search for: sshcfg_global

...4 06:18:35 -0000 1.249 +++ servconf.c 6 Jun 2014 08:04:06 -0000 @@ -399,8 +399,8 @@ static struct { { "denyusers", sDenyUsers, SSHCFG_ALL }, { "allowgroups", sAllowGroups, SSHCFG_ALL }, { "denygroups", sDenyGroups, SSHCFG_ALL }, - { "ciphers", sCiphers, SSHCFG_GLOBAL }, - { "macs", sMacs, SSHCFG_GLOBAL }, + { "ciphers", sCiphers, SSHCFG_ALL }, + { "macs", sMacs, SSHCFG_ALL }, { "protocol", sProtocol, SSHCFG_GLOBAL }, { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG...

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be

...wGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, @@ -411,6 +414,7 @@ static struct { { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, + { "nopty", sNoPty, SSHCFG_ALL }, { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, @@ -1075,6 +1079,10 @@ process_server_config_...

...(options->engconffile == NULL) > options->engconffile = _PATH_OPENSSL_CONFIG; > > if (options->engconfstanza == NULL) > options->engconfstanza = OPENSSL_STANZA; > } 409a471,473 > { "enginehostkey", sEngineHostKey, SSHCFG_GLOBAL }, > { "engineconfigfile", sEngineConfigFile, SSHCFG_GLOBAL }, > { "engineconfigstanza", sEngineConfigStanza, SSHCFG_GLOBAL }, 915a995,1021 > case sEngineHostKey: > if (options->engineindex != -1) { > fatal("%s line...

...thods, sHostKeyAgent, + sAuthenticationMethods, sHostKeyAgent, sListenViaSCTP, sDeprecated, sUnsupported } ServerOpCodes; @@ -474,6 +480,11 @@ static struct { { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, +#ifdef USE_SCTP + { "listenviasctp", sListenViaSCTP, SSHCFG_GLOBAL }, +#else + { "listenviasctp", sUnsupported, SSHCFG_GLOBAL }, +#endif { NULL, sBadOption, 0 } }; @@ -543,6 +554,17 @@ add_list...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

...on, + sSubsystem, sMaxStartups, sMaxAuthTries, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -282,6 +288,7 @@ u_int flags; } keywords[] = { { "port", sPort, SSHCFG_GLOBAL }, + { "cakeyfile", sCAKeyFile, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ { "pidfile", sPidFile, SSHCFG_GLOBAL }, @@ -296,6 +303,7 @@ { "hostbasedauthentication",...

I was wondering what everyone's thoughts were on a simpler way to exclude addresses from having listeners on them. I know a lot of people have multiple subnets, especially larger corporations. Some networks are non-route-able, and therefor unsuitable for use with SSH, aside from communication between other servers on the same subnet. Given that we may want to exclude those non-route-able

...h, sMaxDisplays, sDeprecated, sUnsupported } ServerOpCodes; @@ -572,6 +575,7 @@ { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, + { "maxdisplays", sMaxDisplays, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -1031,7 +1035,15 @@ fatal("%s line %d: Badly formatted port number.", filename, linenum); break; - + case sMaxDisplays: + arg = strdelim(&cp); + if (!arg || *arg ==...

hi folks-- Can a Match block cover a Subsystem directive in sftp? https://bugzilla.mindrot.org/show_bug.cgi?id=1587#c1 suggests that Match can cover Subsystem, but sshd_config (at least, in 5.5p1) doesn't mention Subsystem within the description of Match. What should administrators expect? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name:

Hi, sifting through my system's logs, I noticed many break-in attempts by rogue ssh clients trying long lists of common passwords. For some time now I pondered different approaches to counter these, but could not come up with a solution that really satisfied me. I finally reached the conclusion that any countermeasures required support in sshd itself, and created the attached patch. If

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1930 --- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST --- Retarget unresolved

Hello. At work we collect logs (via ssh) from all kinds of hosts on one central node which has no connection to the internet and is tried to kept secure. The idea is, as you can imagine, that in case of a compromise we'd have at least all the logs up to the break without any forgeries. The logging is done continuously and compression is used. Now the following is not really that much

...uot;streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, + { "streamlocalbindrootdirectory", sStreamLocalBindRootDirectory, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, @@ -1823,6 +1827,17 @@ process_server_config_line(ServerOptions *options, char *line, intptr = &options->fwd_opts.streamlocal_bind_unlink; goto parse_flag; + case sStreamLocalBindRootDirectory: + charptr = &...

...ePrivilegeSeparation, + sFipsMode, sDeprecated, sUnsupported } ServerOpCodes; @@ -403,6 +412,7 @@ { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, + { "fipsmode", sFipsMode, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -1253,6 +1263,10 @@ options->adm_forced_command = xstrdup(cp + len); return 0; + case sFipsMode: + intptr = &options->fips_mode; + goto parse_flag; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename...