strupper(upper, NULL); + if ((pid = ufork(upper)) == -1 && errno == EPERM) { + if (getpwnam(SSH_PRIVSEP_USER) == NULL) + fatal("Privilege separation user %s does not exist", + SSH_PRIVSEP_USER); +...
2002 Jun 24
4
README.privsep
Hi, This is included in the release now; any feedback? Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at:
2003 Dec 30
8
[Bug 651] SCO 3.2v4.2 and OpenSSH 3.7.1p1 --> connection hangs and does not close (ssh2 only)
http://bugzilla.mindrot.org/show_bug.cgi?id=651 ------- Additional Comments From vikashb at comparexafrica.co.za 2003-12-30 16:39 ------- tried openssh-SNAP-20031223 does not compile: (cd openbsd-compat && make) gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -Dftruncate=chsize -I/usr/local/include -DHAVE_CONFIG_H -c
2014 Feb 10
0
[PATCH] Basic SCTP support for OpenSSH client and server
...else + SCTP_MSG="no" + fi + ] +) + +if test "x$SCTP_MSG" = "xyes"; then + if test "x$have_sctp" != "xyes" ; then + AC_MSG_ERROR([SCTP support not found]) + fi + + AC_DEFINE([USE_SCTP], [1], + [Define if you want to enable SCTP support]) +fi + SSH_PRIVSEP_USER=sshd AC_ARG_WITH([privsep-user], [ --with-privsep-user=user Specify non-privileged user for privilege separation], @@ -4838,6 +4865,7 @@ echo " sshd superuser user PATH: $J" fi echo " Manpage format: $MANTYPE" echo "...
2005 Sep 19
1
ssh hangs or gives Segmentation fault
...f WITH_AIXAUTHENTICATE */ /* #undef AIX_LOGINFAILED_4ARG */ /* #undef SKEYCHALLENGE_4ARG */ /* #undef WITH_IRIX_ARRAY */ /* #undef WITH_IRIX_PROJECT */ /* #undef WITH_IRIX_AUDIT */ /* #undef WITH_IRIX_JOBS */ /* #undef PRNGD_SOCKET */ /* #undef PRNGD_PORT */ #define ENTROPY_TIMEOUT_MSEC 200 #define SSH_PRIVSEP_USER "sshd" /* #undef MANTYPE */ #define HAVE_OPENSSL 1 /* #undef RSAREF */ #define HAVE_STRUCT_TIMEVAL 1 #define HAVE_HOST_IN_UTMP 1 #define HAVE_HOST_IN_UTMPX 1 #define HAVE_ADDR_IN_UTMP 1 #define HAVE_ADDR_IN_UTMPX 1 #define HAVE_ADDR_V6_IN_UTMP 1 #define HAVE_ADDR_V6_IN_UTMPX 1 /* #undef H...
2020 Jul 21
11
[RFC PATCH 0/4] PAM module for ssh-agent user authentication
Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
...nd %s", name); --- openssh-4.7p1/Makefile.in Tue Dec 18 02:42:38 2007 +++ openssh-4.7p1/Makefile.in Tue Dec 18 02:42:21 2007 @@ -18,6 +18,7 @@ piddir=@piddir@ srcdir=@srcdir@ top_srcdir=@top_srcdir@ +ssldir=@ssldir@ DESTDIR= VPATH=@srcdir@ @@ -29,6 +30,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ +FIPS_MODE=@FIPS_MODE@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ @@ -252,12 +254,18 @@ $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_P...