similar to: MaxDisplays configuration option

hi, this can be applied to the latest portable CVS. by default bind sshd fake display to localhost. [stevesk at jenny stevesk]$ uname -sr HP-UX B.11.11 [stevesk at jenny stevesk]$ echo $DISPLAY localhost:14.0 [stevesk at jenny stevesk]$ netstat -an|grep 6014 tcp 0 0 127.0.0.1.6014 *.* LISTEN this is currently controlled with sshd_config gatewayports;

Hey everyone, I wanted to add support for denying PTY allocation through OpenSSH. I'm not certain if this is quite thorough enough for all cases, but for me it might work for the moment. I know that you can currently do this through authorized_keys, but as far as I know that only works for an actual key. In my use case, I wanted a user with no password which is forced to run a specific

https://bugzilla.mindrot.org/show_bug.cgi?id=2580 Bug ID: 2580 Summary: Support for MaxDisplays to replace artificial MAX_DISPLAYS limit Product: Portable OpenSSH Version: 7.2p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd

Hi, here's a patch so that ssh also supports hurd-i386. Thanks for incorporating. The patch comes from Robert Bihlmeyer <robbe at orcus.priv.at>. > openssh 2.2.0p1-1.1 does not build on the Hurd. The appended patch > fixes that. Changes in detail: > * PAM is not (yet?) supported, so the PAM dependencies are only put into > the control file on architectures != hurd-i386.

Hi, This also has been discussed in SSHSCI's SSH context. All SSH versions (both SSHSCI and OpenSSH) derive value for DISPLAY variable from `uname -n`. The problem is that the returned value is not necessarily resolvable to a valid IP number which in turn might cause a failure. To make it fool-proof I suggest to set DISPLAY to the interface's address the user has reached the system in

Hi, I think we should try other AF for "x11_use_localhost" case. --- openssh-3.1p1/channels.c Tue Mar 5 10:57:45 2002 +++ openssh-3.1p1-fix/channels.c Thu May 2 21:26:28 2002 @@ -2356,6 +2356,13 @@ continue; } } +#ifdef IPV6_V6ONLY + if (ai->ai_family == AF_INET6) { + int on = 1; + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)

On Tue, 3 May 2016, Rogan Dawes wrote: > Hi Damien, > Thanks for the response! > > I tried moving the StreamLocalBindUnlink directive outside of the Match > rule, and it worked. But that doesn't explain why the Match was not > correctly setting the directive: > > This is running on an alternate port with -ddd: > > debug3: checking match for 'User

Hi all, Here's a small mechanism I have built to run games in a dedicated display. The main reasons for doing that were: - to avoid desktop stuff to pop over my games display - to run games in a display matching the game resolution - to avoid manually switching my main resolution back and forth - to avoid problems where quitting a games leaves my desktop in the wrong resolution The idea is

This patch allows the OpenSSH client to make connections over SCTP, and allows the OpenSSH server to listen for connections over SCTP. SCTP is a robust transport-layer protocol which supports, amongst other things, the changing of endpoint IPs without breaking the connection. To connect via SCTP, pass -H or set "ConnectViaSCTP yes". To listen via SCTP as well as TCP, set

On Mon, Jul 23, 2001 at 12:49:14AM +0100, Matthew Vernon wrote: > ------- start of forwarded message ------- > From: <mouring at etoh.eviladmin.org> > To: Matthew Vernon <matthew at empire.ucam.org> > cc: <openssh-unix-dev at mindrot.org> > Subject: Re: [patch] GNU/Hurd compatibility patches > Date: Sun, 22 Jul 2001 12:39:32 -0500 (CDT) > > > We

Hi thanks for the answers I'm using the following Patch now (Works for AIX 4.3.3, I'll check other AIX Versions, Solaris and Linux later) configure --with-cppflags=-DLOCALHOST_IN_DISPLAY activates the change *** channels.c Wed Jun 13 21:18:05 2001 --- ../openssh-2.9p2.aix/channels.c Wed Aug 8 14:55:24 2001 *************** *** 2268,2276 **** --- 2268,2282 ----

The patch below implements a couple of features which are useful in an environment where users do not have a regular shell login. It allows you to selectively disable certain features on a system-wide level for users with a certain shell; it also allows you to control and audit TCP forwarding in more detail. Our system is an email server with a menu for the login shell; we selectively allow port

Hi! Here is the patch to support tcp wrappers with x11-forwarded connections. The patch is for openssh-3.0.1p1 but it works fine with 2.9.9p2 too. I've understood that this will not be included in the official version because it adds complexity (?!) to openssh. Binding the forwarded port to localhost doesn't solve all problems. I've understood that you should also implement

Non-gcc compilers tend not to like C++-style // comments in plain C code, as I discovered when trying to build the latest snapshot (20010615) with the Tru64 UNIX C compiler. *** channels.h.orig Fri Jun 8 18:20:07 2001 --- channels.h Fri Jun 15 14:41:01 2001 *************** *** 209,215 **** /* x11 forwarding */ int x11_connect_display(void); ! //int x11_check_cookie(Buffer *b);

This issue has been discussed here and elsewhere a fair bit in the past year or so, but to re-address the issue... As of OpenSSH 2.9.something the ability to have an Xauthority located in /tmp was removed, with the following description in the ChangeLog : - markus at cvs.openbsd.org 2001/06/12 21:21:29 [session.c] remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since

Hi ! I hacked together a couple of patches for Openssh 2.1.1p4 port forwarding. It is a one patch file that does the following two things: First: If the server is configured not to allow port forwardings it sends SSH_SMSG_FAILURE (protocol 1) while openssh client expects SSH_SMSG_SUCCESS. When the client gets the failure it exists with protocol error message. This patch will accept both failure

This is on Solaris 10 x86, do not see this behavior on Solaris 10 sparc. Seen on multiple machines. Sshd debug: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug2: session_new: allocate (allocated 0 max 10) debug3: session_unused: session id 0 unused debug1: session_new: session 0 debug1:

https://bugzilla.mindrot.org/show_bug.cgi?id=1950 Bug #: 1950 Summary: sshd tries to bind over and over to ::1 for several seconds Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2

Attached is a patch to allow a user to turn on TCP keepalives for port forwarded connections. It's mainly useful when the connections to the ssh listener are coming from many different boxes, some of which crash, leaving the service on the other side of the port forwarder waiting on connections indefinitely. It creates a new option named "KeepAliveForward" to control this behavior.

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be