similar to: OpenSSH_6.1p1 sends a SSH packet bigger than 32K

The patch below implements a couple of features which are useful in an environment where users do not have a regular shell login. It allows you to selectively disable certain features on a system-wide level for users with a certain shell; it also allows you to control and audit TCP forwarding in more detail. Our system is an email server with a menu for the login shell; we selectively allow port

this (uncomplete) patch makes various features compile time options and saves up to 24K in the resulting ssh/sshd binaries. i don't know whether this should be added to the CVS since it makes the code less readable. perhaps WITH_COMPRESSION should be added, since it removes the dependency on libz -m Index: Makefile.inc =================================================================== RCS

I recently ran across a problem with remote port forwarding in OpenSSH when trying to use dynamic ports. While it is possible to use OpenSSH to request a dynamic port and the OpenSSH sshd handles it just fine, the OpenSSH client gets confused when multiple ports are opened this way, due to the information passed in the "forwarded-tcpip" SSH_MSG_CHANNEL_OPEN message which is sent back to

https://bugzilla.mindrot.org/show_bug.cgi?id=2147 Bug ID: 2147 Summary: OpenSSH remote forwarding of dynamic ports doesn't work when you create more than one Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5

Hi ! Here's a patch to add remote port forwarding support (protocol 2) for openssh. I have tried to test that it works like it should but a more thorough testing is needed. This patch adds both client/server support. The patch should be applied to openssh-2.1.1p4 source tree. Also included is a PortForwarding sshd_config option, new ./configure option --disable-forwarding that should make it

https://bugzilla.mindrot.org/show_bug.cgi?id=2529 Bug ID: 2529 Summary: direct-streamlocal channel open doesn't match PROTOCOL documentation Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: ssh

I don't see a problem, my MTU is at the default value = 1500, but when I look at the trace from libssh2, packet type 4 received, => SSH_MSG_DEBUG packet type 91 received, => SSH_MSG_CHANNEL_OPEN_CONFIRMATION packet type 93 received, => SSH_MSG_CHANNEL_WINDOW_ADJUST packet type 99 received, => SSH_MSG_CHANNEL_SUCCESS packet type 98 received, => SSH_MSG_CHANNEL_REQUEST packet

There is no hash algorithm associated with SSH keys. The key format for RSA keys is always ?ssh-rsa?, and it is capable of being used with any of the available signature algorithms (ssh-rsa for SHA-1 and rsa-sha2-256 or rsa-sha2-512 for SHA-2). See section 3 in https://www.rfc-editor.org/rfc/rfc8332: rsa-sha2-256 RECOMMENDED sign Raw RSA key rsa-sha2-512 OPTIONAL

Today I modified OpenSSH so that it allows me to configure in a generic way, restrictions on what server functions can be used by system users after they authenticate. The partial implementation of my plans only works for SSH2, but allows me to write entries like the following in sshd_config: ChannelReqDeny shell g restricted ChannelReqDeny exec g restricted ChannelReqDeny x11-req u

The version of sshd in FreeBSD 8.4 is not backward compatible with older version from 8.3. OpenSSH_5.4p1 (on FreeBSD 8.3) OpenSSH_6.1p1 (on FreeBSD 8.4) # sshd -t /etc/ssh/sshd_config line 19: Missing argument. On line 19, there is: VersionAddendum It was OK in older versions. It will remove any default text appended to SSH protocol banner (for example 'FreeBSD-20120901'). On

I am trying to make sense of the way in which OpenSSH computes window size, so far without much success :-( My understanding is that when a client specifies a window size N at the beginning of a session, it is letting the server know that it (the server) can send, on a given channel, up to N bytes worth of data that consumes window space (essentially the payload of SSH_MSG_CHANNEL_DATA and one

Note: most but not all of this message is about OpenSSH When I do a remote forward (port on server listens for incoming traffic, traffic gets forwarded to port that is listening on client), the source IPs of all the incoming connections in the server app on the client machine are 127.0.0.1/localhost. Using "-v", I can see that sshd passes the IP addresses of what computers connected to

Hi, I am facing an issue with openssh-4.5p1. I am not sure whether its an openssh issue or a tcp stack issue since I am using a simulated tcp/ip stack. While copying a file of around 1GB using sftp/scp I am getting a send:Message too long error. I did a bit of debugging and found that ssh code was sending packet of size greater than 131072 bytes from the application level to the socket and

Hi, according to RFC 4253 https://www.rfc-editor.org/rfc/rfc4253#section-7.1 for the selection of algorithms (ciphers, KEX, MAC etc.), the leftmost matching client algorithm is picked. While this is fine in most cases, there are cases where it is not desirable, for example: 1) for compatibility with a single old client you enable an old cipher, say aes128-cbc, server side. A modern client

Hi, OpenSSH plans to remove support for DSA keys in the near future. This message describes our rationale, process and proposed timeline. Rationale --------- DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is <=80 bits symmetric equivalent[1][2]. OpenSSH has disabled DSA keys by

Hi, OpenSSH plans to remove support for DSA keys in the near future. This message describes our rationale, process and proposed timeline. Rationale --------- DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is <=80 bits symmetric equivalent[1][2]. OpenSSH has disabled DSA keys by

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

hi OpenSSH folks-- I have several OpenSSH sshd servers that i've maintained for a long time. Some of them have keys that are considered short by today's standards (e.g. 1024-bit RSA keys). On these servers, I would like to be able to do a key rotation such that multiple keys are valid during a time window so that users can learn the new key before i remove the old one. I don't

Hi, I discovered when using my fuse fs for connecting to a remote host using sftp that the new server version 7.4 sends a greeter which is not according the format desribed in https://tools.ietf.org/html/rfc4253#section-4 There is written that the greeter "MUST be terminated by a single Carriage Return (CR) and a single Line Feed (LF) character (ASCII 13 and 10, respectively)." Now

Am I correct in assuming that the user and host public/private keys used in openSSH are only used for authentication (is the remote server known to be X, is this Harry trying to login), and have no role in the encryption? I was under the assumption that each connection used a newly generated key (using DH for key exchange) so each session was unique. (I believe this because the transport layer