similar to: ssh-agent security

Displaying 20 results from an estimated 700 matches similar to: "ssh-agent security"

2011 May 18
2
Might a patch to ssh-agent to allow relaxing of peer euid check be accepted?
Hi everyone. I have a system where I'd like to give certain users time-limited access to the use of certain SSH private keys without actually exposing the keys. I have the idea of using ssh-agent to do this. The agent would run as a "keyholder" user, and group permissions on the UNIX-domain socket would allow read-write by both that account and the actual ssh user. Right now,
2012 Mar 11
2
[patch] Threading support in ssh-agent
Hi all! I do not know openssh patch policy so I am just sending the patch to the mailing list. Sorry for inconvenience. Ssh-agent seems to be too slow if you need to access thousands of servers. This is a simple patch to enable threading in ssh2 authentication. Patch adds "-p numthreads" option and defaults to the number of processors. I've tested it as I could, but
2006 Aug 28
0
patch for ssh-agent force confirm keys
Hi all Patch adds flag -C to ssh-agent which will force confirmation for any key added in agent (similar to ssh-add -c) Helps when forwarded agent authentication is used and each key should be confirmed before use catam --- ssh-agent.c 2006-08-28 14:02:12.000000000 +0300 +++ ssh-agent.c.orig 2006-08-28 13:36:05.000000000 +0300 @@ -111,9 +111,6 @@ /* Default lifetime (0 == forever) */
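Review bot: the file headers put ssh-agent.c (timestamp 14:02:12) on the `---` side and ssh-agent.c.orig (timestamp 13:36:05) on the `+++` side, and the hunk at line 111 shrinks from 9 lines to 6, so the diff appears to run from the patched file back to the original. Applied as posted it would remove the -C change rather than add it. Regenerate it with the original file first (`diff -u ssh-agent.c.orig ssh-agent.c`) so it applies forward.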
2004 Oct 03
3
[PATCH] PreferAskpass in ssh_config
Moin, attached is a patch, which adds a new configuration option "PreferAskpass" to the ssh config. ssh{,-add,-keygen,-agent} will use ssh-askpass to prompt for passwords, if this option is set to "yes", and if ssh-askpass is available. Default for "PreferAskpass" is "no". Patch is against current CVS. Sebastian -- signature intentionally left blank.
2002 Oct 25
2
[Bug 421] compile error on Debian slink
http://bugzilla.mindrot.org/show_bug.cgi?id=421 ------- Additional Comments From mouring at eviladmin.org 2002-10-25 14:03 ------- [.. Important part from URL..] gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. - I/usr/local/ssl/include -DHAVE_CONFIG_H -c bsd-getpeereid.c bsd-getpeereid.c: In function `getpeereid': bsd-getpeereid.c:35: storage size of `cred'
2006 Oct 24
1
[Bug 1254] Race condition in ssh-agent AUTH_CONNECTION
http://bugzilla.mindrot.org/show_bug.cgi?id=1254 Summary: Race condition in ssh-agent AUTH_CONNECTION Product: Portable OpenSSH Version: 4.4p1 Platform: ix86 OS/Version: FreeBSD Status: NEW Keywords: patch Severity: normal Priority: P2 Component: ssh-agent AssignedTo: bitbucket at
2007 Oct 18
0
[PATCH] Use credentials and permissions on control socket where available
There are at least three cases: * Linux: check credentials and pid from client; restrict permissions from server * BSD: check credentials only from client; restrict permissions from server * Solaris: wide open --- configure.in | 4 ++-- src/control.c | 11 ++++++++++- src/control_common.h | 1 + src/tincctl.c | 38 ++++++++++++++++++++++++++++++++++---- 4
2020 Oct 03
0
[PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be used on Linux (only) to read the peer PID, UID and GID from clients connected over a Unix domain socket. This can be used in the preconnect phase to add additional filtering. One use for this is to add an extra layer of authentication for local connections. A subsequent commit will enhance the now misnamed nbdkit-ip-filter to
2009 Aug 18
11
[Bug 1633] New: Race condition in ssh-agent AUTH_CONNECTION
https://bugzilla.mindrot.org/show_bug.cgi?id=1633 Summary: Race condition in ssh-agent AUTH_CONNECTION Product: Portable OpenSSH Version: 5.2p1 Platform: ix86 OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2 Component: ssh-agent AssignedTo: unassigned-bugs at
2003 Jan 09
1
[Bug 421] compile error on Debian slink
http://bugzilla.mindrot.org/show_bug.cgi?id=421 ------- Additional Comments From carl at chage.com 2003-01-10 05:38 ------- I noticed the same problem with a compile error where ucred is undefined in SUSE Linux 6.1. The problem is the test for SO_PEERCRED-- the feature is not available even though the define is present. In my linux/socket.h there is a "#define SCM_CREDENTIALS" next
2006 Sep 25
1
[PATCH] implementation of getpeereid() for Solaris
hi, Solaris doesn't have getpeereid() or SO_PEERCRED. However, getpeerucred() is perfectly usable for that; and it's in Solaris 10 and OpenSolaris. So, ssh-agent(1) security there so far depends only on permissions of the socket directory and with this patch it checks peer's credentials, too. I patched following files using a snapshot from 20060921: openssh/config.h.in
2007 Oct 18
0
[PATCH] Use a control socket directory to restrict access
This approach is more complex than I'd like, but it works even on Solaris, which has neither credential passing nor permissions on the socket itself. --- src/control.c | 82 +++++++++++++++++++++++++++++++++++++++----------- src/control_common.h | 1 + src/tincctl.c | 67 +++++++++++++++++++++++++++++++++-------- src/tincd.c | 2 +- 4 files changed, 120
2023 Mar 23
1
[libnbd PATCH v3 07/19] socket activation: replace execvp() call with fork-safe variant
Per POSIX, execvp() is not safe to call in a child process forked from a multi-threaded process. We can now replace the execvp() call in the child process with a call to our fork-safe (async-signal-safe) variant. Prepare our internal execvpe context on the parent's construction path, use the context in the child, and release the context in the parent on the way out, regardless of whether the
2017 Sep 06
0
Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD - ISSUE - The RPC server is unavailable
Hi Andrew, I have checked for the reason of below error single_terminate: reason[socket_get_remote_addr() failed] As mentioned by you earlier that it requires "credentials passing via the getpeereid() call or SO_PEERCRED" On investigating it further I found below condition that fails File :- lib/tsocket/tsocket_bsd.c Function int _tsocket_address_bsd_from_sockaddr(TALLOC_CTX
2020 Oct 05
3
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On 10/3/20 1:50 PM, Richard W.M. Jones wrote: > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be > used on Linux (only) to read the peer PID, UID and GID from clients > connected over a Unix domain socket. This can be used in the > preconnect phase to add additional filtering. > > One use for this is to add an extra layer of authentication for local >
2002 May 14
1
Status Query - Please respond - Re: Patch to avoid 'Connection reset by peer' error for rsync on cygwin
On May 14, 6:26am, maxb@ukf.net (Max Bowsher) wrote: -- Subject: rsync digest, Vol 1 #717 - 12 msgs > > + After thinking about it a bit more I'm somewhat inclined to call it a > + bug in Cygwin and try to get them to fix it. > > Well, you could, but I'd much prefer it if you didn't :-) > I guess it's time for you to make an executive decision - Is it reasonable
2019 Mar 01
4
Obtaining the PID of a domain's QEMU process from C
Hello all, I'm currently writing a C program that uses the libvirt API and I need a way to obtain the pid of a given domain's QEMU process. Specifically, I'm writing an ivshmem server that uses SO_PEERCRED to get the pid of clients that connect to it, and I would like to use that pid to look up the domain in libvirt to determine the proper domain ID to return to the client. As
2017 Jun 15
2
Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD - ISSUE - The RPC server is unavailable
On Wed, 2017-06-14 at 11:01 +0100, Rowland Penny via samba wrote: > On Wed, 14 Jun 2017 15:13:13 +0530 > Arjit Gupta <arjitk.gupta at gmail.com> wrote: > > > Thanks for the response. > > > > Is this xattr causing this RPC server is unavailable issue ? > > > > Arjit Kumar > > > > > > Let's be perfectly honest here, the lack of
2004 Jun 14
1
vpopmail and open smtp relay
I'm using vpopmail's POP-before-SMTP auth, but dovecot doesn't support it, so I wrote this patch ============================================================== diff -Naur dovecot-0.99.10.5/src/auth/auth-login-interface.h dovecot-0.99.10.5-patched/src/auth/auth-login-interface.h --- dovecot-0.99.10.5/src/auth/auth-login-interface.h Sun May 18 16:26:28 2003 +++
2019 Mar 11
2
Re: Obtaining the PID of a domain's QEMU process from C
On Sat, Mar 09, 2019 at 04:32:00PM +0100, Michal Prívozník wrote: > On 3/1/19 2:31 AM, Shawn Anastasio wrote: > > Hello all, > > > > I'm currently writing a C program that uses the libvirt API and I need a > > way to obtain the pid of a given domain's QEMU process. > > > > Specifically, I'm writing an ivshmem server that uses SO_PEERCRED to get