Displaying 20 results from an estimated 400 matches similar to: "preauth privsep logging via monitor"
2012 Jan 28
1
PATCH: Fix memory leak in sshd
Hello,
The below patch fixes a memory leak I noticed in monitor_read_load() when the child's log pipe is closed.
Thanks,
Zev Weiss
--
diff --git a/monitor.c b/monitor.c
index a166fed..6464eec 100644
--- a/monitor.c
+++ b/monitor.c
@@ -510,6 +510,7 @@ monitor_read_log(struct monitor *pmonitor)
debug("%s: child log fd closed", __func__);
close(pmonitor->m_log_recvfd);
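Review bot: the description names monitor_read_load(), but the hunk header at `@@ -510,6 +510,7 @@` places the change in monitor_read_log(); the commit message should name the function the patch touches. The excerpt ends at `close(pmonitor->m_log_recvfd);`, so the single added line is not visible here. In the full patch, check that whatever is released on this "child log fd closed" path is not referenced again after the descriptor is closed.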
2002 Jun 26
5
[PATCH] improved chroot handling
There are a couple of niggles with the sandboxing of the unprivileged
child in the privsep code: the empty directory causes namespace pollution,
and it requires care to ensure that it is set up properly and remains set
up properly. The patch below (against the portable OpenSSH, although the
patch against the OpenBSD version is very similar) replaces the fixed
empty directory with one that is
2014 Sep 08
1
possible deadcodes in sources
Hello,
we've run a Coverity scan on the OpenSSH sources and it found several
issues. Although the scan was run on patched RHEL sources, some results are applicable to vanilla sources
too.
* servconf.c:1458:dead_error_line ? Execution cannot reach this statement "*intptr = *intptr + 1;"
--- a/servconf.c
+++ b/servconf.c
@@ -1451,12 +1451,8 @@
2012 Dec 21
0
File Attachments for previous bug report
I have renamed all of the patch files to .txt, which should be acceptable
for the mailer daemon at mindrot, per Angel's suggestion.
I am attaching the patch files to the email, with the extra space removed
and a minor correction made.
Bill Parker (wp02855 at gmail dot com)
-------------- next part --------------
--- port-linux.c.orig 2012-12-19 17:40:53.231529475 -0800
+++ port-linux.c
2005 Dec 08
0
"User child is on pid"-logging
Hi!
I sent a mail a while ago wondering if it was possible to change the
loglevel for the "User child is on pid"-message from debug2 to
verbose. It would make it easier to trace a connection in the logs
when privilege separation is used and sshd uses the user child pid to
report that the connection is closing. Is it possible to change this
or would it violate the privacy of the users?
2005 Nov 21
0
"User child pid" logging
Hi!
It would be easier to trace a connection in the logs if sshd reported
the change of pid with LogLevel set to verbose instead of debug2. Is
it possible to have it changed?
Regards
Claes Leufv?n
Here is a patch for it:
--- sshd.c_orig 2005-11-21 10:51:08.000000000 +0100
+++ sshd.c 2005-11-21 10:51:11.000000000 +0100
@@ -652,7 +652,7 @@
if (pmonitor->m_pid == -1)
fatal("fork of
2002 Jul 02
3
New PAM kbd-int diff
Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes
PAM kbd-int work with privilege separation.
Contrary to what I have previously stated - it *does* handle multiple
prompts. What it does not handle is multiple passes through the PAM
conversation function, which would be required for expired password
changing.
I would really appreciate some additional eyes over the
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
Hi All.
Attached is a patch that implements password expiry with PAM and
privsep. It works by passing a descriptor to the tty to the monitor,
which sets up a child with that tty as stdin/stdout/stderr, then runs
chauthtok(). No setuid helpers.
I used some parts of Michael Steffens' patch (bugid #423) to make it
work on HP-UX.
It's still rough but it works. Tested on Solaris 8 and
2003 Oct 08
4
OS/390 openssh
Hello Steve, Hello OpenSSH-portable developers,
I am building OpenSSH for our (EBCDIC-based) BS2000 mainframe
operating system, and I noticed you do the same for OS/390.
Because my initial ssh port was based on IBM's OSS port (ssh-1.2.2
or some such), I thought it was fair enough to help with a little
co-operation; we might come up with a unified EBCDIC patch which could
be contributed to
2002 Jun 25
4
PAM kbd-int with privsep
The following is a patch (based on FreeBSD code) which gets kbd-int
working with privsep. It moves the kbd-int PAM conversation to a child
process and communicates with it over a socket.
The patch has a limitation: it does not handle multiple prompts - I have
no idea how common these are in real-life. Furthermore it is not well
tested at all (despite my many requests on openssh-unix-dev@).
-d
2016 Mar 28
2
Is it possible to extend log message?
Hello folks,
Is it possible to extend log message as large as PATH_MAX?
Current length of message format including file path is small against linux PATH_MAX, 4096.
diff --git a/log.c b/log.c
index ad12930..95df4a9 100644
--- a/log.c
+++ b/log.c
@@ -359,7 +359,7 @@ log_redirect_stderr_to(const char *logfile)
log_stderr_fd = fd;
}
-#define MSGBUFSIZ 1024
+#define MSGBUFSIZ 5192
void
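Review bot: the new `MSGBUFSIZ` value of 5192 is a magic number with no stated derivation. The request is framed around PATH_MAX (4096), so the size should be expressed in terms of it, for example PATH_MAX plus the room needed for the rest of the message, or carry a comment explaining where 5192 comes from. The hunk changes only the macro, so the patch should also account for how every buffer sized by MSGBUFSIZ is allocated, and a larger buffer here does not by itself stop the syslog transport or a downstream collector from truncating long lines.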
2012 Dec 20
4
Deprecated calls to bzero() and index() found in OpenSSH 6.1p1
Hello All,
In reviewing source code for OpenSSH-6.1p1, I found instances
of deprecated library calls still within various source code files.
Examples of deprecated calls are: bzero() (replaced with memset()
which is ANSI compliant), index() (replaced with strchr() which
is also ANSI compliant).
In file 'auth2-jpake.c', I've replaced all the bzero() calls with
the equivalent
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
Hello All.
Attached is an update to my previous patch to make do_pam_chauthtok and
privsep play nicely together.
First, a question: does anybody care about these or the password
expiration patches?
Anyway, the "PRIVSEP(do_pam_chauthtok())" has been moved to just after
the pty has been allocated but before it's made the controlling tty.
This allows the child running chauthtok to
2002 Jul 31
2
privsep+kerb5+ssh1
please test Olaf Kirch's patch. it looks fine to me, but i don't do K5.
i'd like to see this in the next release. thx
-m
-------------- next part --------------
--- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002
+++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002
@@ -73,18 +73,17 @@
* from the ticket
*/
int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char
2003 Aug 10
9
updated gssapi diff
this is the proposed gssapi diff against OpenSSH-current (non-portable).
note: if this goes in, the old krb5 auth (ssh.com compatible) will be
removed.
please comment.
jakob
Index: auth.h
===================================================================
RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- auth.h
2015 Jul 06
3
[PATCH v2 1/1] paint visual host key with unicode box-drawing characters
From: Christian Hesse <mail at eworm.de>
Signed-off-by: Christian Hesse <mail at eworm.de>
---
log.c | 2 +-
sshkey.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++-----------------
2 files changed, 58 insertions(+), 21 deletions(-)
diff --git a/log.c b/log.c
index 32e1d2e..90c1232 100644
--- a/log.c
+++ b/log.c
@@ -444,7 +444,7 @@ do_log(LogLevel level, const char *fmt,
2013 Aug 07
29
[Bug 2140] New: Capsicum support for FreeBSD 10 (-current)
https://bugzilla.mindrot.org/show_bug.cgi?id=2140
Bug ID: 2140
Summary: Capsicum support for FreeBSD 10 (-current)
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: FreeBSD
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2013 Oct 31
9
[Bug 2167] New: Connection remains when fork() fails.
https://bugzilla.mindrot.org/show_bug.cgi?id=2167
Bug ID: 2167
Summary: Connection remains when fork() fails.
Product: Portable OpenSSH
Version: 5.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at
2019 Sep 06
2
[PATCH 1/1] log: do not print carriage return
From: Christian Hesse <mail at eworm.de>
Logging to stderr results in line endings being terminated with carriage
return (\r) and new line (\n). While this is fine for terminals it may
have undesired effects when running from crond and logging to syslog
or similar.
I run ssh from cron on a recent Linux host. Viewing logs with
journalctl I see:
Sep 06 16:50:01 linux CROND[152575]: [96B
2011 Jun 22
3
sandbox pre-auth privsep child
Hi,
This patch (relative to -HEAD) defines an API to allow sandboxing of the
pre-auth privsep child and a couple of sandbox implementations.
The idea here is to heavily restrict what the network-facing pre-auth
process can do. This was the original intent behind dropping to a
dedicated uid and chrooting to an empty directory, but even this still
allows a compromised slave process to make new