similar to: [Bug 1172] [PATCH] Restrict public key authentication to scp access only

https://bugzilla.mindrot.org/show_bug.cgi?id=1172 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX CC|

The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated

Attached is a simple patch which allows an auth param 'shell=' like 'command=' When specified, sshd will use this shell instead of the one in /etc/passwd or the default shell. This patch allows you can have some chrooted shell (actually any shell) associated with a specific key. You could do this with command=, but then the command given to ssh will be ignored, and scp will not

I am a recent convert to openssh. I am very pleased with it, and find it superior to ssh-1.2.27 in many ways (thanks for the good work). I recently found one piece missing from the current release. I have used the 'command' option in the authorized_keys file to restrict access. Using ssh-1.2.27 the original command was placed in the SSH_ORIGINAL_COMMAND envrionment variable. If

I am supporting a site that allows members to upload release files. I have inherited this site which was previously existing. The goal is to allow members to file transfer to and from their project area for release distribution but not to allow general shell access and not to allow access to other parts of the system. Currently rsync and old scp has been restricted using a restricted shell

I am not 100% positive of the security implications of this, but I really can't see any potential for harm. If this patch is applied (I coded it against the now-current openssh-2.2.0p1), then if (a) the authorized_keys entry has command="whatever" to force a specific command, and also (b) the invoker specified some command on their ssh cmdline, then the invoked command will be

On 12.11.23 03:52, Damien Miller wrote: > On Sat, 11 Nov 2023, Bob Proulx wrote: > >> I am supporting a site that allows members to upload release files. I >> have inherited this site which was previously existing. The goal is >> to allow members to file transfer to and from their project area for >> release distribution but not to allow general shell access and not

On Sat, 11 Nov 2023, Bob Proulx wrote: > I am supporting a site that allows members to upload release files. I > have inherited this site which was previously existing. The goal is > to allow members to file transfer to and from their project area for > release distribution but not to allow general shell access and not to > allow access to other parts of the system. > >

The previous version broke the case of internal-sftp without arguments. This is a fixed version. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-19 11:28:29.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if

Hi, This patch makes things like ForceCommand internal-sftp -l INFO work (current code in 5.1 would just end the session). Please consider for inclusion into mainline. Michael. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-18 21:12:51.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command;

http://bugzilla.mindrot.org/show_bug.cgi?id=1217 Summary: scp does not limit bandwidth Product: Portable OpenSSH Version: 4.3p2 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P3 Component: scp AssignedTo: bitbucket at mindrot.org ReportedBy: jacek_kal at o2.pl

I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a

Greetings! Non-list subscriber, so please be sure to include me on replies. I want to be abut to set up sshd so that I can restrict the remote user's activities. In particular, I want... 1. no shell. I want them to be able to do scp and maybe port forwarding, but I DO NOT want them to be able to start up any shell or anything else! 2. i want to be able to restrict them to be able to do

An embedded and charset-unspecified text was scrubbed... Name: msg.pgp Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020816/fc49c170/attachment.ksh

Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu <kevin at tgivan dot com> Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This

A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator

http://bugzilla.mindrot.org/show_bug.cgi?id=634 Summary: scp incompatibility with ssh.com scp Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: scp AssignedTo: openssh-bugs at mindrot.org ReportedBy: wgs3 at

Hi, A couple of days ago I realized that 'scp' on the client-side requires 'scp' on the server-side as well. client:scp -> server:sshd -> server:scp It this really the way it should be? IMHO it seems like a bad design. I usually create a Solaris-package with prngd, sshd, ssh-keygen and name it OpenSSH-3.x.x-serveronly but now I have to also include 'scp'. Is it

http://bugzilla.mindrot.org/show_bug.cgi?id=1368 Summary: avoid "scp not found" with option to specify remote scp command Product: Portable OpenSSH Version: 4.7p1 Platform: Other OS/Version: Other Status: NEW Severity: normal Priority: P2 Component: scp AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=88 Summary: scp for OpenSSH v3.0.2p1 fails to commercial SSH v3.1.0 server (new -t option to SSH's scp) Product: Portable OpenSSH Version: 3.0.2p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: scp