similar to: [Bug 339] 3.4p1: UsePrivilegeSeparation breaks key fingerprint logging

http://bugzilla.mindrot.org/show_bug.cgi?id=339 Summary: 3.4p1: UsePrivilegeSeparation breaks key fingerprint logging Product: Portable OpenSSH Version: -current Platform: All URL: http://www.catnook.com/misc/sshd-key-fp-logging.txt OS/Version: Solaris Status: NEW Severity: normal

Hello, there are emerging container services that restrict regular users to launch containers under some random uid for security reasons. If such user needs sshd in their container, they need to turn off `UsePrivilegeSeparation` so that sshd is executed as the current uid and not `root`. I understand that privilege separation [1] is more than changing the process uid. On the other hand, it is

I just upgraded to OpenSSH 3.4p1 from 2.5.2p2 to take advantage of privilege separation. After installation, when a user tries to login he gets dropped almost immediately. In the server's /var/log/messages: Jun 26 20:15:04 sclp3 sshd[6433]: Accepted password for jason from 128.165.148.66 port 41871 ssh2 Jun 26 20:15:12 sclp3 jason[110]: sshd[6444]: fatal: xrealloc: out of memory (new_size

Fwiw, I filed a bug report on this earlier (339). -- Jos Backus <josb at microsoft.com> WebTV Networks, Inc., Mountain View, CA

Hi, I'm wondering whether it is possible to log the key fingerprint (or, the comment of the key) that was used for authentication) with the actual available openssh v3.4p1 on solaris? (with Solaris 8 / UsePrivilegeSeparation yes, if this might be relevant, it seems not) -Is it possible at all? How? -Is there a special sshd configuration option neccessary to use? -Does is only work with a

https://bugzilla.mindrot.org/show_bug.cgi?id=2082 Bug ID: 2082 Summary: Please add pubkey fingerprint to authentication log message Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5

http://bugzilla.mindrot.org/show_bug.cgi?id=1080 Summary: 4.1p1 to 4.2p1 broke UsePrivilegeSeparation on HPUX Product: Portable OpenSSH Version: 4.2p1 Platform: HPPA OS/Version: HP-UX Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org

Currently, LogLevel must be set to VERBOSE to see the fingerprint of an accepted key, and the default LogLevel is INFO. Since this is useful security information, I would like to propose that the 'Accepted publickey' message be modified to include the fingerprint of the accepted key. Is this a reasonable solution? Here is an example log snippet with LogLevel VERBOSE: Oct 1 15:23:24

On Wed, Jul 20, 2016 at 09:02:57PM -0600, Selphie Keller wrote: > I wonder if could be useful to set the fall back account to something user > defined to avoid suggesting people add passwords to root, though I do like > root since the account is always there, Since committing that diff I've heard of people running in production with no root password (ie *LK*, !! or similar).

I just upgraded to OpenSSH3.2.3p1 as it seemed that UsePrivilegeSeparation yes might help with my problem (connections forwarded are owned by root instead of the user I logged in as on the server), but instead, sshd barfs on receiving a connection. Without UsePrivilegeSeparation the server works fine. # strace -o /tmp/sshd.str sshd -d debug1: sshd version OpenSSH_3.2.3p1 debug1: private host

https://bugzilla.mindrot.org/show_bug.cgi?id=1863 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED CC| |djm at mindrot.org Status|NEW

Hi, I admin a box that has Subversion users authenticate with public keys to a restricted 'svnuser' account. The comment field of all the keys describe who they belong to (it has their usernames), but unfortunately, sshd does not log this when a user successfully authenticates: Jun 21 08:18:22 localhost sshd[23636]: Accepted publickey for svnuser from x.x.x.x port 2065 ssh2 Jun

https://bugzilla.mindrot.org/show_bug.cgi?id=2167 Bug ID: 2167 Summary: Connection remains when fork() fails. Product: Portable OpenSSH Version: 5.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

Hello, for a research project I am trying to log the algorithms suggested by the client during key exchange. I am using the source of version 5.8p2. I figured the function kex_buf2prop() in kex.c might be the place to log that information. I am calling logit() within the for loop -> for (i = 0; i < PROPOSAL_MAX; i++) { proposal[i] =

Hello, I have just installed OpenSSH 4.6p1 and it appears that ChallengeResponseAuthentication is not allowed unless I explicitly set it to "yes" in the sshd_config file. I am using the same config file as I did with 4.5p1 where it was allowed by default. Also, this is OpenSSH package from sunfreeware, but I believe that both versions were compiled with the same options. Is this the

There are a couple of niggles with the sandboxing of the unprivileged child in the privsep code: the empty directory causes namespace pollution, and it requires care to ensure that it is set up properly and remains set up properly. The patch below (against the portable OpenSSH, although the patch against the OpenBSD version is very similar) replaces the fixed empty directory with one that is

https://bugzilla.mindrot.org/show_bug.cgi?id=2646 Bug ID: 2646 Summary: zombie processes when using privilege separation Product: Portable OpenSSH Version: 7.2p2 Hardware: ix86 OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at

Hello Darren, Could you comment on this issue being raised by myself and Corinna Vinschen? This will create big problems for me. I'm not clear if this is a conscious decision supported by solid reasons or if it is just collateral damage. Thank you for all you work! Jack DoDDs -------- Original Message -------- Date: Mon, 27 Mar 2017 16:31:03 +0200 Subject: Re: Announce: OpenSSH 7.5

https://bugzilla.mindrot.org/show_bug.cgi?id=1863 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- Close all resolved bugs after 7.3p1 release

https://bugzilla.mindrot.org/show_bug.cgi?id=2107 Bug ID: 2107 Summary: seccomp sandbox breaks GSSAPI Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Kerberos support