
Displaying 17 results from an estimated 17 matches for "strict_modes".

2001 Jun 04
1
[PATCH]: Add check_ntsec to ownership/mode tests
...u -p -r1.17 auth-rhosts.c --- auth-rhosts.c 2001/04/12 23:34:35 1.17 +++ auth-rhosts.c 2001/06/04 10:05:34 @@ -228,6 +228,9 @@ auth_rhosts2(struct passwd *pw, const ch pw->pw_name, pw->pw_dir); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(pw->pw_dir)) +#endif if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { Index: auth-rsa.c =================================================================== RCS file: /cvs/openssh_cvs/auth-rsa.c,v retrieving revision 1.31 diff -u -p -r1.31 auth-rsa.c ---...
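Review bot: In the auth-rhosts.c hunk the added `if (check_ntsec(pw->pw_dir))` guards the entire `options.strict_modes` test, so on a HAVE_CYGWIN build the ownership and mode check on the home directory is skipped without any trace whenever check_ntsec() returns 0. Its definition is not shown here; presumably that is the case where NT security is not in effect for the path. That is a fail-open path for StrictModes, so it should be documented and made visible to the administrator: put a comment above the guard such as `/* Cygwin: st_uid/st_mode are only meaningful with ntsec; without it StrictModes cannot be enforced here */` and emit a `log()` line when the check is bypassed. The unbraced `if` placed directly in front of another `if` inside an `#ifdef` is also fragile for later edits and would read more safely with explicit braces. auth_rhosts2() starts and ends outside this hunk, and the auth-rsa.c section that follows is cut off on this page.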
2007 Sep 07
0
Public key reading abstraction (to allow future work)
...); - /* Fail quietly if file does not exist */ - if (stat(file, &st) < 0) { - /* Restore the privileged uid. */ - restore_uid(); - xfree(file); - return (0); - } - /* Open the file containing the authorized keys. */ - f = fopen(file, "r"); + f = open_keyfile(file, pw, options.strict_modes); if (!f) { - /* Restore the privileged uid. */ - restore_uid(); - xfree(file); - return (0); - } - if (options.strict_modes && - secure_filename(f, file, pw, line, sizeof(line)) != 0) { - xfree(file); - fclose(f); - logit("Authentication refused: %s", line); + xfree...
2013 Jan 31
2
OpenSSH NoPty patch
...-new/servconf.c 2013-01-31 17:12:36.000000000 +0000 @@ -85,6 +85,7 @@ initialize_server_options(ServerOptions options->x11_forwarding = -1; options->x11_display_offset = -1; options->x11_use_localhost = -1; + options->no_pty = -1; options->xauth_location = NULL; options->strict_modes = -1; options->tcp_keep_alive = -1; @@ -201,6 +202,8 @@ fill_default_server_options(ServerOption options->x11_use_localhost = 1; if (options->xauth_location == NULL) options->xauth_location = _PATH_XAUTH; + if (options->no_pty == -1) + options->no_pty = 0; if (options...
2000 Aug 13
1
Patches for openssh port forwarding
...-- openssh-2.1.1p4/servconf.c Sat Jul 15 07:14:17 2000 +++ openssh-2.1.1p4-jhchanges/servconf.c Sun Aug 13 00:06:25 2000 @@ -45,6 +45,7 @@ options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; + options->port_forwarding = -1; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -116,6 +117,8 @@ if (options->xauth_location == NULL) options->xauth_location = XAUTH_PATH; #endif /* XAUTH_PATH */ + if (options->port_forwarding == -1) + options->port_forwarding = 1;...
2002 Feb 12
0
[Patch] Xauthority file in /tmp
...c --- openssh-3.0.2p1.orig/servconf.c Wed Nov 14 00:03:15 2001 +++ openssh-3.0.2p1/servconf.c Tue Feb 12 14:21:14 2002 @@ -64,6 +64,7 @@ options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; + options->xauthority_in_tmp = -1; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -258,7 +259,7 @@ sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxSt...
2001 Jun 02
4
authorized_keys2 directory idea
...2001 @@ -26,6 +28,8 @@ if (!f) { /* Restore the privileged uid. */ restore_uid(); + packet_send_debug("Could not open %.900s for reading.", file); + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); return 0; } if (options.strict_modes) { was this left out by design, or a leftover in auth-rsa.c ? -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
2001 Dec 03
2
Bug in rsyncd 2.5.0 while handling config file string values
...0x0, lock_file = 0x8076813 "/var/run/rsyncd.lock", read_only = 1, list = 1, use_chroot = 1, transfer_logging = 0, ignore_errors = 0, uid = 0x807680c "nobody", gid = 0x807680c "nobody", hosts_allow = 0x0, hosts_deny = 0x0, auth_users = 0x0, secrets_file = 0x0, strict_modes = 1, exclude = 0x0, exclude_from = 0x0, include = 0x0, include_from = 0x0, log_format = 0x80767f3 "%o %h [%a] %m (%u) %f %l", refuse_options = 0x0, dont_compress = 0x80767c0 "*.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz", timeout = 0, max_connections = 0, ignore_n...
2001 Apr 22
1
relaxing access rights verifications
...fr/infosci/RFC/18xx/1855 -------------- next part -------------- diff -ur openssh-2.5.2p2.orig/auth-rhosts.c openssh-2.5.2p2/auth-rhosts.c --- openssh-2.5.2p2.orig/auth-rhosts.c Fri Feb 9 03:11:24 2001 +++ openssh-2.5.2p2/auth-rhosts.c Sun Apr 22 01:19:56 2001 @@ -215,7 +215,8 @@ } if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || - (st.st_mode & 022) != 0)) { + (st.st_uid == 0 && (st.st_mode & 002) != 0) || + (st.st_uid != 0 && (st.st_mode & 022) != 0))) { log("Rhosts authentication refused for %.10...
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2003 Mar 28
0
PRIVSEP annoys me.
...for reading.",file); > packet_send_debug("If your home is on an NFS volume, > it may need to be world-readable."); > /* Restore the privileged uid. */ > restore_uid(); > return 0; > } > > if (options.strict_modes && > secure_filename(f, file, pw, line, sizeof(line)) != 0) { > fclose(f); > log("Authentication refused: %s", line); > restore_uid(); > return 0; > } > > key = key_new(KEY_RSA); > > /* > * Get the public key from the file. If...
2000 Aug 23
1
Protocol 2 remote forwarding patch
...*/ +extern int allow_port_forwarding; + /* add listen address */ void add_listen_addr(ServerOptions *options, char *addr); @@ -45,6 +48,7 @@ options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; + allow_port_forwarding = -1; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -116,6 +120,8 @@ if (options->xauth_location == NULL) options->xauth_location = XAUTH_PATH; #endif /* XAUTH_PATH */ + if (allow_port_forwarding == -1) + allow_port_forwarding = 1; /* Allow fo...
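Review bot: `allow_port_forwarding` is introduced as a global (`+extern int allow_port_forwarding;`) and then reset with `allow_port_forwarding = -1;` in the middle of the `options->...` initialisers in the `-45,6 +48,7` hunk, while every neighbouring setting is a field of the options struct. A security-relevant switch kept outside that struct is easy to miss wherever the options are copied, dumped or re-initialised, so a field written as `options->allow_port_forwarding = -1;` would be consistent with `options->strict_modes` next to it. The following hunk, which is cut off here, appears to default the value to `1`, meaning forwarding stays permitted unless configured otherwise; that default deserves a one-line comment where it is set. The first and last hunks of this section are truncated on this page.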
2002 Jan 23
0
[PATCH] Add multiple AuthorizedKeyFiles options
...ontaining the authorized keys. */ @@ -160,12 +179,10 @@ restore_uid(); packet_send_debug("Could not open %.900s for reading.", file); packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); - xfree(file); return 0; } if (options.strict_modes && secure_filename(f, file, pw, line, sizeof(line)) != 0) { - xfree(file); fclose(f); log("Authentication refused: %s", line); packet_send_debug("Authentication refused: %s", line); @@ -271,7 +288,6 @@ restore_uid(); /* Close the file. */ - xfree(fi...
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the
2012 Dec 27
3
[PATCH] hostfile: list known names (if any) for new hostkeys
...*pw, Key *key, const char *host, const struct hostkey_entry *found; hostkeys = init_hostkeys(); - load_hostkeys(hostkeys, host, sysfile); + load_hostkeys(hostkeys, host, NULL, sysfile); if (userfile != NULL) { user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); if (options.strict_modes && @@ -393,7 +393,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, user_hostfile); } else { temporarily_use_uid(pw); - load_hostkeys(hostkeys, host, user_hostfile); + load_hostkeys(hostkeys, host, NULL, user_hostfile); restore_uid(); }...
2003 Jan 29
0
[PATCH] features for restricted shell environments
..."x11") == 0) + options->restrictions |= RESTRICT_X11; + else + fatal("%s line %d: unknown restriction %s.", + filename, linenum, p); + } + charptr = &options->restricted_shell; + goto parse_filename; + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; @@ -761,6 +800,22 @@ case sAllowTcpForwarding: intptr = &options->allow_tcp_forwarding; + goto parse_flag; + + case sPermitTcpConnect: + arg = strdelim(&cp); + p = NULL; + if (!arg || *arg == '\0') + p = "missing"; + if (channel_add_pe...
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi, sorry if it is the wrong approach to suggest improvements to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in its chrooted form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be disallowed in
2001 Nov 06
13
OpenSSH 3.0
OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the