similar to: Problem of updating openssh-4.4p1 to openssh-5.5p1 with MAX_ALLOW_USERS option

Hello! > Hello! > > We have the server with RHEL 5.5 (64-bit) and need to connect many parallel users over ssh (OpenSSH). > Usually we use openssh-4.4p1, builded from the sources with changed "servconf.h" file by this type: > #define MAX_ALLOW_USERS 10000 /* Max # users on allow list. */ > #define MAX_DENY_USERS

The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2

I added a few features to openssh for my local use that I think would be more broadly useful. I basically added access control lists to control who would be allowed public key authentication. I added four config file entries for the server: PubkeyAllowUsers PubkeyDenyUsers PubkeyAllowGroups PubkeyDenyGroups These follow the same sematics as the already existing entries for

A short while ago, I looked at using the AllowUsers configuration option in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to restrict access such that only specific remote machines could access specific local accounts. I swiftly discovered that a) specifying wildcarded IP numbers to try to allow a useful IP range was pointless: if I specified AllowUsers joe at

Hey everyone, I have been using sftp for quite some time now and we have just hit 256 sftp users. Line 21 of servconf.h reads: #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ I am curious why this is in a header file and not something that is in sshd_config that can be changed without recompile? Thanks in advance! -- James Dennis Harvard Law School "Not

It appears that openssh has inherited the dos attack that ssh is susceptible to. This has been discussed on Bugtraq (see http://securityportal.com/list-archive/bugtraq/1999/Sep/0124.html for the thread). There does not appear to be an official for ssh. Attached below is a simple, proof of concept, patch that adds a MaxConnections to sshd_config that sets the maximum number of simultaneous

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Hi, Is there any way to store HostKey in hardware (and delegate the related processing)? I have been using Roumen Petrov's x509 patch for clients, which works via an OpenSSL engine, but it does not seem to support server HostKey: http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html For PKCS#11, I have found an email on this list from a year back suggesting this

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

I'm trying to understand why I'm getting a new error message in 4.4p1, when 4.3p1 did not produce the error message. The config files are the unchanged. The new error in the log is Failed hostbased for xxx from nnn.nnn.nnn.nnn That is followed by the usual Accepted hostbased for xxx from nnn.nnn.nnn.nnn and the host based authentication continues to work correctly despite the new

Hi All, The version 5.5.1 of "X.509 certificates support in OpenSSH" is ready for download. On download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.5.1 you can found diff for OpenSSH versions 4.4p1. What's new: * specific diff of 5.5 for OpenSSH 4.4p1 Because of OpenSSH source code changes, like include statements and new server option

I am running Openssh 4.4p1 on a Solaris 9 server. I would like the accting service account to be able to run accounting scripts from a central server without the standard pre-login banner. At the end of the sshd_config file I have the following, where /etc/nobanner is an empty file: Banner /etc/issue Match User accting Banner /etc/nobanner When an attempt is made to restart sshd, the

Hi All, The version of "PKCS#11 support in OpenSSH" is ready for download. On download page http://alon.barlev.googlepages.com/openssh-pkcs11 you can find a patch for OpenSSH 4.4p1. What's new: - Some pkcs11-helper updates. - Rebase against 4.4p1. I will be grateful to receive any comments regarding this feature. Best Regards, Alon Bar-Lev.

Would anybody happen to have or know of a patch to make /etc/default/login PATH and SUPATH the default openssh path? We have customized paths for each school of engineering (each have their own customized site bin). This is easily controled with /etc/default/login. The --with-default-path option is too rigid. This is Solaris I am talking about. --mike

Hi there, I've run into a strange problem. I have just finished building OpenSSH 4.4p1 against openssl 0.9.8d under Mac OS X 10.3.9 and 10.4.7. Both were installed as updates to OpenSSH 4.3p2/openssl 0.9.8c (not Apple's obsolete versions which are bypassed). The 10.4.7 build works as expected, whereas the 10.3.9 build throws Disconnecting: Bad packet length 2477450673. when I

Hi, I tried to build the CVS snapshot for OpenSSH 4.4p1 dated 9/08/06. Make install failed on Fedora Core 4 system with the following errors: [root at fedora4 openssh]# make install \if test ! -z ""; then \ /usr/bin/perl ./fixprogs ssh_prng_cmds ; \ fi (cd openbsd-compat && make) make[1]: Entering directory `/usr/local/openssh/openbsd-compat' make[1]: Nothing to be

I've updated the streamlocal patch for OpenSSH 4.4p1. http://www.25thandclement.com/~william/projects/streamlocal.html This patch allows for local and remote forwards, to and from Unix domain sockets. Simply specify the socket path, enclosed within squares braces (i.e. -L[/tmp/.s.PGSQL.5432]:[/tmp/.s.PGSQL.5432]) as the origin and/or destination of the -R and -L switches. This patch also

What's going on here? I see nothing about this in the ChangeLog, so I am confused. ================================================================== ~:cairo> pwd /afs/rcf/user/jblaine ~:cairo> cat bin/tester #!/bin/sh echo "TESTER program in $HOME/bin!" ~:cairo> ================================================================== OpenSSH 4.4p1 (previous version we were

Hi, I'm pleased to be able to announce the availability of my GSSAPI Key Exchange patch for OpenSSH 4.4p1. This patch adds RFC4462 compatibility to OpenSSH, along with adding additional GSSAPI support that is yet to make it into the main tree. The patch implements: *) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key exchange mechanisms. This can be enabled through the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, FYI: I had to add #include <signal.h> to entropy.c to get ssh compiled. My configure was: ./configure --prefix=/usr/local/openssh-4.4p1 \ - --with-ssl-dir=/usr/local/openssl-0.9.8d \ - --with-zlib=/usr/local/zlib-1.2.3 --with-rand-helper \ - --with-prngd-socket=/var/run/prng_sock Cheers, Rainer -----BEGIN PGP SIGNATURE----- Version: