similar to: [Patch, enh] Permit host and IP addresses in (Allow|Deny)Groups

Displaying 20 results from an estimated 100 matches similar to: "[Patch, enh] Permit host and IP addresses in (Allow|Deny)Groups"

2002 Mar 28
1
[PATCH] Feature addition: user access control per auth method
I added a few features to openssh for my local use that I think would be more broadly useful. I basically added access control lists to control who would be allowed public key authentication. I added four config file entries for the server: PubkeyAllowUsers PubkeyDenyUsers PubkeyAllowGroups PubkeyDenyGroups These follow the same semantics as the already existing entries for
2001 Jun 18
2
Patch for changing expired passwords
The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated
2003 Feb 16
2
AllowUsers Change
Markus, ignore the other stuff I sent.. I need to go back to bed and stop trying to code.. <sigh> For everyone else.. Will this make everyone happy? This does the following. it will always honor AllowUsers. If there is no Allow/DenyGroups it stated they are not in allowUsers. IF there are AllowDenyGroups it tries them. And then stated they are not in either AllowUsers nor AllowGroups
2004 Feb 20
1
NGROUPS_MAX on Linux
Linux has just raised the NGROUPS_MAX limit from 32 to 64k. In doing an audit of various tools, openssh turned up as having incorrect groups handling. Almost no user-space apps really care about NGROUPS_MAX. A proposed patch (untested, since the CVS build won't compile on my RH box.. :-/) : What think? Index: uidswap.c ===================================================================
1999 Jun 02
0
Compiling SAMBA on DEC UNIX 4.0 W/OUT ENH SEC?
Hello! I am wondering if anyone has compiled Samba on DEC UNIX 4.0 withOUT the OSF1_ENH_SEC stuff? I don't want to use enhanced security, but I can't seem to get away from it. I didn't see any configure options, so I have been editing the source files to remove constants like OSF1_ENH_SEC and HAVE_GETPRPWNAM (among others). Has anyone had any luck with trying to do this? Thanks!
2008 Oct 30
1
Enh-Req: Mark As Read When Delivered
I'm under the impression bug-reports are supposed to go to the list, so hopefully it's okay if I put in a feature request here too (assuming it's not already implemented; but it doesn't look like it). Basically, all I would like to do is be able to sometimes deliver mail as already mail into mail boxes. Is there some way to do this? If not, could a flag perhaps be added to
2003 Apr 30
2
[ENH] Clarify rsync flavors (PR#2886)
The 1.7.0 (2003-04-16) "R Installation and Administration" manual mentions various flavors of R available from rsync (section 1.2, p. 1). These are also referred to in various other sources on and offline (e.g., the FAQ). The meaning of r-release vs r-patched was not entirely clear to me. How is the patched version patched? Should it just have bug fixes, and so likely be more
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
As you know, revoking RSA/DSA keys in an SSH environment requires editing all authorized_keys and authorized_keys2 files that reference those public keys. This is, well, difficult at best but certainly very obnoxious, particularly in a large environment. SSH key management is difficult. This patch simplifies key management wherever GSS-API/Kerberos is used and is general enough to be used with
2014 Dec 28
2
Compiling a static openssh server
Hello, I'm trying to compile a static openssh-server, simply by running: export LDFLAGS=-static ./configure make sshd but the linker shows the warnings I've quoted on the bottom of this mail. The warnings say that I cannot use NSS functions when statically compiling. This makes sshd not work because at runtime, every call to getpwnam returns 0. Do you know a way to compile openssh
2012 Mar 06
6
openssh static build - mission impossible?
I am trying to build a static version of ssh, sshd and sftp, but after banging my head against the wall for the best part of the last 3 days I am about to give up... Since I plan to use this on an embedded device (building dropbear is *NOT* an option!), I've excluded as many openssh configure options as I can but, ultimately, failed. This is my setup: export LDFLAGS=' -pie -z relro -z
2007 Nov 11
0
Patch to sshd match
Please find attached a patch against openssh-4.7p1 It extends the Match in sshd_config. The point is that it is sometimes easier (and more secure) to match on NOT something. A criterium may be preceded by ! which inverts the condition, thus: Match !Group sysadmins ForceCommand /usr/bin/sftp forces use of sftp on any user who is not a system administrator. A !! has the
2011 Nov 22
4
A "strict Arel" mode for ActiveRecord to prevent SQL injection vulnerabilities
Hello rubyonrails-core, I’ve been looking into possible changes to ActiveRecord / Arel to make it easier to write Rails applications that are free of SQL injection vulnerabilities, and in particular do so in a way that makes it easy for a code reviewer to verify that the app is safe from such bugs. The concern: ----------------- With the ActiveRecord API as is, it’s relatively easy to write
1999 Nov 20
1
openssh and DOS
It appears that openssh has inherited the dos attack that ssh is susceptible to. This has been discussed on Bugtraq (see http://securityportal.com/list-archive/bugtraq/1999/Sep/0124.html for the thread). There does not appear to be an official for ssh. Attached below is a simple, proof of concept, patch that adds a MaxConnections to sshd_config that sets the maximum number of simultaneous
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
A short while ago, I looked at using the AllowUsers configuration option in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to restrict access such that only specific remote machines could access specific local accounts. I swiftly discovered that a) specifying wildcarded IP numbers to try to allow a useful IP range was pointless: if I specified AllowUsers joe at
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All. While wandering in auth-pam.c I noticed that there's a few Portable-specific escapees from the xmalloc(foo * bar) cleanup. There's also a "probably can't happen" integer overflow in ssh-rand-helper.c with the memset: num_cmds = 64; - entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t)); + entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
2019 Feb 22
2
[PATCH 2/2] Cygwin: implement case-insensitive Unicode user and group name matching
On Feb 22 16:02, Darren Tucker wrote: > On Fri, Feb 22, 2019 at 03:32:43PM +1100, Darren Tucker wrote: > > On Wed, 20 Feb 2019 at 23:54, Corinna Vinschen <vinschen at redhat.com> wrote: > > > The previous revert enabled case-insensitive user names again. This > > > patch implements the case-insensitive user and group name matching. > > > To allow Unicode
2002 Sep 25
1
NGROUPS_MAX
Currently openssh (3.4p1) relies on the NGROUPS_MAX define. This makes the number of allowed simultaneous (per-user) secondary groups a compile-time decision. $ find . -name \*.c | xargs grep NGROUPS_MAX ./groupaccess.c:static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */ ./groupaccess.c: gid_t groups_bygid[NGROUPS_MAX + 1]; ./uidswap.c:static gid_t
2001 Jul 04
0
Sneek peak at what was commited.
For those following the portable CVS tree.. I'd suggest holding off for a day or so unless you really want to get dirty. I just committed 32 patches from the OpenBSD tree, but have not worked out all the issues (due to Linux brain damage <sigh..Faster OpenBSD gets SMP..the happier I'll be>). The two things that need to be finished integrated in the configure.in is KRB5 and
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options
2015 Nov 18
0
[Bug 2497] New: Add debugging information to ga_match() to show each attempted match
https://bugzilla.mindrot.org/show_bug.cgi?id=2497 Bug ID: 2497 Summary: Add debugging information to ga_match() to show each attempted match Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: