similar to: [Bug 2664] New: Boolean option parsing is excessively case-sensitive

Hello! I'm hoping that Gmail won't HTML format this mail so that I'll get flamed :) Anyway, my question relates to ssh_config. The problem I find is that the Host pattern is only applied to the argument given on the command line, as outlined in the man page: "The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name

This patch allows the OpenSSH client to make connections over SCTP, and allows the OpenSSH server to listen for connections over SCTP. SCTP is a robust transport-layer protocol which supports, amongst other things, the changing of endpoint IPs without breaking the connection. To connect via SCTP, pass -H or set "ConnectViaSCTP yes". To listen via SCTP as well as TCP, set

Hi, This patch (relative to -HEAD) defines an API to allow sandboxing of the pre-auth privsep child and a couple of sandbox implementations. The idea here is to heavily restrict what the network-face pre-auth process can do. This was the original intent behind dropping to a dedicated uid and chrooting to an empty directory, but even this still allows a compromised slave process to make new

https://bugzilla.mindrot.org/show_bug.cgi?id=2400 Bug ID: 2400 Summary: StrictHostKeyChecking=no behaviour on HOST_CHANGED is excessively insecure Product: Portable OpenSSH Version: 6.8p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component:

Some time ago, Ben wrote about a PrintLastLog patch: > If the person who originally submitted it wants to write a complete > patch and submit it. Then we would be happy to debate if it will be > included. Well, here it is, because: "You Asked For It!" PS: I'm tired of maintaining my own version of Debian's ssh just to have this option available, so I hope you find

Because ForwardX11 and ForwardAgent are so useful but introduce risk when used to a not well-secured server, I added a "warn" value to the ForwardX11 and ForwardAgent options which causes the ssh client to print a big warning whenever the forwarding is actually used. I plan to make "ForwardX11=warn" the default in my ssh_config distribution. I'm not proposing that this

Precedence: bulk Hi folks, It seemed to me that it would be useful to be able to control access to my server with the /etc/ssh_known_hosts file, using RSA authentication of the remote host. But the protocol only allows RSA host authentication in conjunction with rhosts, while I prefer RSA user authentication. I've made a patch to the server which adds a new configuration option:

I need a way to make sshd require S/KEY authentication to succeed before allowing either password or public-key authentication. Currently, we can only have S/KEY+password, by using PAM for authentication, and configuring PAM accordingly. But PAM of course can't handle SSH public keys. I thought for a while that ideally we could actually use PAM to tell sshd what methods of authentication to

This is a better approach to persistent control masters than my previous attempt. Instead of forking before we make the connection, do so only when the original session has closed -- much like the code for '~&' backgrounding already does. My earlier patch for 'ControlPath none' still applies and is required, btw. --- openssh/clientloop.c~ 2005-06-17 03:59:35.000000000 +0100

Hello, I going to use ssh with Kerberos V5 support along with support for AFS. I don't want to use Kerberos V4 or AFS token passing. The only thing I need from AFS is creating an AFS token (using appropriate function from krb5 API) after user's authentication. It seems to me that such scenario is not much supported by the current code. Rather it is assumed only Kerberos 4 will be used

I'm trying to replace some sshv1 clients and servers in a modular way, and the "Server Lies" warning (when the server says the key has one more bit than it really has) is causing heartache. Per the FAQ, this is relatively benign. Here's a patch that allows an admin or user to disable the warning. - Morty diff -Nur openssh-3.7.1p2/readconf.c

CentOS Errata and Security Advisory 2020:2664 Important Upstream details at : https://access.redhat.com/errata/RHSA-2020:2664 The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) x86_64: fea11f1f43122034495bbb00d8328241b4194870e1586a2f13c86acad5f200cc bpftool-3.10.0-1127.13.1.el7.x86_64.rpm

Okay...I've got it narrowed down, just don't know why this is happening... In sshd.c, auth_mask is set to "supported authentication methods": /* Declare supported authentication types. */ auth_mask = 0; if (options.rhosts_authentication) auth_mask |= 1 << SSH_AUTH_RHOSTS; if (options.rhosts_rsa_authentication)

We have a system on which users are given a very restricted environment (their shell is a menu) where they should not be able to run arbitrary commands. However, because their shell is not statically linked, ld.so provides a nice clutch of holes for them to exploit. The patch below adds a new configuration option to sshd which quashes their attempts to set LD_PRELOAD etc. using ~/.ssh/environment

I've been trying to cut down the size of openssh so I can run it on my Nokia 770. One thing which helps a fair amount (and will help even more when I get '-ffunction-sections -fdata-sections --gc-sections' working) is to have the option of compiling out privilege separation... Is it worth me tidying this up and trying to make it apply properly to the OpenBSD version? Does the openbsd

Scenario: I have access to a semi-public (about 30 users) server where I keep my webpage. Occasionally, especially if I'm on the road. I use this as a bounce point to get to "secured" systems which only allow ssh from certian IP's. (Ignoring the discussion on spoofing, since we have host keys) But host keys are the problem. If anyone gets root on this hypothetical

Hi, We at BalaBit IT Security Ltd developed a patch against openssh 2.3.0p1 to support TIS authserv authentication. TIS authserv uses a simple protocol, and supports CryptoCard, SKey, password etc. authentication. The commercial versions of SSH support this protocol, OpenSSH implemented SKey on its own using the protocol primitives originally invented for TIS authentication. Our patch is an

Attached is a patch to allow a user to turn on TCP keepalives for port forwarded connections. It's mainly useful when the connections to the ssh listener are coming from many different boxes, some of which crash, leaving the service on the other side of the port forwarder waiting on connections indefinitely. It creates a new option named "KeepAliveForward" to control this behavior.

https://bugzilla.mindrot.org/show_bug.cgi?id=1806 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- Set all RESOLVED bugs to CLOSED with release

It would be useful to allow matching HostName entries against Host entries. That's to say, I would find it very convenient to have an ssh_config like: Host zeus HostName zeus.greek.gods User hades Host hera HostName hera.greek.gods # [ ... ] Host *.greek.gods User poseidon UserKnownHostsFile ~/.ssh/known_hosts.d/athens # [ Default settings for *.greek.gods ] where I