similar to: ssh-agent and socket permission check

I know it is just after a release, but I'm trying to see how the regression tests look on Tru64. I hadn't had a chance to really look at them before because I didn't have sudo installed on Tru64 (now I do). Anyway, for the 3.9p1 release, all of them run except for a couple of problems: - agent-ptrace fails; it looks like setgid isn't enough to kill tracing under Tru64, and I

https://bugzilla.mindrot.org/show_bug.cgi?id=2533 Bug ID: 2533 Summary: do not check if HostKeyAgent is available on ssdh startup Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd

Hi. Mac OS X has a PT_DENY_ATTACH argument to ptrace(2) which does what it says on the tin: PT_DENY_ATTACH This request is the other operation used by the traced process; it allows a process that is not currently being traced to deny future traces by its parent. All other arguments are ignored. If the process is currently being traced, it

I use ssh port forwarding to connect to a samba server from Windows 2000/ XP clients. But there is an annoying part that I have to enter my password for samba shares after I already authenticated with the server using ssh. Is there any way to setup samba so in the case of ssh connections it would use already authenticated user name and would not ask for any password for shares? Regards, Igor

Hi! Some vnc clients has '-via ssh_gateway' option to simplify the setup of ssh port forwarding. Basically the option implements the following 3 steps: 1. Find local port available for listening. 2. Fork/exec ssh -L found_port:vnc_host:vnc_port ssh_gateway sleep some_delay 3. Connect to the found_port Although convenient the setup has its problems. First, it exposes the remote vnc

As I understand currently there is no way in sshd_config to match based on the client public key so different configuration for the same username can be applied depending on the key, right? My case is a backup login that needs to run as a root to access all the files and where I want to use ForceCommand to allow the login only to execute a particular command and yet still allow normal root

http://bugzilla.mindrot.org/show_bug.cgi?id=745 Summary: agent-ptrace.sh fails Product: Portable OpenSSH Version: -current Platform: All OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-bugs at mindrot.org ReportedBy: mmokrejs at

Hello, My usage of ProxyCommand just calls the nc utility with various parameters. That in turn after the initial setup just copies copies the data from the network socket to stdin/stdout. This useless coping can be avoided if ssh has an option to receive the socket from the proxy command. I suppose it can improve network error reporting as ssh would talk directly to the network socket rather

https://bugzilla.mindrot.org/show_bug.cgi?id=2435 Bug ID: 2435 Summary: allow to pass socket to the agent over stdin Product: Portable OpenSSH Version: 6.9p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs

OpenSSH 3.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.4: ============================ *

OpenSSH 3.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.4: ============================ *

On 3/15/23 18:25, Eric Blake wrote: > On Wed, Mar 15, 2023 at 12:01:57PM +0100, Laszlo Ersek wrote: >> Don't try to test async-signal-safety, only that >> NBD_INTERNAL_FORK_SAFE_ASSERT() works similarly to assert(): >> >> - it prints diagnostics to stderr, >> >> - it calls abort(). >> >> Some unfortunate gymnastics are necessary to avoid

I see that the hostname canonicalization configuration options is still rather limited. As that works on DNS level they are of not use if one has to use ProxyCommand to connect over a proxy connection or through a common gateway name where one uses different port numbers to connect to different intranet names. What would be ideal is to extend the ProxyCommand to both return the resolved universal

Hello, I tried to use HostKeyAgent with sshd 6.7 under Linux. That worked for Linux clients. However, when I tried to connect from OpenSSH 6.2 under Mac OS X, the server disconnects: debug2: bits set: 1026/2048 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY Connection closed by 84.22.97.209 When I disabled HostKeyAgent and switched HostKey back to the private

Dear All, Is it possible to move agent sockets to directories other than /tmp? For ex., move to /var/run/ssh? I don't know if anyone has asked for this before. I'm asking this because according to the current FHS 2.2 (http://www.pathname.com/fhs/), PID files and sockets should always go to /var/run. I understand that it is not possible for an ordinary user to write to /var/run,

I am wondering what is the interaction between SE Linux and the kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket and keep getting permission denied errors. I've tried using the lcap library to find that CAP_SETPCAP appears to be off in the kernel. For compliance reasons, I don't want to turn this on. I've also tried a hand-crafted SE Linux

Hello, I'm trying to get deliver LDA working with postfix in a virtual domain configuration. I'm using dovecot v1.0.rc10. My setup is pretty much exactly as in the wiki (only the path to deliver and auth-master socket are different). I'm having a little problem with permissions and this occurred which I think is undesirable: syslog: Feb 8 13:09:35

I was wondering if it might be possible for an rsync developer to look over the attached patch (tested on Linux 2.4.24 against the rsync-2.6.0 release), and offer suggestions on how I could improve it. Basically I want to use Linux finer grained capabilities to retain only CAP_SYS_CHROOT & CAP_DAC_READ_SEARCH when rsync drops root privs. That way I can take whole system backups as a (mostly)

On Thu, Mar 16, 2023 at 10:50:06AM +0100, Laszlo Ersek wrote: > On 3/15/23 18:25, Eric Blake wrote: > > On Wed, Mar 15, 2023 at 12:01:57PM +0100, Laszlo Ersek wrote: > >> Don't try to test async-signal-safety, only that > >> NBD_INTERNAL_FORK_SAFE_ASSERT() works similarly to assert(): > >> > >> - it prints diagnostics to stderr, > >> >

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior to that, cifs.upcall was able to find credcaches in non-default FILE: locations, but with the rework of that code, that ability was lost. Unfortunately, the krb5 library design doesn't really take into account the fact that we might need to find a credcache in a process that isn't descended from the session. When the