similar to: "Semi-Trusted" SSH-Keys that also require PAM login

Hello Damien, Brian and all, thanks for the suggestions. I actually had not considered host-based authentication and looked it up. As I understand from my first quick reading, I would need to specify the clients which are allowed to use host-based auth on the server with a DNS name or an IP, which would not work for a client behind a CG NAT or in a cellular network. Or did I get this wrong?

Good day! A few weeks ago, we had a security breach in the company I'm working for, because employees used "ssh -R" to expose systems from our internal network to some SSH server in the outer world. Of course, this is a breach of our internal security policy, but lead us to wonder, whether there is a technical solution to prevent our users from creating SSH-reverse-tunnels. After

On Apr 4 13:58, Nico Kadel-Garcia wrote: > On Wed, Apr 4, 2018 at 11:43 AM, Alexander Wuerstlein > <snalwuer at cip.informatik.uni-erlangen.de> wrote: > > On 2018-04-04T17:27, mlrx <openssh-unix-dev at 18informatique.com> wrote: > >> Le 04/04/2018 ? 13:32, Jan Bergner a ?crit : > >> > Good day! > >> > > >> > Is it possible to

On Thu, Apr 5, 2018 at 7:13 AM, Jan Bergner <jan.bergner at indurad.com> wrote: > Hello all. > > First of all, I want to extend my sincere thanks to all the people who > came to the rescue so quickly. > > In any case, there is obviously room for clarification on my part, so I > will try to describe the situation we had in more detail. > > In short: > Employees

Hello All, The attached patch allows openssh to specify which pam service name to authenticate users against by specifying the PAMServiceName attribute in the sshd_config file. Because the parameter can be included in the Match directive sections, it allows different authentication based on the Match directive. In our case, we use it to allow different levels of authentication based on the

There has been some good discussion around our IBM security team as to what actually constitutes SSH multi factor authentication. There are 2 options being discussed. One, the Google Authenticator (OTP authentication). Two, Public/Private key authentication (pubkeyauthentication = yes) which supports pass phrase private key authentication. Which of these is considered multi-factor

Hey everyone, Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)? The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with

I don't see a way to do this currently (unless I am missing something) but I would like to be able to specify, that in order for a user to login, they need to use at least 1 public key from 2 separate key sources.? Specifically this would be when using "AuthenticationMethods publickey,publickey".? Right now requiring 2 public keys for authentication will allow 2 public keys from

I'm writing a PAM module to do authentication through Signal (as in Open Whisper Systems) [1]. I would like to be able to offer (Public key AND Signal) or (Password AND Signal) for authentication. This suggests setting AuthenticationMethods to publickey,keyboard-interactive:pam password,keyboard-interactive:pam However, when PAM is enabled "password" means "show password

I have sshd server sshd -V ... OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 ... running on linux/64 with cat sshd_config ... PubkeyAuthentication yes PasswordAuthentication no ChallengeResponseAuthentication no

I'm having trouble with the rsync wrapper's I've found online: rsync_wrapper[8458]: SSH_ORIGINAL_COMMAND environment variable apparently not set rsync: connection unexpectedly closed (0 bytes read so far) rsync error: error in rsync protocol data stream (code 12) at io.c(189) I'm not sure if this is a problem of incompatibility between my RHES3 and the wrappers I've found or

On Sat, 2012-05-12 at 00:47 -0500, Hal Finkel wrote: > On Tue, 01 May 2012 21:25:29 -0500 > Peter Bergner <bergner at vnet.ibm.com> wrote: > > By the strict letter of the 32-bit ABI, the save and restore of > > r31 at a negative offset of r1 is verboten. The ABI states the > > the stack space below the stack pointer is declared as volatile. > > I actually

On Tue, 2012-05-01 at 19:58 -0500, Peter Bergner wrote: > On Tue, 2012-05-01 at 17:47 -0500, Hal Finkel wrote: > > By default it should build for > > whatever the current host is (no special flags required). To > > specifically build for something else, use: > > -ccc-host-triple powerpc64-unknown-linux-gnu > > or > > -ccc-host-triple

Hi, first of: my familiarity with OpenSSH/Pam code-base is very limited.. Please excuse me if some of this does not make any sense or seems stupid! I'm investigating if it is possible for a PAM module to find out which public key was accepted (when 'AuthenticationMethods publickey,keyboard-interactive' is used). From my digging in the source, it seems it is currently not. Would

On Tue, 01 May 2012 17:23:07 -0500 Peter Bergner <bergner at vnet.ibm.com> wrote: > On Tue, 2012-05-01 at 16:06 -0500, Hal Finkel wrote: > > LLVM/clang now will build in the normal way (./configure; make > > install) on PPC (you'll need at least the 3.1 release candidate (or > > trunk)). I generally build on my PPC64 hosts with: > > make ENABLE_OPTIMIZED=1

Ok, and then? in file smb.conf.192.168.0.1 [global] ... bind interfase only = yes interfaces = eth0 ... [FOR_ALL] ... in file smb.conf.192.168.0.2 [global] ... bind interfase only = yes interfaces = eth1 ... [ADMINS] ... Does this configuration works? Is this a good solution? i really don't know, so what's the global thinking about this. -- Information Systems

On 9/13/17 10:31 AM, Peter Bergner via llvm-dev wrote: > On 9/12/17 8:15 PM, Bill Seurer via llvm-dev wrote: >> I updated one of my powerpc64le llvm test systems to Fedora 25 and I >> started getting a whole bunch of sanitizer test case failures.  I tried >> testing some earlier revisions on the new OS that had worked fine under >> the old but they generate the same

Hello everyone, I know this is not correct place to ask this question but please help if you know As mentioned some tutorial, i install git version 1.7.3.4 in home directory (/var/chroot/home/content/xx/xxxxxxx/git). then I initialize git repository by git init --bare in my samplerepo.git then i add code in .bashrc file as follow export GIT_BIN=${HOME}/git export

Hello, OpenSSH-wizards. In our company, we have looked into SSH-HostKey-signing in order to realize automated access without the need to accept the server's hostkey, manually. I got it to work with the HostCertificate-directive inside the sshd_config. Now, I was wondering whether it is possible to have multiple signatures, so I can, for example, sign the hostkey once with a

On Fri, 2012-04-27 at 14:54 -0500, Hal Finkel wrote: > There is a comment in the file which reads: > > /* The weird 'i#*X' constraints on the following suppress a gcc > warning when __excepts is not a constant. Otherwise, they mean the > same as just plain 'i'. */ [sinp] > ("mtfsb0 %s0" : : "i#*X"(__builtin_ffs (__excepts))); [snip]