Displaying 17 results from an estimated 17 matches for "sshcfg_all".
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
...================================
RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
retrieving revision 1.249
diff -u -p -u -r1.249 servconf.c
--- servconf.c 29 Jan 2014 06:18:35 -0000 1.249
+++ servconf.c 6 Jun 2014 08:04:06 -0000
@@ -399,8 +399,8 @@ static struct {
{ "denyusers", sDenyUsers, SSHCFG_ALL },
{ "allowgroups", sAllowGroups, SSHCFG_ALL },
{ "denygroups", sDenyGroups, SSHCFG_ALL },
- { "ciphers", sCiphers, SSHCFG_GLOBAL },
- { "macs", sMacs, SSHCFG_GLOBAL },
+ { "ciphers", sCiphers, SSHCFG_ALL },
+ { "macs", sMacs, SSHCFG_A...
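Review bot: switching `ciphers` and `macs` from SSHCFG_GLOBAL to SSHCFG_ALL in this keyword table only makes the parser accept them inside a Match block; it does not by itself make the matched values take effect. Cipher and MAC selection happens during the initial key exchange, before the user name is known, so the patch should show where the Match result is applied ahead of key exchange and should document that criteria such as User or Group cannot influence these options. The list of keywords allowed after Match in sshd_config(5) needs the new entries as well.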
2009 Oct 29
1
Match vs. ChallengeResponseAuthentication?
Hello,
We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be
2007 May 16
2
Disabling ForceCommand in a Match block
Hello,
I am trying to force a command for all users *except* for users in the
"wheel" group. My idea was to do the following in sshd_config:
ForceCommand /usr/bin/validate-ssh-command
Match Group wheel
ForceCommand
But obviously this doesn't work, because ForceCommand requires an
argument. I couldn't find a way to achieve what I want.
I wrote a patch that adds a
2013 Jan 31
2
OpenSSH NoPty patch
...asswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -411,6 +414,7 @@ static struct {
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
+ { "nopty", sNoPty, SSHCFG_ALL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL...
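Review bot: the new `nopty` entry is a negative-sense keyword, so a setting such as `NoPty no` reads as a double negative, while the neighbouring entries use a positive permit/allow form (`permitemptypasswords`, `sAllowTcpForwarding`). Consider a positive name, and since the entry is marked SSHCFG_ALL, make sure the value is carried over when a Match block applies and that the keyword is added to the Match list in sshd_config(5).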
2017 Jun 16
2
[PATCH] allow relative path in streamlocal forwarding
...treamLocalBindMask, sStreamLocalBindUnlink,
+ sStreamLocalBindRootDirectory,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -558,6 +561,7 @@ static struct {
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
+ { "streamlocalbindrootdirectory", sStreamLocalBindRootDirectory, SSHCFG_ALL },
{ "allowstreamlocalforwarding", sAllowStrea...
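Review bot: `streamlocalbindrootdirectory` is registered as SSHCFG_ALL, so it can be set per Match block, but the visible lines do not show how a client-supplied relative socket path is confined to that directory. Please confirm that paths with `..` components or symlinks cannot resolve outside the configured root, and document the option and its Match support in sshd_config(5).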
2011 Sep 06
16
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1930
--- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST ---
Retarget unresolved
2020 Mar 11
6
[PATCH 0/1] *** SUBJECT HERE ***
Hi,
sifting through my system's logs, I noticed many break-in attempts by
rogue ssh clients trying long lists of common passwords. For some time
now I pondered different approaches to counter these, but could not come
up with a solution that really satisfied me.
I finally reached the conclusion that any countermeasures required
support in sshd itself, and created the attached patch. If
2014 Jun 23
2
ListenAddress Exclusion
I was wondering what everyone's thoughts were on a simpler way to exclude
addresses from having listeners on them.
I know a lot of people have multiple subnets, especially larger
corporations.
Some networks are non-route-able, and therefore unsuitable for use with SSH,
aside from communication between other servers on the same subnet.
Given that we may want to exclude those non-route-able
2016 Jun 02
2
MaxDisplays configuration option
...tUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
- sAllowStreamLocalForwarding, sFingerprintHash,
+ sAllowStreamLocalForwarding, sFingerprintHash, sMaxDisplays,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -572,6 +575,7 @@
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "maxdisplays", sMaxDisplays, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
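Review bot: `maxdisplays` is added as SSHCFG_GLOBAL, so it cannot be overridden inside a Match block. If that is intentional, state it in the sshd_config(5) entry for the new option, which the patch should include together with the default value.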
@@ -1031,7 +1035,15 @@
fatal("%s line %d...
2014 Feb 10
0
[PATCH] Basic SCTP support for OpenSSH client and server
...rizedKeysCommand, sAuthorizedKeysCommandUser,
- sAuthenticationMethods, sHostKeyAgent,
+ sAuthenticationMethods, sHostKeyAgent, sListenViaSCTP,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -474,6 +480,11 @@ static struct {
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+#ifdef USE_SCTP
+ { "listenviasctp", sListenViaSCTP, SSHCFG_GLOBAL },
+#else
+ { "listenviasctp", sUnsupported, SSHCFG_GLOBAL },
+...
2015 Feb 19
2
[Bug 2353] New: options allowed for Match blocks missing from documentation
...OS: All
Status: NEW
Severity: minor
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.net
Hi.
AFAIU such options which are allowed for Match blocks are marked with
"SSHCFG_ALL" in servconf.c.
Going through the list, a number of them are apparently allowed but
missing from sshd_config(5):
AllowStreamLocalForwarding
IPQoS
RevokedKeys
StreamLocalBindMask
StreamLocalBindUnlink
TrustedUserCAKeys
Could you please add these?
I'd have written a patch, but since all my...
2010 Dec 13
2
Should Subsystem work in a Match block?
hi folks--
Can a Match block cover a Subsystem directive in sftp?
https://bugzilla.mindrot.org/show_bug.cgi?id=1587#c1
suggests that Match can cover Subsystem, but sshd_config (at least, in
5.5p1) doesn't mention Subsystem within the description of Match.
What should administrators expect?
--dkg
2012 Oct 14
6
[Bug 1963] IPQoS not honoured
https://bugzilla.mindrot.org/show_bug.cgi?id=1963
--- Comment #5 from martin f. krafft <bugzilla.mindrot.org at pobox.madduck.net> ---
With reference to http://bugs.debian.org/650512, which I just reopened,
I am sorry to say that the bug persists in OpenSSH 6.0.
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
...efault */
if (use_privsep == -1)
@@ -293,6 +301,7 @@
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand,
sUsePrivilegeSeparation,
+ sFipsMode,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -403,6 +412,7 @@
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ { "fipsmode", sFipsMode, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -1253,6 +1263,10 @@
options->adm_forced_command = xstrdup(cp + len);
return 0;
+...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2014 Nov 18
5
can compression be safely used with SSH?
Hello.
At work we collect logs (via ssh) from all kinds of hosts on one
central node which has no connection to the internet and is tried to
be kept secure.
The idea is, as you can imagine, that in case of a compromise we'd
have at least all the logs up to the break without any forgeries.
The logging is done continuously and compression is used.
Now the following is not really that much
2015 Jun 03
30
[Bug 2408] New: Expose authentication information to PAM
https://bugzilla.mindrot.org/show_bug.cgi?id=2408
Bug ID: 2408
Summary: Expose authentication information to PAM
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: