similar to: [PATCH] add log= directive to authorized_hosts

On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

Patch is below : diff -nru openssh-3.8.1p1/auth-options.c openssh-3.8.1p1-devs//auth-options.c --- openssh-3.8.1p1/auth-options.c Tue Jun 3 02:25:48 2003 +++ openssh-3.8.1p1-devs//auth-options.c Mon Feb 21 16:56:49 2005 @@ -265,6 +265,81 @@ xfree(patterns); goto next_option; } + +/* e.g: permitopenned="158.156.0.0/255.255.255.0:25[-1024]" + * note that part between [] is

Hi All, Just reporting in on how testing has gone. After reducing obs to 32k max and banners to a max of 10000, plus some minor platform changes - root is not 0, for example, all normal tests have passed except for: multiplex - hangs at the end of this output. We had a similar issue that single reads of data were not working in dd but that does not seem to be the case in this test suite. test

As background, I read: http://therowes.net/~greg/2011/03/23/ssh-trusted-ca-key/ http://www.ibm.com/developerworks/aix/library/au-sshsecurity/ http://bryanhinton.com/blog/openssh-security http://www.linuxhowtos.org/manpages/5/sshd_config.htm

Hello, SSH supports ~/.ssh/authorzied_keys for SSH keys and ~/.ssh/authorized_principals for X509 certs. I could not find an equivalent of authorzied_keys using Kerberos authentication. IMHO it should be possible using the Kerberos principal very much like the principal contained inside a X509 certificate. My main use case is assigning a specific command to a user logging in using Kerberos

This may be a dumb question, but is there any reason why scp a at b:c d: fails, where scp a at b:c . scp c d: succeeds? I get "Host key verification failed.". I'm using nothing more complex than RSA authorized_hosts based authentication. I'm seeing this on openssh-client 1:5.8p1-1ubuntu3 and OS-X 10.6 OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011. -- Alex Bligh

Hello, [if I'm not in the right mailing list, please advise it to me] I'm using ssh certificates for my servers and my users. I have questions about it: I can use the same CA in order to certify all my hosts. Every clients can use it, and it's a great setup. But, if I use the same CA for all my clients, it means that any clients can log in to any server because hosts trusts my

kinit/nfsmount.c:mount_nfs_root() should use the bootpath specified by bootp/dhcp. If the "nfsroot" option is specified then it overrides the boot server bootpath and a message indicating the override is printed. --- klibc-0.194/kinit/nfsroot.c.orig 2005-01-05 04:13:47.043897880 -0700 +++ klibc-0.194/kinit/nfsroot.c 2005-01-05 04:13:09.316633296 -0700 @@ -66,34 +66,21 @@ const int

Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have an use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud

>> the fact that ssh insists on tap* and tun* tun/tap-device-names is a >> real nag and prevents from nice and easy solutions in some cases. > > Could you offer some examples? some client: ssh -o "Tunnel Ethernet" -w any office next client: ssh -o "Tunnel Ethernet" -w any office ...and so forth. interface configuration on the hub for all clients:

> On 24 Jan 2017, at 06:01, Darren Tucker <dtucker at zip.com.au> wrote: > > On Tue, Jan 24, 2017 at 4:54 PM, Vishwanath KC <vicchi.cit at gmail.com> wrote: > [...] >> Distributor ID: Debian >> Description: Debian GNU/Linux 8.2 (jessie) > > As you've seen, sshd requires that the system's getpwnam() function > knows the user, without which

Odd question I know. I am looking for source for as recent a kernel as possible running the old style xenlinux/xenified kernel (i.e. capable of running the xen3.3.x hypervisor). Any ideas where I can get this - preferably in git form? I think Stefano Stabellini had something that worked up to 2.6.36 (from memory). And yes, we would all prefer all our customers moved to xen4 but this is difficult

https://bugzilla.mindrot.org/show_bug.cgi?id=1554 Summary: No feedback when configuration file permissions are set incorrectly. Product: Portable OpenSSH Version: 5.1p1 Platform: ix86 OS/Version: Cygwin on NT/2k Status: NEW Severity: minor Priority: P3 Component: ssh AssignedTo:

Here's another patch for people providing ssh access to restricted environments. We allow our users to use port forwarding when logging into our mail servers so that they can use it to fetch mail over an encrypted channel using clients that don't support TLS, for example fetchmail. (In fact, fetchmail has built-in ssh support.) However we don't want them connecting to other places

As per Alex's suggestion, attached is the proof of concept "sfile" script. If there is anyone out there with great C skills who can recreate this functionality "out of the box", I think there would be a few happy campers (at least two, anyways). -------- Forwarded Message -------- Subject: Re: Encrypt /decrypta file with ssh keys. Date: Fri, 5 Aug 2016 17:24:35

Does xen-4.1.1 really require python 2.7 (as per Ubuntu packaging) or will it actually work on python 2.6? I am trying to backport it to an Ubuntu LTS version and would rather not have to bring in Python 2.7 if possible. -- Alex Bligh

On 20 Mar 2016, at 19:15, Philip Hands <phil at hands.com> wrote: > Is anyone going to be upset by the resulting blank lines being added by > ssh-copy-id when the file was not missing a terminating newline? Well it would be at least mildly annoying my previously nice looking file now has a pile of blank lines in just because someone didn't know how to use their editor ... --

> On 5 Aug 2016, at 18:09, James Murphy <james.murphy.debian at gmail.com> wrote: > > The more mainstream thing to do is just use gpg, which has this > functionality already built in. Is this not suitable for your use case? The advantage of Colin's approach is that gpg requires out of band exchange of gpg keys separately from ssh keys. If you already have ssh keys

Also, if password-based auth is not allowed, WTF would you want to log passwords? This whole idea is ugly, and smacks of a teenage-level prank attempt. I would strongly object against any such modification of the main source (though I'm sure the maintainers are sane enough to never let such a crap in). Of course the original poster is free to hack his own copy in whatever way he wants.?