Displaying 20 results from an estimated 1400 matches similar to: "Detecting forwarded agent connections"
2006 Sep 25
1
[PATCH] implementation of getpeereid() for Solaris
Hi, Solaris doesn't have getpeereid() or SO_PEERCRED. However,
getpeerucred() is perfectly usable for that; and it's in Solaris 10 and
OpenSolaris. So, ssh-agent(1) security there so far depends only on
permissions of the socket directory and with this patch it checks peer's
credentials, too. I patched the following files using a snapshot from 20060921:
openssh/config.h.in
2007 Oct 07
6
issetugid() for other procs
Any way to check if another proc has run or been run by a proc that
is setuid or seteuid?
2016 Feb 17
4
Call for testing: OpenSSH 7.2
On 2/17/16 9:50 AM, Carson Gaspar wrote:
> Solaris 10 has setppriv, but does not have priv_basicset. To work on
> Solaris 10, the call would need to be replaced with the equivalent set
> of explicitly listed privs:
The prior art in other apps on the system seems to suggest that
priv_str_to_set is a better fallback if priv_basicset is not available.
I've attached a patch that seems
2016 Feb 17
4
Call for testing: OpenSSH 7.2
On Wed, 17 Feb 2016, Alex Wilson wrote:
> On 2/17/16 2:04 PM, Alex Wilson wrote:
> > I've attached a patch...
> >
>
> Also at
>
> https://us-east.manta.joyent.com/arekinath/public/openssh-wip-fix-for-sol10-privs.patch
>
> If you are having trouble getting the patch out of the email.
>
> Also, as for Damien's patch, you will want to regenerate
2010 Jan 22
1
libvirtd remote access
Hi,
I can't seem to get libvirtd to accept remote connections. Both systems are built using genunix's b130.
It seems that connections originating from the xvm0 server itself are fine but as soon as I go on to the other box and run the same python script (or simply virsh) the connection gets dropped immediately. Telnetting to port 16509 confirms that it drops the connection
2012 Mar 23
1
Problems with upgrade 2.0.16 -> 2.1.3
I ran into two issues trying to upgrade our dovecot installation (Solaris 10).
1) Does not compile with OpenSSL 0.9.7
Not a big deal, as I was able to compile successfully against OpenSSL 0.9.8,
but does dovecot require OpenSSL >= 0.9.8 now?
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-test -std=gnu99 -O3 -fomit-frame-pointer -mcpu=ultrasparc -Wall -W
2012 Oct 09
3
make install errors in openssh(when openpam is to be integrated with openssh)
Hi,
I want to integrate openpam with openssh in our server (which uses QNX632
operating system). I am facing some problems in the "make install" part of
openssh. Following are the steps I followed to build zlib, openssl, openpam
and openssh.
*NOTE*: Since I want the sshd and ssh binaries in my server (using QNX), I
had to cross compile the packages for QNX (environment was set to x86)
2007 Aug 21
1
ssh-agent security
ssh-agent is a great tool that is often misconfigured with respect to
agent forwarding. How many people running ssh-agent and doing a ssh
-A have the very same public keys in ~/.ssh/authorized_keys of the machine
they are coming from? ssh(1) is very clear in its warning about enabling
agent forwarding. The simple act of prompting the user before using the
key would enable them to determine
2007 Mar 06
16
2007/128 SMF services for Xen
I am sponsoring this fasttrack for John Levon. It is set to expire
on 3/14/2007. Note that this is an externally visible case.
liane
---
SMF services for Xen
1. Introduction
This case introduces the SMF services used by a Solaris-based domain 0 when
running on Xen, or a Xen-compatible hypervisor. All of these services only
run on domain 0 when booted under Xen virtualisation.
2011 Oct 25
1
ssh-agent use in different security domains
Consider this topology
domain1-server1 domain2-server2
| |
laptop - domain1-server1 ---- domain2-server1
Laptop has two ssh identities, domain1 and domain2.
I don't wish to store identity locally in any of the servers. As far
as I understand, there isn't any way to limit ssh-agent to allow only
signing
2007 Feb 19
2
[Bug 1287] Use getpeerucred on Solaris
http://bugzilla.mindrot.org/show_bug.cgi?id=1287
Summary: Use getpeerucred on Solaris
Product: Portable OpenSSH
Version: v4.5p1
Platform: All
URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115919880516907&w=2
OS/Version: Solaris
Status: NEW
Severity: normal
2013 Apr 02
1
RFC: More explicit ssh agent forwarding on SSH_ASKPASS confirmation
This is an old idea I had, resurrected by the mention of changing the
agent protocol in "ssh-agent allowing access to other users?" thread.
Currently, when you forward the ssh-agent, the forwarded host has the
same rights as the local user. And when the key requires confirmation,
the is quite terse: "Allow use of key foobar?
Key fingerprint abcdf."
It would be desirable to
2007 Mar 21
0
[Bug 1287] Use getpeerucred on Solaris
http://bugzilla.mindrot.org/show_bug.cgi?id=1287
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
------- Comment #1 from dtucker at zip.com.au 2007-03-21 21:40
2007 May 09
1
[Bug 1287] Use getpeerucred on Solaris
http://bugzilla.mindrot.org/show_bug.cgi?id=1287
bugzilla-openssh at thewrittenword.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
------- Comment #2 from bugzilla-openssh at
2002 Jun 05
3
ssh-add: local private keys added to forwarded agents
Hi,
This may or may not cause concern for some people (considering a lot of
people store all of their keys on a single client system).
Snippet from draft-ietf-secsh-agent-00.txt:
2. Security Considerations
This protocol is designed only to run as a channel of the SSH
protocol.
The goal of this extension is to ensure that the users private keys
never leave the machine they are
2020 Oct 03
0
[PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
used on Linux (only) to read the peer PID, UID and GID from clients
connected over a Unix domain socket. This can be used in the
preconnect phase to add additional filtering.
One use for this is to add an extra layer of authentication for local
connections. A subsequent commit will enhance the now misnamed
nbdkit-ip-filter to
2020 Oct 05
0
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
> On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> > used on Linux (only) to read the peer PID, UID and GID from clients
> > connected over a Unix domain socket. This can be used in the
> > preconnect phase to add additional filtering.
2020 Oct 05
3
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> used on Linux (only) to read the peer PID, UID and GID from clients
> connected over a Unix domain socket. This can be used in the
> preconnect phase to add additional filtering.
>
> One use for this is to add an extra layer of authentication for local
>
2020 Oct 05
1
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On Mon, Oct 05, 2020 at 02:38:37PM +0100, Daniel P. Berrangé wrote:
> On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
> > On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> > > used on Linux (only) to read the peer PID, UID and GID from clients
> > > connected over a Unix domain
2003 Jan 09
1
[Bug 421] compile error on Debian slink
http://bugzilla.mindrot.org/show_bug.cgi?id=421
------- Additional Comments From carl at chage.com 2003-01-10 05:38 -------
I noticed the same problem with a compile error where ucred is undefined in
SUSE Linux 6.1. The problem is the test for SO_PEERCRED-- the feature is not
available even though the define is present. In my linux/socket.h there is
a "#define SCM_CREDENTIALS" next