search for: verifyreversemap

http://bugzilla.mindrot.org/show_bug.cgi?id=585 ------- Additional Comments From dtucker at zip.com.au 2003-09-05 13:39 ------- What's the status of this? At the moment, my understanding is: * a bug exists in getaddrinfo in IRIX 6.5.18 and up * defining BROKEN_GETADDRINFO causes a type clash with gai_strerror * solving the type clash results in an sshd that works OK Should we be

http://bugzilla.mindrot.org/show_bug.cgi?id=585 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From dtucker at zip.com.au 2003-12-22

http://bugzilla.mindrot.org/show_bug.cgi?id=585 Summary: sshd core dumping on IRIX 6.5.18 with VerifyReverseMapping enabled Product: Portable OpenSSH Version: -current Platform: MIPS OS/Version: IRIX Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: ktayl...

http://bugzilla.mindrot.org/show_bug.cgi?id=585 ------- Additional Comments From dtucker at zip.com.au 2003-07-07 00:32 ------- dmalloc (http://dmalloc.com/) claims to work on IRIX. It's likely to increase the CPU and memory load, though. I've built with dmalloc on Linux thusly: LDFLAGS=-ldmalloc ./configure && make eval `dmalloc -l /path/to/log high` ./sshd [options]

...tional Comments From djm at mindrot.org 2003-06-03 10:28 ------- - markus at cvs.openbsd.org 2003/06/02 09:17:34 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] [sshd_config.5] deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@ Switch UseDNS off if y...

http://bugzilla.mindrot.org/show_bug.cgi?id=859 Summary: getaddrinfo(host, "0", &hints, &res) may take extra cycles Product: Portable OpenSSH Version: 3.8p1 Platform: All OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Miscellaneous

does anyone have a comment to make about this? (cert picked it up and we're being asked for a vendor response) http://www.securityfocus.com/archive/1/324016/2003-06-03/2003-06-09/0 do we have an "official" response yet? thanks, wendy -- wendy palm Cray Open Software Development, Cray Inc. wendyp at cray.com, 651-605-9154

...on localhost by default; see sshd X11UseLocalhost option to revert to prior behaviour if your older X11 clients do not function with this configuration Other Changes: ============== - ssh ~& escape char functions now for both protocol versions - sshd ReverseMappingCheck option changed to VerifyReverseMapping to clarify its function; ReverseMappingCheck can still be used - public key fingerprint is now logged with LogLevel=VERBOSE - reason logged for disallowed logins (e.g., no shell, etc.) - more robust error handling for x11 forwarding - improved packet/window size handling in ssh2 - use of rege...

...on localhost by default; see sshd X11UseLocalhost option to revert to prior behaviour if your older X11 clients do not function with this configuration Other Changes: ============== - ssh ~& escape char functions now for both protocol versions - sshd ReverseMappingCheck option changed to VerifyReverseMapping to clarify its function; ReverseMappingCheck can still be used - public key fingerprint is now logged with LogLevel=VERBOSE - reason logged for disallowed logins (e.g., no shell, etc.) - more robust error handling for x11 forwarding - improved packet/window size handling in ssh2 - use of rege...

...ith the AFS kaserver #KerberosTgtPassing no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server ------------------------------------------------------------------- Everything else is default.I'm not starting SSHD with any additional parameters than the defaults in /etc/defaults/rc.conf and just a...

http://bugzilla.mindrot.org/show_bug.cgi?id=820 Summary: utmp seems to be getting clobbered on logins Product: Portable OpenSSH Version: 3.8p1 Platform: All OS/Version: IRIX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: ktaylor

...sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, - sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, + sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, + sCheckMaxStartups, sMaxStartups, sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -353,6 +357,7 @@ { "protocol", sProtocol }, { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem...

...#X11UseLocalhost yes @@ -447,11 +449,14 @@ StrictModes no UsePrivilegeSeparation $privsep_used #PermitUserEnvironment no #Compression yes - +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid #MaxStartups 10 + # no default banner path #Banner /some/path -#VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/sbin/sftp-server -- Corinna Vinschen Cygwin Developer Red Hat, Inc.

...ost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no # 20030219 jem turned off Privilege Separation for Putty pSFTP to work #UsePrivilegeSeparation yes UsePrivilegeSeparation no PermitUserEnvironment no #Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/local/libexec/sftp-server

...otd no Protocol 2 PubkeyAuthentication yes #RhostsAuthentication no RhostsRSAAuthentication no RSAAuthentication no ServerKeyBits 768 StrictModes yes Subsystem sftp /usr/libexec/sftp-server SyslogFacility AUTH UseLogin no UsePAM yes UsePrivilegeSeparation no #VerifyReverseMapping no X11DisplayOffset 10 X11Forwarding yes X11UseLocalhost yes XAuthLocation /usr/openwin/bin/xauth

...setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes PrintMotd yes PrintLastLog yes KeepAlive yes #UseLogin no UsePrivilegeSeparation yes Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/local/openssh-3.3p1/libexec/sftp-server ================ I try to SSH to that port, and I see this in /var/log/messages: Jun 24 23:39:31 mallard sshd[26833]: Server listening on 0.0.0.0 port 2200. Jun 24 23:39:31 mallard ss...

...e connection before the correct key is tried. * SOCKS5 support has been added to the dynamic forwarding mode in ssh(1). * Removed implementation barriers to operation of SSH over SCTP. * sftp(1) client can now transfer files with quote characters in their filenames. * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed. * Fix a number of memory leaks. * Support for sending tty BREAK over SSH protocol 2. * Workaround for other vendor bugs in KEX guess handling. * Support for generating KEX-GEX groups (/etc/modul...

...e connection before the correct key is tried. * SOCKS5 support has been added to the dynamic forwarding mode in ssh(1). * Removed implementation barriers to operation of SSH over SCTP. * sftp(1) client can now transfer files with quote characters in their filenames. * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed. * Fix a number of memory leaks. * Support for sending tty BREAK over SSH protocol 2. * Workaround for other vendor bugs in KEX guess handling. * Support for generating KEX-GEX groups (/etc/modul...

...e connection before the correct key is tried. * SOCKS5 support has been added to the dynamic forwarding mode in ssh(1). * Removed implementation barriers to operation of SSH over SCTP. * sftp(1) client can now transfer files with quote characters in their filenames. * Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed. * Fix a number of memory leaks. * Support for sending tty BREAK over SSH protocol 2. * Workaround for other vendor bugs in KEX guess handling. * Support for generating KEX-GEX groups (/etc/modul...

...rning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes X11Forwarding no X11DisplayOffset 10 X11UseLocalhost yes PrintMotd yes PrintLastLog yes KeepAlive yes UseLogin no MaxStartups 10 # no default banner path #Banner /some/path VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/ssh/libexec/sftp-server -- David R. Steiner david.r.steiner at dartmouth.edu UNIX System Manager Phone: 603.646.3127 Dartmouth College F...