similar to: [Bug 1472] New: Authentication options not cleared in privileged process

This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options

As you know, revoking RSA/DSA keys in an SSH environment requires editing all authorized_keys and authorized_keys2 files that reference those public keys. This is, well, difficult at best but certainly very obnoxious, particularly in a large environment. SSH key management is difficult. This patch simplifies key management wherever GSS-API/Kerberos is used and is general enough to be used with

These patches are against 3.0.1p1. I need them because I have a local mod which needs access to the ServerOptions struct named ``options'', hence the rename. --- auth-rsa.c.orig Mon Nov 19 16:54:01 2001 +++ auth-rsa.c Mon Nov 19 16:56:18 2001 @@ -180,8 +180,7 @@ * user really has the corresponding private key. */ while (fgets(line, sizeof(line), f)) { - char *cp; - char

This patch is against 3.0.2p1. It produces output like the first line in the example below for both v1 and v2 logins. Logging is turned on by sticking ``LogFingerprint yes'' in sshd_conf. It would be nice if something like this would make it into OpenSSH. Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found matching RSA1 key:

Hi, There's a nasty bug in auth-open.c that causes all options in a line of authorized_keys to be applied to all subsequent lines without options. IMNSHO this clearly shows the evil of global variables, and using extern whatever as a means of information sharing. Cheers, Han Holl --- auth-options.c.orig Fri Feb 9 14:14:51 2001 +++ auth-options.c Fri Feb 9 14:18:43 2001 @@ -57,11 +57,12

https://bugzilla.mindrot.org/show_bug.cgi?id=2615 Bug ID: 2615 Summary: LoginGraceTime bypass (DoS) Product: Portable OpenSSH Version: 7.3p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, I am not sure if this is the correct place to ask these question, if I am at the wrong place please advise. I am currently working on some modifications to openssh which record the users rsa/dsa identity comment file to a log file when the user logs in (password authentication is disabled). The ssh1 portion of the modification works

https://bugzilla.mindrot.org/show_bug.cgi?id=2688 Bug ID: 2688 Summary: Long log messages to stderr missing newlines Product: Portable OpenSSH Version: 7.4p1 Hardware: All OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd Assignee: unassigned-bugs at

Hello there! I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of the accepted key to be printed in the log message. It works with SSH1-RSA and SSH2 pubkey (DSA+RSA) authentication. This feature is controllable by the LogKeyFingerprint config option (turned off by default). Michal Kara -------------- next part -------------- diff -u5

https://bugzilla.mindrot.org/show_bug.cgi?id=1829 Summary: auth-rsa.c: move auth_key_is_revoked() call from auth_rsa_verify_response() to auth_rsa_key_allowed() Product: Portable OpenSSH Version: 5.6p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component:

Both systems are running RH 7.3 with a compiled copy of 3.4p1 with pam support enabled via configure root at vlan root]# ssh -v -v -v root at 207.62.147.3 OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1:

Hello, I have been observing the case where some part of the proxy connection(s) break/time out, and the "tunnelconnect" proxy (http://www.taiyo.co.jp/~gotoh/ssh/connect.html) exits. The problem is that the process turns into a zombie and _stays_ that way. SSH (OpenSSH-3.9p1) does not seem to wait() for it. Looks like a "deadwait". Jan Engelhardt -- If you knew the

Hi, during our usual work I found it anoying that one can not easily see who logged in using public key authentication. In newer versions of SSH the fingerprint of the public key gets logged, but who can tell which key belongs to whom from his head? So I wrote a little ad-hoc patch (vs. 3.5.p1) so that the comment field on the keys in the authorized_keys[2] files get logged to make life

I may have found a similar issue with plain old RSAAuthentication. After upgrading to 3.4p1 on Solaris 8, I am no longer able to use RSAAuthentication with PermitRootLogin forced-commands-only Following is output from sshd -d -d: Connection from 10.100.100.8 port 39955 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling

https://bugzilla.mindrot.org/show_bug.cgi?id=1452 Summary: (V_5_0) Bugs intended to be fixed in 5.0 Classification: Unclassified Product: Portable OpenSSH Version: -current Platform: Other

https://bugzilla.mindrot.org/show_bug.cgi?id=1567 Summary: Insufficient privileges to chroot() on AIX Product: Portable OpenSSH Version: 5.2p1 Platform: PPC OS/Version: AIX Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: bana

In order to comply with our internal security guidelines, we created a patch on top of openssh-3.6.1p2. With that patch, if sshd sets up a session based on key authentication, it logs to syslog which one of the keys in authorized_keys or authorized_keys2 is actually being used. The patch logs the key comment (typically the key owner's email address) as well as the name of the file containing

sshd also dies when certain other kinds of traffic is generated, such as `man pw' using the most pager[1], and many x11 apps such as emacs. However, it is stable when running simple x11 apps such as xeyes, and the link its self is stable -- a terminal will stay connected without issue for days, as long as not much happens in it. Also a sshfs connection dies immediately. ssh -Y karren gkrellm

http://bugzilla.mindrot.org/show_bug.cgi?id=1343 Summary: Privilege separation does not work on QNX Product: Portable OpenSSH Version: 4.6p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: kraai at

Hi all. As Corinna pointed out, there are some cases where sshd will log some authentications twice when privsep=yes. This can happen on any platform although it seems most obvious on the ones that don't do post-auth privsep. It also occurs when sshd logs to stderr (eg running under daemontools) or when you have a /dev/log in the privsep chroot. The patch below attempts to solve this for