Displaying 20 results from an estimated 7000 matches similar to: "Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?"
2018 Jul 06
2
Does anyone use UsePrivilegedPort=yes or setuid ssh(1) ?
On 6 July 2018 at 17:24, Gert Doering <gert at greenie.muc.de> wrote:
[...]
> I think we have one customer connection where their firewall admin
> thinks "it is more secure that way" - read, we can't ssh in if we come
> from high ports.
>
> OTOH, thanks for the pointer with ProxyCommand - it's a very specific
> niche problem with a viable workaround, so I
2015 Feb 17
2
matching on client public key
As I understand currently there is no way in sshd_config to match
based on the client public key so different configuration for the same
username can be applied depending on the key, right?
My case is a backup login that needs to run as a root to access all
the files and where I want to use ForceCommand to allow the login only
to execute a particular command and yet still allow normal root
2014 Jan 17
15
Call for testing: OpenSSH-6.5
Hi,
OpenSSH 6.5 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This release contains
some substantial new features and a number of bugfixes.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is
2020 Jan 13
3
Adding SNI support to SSH
Hi,
On Mon, Jan 13, 2020 at 03:16:00PM +0000, Jochen Bern wrote:
> Out of interest:
> 1. If an extended mechanism were to be implemented, which server pubkey
> do you expect to be seen/stored/verified by the client? The proxy's
> / v4 middlebox's, or the v6 backend's? Or would you require that all
> server-side machines use the *same* host keypairs?
I'd do
2002 Apr 05
14
PLEASE TEST snapshots
The next OpenSSH release is close, too.
If you want OpenSSH 3.2 to be the best version of OpenSSH,
then please test the snapshots.
If you like to see new features in future OpenSSH releases,
then test the snapshots.
If you are running OpenBSD then please test the OpenBSD
snapshots.
If you are running the portable OpenSSH release then please
test the nightly snapshots from
2002 Jan 09
0
IRIX 6.5 RhostsRSA problems
Hello,
I'm new to the list, and I've been having a very weird problem with the IRIX
version of portable openssh that I think may be a bug in this platform...
I've looked through the FAQs and the man pages and can't find why this might
not be working. The ssh binary is setuid-root, both ssh and sshd are told
that Rhosts and RhostsRSA auth is OK in their config files, etc. I
2016 Mar 08
2
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
Hi Gert,
Thanks for your reply.
But we can't upgrade to version 7.2, and we also don't have a plan to upgrade in
the near future. Can I fix these vulnerabilities in the current version?
Regards
Abhishek
On Tue, Mar 8, 2016 at 6:42 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Tue, Mar 08, 2016 at 06:14:01PM +0530, abhi dhiman wrote:
> > Actually I am working
2004 Jul 06
4
AIX and zlib
I noticed that AIX now comes with a version of zlib installed in /usr. (I'm
working on 5.2)
My first inclination was to simply uninstall it and use the one we compile
(and put in /usr/local).
However, IBM has made zlib part of the RPM package itself!
So, I cannot uninstall it without removing RPM....
Next, I tried passing --with-zlib=/usr/local to configure for ssh.
This seems to work, but
2002 May 03
2
Does OpenSSH have tcp_wrappers *built-in* or just compatibility?
I was under the impression it was just compatibility, and not actually
built-in, but I thought I'd ask here and just make sure of what I'm
saying. :) TIA.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com
"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
2014 Jan 30
1
Announce: OpenSSH 6.5 released
Changes since OpenSSH 6.4
=========================
This is a feature-focused release.
New features:
* ssh(1), sshd(8): Add support for key exchange using elliptic-curve
Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
method is the default when both the client and server support it.
* ssh(1), sshd(8): Add support for Ed25519 as a public key type.
Ed25519 is a
2001 Jun 27
2
OpenSSH, Cygwin, eXceed, and SIGINT
All,
When logging into an HP-UX 10.2 system from a Windows NT machine
running Cygwin and openssh 2.9p2, control-c sends a sigint to the ssh client
on the NT system, thus killing the ssh process. Interestingly enough, this
behavior is only observed when using X11 forwarding. I can eliminate the
behavior by changing clientloop.c to ignore SIGINT (signal(SIGINT, SIG_IGN)
) but then I'm back to
2001 Aug 14
1
configure bug
This was discovered in openssh-2.9p2 on BSDi 4.1. If you configure
--with-ssl-dir and give a relative path (like ../openssl-0.9.6b), it will
not compile because that path is no longer valid once it cds to
openbsd-compat. In the CPPFLAGS variable in openbsd-compat/Makefile, you
can put in another ../ (-I../openssl-0.9.6a/include becomes
-I../../openssl-0.9.6a/include) and it works.
Perhaps there
2011 Jul 17
2
openSSH 5.8p2 BindPort patch
Hi, I have written a patch for openSSH 5.8p2 which allows the user to
set the local source port. The patch is as follows:
diff -rupN openssh-5.8p2//readconf.c openssh-5.8p2-srcport//readconf.c
--- openssh-5.8p2//readconf.c 2010-11-20 04:19:38.000000000 +0000
+++ openssh-5.8p2-srcport//readconf.c 2011-07-17 20:57:52.385044096 +0100
@@ -125,7 +125,7 @@ typedef enum {
oGlobalKnownHostsFile2,
2015 Apr 22
3
shared private key
On Wed, Apr 22, 2015 at 1:53 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Wed, Apr 22, 2015 at 01:26:06PM -0700, Reuben Hawkins wrote:
>> Let me know if I'm missing something. :)
>
> Signed keys from a common CA?
I don't think the signed key helps in my particular case (I may be
wrong, if so please correct me).
I'm working on a management
2016 Feb 17
2
Using 'ForceCommand' Option
I would like to implement an arbitrary script to be executed when logging
on via SSH. This is supposedly possible using the ForceCommand option to
sshd. However, as soon as I implement any script, even as simple as echoing
a string, clients can no longer connect to the server. Clients report only
that the connection was dropped by the server. The server, in debug mode,
shows:
Feb 17 16:14:01
2017 Oct 17
2
Status of OpenSSL 1.1 support
Hi,
On Tue, Oct 17, 2017 at 05:54:52AM -0600, The Doctor wrote:
> The best solution is if (LIBRESSL) || (OPENSSL < 1010...)
>
> Else
>
> Whatever.
>
> Is that too much work?
Littering code with #ifdef is almost never a good idea.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert
2016 Mar 08
4
Need Help to Fix CVE-2008-1483, CVE-2008-5161, CVE-2015-5600 and CVE-2015-6565
Hi All,
Actually I am working with the OpenSSH version 6.2p which is vulnerable to
the above-mentioned vulnerabilities.
So I am looking for some help on how I can fix these vulnerabilities in my
version. I need to fix it in the OpenSSH code.
Regards
Abhishek
2018 Jan 03
2
SSHD and PAM
Sudarshan Soma wrote:
> Does sssd/NSS have a way to fetch user names from sources like
> RADIUS/TACACS server?
My impression is that while this might be theoretically possible, nobody
does this. Especially it's not clear to me how you would push group
membership to the system. And AFAICS in case of TACACS+ there's also
only a single "role" available (translate this to
2015 Apr 22
2
shared private key
On Wed, Apr 22, 2015 at 10:55 AM, Ángel González <keisial at gmail.com> wrote:
> On 22/04/15 16:42, Reuben Hawkins wrote:
>>
>> Hi SSH-devs,
>>
>> This may be a bit off topic for this list, but....
>>
>> Would it be ok to share a private key in an installer script so long
>> as the corresponding public key is setup like this...
>>
>>
2017 May 18
2
feature request: use HOME before getpwnam() in misc.c
it's really^3 annoying that no matter the value of $HOME, that tilde_expand_filename() only looks at getpwnam() and friends instead of at least trying getenv("HOME").
What is the use case?
HOME=longpath_to_config1
ssh -i ~/.ssh/key1
HOME=longpath_to_config2
ssh -i ~/.ssh/key2
but getpwnam() defeats this by always accessing what's in the passwd file. So .ssh/known_hosts is