Displaying 20 results from an estimated 100 matches similar to: "[Patch, enh] Permit host and IP addresses in (Allow|Deny)Groups"
2002 Mar 28
1
[PATCH] Feature addition: user access control per auth method
I added a few features to openssh for my local use that I think would
be more broadly useful. I basically added access control lists to
control who would be allowed public key authentication. I added four
config file entries for the server:
PubkeyAllowUsers
PubkeyDenyUsers
PubkeyAllowGroups
PubkeyDenyGroups
These follow the same semantics as the already existing entries for
2001 Jun 18
2
Patch for changing expired passwords
The primary purpose of the attached patches is for portable OpenSSH to
support changing expired passwords as specified in shadow password files.
To support that, I did a couple enhancements to the base OpenBSD OpenSSH
code. They are:
1. Consolidated the handling of "forced_command" into a do_exec()
function in session.c. These were being handled inconsistently and
allocated
2003 Feb 16
2
AllowUsers Change
Markus, ignore the other stuff I sent.. I need to go back to bed and stop
trying to code.. <sigh>
For everyone else.. Will this make everyone happy?
This does the following.
It will always honor AllowUsers.
If there is no Allow/DenyGroups it stated they are not in allowUsers. If
there are AllowDenyGroups it tries them. And then stated they are not in
either AllowUsers nor AllowGroups
2004 Feb 20
1
NGROUPS_MAX on Linux
Linux has just raised the NGROUPS_MAX limit from 32 to 64k. In doing an
audit of various tools, openssh turned up as having incorrect groups
handling. Almost no user-space apps really care about NGROUPS_MAX.
A proposed patch (untested, since the CVS build won't compile on my RH box..
:-/) :
What think?
Index: uidswap.c
===================================================================
1999 Jun 02
0
Compiling SAMBA on DEC UNIX 4.0 W/OUT ENH SEC?
Hello!
I am wondering if anyone has compiled Samba on DEC UNIX 4.0 withOUT the
OSF1_ENH_SEC stuff? I don't want to use enhanced security, but I can't
seem to get away from it. I didn't see any configure options, so I have
been editing the source files to remove constants like OSF1_ENH_SEC and
HAVE_GETPRPWNAM (among others).
Has anyone had any luck with trying to do this? Thanks!
2008 Oct 30
1
Enh-Req: Mark As Read When Delivered
I'm under the impression bug-reports are supposed to go to the list,
so hopefully it's okay if I put in a feature request here too
(assuming it's not already implemented; but it doesn't look like it).
Basically, all I would like to do is be able to sometimes deliver mail
as already mail into mail boxes. Is there some way to do this?
If not, could a flag perhaps be added to
2003 Apr 30
2
[ENH] Clarify rsync flavors (PR#2886)
The 1.7.0 (2003-04-16) "R Installation and Administration"
manual mentions various flavors of R available from rsync (section
1.2, p. 1). These are also referred to in various other sources on
and offline (e.g., the FAQ).
The meaning of r-release vs r-patched was not entirely clear to me.
How is the patched version patched? Should it just have bug fixes,
and so likely be more
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
As you know, revoking RSA/DSA keys in an SSH environment requires
editing all authorized_keys and authorized_keys2 files that reference
those public keys. This is, well, difficult at best but certainly very
obnoxious, particularly in a large environment.
SSH key management is difficult. This patch simplifies key management
wherever GSS-API/Kerberos is used and is general enough to be used with
2014 Dec 28
2
Compiling a static openssh server
Hello,
I'm trying to compile a static openssh-server, simply by running:
export LDFLAGS=-static
./configure
make sshd
but the linker shows the warnings I've quoted on the bottom of this mail.
The warnings say that I cannot use NSS functions when statically compiling.
This makes sshd not work because at runtime, every call to getpwnam returns
0.
Do you know a way to compile openssh
2012 Mar 06
6
openssh static build - mission impossible?
I am trying to build a static version of ssh, sshd and sftp, but after banging my head against the wall for the best part of the last 3 days I am about to give up...
Since I plan to use this on an embedded device (building dropbear is *NOT* an option!), I've excluded as many openssh configure options as I can but, ultimately, failed. This is my setup:
export LDFLAGS=' -pie -z relro -z
2007 Nov 11
0
Patch to sshd match
Please find attached a patch against openssh-4.7p1
It extends the Match in sshd_config. The point is that it is sometimes
easier (and more secure) to match on NOT something.
A criterium may be preceded by ! which inverts the condition, thus:
Match !Group sysadmins
ForceCommand /usr/bin/sftp
forces use of sftp on any user who is not a system administrator.
A !! has the
2011 Nov 22
4
A "strict Arel" mode for ActiveRecord to prevent SQL injection vulnerabilities
Hello rubyonrails-core,
I’ve been looking into possible changes to ActiveRecord / Arel to make it
easier to write Rails applications that are free of SQL injection
vulnerabilities, and in particular do so in a way that makes it easy for a
code reviewer to verify that the app is safe from such bugs.
The concern:
-----------------
With the ActiveRecord API as is, it’s relatively easy to write
1999 Nov 20
1
openssh and DOS
It appears that openssh has inherited the dos attack that ssh is
susceptible to. This has been discussed on Bugtraq (see
http://securityportal.com/list-archive/bugtraq/1999/Sep/0124.html
for the thread). There does not appear to be an official for ssh.
Attached below is a simple, proof of concept, patch that adds a
MaxConnections to sshd_config that sets the maximum number of
simultaneous
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
A short while ago, I looked at using the AllowUsers configuration option
in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to
restrict access such that only specific remote machines could access
specific local accounts.
I swiftly discovered that
a) specifying wildcarded IP numbers to try to allow a useful IP range
was pointless: if I specified
AllowUsers joe at
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All.
While wandering in auth-pam.c I noticed that there's a few Portable-specific
escapees from the xmalloc(foo * bar) cleanup.
There's also a "probably can't happen" integer overflow in
ssh-rand-helper.c with the memset:
num_cmds = 64;
- entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t));
+ entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
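Review bot: on the added xcalloc(num_cmds, sizeof(entropy_cmd_t)) line, xcalloc already returns zeroed memory, so if the memset mentioned in the message only clears this buffer it is now redundant and can be dropped in the same change. With num_cmds set to the constant 64 on the context line above, the product cannot overflow at this call, so the change description should say the conversion is for consistency with the xmalloc(foo * bar) cleanup rather than a fix for a reachable overflow.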
2019 Feb 22
2
[PATCH 2/2] Cygwin: implement case-insensitive Unicode user and group name matching
On Feb 22 16:02, Darren Tucker wrote:
> On Fri, Feb 22, 2019 at 03:32:43PM +1100, Darren Tucker wrote:
> > On Wed, 20 Feb 2019 at 23:54, Corinna Vinschen <vinschen at redhat.com> wrote:
> > > The previous revert enabled case-insensitive user names again. This
> > > patch implements the case-insensitive user and group name matching.
> > > To allow Unicode
2002 Sep 25
1
NGROUPS_MAX
Currently openssh (3.4p1) relies on the NGROUPS_MAX define. This makes
the number of allowed simultaneous (per-user) secondary groups a
compile-time decision.
$ find . -name \*.c | xargs grep NGROUPS_MAX
./groupaccess.c:static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */
./groupaccess.c: gid_t groups_bygid[NGROUPS_MAX + 1];
./uidswap.c:static gid_t
2001 Jul 04
0
Sneak peek at what was committed.
For those following the portable CVS tree.. I'd suggest holding off for a
day or so unless you really want to get dirty. I just committed 32 patches
from the OpenBSD tree, but have not worked out all the issues (due to
Linux brain damage <sigh..Faster OpenBSD gets SMP..the happier I'll be>).
The two things that need to be finished integrated in the configure.in is
KRB5 and
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options
2015 Nov 18
0
[Bug 2497] New: Add debugging information to ga_match() to show each attempted match
https://bugzilla.mindrot.org/show_bug.cgi?id=2497
Bug ID: 2497
Summary: Add debugging information to ga_match() to show each
attempted match
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: