Displaying 20 results from an estimated 800 matches similar to: "[PATCH] Add a chroot_users option to sshd"
2002 Jul 04
4
Chroot patch (v3.4p1)
The following is a patch I've been working on to support a "ChrootUser"
option in the sshd_config file.
I was looking for a way to offer sftp access and at the same time restrict
interactive shell access. This patch is a necessary first step (IMO).
It applies clean with 'patch -l'.
Also attached is a shell script that helps to build a chrooted home dir on
a RedHat 7.2
2002 Jan 23
0
[PATCH] Add multiple AuthorizedKeyFiles options
Hi,
We'd like to run sshd with a configuration morally equivalent to:
# stuff ...
AuthorizedKeysFile /var/db/keys-distributed-by-security-team/%u
AuthorizedKeysFile %h/.ssh/authorized_keys
# be backwards compatible for a bit longer yet
AuthorizedKeysFile %h/.ssh/authorized_keys2
# more stuff ...
The following patch (against the cvs source) turns the authorizedkeysfile
statement in sshd.conf
2004 Jan 19
3
Security suggestion concering SSH and port forwarding.
Hi,
sorry if it is the wrong approach to suggest improvements to OpenSSH,
but here comes my suggestion:
I recently stumbled upon the scponly shell which in its chroot:ed form is
an ideal solution when you want to share some files with people you trust
more or less.
The problem is, if you use the scponlyc as shell, port forwarding is still
allowed. This can of course be disallowed in
2001 Dec 04
0
PATCH: log key fingerprint upon successful login
This patch is against 3.0.2p1. It produces output like the first line in the
example below for both v1 and v2 logins. Logging is turned on by sticking
``LogFingerprint yes'' in sshd_conf. It would be nice if something like this
would make it into OpenSSH.
Dec 4 14:21:09 lizzy.bugworks.com sshd[7774]: [ID 800047 auth.info] Found
matching RSA1 key:
2002 Jan 29
2
Key fingerprint logging
Hello there!
I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of
the accepted key to be printed in the log message. It works with SSH1-RSA and
SSH2 pubkey (DSA+RSA) authentication.
This feature is controllable by the LogKeyFingerprint config option (turned
off by default).
Michal Kara
-------------- next part --------------
diff -u5
2002 Mar 28
1
[PATCH] Feature addition: user access control per auth method
I added a few features to openssh for my local use that I think would
be more broadly useful. I basically added access control lists to
control who would be allowed public key authentication. I added four
config file entries for the server:
PubkeyAllowUsers
PubkeyDenyUsers
PubkeyAllowGroups
PubkeyDenyGroups
These follow the same semantics as the already existing entries for
2002 Dec 18
2
patch for openssh3.5p1 - adds logging option
this patch adds a LogFile option to sshd_config. it just logs messages
directly to a file instead of stderr or syslog. the largest change
is an additional argument to log_init() in log.c for the log file name
(and then changes to the rest of the tools to add a NULL arg).
galt
-------------- next part --------------
diff -urN openssh-3.5p1-orig/log.c openssh-3.5p1/log.c
---
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly
soon.
-d
--
| By convention there is color, \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
2002 May 29
2
[PATCH] Add config option disabling drop_connection() behavior
The patch below (against openssh 3.2.3p1) adds a
CheckMaxStartups option, defaulting to yes, to determine whether sshd
calls drop_connection().
The motivation behind this is twofold. In our environment, our
timesharing machines get enough incoming connections that will trigger
spuriously with the default value (10 forked unauthenticated
connections) as well as some significantly higher values,
2007 May 16
2
Disabling ForceCommand in a Match block
Hello,
I am trying to force a command for all users *except* for users in the
"wheel" group. My idea was to do the following in sshd_config:
ForceCommand /usr/bin/validate-ssh-command
Match Group wheel
ForceCommand
But obviously this doesn't work, because ForceCommand requires an
argument. I couldn't find a way to achieve what I want.
I wrote a patch that adds a
2002 Jan 26
7
[PATCH] Added NoDelay config option and nodelay subsystem option
Hello again!
Since there was some resistance against adding TCP_NODELAY unconditionally,
I've made another patch. The new patch contains the following:
* Added a NoDelay yes/no (default no) config option to ssh and sshd
* Added -oNoDelay=yes to the ssh command line for sftp.
* Changed the sshd subsystem config option syntax from
Subsystem name path
to
Subsystem name options path
2001 Aug 16
4
Idletimeout patch
While I was updating our ssh-servers, I rewrote my old patch that adds
idletimeout (just like in old ssh1) parameter to openssh. Since reapplying
the patch for all new versions of openssh is not fun at all, I would like
to have it included in the official openssh, if you consider the patch
worthy.
Unlike ClientAlive, idletimeout works for both protocol versions. It also
works together with
2002 Aug 08
0
Probable bug in Chroot patch (v3.4p1)
While I was trying to get the patch to work on one of my AIX hosts (4.3.3),
I discovered what is probably a bug in the section of code in session.c.
for (i = 0; i < options.num_chroot_users; i++) {
if (match_user(pw->pw_name, hostname, ipaddr,
options.chroot_users[i])) {
dir = chroot_dir(pw);
/* 'dir' now points to memory block holding pathname */
2016 Apr 19
2
llvm::sys::path::home_directory() implementation for unix
I recently was using llvm code from a process that I manually spawned as a child process and noticed that llvm::sys::path::home_directory() only works if "HOME" is set in the process environment:
bool home_directory(SmallVectorImpl<char> &result) {
if (char *RequestedDir = getenv("HOME")) {
result.clear();
result.append(RequestedDir, RequestedDir +
2001 Nov 20
3
problem with AFS token forwarding
Hello,
I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
concerning the AFS token forwarding. That means that the new versions are
not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this
problem already existed in Openssh 2.9.9p1, but I have never used this
version (I only looked at the
2001 Nov 09
4
keystroke timing attack
I'm reading this fine article on O'Reilly:
http://linux.oreillynet.com/lpt/a//linux/2001/11/08/ssh_keystroke.html
<quote>
The paper concludes that the keystroke timing data observable from
today's SSH implementations reveals a dangerously significant amount of
information about user terminal sessions--enough to locate typed
passwords in the session data stream and reduce the
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to
those who wish to use KerberosGetAFSToken (currently requires Heimdal
libkafs) in combination with GSSAPIDelegateCredentials. The patch is
in the public domain and comes with no warranty whatsoever. Applies
to pristine 3.8p1. Works for me on Solaris and Tru64.
I'd probably have used Doug Engert's patch from 2004-01-30 if
2002 Jan 27
0
IdentityFile patch
By the way, I noticed in the previous IdentityFile patch I forgot to
expand tilde. I fixed this by making the change in ssh.c instead of
readconf.c, which is probably where it belongs, as far as the existing code
is concerned:
diff -ur openssh-3.0.2p1/auth.c openssh-3.0.2p1I/auth.c
--- openssh-3.0.2p1/auth.c Sun Nov 11 17:06:07 2001
+++ openssh-3.0.2p1I/auth.c Sun Jan 27 12:05:14 2002
@@ -44,7
2001 Mar 14
1
[PATCH]: contrib/cygwin/README
Hi,
I have a small patch here which changes the Cygwin README file so
that the following fact is mentioned.
OpenSSH never uses $HOME to search for user config files but the
value in the pw_dir field in /etc/passwd.
This might be of minor interest for generic U*X folks but that's
an important fact for Cygwin users. When /etc/passwd is automatically
created under WinNT/2K it uses the values
2002 Jan 27
1
[PATCH] Add user-dependent IdentityFile to OpenSSH-3.0.2p1
Here is a patch to allow private key files to be placed system wide (for
all users) in a secure (non-NFS) mounted location on systems where home
directories are NFS mounted. This is especially important for users who use
blank passphrases rather than ssh-agent (a good example of where this is
necessary is for tunnelling lpd through ssh on systems that run lpd as user
lp).
IdentityFile now accepts