similar to: [Bug 339] New: 3.4p1: UsePrivilegeSeparation breaks key fingerprint logging

http://bugzilla.mindrot.org/show_bug.cgi?id=339 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2005-04-21 15:31

Fwiw, I filed a bug report on this earlier (339). -- Jos Backus <josb at microsoft.com> WebTV Networks, Inc., Mountain View, CA

Hi, I'm wondering whether it is possible to log the key fingerprint (or, the comment of the key) that was used for authentication) with the actual available openssh v3.4p1 on solaris? (with Solaris 8 / UsePrivilegeSeparation yes, if this might be relevant, it seems not) -Is it possible at all? How? -Is there a special sshd configuration option neccessary to use? -Does is only work with a

http://bugzilla.mindrot.org/show_bug.cgi?id=112 Summary: Using host key fingerprint instead of "yes" Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org

I just upgraded to OpenSSH 3.4p1 from 2.5.2p2 to take advantage of privilege separation. After installation, when a user tries to login he gets dropped almost immediately. In the server's /var/log/messages: Jun 26 20:15:04 sclp3 sshd[6433]: Accepted password for jason from 128.165.148.66 port 41871 ssh2 Jun 26 20:15:12 sclp3 jason[110]: sshd[6444]: fatal: xrealloc: out of memory (new_size

Hello there! I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of the accepted key to be printed in the log message. It works with SSH1-RSA and SSH2 pubkey (DSA+RSA) authentication. This feature is controllable by the LogKeyFingerprint config option (turned off by default). Michal Kara -------------- next part -------------- diff -u5

This patch against OpenSSH 3.2.3p1 implements an ssh-agent authentication retry mechanism which is useful when starting many ssh clients in a short period of time. The number of retries and the maximum delay between retries is runtime-configurable using AuthMaxRetries <integer> AuthRetryDelay <seconds> The patch is available at:

This patch is against 3.0.2p1. It produces output like the first line in the example below for both v1 and v2 logins. Logging is turned on by sticking ``LogFingerprint yes'' in sshd_conf. It would be nice if something like this would make it into OpenSSH. Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found matching RSA1 key:

http://bugzilla.mindrot.org/show_bug.cgi?id=259 Summary: UsePrivilegeSeparation crashed sshd under Linux 2.2 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

Using openssh-3.4p1 on Linux I noticed that PermitRootLogin=forced-commands-only does not work if UsePrivilegeSeparation is enabled; but it does work if privsep is disabled. Here are excerpts of debug from the server. -----------UsePrivilegeSeparation DISABLED------- ... Found matching DSA key: 56:9d:72:b0:4f:67:2e:ed:06:e7:41:03:e2:86:52:0d^M debug1: restore_uid^M debug1: ssh_dss_verify:

Simon Cooper already mailed in a patch to get the effects of MAP_ANON on IRIX systems, but it was against openssh/3.3p1. I've reapplied his patach to openssh/3.4p1 and include it as an attachment. Here's his explanation: > I noticed that the recent release requires the existence of MAP_ANON to get > an anonymous memory region. In Irix the equivalent functionality can be >

http://bugzilla.mindrot.org/show_bug.cgi?id=283 Summary: UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo: Product: Portable OpenSSH Version: -current Platform: PPC OS/Version: AIX Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev

This patch updates the files under popt/ to the latest vendor drop. The only change is the inclusion of a FreeBSD-specific patch to popt.c. This is needed in case somebody decides to build rsync on that platform without using the port. I'm not happy about the wording in popt/README.rsync so I may change it. The patch is available at http://www.catnook.com/rsync-popt-1.5.1.patch Comments

Hello, there are emerging container services that restrict regular users to launch containers under some random uid for security reasons. If such user needs sshd in their container, they need to turn off `UsePrivilegeSeparation` so that sshd is executed as the current uid and not `root`. I understand that privilege separation [1] is more than changing the process uid. On the other hand, it is

http://bugzilla.mindrot.org/show_bug.cgi?id=1080 Summary: 4.1p1 to 4.2p1 broke UsePrivilegeSeparation on HPUX Product: Portable OpenSSH Version: 4.2p1 Platform: HPPA OS/Version: HP-UX Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=1945 Bug #: 1945 Summary: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes Classification: Unclassified Product: Portable OpenSSH Version: 5.8p1 Platform: All OS/Version: HP-UX Status: NEW

Perhaps now is a good time to commit this patch which updates the included popt to version 1.7. This has been tested on FreeBSD and Solaris. http://www.catnook.com/patches/rsync-popt-1.7.diff Comments? -- Jos Backus _/ _/_/_/ Sunnyvale, CA _/ _/ _/ _/ _/_/_/ _/ _/ _/

http://www.catnook.com/patches/rsync-popt-1.6.4.patch has a patch which upgrades the popt included with rsync to the latest version, 1.6.4. The configure script had to be regenerated (with autoconf 2.53) because popt.c wants HAVE_FLOAT_H. As an aside, I have heard people complain about this version of autoconf generating scripts that break when run under bash (as /bin/sh). Comments? -- Jos

https://bugzilla.mindrot.org/show_bug.cgi?id=1659 Summary: VisualHostKey and host key fingerprint aren't displayed when host's IP address is changed Product: Portable OpenSSH Version: 5.2p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh

http://bugzilla.mindrot.org/show_bug.cgi?id=1020 Summary: PrintLastLog doesn't work for UsePrivilegeseparation yes Product: Portable OpenSSH Version: 4.0p1 Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org