Displaying 20 results from an estimated 10000 matches similar to: "defense-in-depth possible for sshd?"
2012 Jan 02
2
'last' command doesn't include ssh connections made by this perl script?
My home machine has IP 50.54.225.130. I have (for the purposes of this
experiment) one remote machine at www.peacefire.org (69.72.177.140) and
another at www.junkwhale.com.
When I'm logged in to peacefire, I run this perl script to open an ssh
connection to junkwhale and run a command:
my $hostname="www.junkwhale.com";
my $server_password = "[redacted!]";
use Net::SFTP;
2012 Jan 01
11
an actual hacked machine, in a preserved state
(Sorry, third time -- last one, promise, just giving it a subject line!)
OK, a second machine hosted at the same hosting company has also apparently
been hacked. Since 2 out of 3 machines hosted at that company have now
been hacked, but this hasn't happened to any of the other 37 dedicated
servers that I've got hosted at other hosting companies (also CentOS, same
version or almost),
2017 Aug 06
3
deprecation of UsePrivilegeSeparation breaks container use cases
Hello,
there are emerging container services that restrict regular users to
launch containers under some random uid for security reasons. If such
user needs sshd in their container, they need to turn off
`UsePrivilegeSeparation` so that sshd is executed as the current uid
and not `root`.
I understand that privilege separation [1] is more than changing the
process uid. On the other hand, it is
2004 Jun 01
2
issue with SE/Linux - sshd not giving access to /dev/pts/[n]
hi there,
i have an issue on my newly created Debian/SELinux/unstable system.
i have pam 0.77 se1 installed
ssh 3.8.1p1-4 (OpenSSH)
and libselinux1 1.12-1.
i can log in as root, fine.
but i cannot log in as an ordinary user, and i had to grant
special permission to the _user_ process (NOT sshd or pam
before a setuid and exec is carried out) to access
/dev/pts/0.
in other
2011 Dec 28
3
why not have yum-updatesd running by default?
Ever since someone told me that one of my servers might have been hacked
(not the most recent instance) because I wasn't applying updates as soon as
they became available, I've been logging in and running "yum update"
religiously once a week until I found out how to set the yum-updatesd
service to do the equivalent automatically (once per hour, I think).
Since then, I've
2002 Jun 26
5
[PATCH] improved chroot handling
There are a couple of niggles with the sandboxing of the unprivileged
child in the privsep code: the empty directory causes namespace pollution,
and it requires care to ensure that it is set up properly and remains set
up properly. The patch below (against the portable OpenSSH, although the
patch against the OpenBSD version is very similar) replaces the fixed
empty directory with one that is
2017 Mar 27
2
Is support being removed for ordinary users to run sshd?
Hello Darren,
Could you comment on this issue being raised by myself and
Corinna Vinschen?
This will create big problems for me.
I'm not clear if this is a conscious decision supported by solid
reasons or if it is just collateral damage.
Thank you for all your work!
Jack DoDDs
-------- Original Message --------
Date: Mon, 27 Mar 2017 16:31:03 +0200
Subject: Re: Announce: OpenSSH 7.5
2004 Sep 13
2
CentOS 3.1: sshd and pam /etc/security/limits.conf file descriptor settings problem
Why can't non-uid 0 users have more than 1024 file descriptors when
logging in via ssh?
I'm trying to allow a user to have a hard limit of 8192 file
descriptors (the system defaults to 1024) via the following setting in
/etc/security/limits.conf:
jdoe hard nofile 8192
But when jdoe logs in via ssh and does 'ulimit -Hn' he gets '1024' as a
response. If he tries to
2002 Jun 25
2
Linux 2.2 + borken mmap() round 1
The following is just a simple 'if ANON|SHARE is broken, disable
compression'. We don't have time for fancy stuff until we have time for
long term testing.
I have one friend of mine testing this. Can I get a few other people to
test. This is against --current, but maybe work against 3.3p1. Unsure.
BTW.. those on NeXT platform (if you have autoreconf) should also test
this. this
2002 May 28
5
Problems with UsePrivilegeSeparation (was: port fwd as user != root?
I just upgraded to OpenSSH3.2.3p1 as it seemed that
UsePrivilegeSeparation yes
might help with my problem (connections forwarded
are owned by root instead of the user I logged in as
on the server), but instead, sshd barfs on receiving
a connection. Without UsePrivilegeSeparation
the server works fine.
# strace -o /tmp/sshd.str sshd -d
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host
2011 Dec 28
8
what percent of time are there unpatched exploits against default config?
Suppose I have a CentOS 5.7 machine running the default Apache with no
extra modules enabled, and with the "yum-updatesd" service running to pull
down and install updates as soon as they become available from the
repository. (Assume further the password is strong, etc.) On the other
hand, suppose that as the admin, I'm not subscribed to any security alert
mailing lists which send
2012 Jan 05
6
SELinux and access across 'similar types'
http://wiki.centos.org/HowTos/SELinux
says:
"Access is only allowed between similar types, so Apache running as
httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
however the doc doesn't define what "similar types" means. I assumed it
just meant "beginning with the same prefix". However that can't be
right because on my system with
2014 Oct 21
2
dictionary attack defense
Does dovecot have any dictionary attack defenses yet?
In the past I have had to implement defense from outside dovecot, but
since dovecot is at the front lines and therefore is the first to know
I'm hoping by now there is something we can set. For example, a limit
on access failures per minute/hour/day or some such. If not, why not?
2014 Jun 27
1
Using AuthorizedKeysCommand in unprivileged sshd mode
Hi,
I have a setup in which I run sshd as unprivileged user at dedicated port
to serve specific application.
It is working perfectly!
One tweak I had to do: since the AuthorizedKeysCommand feature requires the
file to be owned by root, I had to use a root-owned command in a root-owned
directory, although it does not add any security value.
At auth2-pubkey.c::user_key_command_allowed2(), we have the
2006 Jan 19
5
Only one chance to enter a new password?
Hello there,
We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various
Solaris boxes with PAM and an LDAP server back end.
Recently we have added a requirement for users to have complex
passwords. The problem is, if a user's password has expired, when they
log in they are prompted for a new password (good) but if they enter a
non-complex new password the session is closed rather than
2005 Dec 31
2
pam_mkhomedir.so problem
Hello Samba People,
I'm doing some tests with samba on a debian Sarge in order to implement a
file server
with the recycle bin module, so my smb.conf looks like this:
[global]
workgroup = HOME
server string = %h server (Samba %v)
preferred master = no
realm = home.local
security = ADS
encrypt passwords = true
password server = 192.168.0.15
socket options = TCP_NODELAY
#
2006 Oct 27
1
Requirement for sshd account since 4.4p1
Hi,
there's a change made to 4.4p1, which gave some irritation on the Cygwin
mailing list. It's a change from 20060907:
- (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
be used to drop privilege to; fixes Solaris GSSAPI crash reported by
Magnus Abrante; suggestion and feedback dtucker@
NB. this change will require that the privilege separation user must
2008 May 07
4
[Bug 15857] New: Errors in Desktop Tower Defense (flash game)
http://bugs.freedesktop.org/show_bug.cgi?id=15857
Summary: Errors in Desktop Tower Defense (flash game)
Product: swfdec
Version: git
Platform: x86 (IA32)
OS/Version: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: library
AssignedTo: swfdec at lists.freedesktop.org
2002 Nov 05
2
[PATCH] Add a chroot_users option to sshd
This patch adds a new option to sshd, chroot_users. It has the effect of
chroot()ing incoming ssh users to their home directory. Note: this option
does not work if UsePrivilegeSeparation is enabled.
Patch is based on OpenSSH 3.4p1.
*** servconf.h@@\main\1 Tue Oct 1 17:25:32 2002
--- servconf.h Wed Oct 2 06:17:48 2002
***************
*** 131,136 ****
--- 131,137 ----
char
2009 Sep 21
2
How to generate additional debug messages for sshd gssapi failures?
I'm trying to troubleshoot gssapi_with_mic authentication with OpenSSH
5.2p1 on FreeBSD 8.0.
If I run sshd with maximum debug "sshd -ddd" the most detail I get is:
GSSAPI MIC check failed
That comes from line 282 in auth2-gss.c
279 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
280 authenticated =