Displaying 20 results from an estimated 300 matches similar to: "Security suggestion concerning SSH and port forwarding."
2003 Jan 29
0
[PATCH] features for restricted shell environments
The patch below implements a couple of features which are useful
in an environment where users do not have a regular shell login.
It allows you to selectively disable certain features on a
system-wide level for users with a certain shell; it also allows
you to control and audit TCP forwarding in more detail.
Our system is an email server with a menu for the login shell;
we selectively allow port
2000 Aug 23
1
Protocol 2 remote forwarding patch
Hi !
Here's a patch to add remote port forwarding support (protocol 2) for
openssh. I have tried to test that it works like it should but a more
thorough testing is needed. This patch adds both client/server support.
The patch should be applied to openssh-2.1.1p4 source tree.
Also included is a PortForwarding sshd_config option, new ./configure
option --disable-forwarding that should make it
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple
authentication mechanisms in openssh. So I wrote an implementation.
I thought at first I should change the PasswordAuthentication,
PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some
funky stuff in auth2.c with respect to keyboard interactive auth that would make
this kind of
2002 Aug 13
1
[PATCH] global port forwarding restriction
Here's another patch for people providing ssh access to restricted
environments.
We allow our users to use port forwarding when logging into our mail
servers so that they can use it to fetch mail over an encrypted channel
using clients that don't support TLS, for example fetchmail. (In fact,
fetchmail has built-in ssh support.) However we don't want them connecting
to other places
2002 Jul 25
3
[PATCH] prevent users from changing their environment
We have a system on which users are given a very restricted environment
(their shell is a menu) where they should not be able to run arbitrary
commands. However, because their shell is not statically linked, ld.so
provides a nice clutch of holes for them to exploit. The patch below
adds a new configuration option to sshd which quashes their attempts
to set LD_PRELOAD etc. using ~/.ssh/environment
2001 Oct 24
2
disable features
this (incomplete) patch makes various features compile time
options and saves up to 24K in the resulting
ssh/sshd binaries. i don't know whether this
should be added to the CVS since it makes
the code less readable.
perhaps WITH_COMPRESSION should be added, since
it removes the dependency on libz
-m
Index: Makefile.inc
===================================================================
RCS
2017 May 04
5
OpenSSH contract development / patch
On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote:
> Hi Devin, have you looked at using openssh certificates to help manage
[...]
> While the feature has been around for a while now (and is really
> useful), there doesn't seem to be a huge amount of documentation around
> it. I found the following useful when getting a client of mine running
Yeah, when I wrote about it
2000 Sep 25
1
How do I get the username in channel_input_port_open
Hello,
Does anyone know how to get the username of the user (already authenticated
and logged in) who is sending data to a forwarded tunnel from the
channel_input_port_open function in channels.c??
I've tried numerous things, and all I can get is the IP address that is
sending the data and where it is going to be sent to. All I want is the
username or the UID
Here is the chain of events that
2001 Jul 22
1
[patch] ignore SSH2_MSG_IGNORE packets
Hi,
protocolkeepalives sends ssh_msg_ignore, which the ssh2 server handles
incorrectly (i.e. it produces some output to syslog, instead of
ignoring the packet):
Jul 9 11:58:07 ren sshd[16580]: error: Hm, dispatch protocol error:
type 32 plen 4
This patch implements a highly advanced function to ignore these
packets ;)
Matthew
2001 Mar 14
1
/etc/default/login patch?
Would anybody happen to have or know of a patch to make /etc/default/login
PATH and SUPATH the default openssh path? We have customized paths for each
school of engineering (each have their own customized site bin). This is
easily controlled with /etc/default/login. The --with-default-path option
is too rigid. This is Solaris I am talking about.
--mike
2003 Feb 17
2
Limit forwarding to specific ports
Hello,
We are using the AllowUsers feature of sshd and would like to control
which users can ask for forwarding of which ports. E.g. when the
user is foo, allow him to tunnel connections to bar:5678 and baz:7654,
but no shell (or some dummy shell) and no other forwardings.
Is such feature planned for the future? Would you accept such patch
in the mainstream distribution?
I would appreciate Cc:
2009 Oct 21
1
Patch to fix dynamic -R forwarding when not root
Hi!
Sorry if this has already been reported or even fixed, I didn't search
very thoroughly. Here's a patch to make dynamic -R remote port
allocation work even when not connecting as root. Without the patch I
got that "Server has disabled port forwarding." message visible in the
patch.
OpenSSH version I'm using is openssh-5.2p1, compiled from official
source package,
2003 Aug 10
9
updated gssapi diff
this is the proposed gssapi diff against OpenSSH-current (non-portable).
note: if this goes in, the old krb5 auth (ssh.com compatible) will be
removed.
please comment.
jakob
Index: auth.h
===================================================================
RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- auth.h
2002 Jul 04
1
[PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
Hi,
I've sent that patch once already but it seems more or less forgotten
in the tumultuous days of the latest vulnerability.
It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined
on platforms not supporting the concept of "privileged" ports only
accessible by privileged users but which allow everyone to use these
ports.
This patch removes some Cygwin dependencies
2006 Mar 29
7
sshd config parser
Hi All.
For various reasons, we're currently looking at extending (or even
overhauling) the config parser used for sshd_config.
Right now the syntax I'm looking at is a cumulative "Match" keyword that
matches when all of the specified criteria are met. This would be
similar to the Host directive used in ssh_config, although it's still
limiting (eg you can't easily
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly
soon.
-d
--
| By convention there is color, \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
2005 Feb 22
0
TR: 3.8.1p1 option "permitopennet" added
Patch is below :
diff -nru openssh-3.8.1p1/auth-options.c openssh-3.8.1p1-devs//auth-options.c
--- openssh-3.8.1p1/auth-options.c Tue Jun 3 02:25:48 2003
+++ openssh-3.8.1p1-devs//auth-options.c Mon Feb 21 16:56:49 2005
@@ -265,6 +265,81 @@
xfree(patterns);
goto next_option;
}
+
+/* e.g: permitopenned="158.156.0.0/255.255.255.0:25[-1024]"
+ * note that part between [] is
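Review bot: in the comment added after the `goto next_option;` block, the example spells the option `permitopenned`, while the subject of this post calls it "permitopennet". Settle on one spelling and use it in the comment, the option matching and the documentation, so that a key written with the documented name is the one the code compares against.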
2002 May 29
2
[PATCH] Add config option disabling drop_connection() behavior
The patch below (against openssh 3.2.3p1) adds a
CheckMaxStartups option, defaulting to yes, to determine whether sshd
calls drop_connection().
The motivation behind this is twofold. In our environment, our
timesharing machines get enough incoming connections that will trigger
spuriously with the default value (10 forked unauthenticated
connections) as well as some significantly higher values,
2001 Feb 10
3
Protocol 2 remote forwarding patch
Hi all,
I'm very new in this list, as looking for codes to plug up the lack of
functionality of "Protocol 2 Remote Forwarding".
Fortunately, I could find it in MARC's archive. Mr. Jarno Huuskonen
posted the codes in Sept, last year, and I tried applying it to my
FreeBSD box environment.
I couldn't apply an original patch, of course, for incompatibility of
version. The
2001 Nov 20
3
problem with AFS token forwarding
Hello,
I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
concerning the AFS token forwarding. That means that the new versions are
not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this
problem already existed in Openssh 2.9.9p1, but I have never used this
version (I only looked at the