Displaying 20 results from an estimated 700 matches similar to: "[PATCH] prevent users from changing their environment"
2004 Jan 19
3
Security suggestion concering SSH and port forwarding.
Hi,
sorry if it is the wrong approuch to suggest improvments to OpenSSH,
but here comes my suggestion:
I recently stumbled upon the scponly shell which in it's chroot:ed form is
an ideal solution when you want to share some files with people you trust
more or less.
The problem is, if you use the scponlyc as shell, port forwarding is still
allowed. This can of course be dissallowed in
2003 Jan 29
0
[PATCH] features for restricted shell environments
The patch below implements a couple of features which are useful
in an environment where users do not have a regular shell login.
It allows you to selectively disable certain features on a
system-wide level for users with a certain shell; it also allows
you to control and audit TCP forwarding in more detail.
Our system is an email server with a menu for the login shell;
we selectively allow port
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
A short while ago, I looked at using the AllowUsers configuration option
in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to
restrict access such that only specific remote machines could access
specific local accounts.
I swiftly discovered that
a) specifying wildcarded IP numbers to try to allow a useful IP range
was pointless: if I specified
AllowUsers joe at
2001 Mar 14
1
/etc/default/login patch?
Would anybody happen to have or know of a patch to make /etc/default/login
PATH and SUPATH the default openssh path? We have customized paths for each
school of engineering (each have their own customized site bin). This is
easily controled with /etc/default/login. The --with-default-path option
is too rigid. This is Solaris I am talking about.
--mike
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple
authentication mechanisms in openssh. So I wrote an implemention.
I thought at first I should change the PasswordAuthentication,
PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some
funky stuff in auth2.c with respect to keyboard interactive auth that would make
this kind of
2002 Aug 13
1
[PATCH] global port forwarding restriction
Here's another patch for people providing ssh access to restricted
environments.
We allow our users to use port forwarding when logging into our mail
servers so that they can use it to fetch mail over an encrypted channel
using clients that don't support TLS, for example fetchmail. (In fact,
fetchmail has built-in ssh support.) However we don't want them connecting
to other places
2001 Mar 02
0
Patch for system-wide default environment
We recently switched to OpenSSH from ssh 1.2.x and
I quickly noticed that /etc/environment processing has gone AWOL.
This patch adds a new sshd_config variable:
SysEnvFile
Specifies a file containing the system-wide default environment
in ``VARNAME=value'' format (default is none.) The contents of a
user's $HOME/.ssh/environment file, if
2003 Mar 02
0
[RFC][PATCH] Require S/KEY before other authentication methods.
I need a way to make sshd require S/KEY authentication to succeed before
allowing either password or public-key authentication.
Currently, we can only have S/KEY+password, by using PAM for
authentication, and configuring PAM accordingly. But PAM of course can't
handle SSH public keys.
I thought for a while that ideally we could actually use PAM to tell
sshd what methods of authentication to
2013 Jan 31
2
OpenSSH NoPty patch
Hey everyone,
I wanted to add support for denying PTY allocation through OpenSSH. I'm
not certain if this is quite thorough enough for all cases, but for me
it might work for the moment.
I know that you can currently do this through authorized_keys, but as
far as I know that only works for an actual key. In my use case, I
wanted a user with no password which is forced to run a specific
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly
soon.
-d
--
| By convention there is color, \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
2000 Oct 24
2
feature request & patch submit: chroot(2) in sshd
Hello,
whereas most people take passwd/shadow/ldap/<whatever> as the place where
decision on a chrooted environment / sandbox for certain users is met (just
set the given usershell appropriateley), I needed a somewhat different
approach. Below is a tiny patch to 2.2.0p1 which enhances the sshd-config
by two options and, when set, places all users / users of a certain group
immediately in
2001 Nov 20
3
problem with AFS token forwarding
Hello,
I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
concerning the AFS token forwarding. That means that the new versions are
not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this
problem already existed in Openssh 2.9.9p1, but I have never used this
version (I only looked at the
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch
in the sshd_config. You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2002 Jul 04
4
Chroot patch (v3.4p1)
The following is a patch I've been working on to support a "ChrootUser"
option in the sshd_config file.
I was looking for a way to offer sftp access and at the same time restict
interactive shell access. This patch is a necessary first step (IMO).
It applies clean with 'patch -l'.
Also attached is a shell script that helps to build a chrooted home dir on
a RedHat 7.2
2013 Aug 05
2
RemoteForward and dynamically allocated listen port
Specifying a RemoteForward of 0:example.com:1234 dynamically allocates
the listen port on the server, and then reports it to ... the client!
Where it is practically useless. Was this someone's idea of a joke?
Presumably not--there are some technical obstacles to reporting it to
the remote process. I'd like to help solve that problem.
The natural way to me would be to extend the syntax
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=118
Summary: Implement TIS (protocol 1) via PAM
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: fcusack at
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
Hello,
appended is a patch that makes it possible to use PAM both for
password authentication and TIS (i.e. s/key or opie or any other
interactive challenge/response scheme). I have developed this starting
from the patch at http://www.debian.org/Bugs/db/61/61906.html on
Debian with openssh-2.1.1p4-3. After configuring ssh with
--with-pam-tis, there are two PAM services, "sshd" and
2000 Aug 11
1
OpenSSH Questions
Heya,
I'm trying to convince my company to use OpenSSH instead of the commercial SSH version. I need a little help:
1. What features does OpenSSH offer over commercial SSH (besides being free and open source of course)?
2. Our lawyers want details on the licensing / patents stuff. I have the high level details from the OpenSSH page. I need the nitty gritty like RSA patent# and
2000 Aug 13
1
Patches for openssh port forwarding
Hi !
I hacked together a couple of patches for Openssh 2.1.1p4 port forwarding.
It is a one patch file that does the following two things:
First:
If the server is configured not to allow port forwardings it sends
SSH_SMSG_FAILURE (protocol 1) while openssh client expects SSH_SMSG_SUCCESS.
When the client gets the failure it exists with protocol error message.
This patch will accept both failure
2001 Nov 07
2
Flaw in empty password authentication in sshd
The auth-pam.c of sshd server contains a small flaw that allows empty
password logins even if "PermitEmptyPasswords" option in the sshd config
file is set to "no". The scenario is as follows:
Using ssh the user tries to logon to the machine using an account that has
empty password. If the user presses enter on the password prompt (NULL
password) access is