search for: suseprivilegeseparation

...separation on by default */ if (use_privsep == -1) use_privsep = 1; *************** *** 298,304 **** sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, ! sUsePrivilegeSeparation, sDeprecated } ServerOpCodes; --- 302,308 ---- sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, ! sUsePrivilegeSeparation, sChrootUsers, sDeprecated...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2

...NULL; + options->log_file = NULL; options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; @@ -302,6 +303,7 @@ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sUsePrivilegeSeparation, + sLogFile, sDeprecated } ServerOpCodes; @@ -380,6 +382,7 @@ { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, + { "logfile", sLogFile}, { NULL,...

...cpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); + dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);

Hello, I am trying to force a command for all users *except* for users in the "wheel" group. My idea was to do the following in sshd_config: ForceCommand /usr/bin/validate-ssh-command Match Group wheel ForceCommand But obviously this doesn't work, because ForceCommand requires an argument. I couldn't find a way to achieve what I want. I wrote a patch that adds a

...= strdelim(&cp); + p = NULL; + if (!arg || *arg == '\0') + p = "missing"; + if (channel_add_permitted_opens(arg) < 0) + p = "bad"; + if (p != NULL) + fatal("%.200s, line %d: %s inet addr:port.", + filename, linenum, p); + break; case sUsePrivilegeSeparation: intptr = &use_privsep;

Hi All. For various reasons, we're currently looking at extending (or even overhauling) the config parser used for sshd_config. Right now the syntax I'm looking at is a cumulative "Match" keyword that matches when all of the specified criteria are met. This would be similar the the Host directive used in ssh_config, although it's still limiting (eg you can't easily

...te_privsep[] = { + { "sandbox", PRIVSEP_SANDBOX }, + { "yes", PRIVSEP_ON }, + { "no", PRIVSEP_OFF }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, @@ -1066,7 +1072,8 @@ process_server_config_line(ServerOptions case sUsePrivilegeSeparation: intptr = &use_privsep; - goto parse_flag; + multistate_ptr = multistate_privsep; + goto parse_multistate; case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { @@ -1549,31 +1556,34 @@ parse_server_config(ServerOptions *optio } static const char...

...atform does not support both privilege " @@ -242,6 +244,7 @@ fill_default_server_options(ServerOption options->compression = 0; } #endif +#endif } @@ -799,10 +802,11 @@ parse_flag: intptr = &options->allow_tcp_forwarding; goto parse_flag; +#ifdef USE_PRIVSEP case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; - +#endif case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) --- openssh-4.2p1/sshd.c~ 2005-07-26 12:54:56.000000000 +0100 +++ openssh-4.2p1/sshd.c 2...

Hi, The code definitely attempts to unlink any old listener beforehand (see misc.c:unix_listener()) so I don't understand why that isn't being called. You might try simulating your configuration using sshd's -T and -C to make sure the flag is correctly being set. Could chroot be interfering? Some platforms implement additional restrictions on devices and sockets inside chroot. -d

...Authentication, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sUsePrivilegeSeparation, @@ -347,16 +348,18 @@ { "permitemptypasswords", sEmptyPasswd }, { "permituserenvironment", sPermitUserEnvironment }, { "uselogin", sUseLogin }, { "compression", sCompression }, { "tcpkeepalive", sTCPKeepAlive }, { "keepalive",...

...ATH_SSH_USER_PERMITTED_KEYS; +#ifndef DISABLE_PRIVSEP /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; @@ -237,6 +242,7 @@ options->compression = 0; } #endif +#endif /* DISABLE_PRIVSEP */ } @@ -732,8 +738,13 @@ goto parse_flag; case sUsePrivilegeSeparation: +#ifndef DISABLE_PRIVSEP intptr = &use_privsep; goto parse_flag; +#else + /* Ignore the whole line */ + return 0; +#endif /* DISABLE_PRIVSEP */ case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { diff -adurN openssh-3.7.1p2.privsep/session.c ope...

...ot;; + if (channel_add_permitted_opens(arg) < 0) + p = "bad"; + if (p != NULL) + fatal("%.200s, line %d: %s inet addr:port.", + filename, linenum, p); + break; + + case sPermitTcpListen: + intptr = &options->permit_tcp_listen; goto parse_flag; case sUsePrivilegeSeparation: --- servconf.h 28 Jan 2003 18:06:52 -0000 1.1.1.2 +++ servconf.h 29 Jan 2003 21:26:12 -0000 1.7 @@ -32,6 +33,13 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +/* restrictions */ +#define RESTRICT_AGENT 1 +#define RESTRICT_ENV 2 +#define RESTRICT_RC 4 +#define RESTRICT_TCP 8 +#define...

...>permit_tun = SSH_TUNMODE_NO; + if (options->fips_mode == -1) + options->fips_mode = 0; /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -293,6 +301,7 @@ sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sUsePrivilegeSeparation, + sFipsMode, sDeprecated, sUnsupported } ServerOpCodes; @@ -403,6 +412,7 @@ { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, + { "fipsmode", sFipsMode, SSHCFG_GLOBAL }, {...

...ation = 1; if (options->kbd_interactive_authentication == -1) @@ -239,6 +248,7 @@ sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sGssAuthentication, sGssCleanupCreds, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -277,6 +287,13 @@ { "kerberostgtpassing", sUnsupported }, #endif { "afstokenpassing", sUnsupported }, +#ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication }, + { "gssapicleanupcreds", sGssCleanup...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |