similar to: X11 forwards and libwrap support

Hi! Here is the patch to support tcp wrappers with x11-forwarded connections. The patch is for openssh-3.0.1p1 but it works fine with 2.9.9p2 too. I've understood that this will not be included in the official version because it adds complexity (?!) to openssh. Binding the forwarded port to localhost doesn't solve all problems. I've understood that you should also implement

Hi! I just compiled/installed openssh 3.7p1 (and 3.7.1p1) for solaris some time ago. It has weird behaviour. When I run ssh <hostname> and I enter invalid password I get six password prompts: using new version of openssh: % ssh hostname Password: Password: Password: user at hosts's password: Permission denied, please try again. user at hosts's password: Permission denied, please

Hi! I was browsing through archives and found out that somebody else was having the same problem as I'm. http://bugzilla.mindrot.org/show_bug.cgi?id=248 from the client, when I run scp to the server, I get: scp: warning: Executing scp1 compatibility. scp: FATAL: Executing ssh1 in compatibility mode failed (Check that scp1 is in your PATH). There are more details about this problem here:

Hi! I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled. It seems that if I use public key authentication I can log in to an account that is locked (/etc/shadow has *LK* as password). Login is also allowed even if the user does not have a valid shell. Is this a bug or am I missing something? -- Osmo Paananen

Hi, if I do the following: ssh -X localhost su - another_user xterm I get: X connection to ming:10.0 broken (explicit kill or server shutdown). Where what is really wanted was something like: Xlib: connection to ":0.0" refused by server Xlib: Client is not authorized to connect to Server xterm Xt error: Can't open display: :0.0 'tis easy to reproduce the bug, but the debug

The following message is a courtesy copy of an article that has been posted to comp.emacs.xemacs as well. [This message has been CC'ed to the OpenSSH list in a plea to at least consider supporting more advanced usages of Xauth] Chris Green <sprout at dok.org> writes: > Its not configurable behavior. It always generates a new random file > in /tmp. Then they should probably

http://bugzilla.mindrot.org/show_bug.cgi?id=803 Summary: Security Bug: X11 Forwarding is more powerful than it needs to be. Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: ssh AssignedTo: openssh-bugs

I'd like to run SELinux on my CentOS server in enforcing mode, but I get the above message when I run sealert. I assume this is because I am accessing the server from my laptop? In any case, I googled for the message, and this threw up dozens of similar queries over many years. Most of the ones I read offered methods of avoiding the problem rather than solving it. Am I right in thinking the

https://bugzilla.mindrot.org/show_bug.cgi?id=2440 Bug ID: 2440 Summary: X11 connection will fail if user's home directory is read-only Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5 Component: sshd

So I'm working from home today, and for the first time I've tried running Evolution over a forwarded X11 connection. Even though work has a T1 and I have 640k at home, and ssh is compressing, it's ... rather slow. So I fire off lbxproxy and try to run an xterm to see if it works. No dice, authentication denied. Does anybody have any experience with this? Is it possible to run

All, There was some discussion recently on Ubuntu Launchpad regarding the bug in NUT 2.2.1 where it was not possible to connect with an accept- all ACL: https://bugs.launchpad.net/bugs/235653 The package was patched for the upcoming Ubuntu release (intrepid), but the discussion drifted to the merits of application-level ACLs (comment 11 and beyond). Steve Langasek brings up a good point

Hello all, after a useless discussion on the opensuse ML I had to find out that they buried the removal news of libwrap last year in some half-sentence. So this is unfortunately pretty late for the topic. Nevertheless it is pretty obvious that you did not get any feedback from people using ssh over decades in server-administration. Let me make a clear point: libwrap removal was a pretty bad idea.

On Thu, 15 Nov 2001, Dan Astoorian wrote: > Date: Thu, 15 Nov 2001 16:09:20 -0500 > From: Dan Astoorian <djast at cs.toronto.edu> > To: Ed Phillips <ed at UDel.Edu> > Subject: Re: X11 cookies and forwarding > > On Thu, 15 Nov 2001 15:46:22 EST, Ed Phillips writes: > > I'm guess I wasn't following the whole cookies discussion completely > >

Hello, There is a small but annoying problem with linking libwrap in openssh. The library is added to LIBS which makes it be linked in to all binaries. This is unnecessary and leads to bogus dependencies if libwrap is a shared library. Following is a trivial fix that reserves a separate autoconf substitution variable LIBWRAP, which is only used for sshd. Please apply. Maciej -- +

Hi folks, I've got a problem with X11 forwarding on an AIX 5.2 system thats stumped me. I've installed the same patched + compiled installp package on all our aix boxes but one of them won't play ball with X11 ssh -X -v -v user at host gives (grepped out X11 looking lines) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). debug1:

On Thu, May 21, 2015 at 1:05 AM, Michael Stone <mstone at mathom.us> wrote: > On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote: > >> Show me this as an example of your firewall skills and replace this >> hosts.allow entry: >> >> sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected >> me | >>

Hello all, $XAUTHORITY location has moved from under /tmp to ~/.Xauthority in 2.9p2. The commit message was: --- remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since we do already trust $HOME/.ssh you can use .ssh/sshrc and .ssh/environment if you want to customize the location of the xauth cookies --- The latter is true, but can only be enabled in per-user basis as far as I see.

Hi, A few things regarding logging and libwrap.. a) PAM_RHOST patch Back in July, dean gaudet helpfully posted a patch to dovecot PAM_RHOST the remote IP. Is this going to be included in the main dovecot tree? It seems like a worthwhile addition. The more informative and concise the logging the better. See http://www.dovecot.org/list/dovecot/2004-July/004011.html for the original message.

hi, this can be applied to the latest portable CVS. by default bind sshd fake display to localhost. [stevesk at jenny stevesk]$ uname -sr HP-UX B.11.11 [stevesk at jenny stevesk]$ echo $DISPLAY localhost:14.0 [stevesk at jenny stevesk]$ netstat -an|grep 6014 tcp 0 0 127.0.0.1.6014 *.* LISTEN this is currently controlled with sshd_config gatewayports;

Is there plans to use libwrap Or is there already some kind of access control i have missed?? What i really want is a mechanism so i can say: If The request comes from "123.121.212.0" dont offer ssl and accept plain else demand ssl and no plain I now have this (almost) in another imap server by xinetd and two ip addresses. I could solve this by iptables or access list on the router