Displaying 20 results from an estimated 1000 matches similar to: "logging RSA key IDs"
2011 Oct 08
3
[PATCH] add log= directive to authorized_hosts
Attached is a patch which adds a log= directive to authorized_keys. The text
in the log="text" directive is appended to the log line, so you can easily
tell which key is matched.
For instance the line:
log="hello world!",no-agent-forwarding,command="/bin/true",no-pty,
no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:7"
ssh-rsa AAAAB3Nza....xcgaK9xXoU=
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options
2001 Nov 08
2
logging of root logins
On Thu, Nov 08, 2001 at 01:59:25PM +0100, Arthur de Jong wrote:
> root and warthur both have user id 0. Sorry, I should have made that
> clearer. They both have different passwords and rsa keys and I would like
> to be able to make the distinction in the logs. Currently ssh only logs
> that a ROOT user has logged in, not which one.
hm, i don't think uid sharing is a standard unix
2010 Oct 06
4
Logging Login Attempts
I have passwords turned off, and require keys to match. The zombie armies swarming outside are trying brute force attacks that in part involve guessing login NAMES. If they guess the wrong NAME, this is logged in syslog. If they guess a working user name, then the attack has PARTIALLY SUCCEEDED, but this information is IGNORED. That is, it is not logged. If the zombie army has tell when it
2000 Jan 13
5
Inhibiting swapping with mlock
There's one vulnerability that's bugged me for some time. It applies
to nearly all crypto software, including ssh. That's the swapping of
sensitive info (such as keys and key equivalents) onto hard drives
where they could possibly be recovered later.
The Linux kernel provides a system call, mlock(), that inhibits
swapping of a specified region of virtual memory. It locks it into
real
2006 Feb 20
7
Native erb lacks -%>, where is Rails' erb?
Native ERB in ruby, and eruby, seem to lack the -%> feature for
suppressing trailing newlines. Thus
erb -n script
gives errors. Where is Rails ERB so I can invoke it directly?
Thank you
Hugh
1999 Dec 30
3
TCP port forwarding troubles?
Has anyone heavily exercised the TCP connection forwarding features in
openssh?
I use this feature quite extensively for secure web surfing. I run
a ssh command like this:
ssh -c blowfish -L3128:127.0.0.1:3128 squidmachine
Then I set up Netscape on my local machine to use 127.0.0.1:3128 as a
proxy server. Needless to say, this exercises the TCP connection
forwarding feature quite heavily. This
1999 Dec 24
5
ANNOUNCE: openssh-1.2.1pre20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
openssh-1.2.1pre20 has been released at:
http://violet.ibs.com.au/openssh/files/
This release integrates more of Andre Lucas' portability patch, Ben
Taylor's utmpx patch and some cleanups and bugfixes of my own.
The auth-passwd failures should be fixed, as should lastlog support on
NetBSD.
Since Andre Lucas' patch included platform
2002 Jul 25
3
[PATCH] prevent users from changing their environment
We have a system on which users are given a very restricted environment
(their shell is a menu) where they should not be able to run arbitrary
commands. However, because their shell is not statically linked, ld.so
provides a nice clutch of holes for them to exploit. The patch below
adds a new configuration option to sshd which quashes their attempts
to set LD_PRELOAD etc. using ~/.ssh/environment
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
As you know, revoking RSA/DSA keys in an SSH environment requires
editing all authorized_keys and authorized_keys2 files that reference
those public keys. This is, well, difficult at best but certainly very
obnoxious, particularly in a large environment.
SSH key management is difficult. This patch simplifies key management
wherever GSS-API/Kerberos is used and is general enough to be used with
2001 Oct 04
1
patch - forceshell
Attached is a simple patch which allows an auth param 'shell=' like
'command='
When specified, sshd will use this shell instead of the one in
/etc/passwd or the default shell.
This patch allows you to have some chrooted shell (actually any shell)
associated with a specific key.
You could do this with command=, but then the command given to ssh will
be ignored, and scp will not
2000 Apr 30
2
Problem finding openssl in openssh-2.0.0test1
Hi. I saw a new release appear today, and I pulled it down to see if
some residual problems in port forwarding from openssh-1.2.3 were
fixed.
The configure script had trouble finding the openssl package, even though
I had it installed in the standard place (/usr/local/ssl). I investigated
and found that the failed test compile was caused by two nonfatal compiler
warnings that memset and RAND_add
2017 Oct 23
2
advantage of OPUS_SET_FORCE_CHANNELS(1)?
I'm using Opus for a networked ham radio communications receiver. Kudos
on the whole project; it sounds excellent even at low bit rates and the
API was surprisingly simple and easy to use. And god knows the world
needs a really good, general purpose, non-proprietary codec.
One question, though. Depending on the mode my receiver can generate
mono or stereo. Most operating modes are mono, but a
1999 Dec 09
2
ssh-keygen key length mismatch?
Scenario:
Use the ssh-keygen utility in openssh-1.2pre17 to generate a host key
Kill and restart sshd
Remove the old host key from ~/.ssh/known_hosts
Connect to the host using ssh.
I get this:
homer.ka9q.ampr.org$ ssh 199.106.106.3 who
The authenticity of host '199.106.106.3' can't be established.
Key fingerprint is 1024 a0:8d:17:f0:fa:a9:9f:6f:b5:d0:1c:d6:02:92:bd:5e.
Are you sure
2001 Mar 20
3
Rhosts-RSA authentication broken
Hello !
I think a problem was introduced in openssh-2.3.0p1 which is
still there in the latest openssh-2.5.2p1. I just noticed it
before my vacation and could not send this mail earlier than
today.
The problem is:
You can't use the Rhosts-RSA authentication based on the hosts.equiv
file and the host keys.
The only possible way to do rhosts-RSA authentication is to allow
the usage of the
2001 Nov 06
13
OpenSSH 3.0
OpenSSH 3.0 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).
We would like to thank the
2000 Dec 28
2
sshd doesn't log which RSA key was used
Hi guys,
and another feature request for sshd which I would classify as really
useful. And I think this behaviour is currently not available (If yes,
sorry, I must have missed it):
> I believe that the sshd should log which RSA key was used to connect to
> an account. When there are a number of keys in the authorized_keys file
> it is often useful to know which one was used for each
2000 Jun 14
2
TCP connection forwarding troubles
For some time I have routinely websurfed across a forwarded TCP
connection using SSH. The other end of the TCP tunnel connects to a
Squid proxy cache on the same machine.
This usually works. But I see lots of error messages on each end of
the form
Jun 13 13:22:02 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
2005 Apr 07
4
[Bug 1011] Multiple log entries for successful pubkey authentication
http://bugzilla.mindrot.org/show_bug.cgi?id=1011
Summary: Multiple log entries for successful pubkey
authentication
Product: Portable OpenSSH
Version: 4.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at