Displaying 20 results from an estimated 2000 matches similar to: "Certificates and authorized principals"
2010 Aug 09
8
Call for testing: OpenSSH-5.6
Hi,
OpenSSH 5.6 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a moderately large
release, with a number of new features and bug fixes.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello,
I am trying to work out the best way to issue SSH certificates in such
way that they only allow access to specific usernames *and* only to
specific groups of host.
As a concrete example: I want Alice to be able to login as "alice" and
"www" to machines in group "webserver" (only). Also, I want Bob to be
able to login as "bob" and
2020 Jan 30
3
SSH certificates - restricting to host groups
On Thu, Jan 30, 2020 at 7:11 AM Christian, Mark
<mark.christian at intel.com> wrote:
>
> On Thu, 2020-01-30 at 12:27 +0000, Brian Candler wrote:
> > As a concrete example: I want Alice to be able to login as "alice"
> > and
> > "www" to machines in group "webserver" (only). Also, I want Bob to
> > be
> > able to login as
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
Hi all,
this is a patch to make Ciphers, MACs and KexAlgorithms available in
Match blocks. Now I can reach a -current machine with some Android
terminal app without changing the default ciphers for all clients:
Match Address 192.168.1.2
Ciphers aes128-cbc
MACs hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha1
Index: servconf.c
2010 Aug 23
0
Announce: OpenSSH 5.6 released
OpenSSH 5.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches,
2010 Oct 14
1
About new feature option AuthorizedPrincipalsFile in openssh5.6
hi,all
i've read the openssh5.6 new feature document about new option
AuthorizedPrincipalsFile,and tried to config the sshd_config for a lot
times,but still not succeed.
maybe i am still ambiguously about the document's meaning.
The main problem is i don't know what's the content(or file format) in the
file that specifed by the AuthorizedPrincipalsFile option.
could you give me a
2016 May 03
3
StreamLocal forwarding
On Tue, 3 May 2016, Rogan Dawes wrote:
> Hi Damien,
> Thanks for the response!
>
> I tried moving the StreamLocalBindUnlink directive outside of the Match
> rule, and it worked. But that doesn't explain why the Match was not
> correctly setting the directive:
>
> This is running on an alternate port with -ddd:
>
> debug3: checking match for 'User
2001 Aug 16
4
Idletimeout patch
While I was updating our ssh-servers, I rewrote my old patch that adds
idletimeout (just like in old ssh1) parameter to openssh. Since reapplying
the patch for all new versions of openssh is not fun at all, I would like
to have it included in the official openssh, if you consider the patch
worthy.
Unlike ClientAlive, idletimeout works for both protocol versions. It also
works together with
2011 Jul 07
4
Use of ssh certificates in a multi server of different kind environment.
Hello,
[if I'm not in the right mailing list, please advise it to me]
I'm using ssh certificates for my servers and my users.
I have questions about it:
I can use the same CA in order to certify all my hosts. Every clients can use it,
and it's a great setup. But, if I use the same CA for all my clients, it means that
any clients can log in to any server because hosts trusts my
2002 Sep 16
2
privsep versus compression
Hi,
I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
I'm getting a message that privsep is not available on my platform (Irix
6.5.15) and another message stating that compression and privsep are
mutually exclusive. But, ssh decided to turn off compression, I think
because of servconf.c. I think it would be more usefull to have
compression enabled and disable privsep
2011 Nov 03
1
Help with CA Certificates for user authentication?
As background, I read:
http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/
http://www.ibm.com/developerworks/aix/library/au-sshsecurity/
http://bryanhinton.com/blog/openssh-security
http://www.linuxhowtos.org/manpages/5/sshd_config.htm
2010 Mar 18
3
problem of adding a new option of sshd
Dear all,
I want to add a new option "newoption" to the sshd server, I have just add some codes in servconf.h and
servconf.c like the other options. But it seems that the "newoption" can not be enable,when i set
the "newoption" to "yes" in sshd_config file. I have add a debug message in main function of sshd.c
....
debug("main sshd
2002 Jun 25
2
Linux 2.2 + borken mmap() round 1
The following is just a simple 'if ANON|SHARE is broken, disable
compression'. We don't have time for fancy stuff until we have time for
long term testing.
I have one friend of mine testing this. Can I get a few other people to
test. This is against --current, but maybe work against 3.3p1. Unsure.
BTW.. those on NeXT platform (if you have autoreconf) should also test
this. this
2014 Oct 10
16
[Bug 2288] New: documentation of options defaulting to "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2288
Bug ID: 2288
Summary: documentation of options defaulting to "none"
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: Documentation
Assignee:
2010 Aug 23
3
Announce: OpenSSH 5.6 released
OpenSSH 5.6 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches,
2002 Dec 05
1
patch to add a PAMServiceName config option
I append a patch against openssh-3.5p1.tar.gz which adds a config option
PAMServiceName. The option allows one to specify the PAM service at
runtime in the config file rather than using __progname or having it
hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful
if one wants to run multiple instances of sshd using different PAM
configurations.
With this patch
2001 Jul 21
2
ChallengeResponseAuthentication - typos and inconsistancies?
Hi,
It seems from the source code that there are a couple of quirks
with this option:
firstly, in the code it's mis-spelt as
"challenge_reponse_authentication"
and secondly, the default for the client (in readconf.c) seems to be
off, whereas for the server (servconf.c) seems to be on:
readconf.c: if (options->challenge_reponse_authentication == -1)
readconf.c:
2014 Sep 08
1
possible deadcodes in sources
Hello,
we've run a coverity scan on the openssh sources and it found several
issues. Although the scan was run on patched rhel sources, some results are applicable to vanilla sources
too.
* servconf.c:1458:dead_error_line ? Execution cannot reach this statement "*intptr = *intptr + 1;"
--- a/servconf.c
+++ b/servconf.c
@@ -1451,12 +1451,8 @@
2002 Jul 04
4
Chroot patch (v3.4p1)
The following is a patch I've been working on to support a "ChrootUser"
option in the sshd_config file.
I was looking for a way to offer sftp access and at the same time restict
interactive shell access. This patch is a necessary first step (IMO).
It applies clean with 'patch -l'.
Also attached is a shell script that helps to build a chrooted home dir on
a RedHat 7.2
2001 Aug 20
1
Idletimeout patch, third attempt
Here is my third attempt at the idletimeout patch. I tried to address
the points which Marcus Friedl brought up.
It is actually bigger than the previous patches, but not as intrusive.
It is big because it moves some stuff from serverloop.c to packet.c.
- I moved all the logic to packet.c. This means that I also had to move
the actual select() call, which used to be in serverloop.c to packet.c.