similar to: Match vs. ChallengeResponseAuthentication?

I was wondering what everyone's thoughts were on a simpler way to exclude addresses from having listeners on them. I know a lot of people have multiple subnets, especially larger corporations. Some networks are non-route-able, and therefor unsuitable for use with SSH, aside from communication between other servers on the same subnet. Given that we may want to exclude those non-route-able

Hey everyone, I wanted to add support for denying PTY allocation through OpenSSH. I'm not certain if this is quite thorough enough for all cases, but for me it might work for the moment. I know that you can currently do this through authorized_keys, but as far as I know that only works for an actual key. In my use case, I wanted a user with no password which is forced to run a specific

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

hi folks-- Can a Match block cover a Subsystem directive in sftp? https://bugzilla.mindrot.org/show_bug.cgi?id=1587#c1 suggests that Match can cover Subsystem, but sshd_config (at least, in 5.5p1) doesn't mention Subsystem within the description of Match. What should administrators expect? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name:

Hi, sifting through my system's logs, I noticed many break-in attempts by rogue ssh clients trying long lists of common passwords. For some time now I pondered different approaches to counter these, but could not come up with a solution that really satisfied me. I finally reached the conclusion that any countermeasures required support in sshd itself, and created the attached patch. If

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1930 --- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST --- Retarget unresolved

On Tue, 3 May 2016, Rogan Dawes wrote: > Hi Damien, > Thanks for the response! > > I tried moving the StreamLocalBindUnlink directive outside of the Match > rule, and it worked. But that doesn't explain why the Match was not > correctly setting the directive: > > This is running on an alternate port with -ddd: > > debug3: checking match for 'User

Hello, I manage OpenSSH on a dozen or so servers that act as gateways for a large amount of developers and system administrators. On these servers it is common for there to be more than 1000 active X11 forwards active at peak usage. Beyond ~1000 active X11 forwards, sshd will fail to bind additional ports due to a hard coded range check in channels.c that limits the port range that sshd will

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

1. Versions affected: All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables

I redid my previous OPIE patch for the current ssh tree. It seems to work fine here, and I'ld love to see it merged before the 3.0 release. Wichert. diff -x CVS -wNur ../cvs/other/openssh_cvs/Makefile.in openssh_cvs/Makefile.in --- ../cvs/other/openssh_cvs/Makefile.in Mon Oct 22 02:53:59 2001 +++ openssh_cvs/Makefile.in Sun Nov 4 01:18:19 2001 @@ -50,7 +50,7 @@ SSHOBJS= ssh.o

Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

Hello, I am trying to force a command for all users *except* for users in the "wheel" group. My idea was to do the following in sshd_config: ForceCommand /usr/bin/validate-ssh-command Match Group wheel ForceCommand But obviously this doesn't work, because ForceCommand requires an argument. I couldn't find a way to achieve what I want. I wrote a patch that adds a

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Hello. At work we collect logs (via ssh) from all kinds of hosts on one central node which has no connection to the internet and is tried to kept secure. The idea is, as you can imagine, that in case of a compromise we'd have at least all the logs up to the break without any forgeries. The logging is done continuously and compression is used. Now the following is not really that much

When forwarding a Unix-domain socket, the remote socket path must be absolute (otherwise the forwarding fails later). However, guessing absolute path on the remote end is sometimes not straightforward, because the file system location may vary for many reasons, including the system installation, the choices of NFS mount points, or the remote user ID. To allow ssh clients to request remote socket

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

This patch allows the OpenSSH client to make connections over SCTP, and allows the OpenSSH server to listen for connections over SCTP. SCTP is a robust transport-layer protocol which supports, amongst other things, the changing of endpoint IPs without breaking the connection. To connect via SCTP, pass -H or set "ConnectViaSCTP yes". To listen via SCTP as well as TCP, set