similar to: [Bug 2353] New: options allowed for Match blocks missing form documentation

Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c

On Tue, 3 May 2016, Rogan Dawes wrote: > Hi Damien, > Thanks for the response! > > I tried moving the StreamLocalBindUnlink directive outside of the Match > rule, and it worked. But that doesn't explain why the Match was not > correctly setting the directive: > > This is running on an alternate port with -ddd: > > debug3: checking match for 'User

Hi, The code definitely attempts to unlink any old listener beforehand (see misc.c:unix_listener()) so I don't understand why that isn't being called. You might try simulating your configuration using sshd's -T and -C to make sure the flag is correctly being set. Could chroot be interfering? Some platforms implement additional restrictions on devices and sockets inside chroot. -d

When forwarding a Unix-domain socket, the remote socket path must be absolute (otherwise the forwarding fails later). However, guessing absolute path on the remote end is sometimes not straightforward, because the file system location may vary for many reasons, including the system installation, the choices of NFS mount points, or the remote user ID. To allow ssh clients to request remote socket

Hi folks, (3rd time I am sending this message, none of the other appear to have made it through!) Using "OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015" on the server, "OpenSSH_7.2p2, OpenSSL 1.0.2g 1 Mar 2016" on the client. I am trying to use sshtunnel with StreamLocal forwarding to enable me to connect back to the client's ssh port, without having to

Hello, I manage OpenSSH on a dozen or so servers that act as gateways for a large amount of developers and system administrators. On these servers it is common for there to be more than 1000 active X11 forwards active at peak usage. Beyond ~1000 active X11 forwards, sshd will fail to bind additional ports due to a hard coded range check in channels.c that limits the port range that sshd will

OpenSSH 6.9 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,

http://25thandclement.com/~william/openssh-4.3p2-streamlocal-20060421.patch The above URL is a complete patch to OpenSSH 4.3p2 to implement unix domain socket forwarding (this supercedes a canceled message I sent last night w/ an inline attachment). Basically, for forward and reverse forwardings anywhere you previously put a port number you can now put a path. The socket path should go between

OpenSSH 6.9 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,

https://bugzilla.mindrot.org/show_bug.cgi?id=2601 Bug ID: 2601 Summary: StreamLocalBindUnlink not working Product: Portable OpenSSH Version: 7.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org

Greetings, I am using OpenSSH Signed Public Key authentication for servers ssh login. All of the servers are setup with below sshd_config options: TrustedUserCAKeys /etc/ssh/ca.pub # CA Public Keys RevokedKeys /etc/ssh/revoke.pub # User Public Keys When i started working on it, for ssh authentication i had to have CA Public Key in User ~/.ssh/authorized_keys, like: cert-authority ssh-rsa

https://bugzilla.mindrot.org/show_bug.cgi?id=2487 Bug ID: 2487 Summary: AuthorizedPrincipalsCommand should probably document whether it only applies to TrustedUserCAKeys CAs Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement

Wondering if it would make sense to have more granular control of trustedUserCAkeys? I have 1 key used to sign root certs, the key is shortlived, and is rotated daily. And I have a 2nd key to sign non- privileged user certs. The non-privileged certs have a longer validity period, and the signing keys are not rotated as frequently. It would be nice to ensure this second signing key's

https://bugzilla.mindrot.org/show_bug.cgi?id=3634 Bug ID: 3634 Summary: IPQoS default should be changed to "none" Product: Portable OpenSSH Version: 9.5p1 Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: Miscellaneous Assignee:

OpenSSH 5.4 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,

https://bugzilla.mindrot.org/show_bug.cgi?id=1965 Bug #: 1965 Summary: IPQoS option ignored for AF_INET since 5.9p1-1 Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All URL: http://bugs.debian.org/643312 OS/Version: Linux Status: NEW Severity: normal

Hi, There are a few minor tweaks I would like to suggest regrading the recently added TrustedUserCAKeys section in sshd_config(5). TrustedUserCAKeys Specifies a file containing public keys of certificate authorities that are trusted sign user certificates for authentication. Keys are listed one per line, empty lines and comments starting with

https://bugzilla.mindrot.org/show_bug.cgi?id=1963 Bug #: 1963 Summary: IPQoS not honoured Classification: Unclassified Product: Portable OpenSSH Version: 5.8p1 Platform: amd64 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: unassigned-bugs at

Hey everyone, I wanted to add support for denying PTY allocation through OpenSSH. I'm not certain if this is quite thorough enough for all cases, but for me it might work for the moment. I know that you can currently do this through authorized_keys, but as far as I know that only works for an actual key. In my use case, I wanted a user with no password which is forced to run a specific

OpenSSH 5.4 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches,