similar to: auth2-pubkey.c - change an error message

Hi, I have a setup in which I run sshd as unprivileged user at dedicated port to serve specific application. It is working perfectly! One tweak I had to do, since the AuthorizedKeysCommand feature requires file to be owned by root, I had to use root owned command at root owned directory, although it does not add a security value. At auth2-pubkey.c::user_key_command_allowed2(), we have the

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Assignee|pgsery at swcp.com |djm at mindrot.org --- Comment #58 from Damien Miller

https://bugzilla.mindrot.org/show_bug.cgi?id=983 --- Comment #51 from Petr Lautrbach <plautrba at redhat.com> 2012-03-28 02:35:54 EST --- Created attachment 2138 --> https://bugzilla.mindrot.org/attachment.cgi?id=2138 fixes of original patch (In reply to comment #46) > Created attachment 2096 [details] > Updated version of original patch. Fix missing braces around block in

https://bugzilla.mindrot.org/show_bug.cgi?id=2270 Bug ID: 2270 Summary: AuthenticationMethods - partial success is considered as failure Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd

Hello, Currently OpenSSH has a fixed order on how the key authenticates the user: at first it tries to authenticate against TrustedUserCAKeys, afterwards it does it against the output keys from the AuthorizedKeysCommand and finally against the files as set in AuthorizedKeysFile. I have an use-case where this order is not ideal. This is because in my case the command fetches keys from the cloud

Hi guys, It might be nice if AuthorizedKeysCommand would receive the fingerprint of the offered key as an argument, so that programs like gitolite could implement more refined key-based identity lookup that offers better performance than AuthorizedKeysFile's linear scan. The following patch is untested but is the basic idea: diff -ru openssh-6.2p1/auth2-pubkey.c

https://bugzilla.mindrot.org/show_bug.cgi?id=2011 --- Comment #8 from Petr Lautrbach <plautrba at redhat.com> --- Created attachment 2214 --> https://bugzilla.mindrot.org/attachment.cgi?id=2214&action=edit don't probe seccomp capability of running kernel in configure I'd like to add also possibility to build seccomp_filter sandbox on system with older kernel, E.g. Fedora

https://bugzilla.mindrot.org/show_bug.cgi?id=2166 Bug ID: 2166 Summary: sshd logs unnecessary messages if some of default host keys doesn't exist Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5

https://bugzilla.mindrot.org/show_bug.cgi?id=2263 Bug ID: 2263 Summary: sshd privsep monitor process doesn't handle SIGXFSZ signal Product: Portable OpenSSH Version: 6.6p1 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd

https://bugzilla.mindrot.org/show_bug.cgi?id=1388 Summary: Parts of auth2-pubkey.c are completely devoid of debug logging Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: Other OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=2133 Bug ID: 2133 Summary: scp failes between two ends using password authentication Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: scp

https://bugzilla.mindrot.org/show_bug.cgi?id=2332 Bug ID: 2332 Summary: Show more secure fingerprints than MD5 (e.g. SHA256) in ssh and ssh-keygen Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5

https://bugzilla.mindrot.org/show_bug.cgi?id=2102 Bug ID: 2102 Summary: [PATCH] Specify PAM Service name in sshd_config Classification: Unclassified Product: Portable OpenSSH Version: 6.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: PAM support

https://bugzilla.mindrot.org/show_bug.cgi?id=2245 Bug ID: 2245 Summary: Multiple USER_LOGIN messages when linux audit support is enabled on bad login Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5

Hello, I've hit 2 build issues on rhel-7 using the latest portable tree - HEAD 3dfd8d93dfcc69261f5af99df56f3ff598581979 - rijndael.c:1104:7: error: ?Td4? undeclared (first use in this function) (Td4[(t0 >> 24) ] << 24) ^ ^ introduced in commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e - ./libssh.a(krl.o): In function `ssh_krl_from_blob':

Hi, I'm attempting to test the AuthorizedKeysCommand feature with the new port of ssh-ldap-wrapper to OpenBSD. I'm running yesterday's OpenBSD-current i386 snapshot, which includes AuthorizedKeysCommand. The port of ssh-ldap-helper (at http://old.nabble.com/-new--ssh-ldap-helper-td34667413.html) contains all the bits I need, and the individual pieces appear to work once configured:

https://bugzilla.mindrot.org/show_bug.cgi?id=2110 Bug ID: 2110 Summary: ssh-copy-id fails on nonexisting private key Product: Portable OpenSSH Version: 6.2p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs

https://bugzilla.mindrot.org/show_bug.cgi?id=2165 Bug ID: 2165 Summary: ssh option to prompt for fingerprint input Product: Portable OpenSSH Version: 5.9p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at

Hi. I would like to add an option [-p port] to ssh-copy-id. If this option is given then ssh-copy-id calls ssh with -p port to connect to non-standard port. The patch [1] adds this option to ssh-copy-id and documents it in ssh-copy-id(1) man page [1] http://plautrba.fedorapeople.org/openssh/718674/ssh-copy-id-p-port.patch Thanks, Petr diff --git a/contrib/ssh-copy-id

Hello everybody, An issue was reported in RH bugzilla [1] about the size of the used DH group when combined with the 3des-cbc cipher. OpenSSH uses the actual key length for the size estimation. This is probably fine as far as the cipher has the same number of bits of security as the key length. But this is not true for 3TDEA where the key size is 168 resp 192 but it's security is only 112.