Thomas Martin | 21 May 2013 10:25

SSH users authentication depending on their public key.

Hi everyone.

I'm looking for a way to identify my SSH users according to their
public key; I mean I would like to have their name logged in my bash
session (in a shared Unix account).
I put this in my .profile:
 export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S - $SSH_USER] "

So now I'm trying to make OpenSSH fill the "SSH_USER" variable.

First I have to exclude the PermitUserEnvironment possibility for
security reasons, as said in the manual (and so I can't use the
"environment" directive in authorized_keys).
I saw the AcceptEnv and SendEnv directives, but I don't want to depend
on client settings.

So I did some tests with the "command" directive in authorized_keys,
and I'm able to manage interactive or non-interactive sessions, but I
don't know how to deal with sshfs/sftp use.
Also, in my opinion this is not an elegant solution, but I wasn't able
to find any other way so far.

Here is my authorized_keys (a single line):
command="sh -c 'SSH_KEY_USER=thomas /tmp/test.sh ${SSH_ORIGINAL_COMMAND:-}'" ssh-rsa publickey thomas <at> host.domain

Here is the /tmp/test.sh script:
#!/bin/bash
#
set -e
(Continue reading)
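A wrapper of the kind the post describes, as an added example that is not part of the original message: it tags the shared-account session with the key owner named in authorized_keys, writes one audit record per session, and handles the sftp/sshfs case the post asks about by inspecting what sshd puts in SSH_ORIGINAL_COMMAND. The script path, audit log path and sftp-server path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: a forced-command wrapper for a
# shared account that records which key owner logged in and still lets sftp and
# sshfs work. Script path, log path and sftp-server path are assumptions.
#
# authorized_keys line (constructed), one per key owner:
#   command="/usr/local/sbin/keyowner-wrap thomas",no-port-forwarding ssh-rsa AAAA... thomas@host
set -eu

SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}  # assumed "Subsystem sftp" path
AUDIT_LOG=${AUDIT_LOG:-/var/log/shared-account-audit.log} # assumed; keep it root-owned, append-only

# Work out what the client asked for. Under a forced command sshd places the
# original request in SSH_ORIGINAL_COMMAND; an sftp subsystem request arrives as
# the configured Subsystem command ("internal-sftp" or an sftp-server path).
classify_command() {
    case "${1:-}" in
        "")                          echo shell ;;
        internal-sftp|*sftp-server*) echo sftp ;;
        *)                           echo exec ;;
    esac
}

# Build the audit record (without timestamp) for one session.
audit_record() {
    printf 'owner=%s from=%s kind=%s cmd=%s' "$1" "$2" "$3" "$4"
}

run_wrapper() {
    owner=$1
    orig=${SSH_ORIGINAL_COMMAND:-}
    conn=${SSH_CONNECTION:-unknown}
    client=${conn%% *}                      # first field of SSH_CONNECTION is the client IP
    kind=$(classify_command "$orig")
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(audit_record "$owner" "$client" "$kind" "$orig")" >>"$AUDIT_LOG"
    export SSH_USER="$owner"                # consumed by HISTTIMEFORMAT in .profile
    case "$kind" in
        shell) exec "${SHELL:-/bin/sh}" -l ;;
        sftp)  exec "$SFTP_SERVER" ;;       # "internal-sftp" cannot be exec'd from a script
        *)     exec "${SHELL:-/bin/sh}" -c "$orig" ;;
    esac
}

# Only dispatch when sshd invokes the script with the key owner as argument.
if [ "$#" -ge 1 ]; then
    run_wrapper "$1"
fi
```

The record is only as trustworthy as the files involved: anyone using the shared account can edit its authorized_keys and .profile, so point AuthorizedKeysFile at a root-owned location and keep the wrapper and log outside the account's reach.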

Damien Miller | 16 May 2013 04:58

Announce: Portable OpenSSH 6.2p2 released


This is a portable OpenSSH bugfix release.

Changes since OpenSSH 6.2p1
===========================

Bugfixes:

 * ssh(1): Only warn for missing identity files that were explicitly
   specified.

 * Fix bug in contributed contrib/ssh-copy-id script that could result in
   "rm *" being called on mktemp failure. bz#2105

 * sshd(8): Quiet disconnect notifications on the server from error() back
   to logit() from error() for normal, client-initiated disconnections.
   bz#2057

 * Avoid conflicting definitions of __int64 on Cygwin

Checksums:
==========

 - SHA1 (openssh-6.2p2.tar.gz) = c2b4909eba6f5ec6f9f75866c202db47f3b501ba

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh <at> openssh.com
(Continue reading)

Nico Schottelius | 15 May 2013 23:45

[PATCH] Expose remote forwarding ports as environment variable

Good evening gentlemen,

the attached patch against openssh 6.2p1 exposes remote
forwarding ports to the remote shell:

    targethost % ssh -R 1234:localhost:22 controlhost
    controlhost % echo $SSH_REMOTE_FORWARDING_PORTS
    1234

    targethost % ssh -R 0:localhost:22 controlhost
    controlhost % echo $SSH_REMOTE_FORWARDING_PORTS
    54294

    targethost % ssh -R 0:localhost:22 -R 1234:localhost:22 controlhost
    controlhost % echo $SSH_REMOTE_FORWARDING_PORTS
    59056 1234

Detailed motivation can be found at

    http://www.nico.schottelius.org/blog/openssh-6.2-add-callback-functionality-using-dynamic-remote-port-forwarding/

The patch is attached.

Please let me know what you think about it and whether you'd
consider it for inclusion (with or without changes).

Cheers,

Nico

(Continue reading)

Daniel Kahn Gillmor | 15 May 2013 05:47

key rotation on ssh servers

hi OpenSSH folks--

I have several OpenSSH sshd servers that i've maintained for a long
time.  Some of them have keys that are considered short by today's
standards (e.g. 1024-bit RSA keys).

On these servers, I would like to be able to do a key rotation such that
multiple keys are valid during a time window so that users can learn the
new key before i remove the old one.  I don't think this is currently
supported, but i'm interested in figuring out how something like this
might happen in the future.

Reading the spec i don't see an explicit prohibition against multiple
keys of the same key type, but i don't see how it would be handled
exactly in the protocol either:

  https://tools.ietf.org/html/rfc4253#page-18

Looking at sshd.c, it seems to me that get_hostkey_by_type() only
permits sshd to offer a single key of each type.

Would it be possible for some sshd to offer more than one key of any
given type?  If so, this would permit such a key transition from clients
that could support it?  Or is there something in the spec that i'm not
seeing which makes this explicitly impossible?

       --dkg
(Continue reading)

Jeffrey Hawkins | 15 May 2013 02:33

Support for "ssh-rsa-sha256" and "ssh-dss-sha256" ?

Functionality request for supporting Digital Signatures for RSA and DSS
Public Key Algorithms in alignment with NIST SP800-131A.

I assume this has been asked before, but I could not find it in the
archives.   Support of "ssh-rsa-sha256" and "ssh-dss-sha256" public key
algorithms for OpenSSH?  I know Suite B Algorithms and x509 SSH
Extension Algorithms are supported, but not a path some folks (us) want
to take.  Tectia supports similar algorithms via their own extensions
in commercial SSH.

Are these algorithms being worked on for
OpenSSH or been previously rejected?  Assuming not rejected, and no one
working on it, if I were to do the work and create the patch set, would
it be accepted into the mainline?

Thanks,
Jeff
Schmidt, Kenneth P | 13 May 2013 18:22

[PATCH] Specify PAM Service name in sshd_config

Hello All,

The attached patch allows openssh to specify which pam service name to
authenticate users against by specifying the PAMServiceName attribute in
the sshd_config file.  Because the parameter can be included in the Match
directive sections, it allows different authentication based on the Match
directive.  In our case, we use it to allow different levels of
authentication based on the source of the authentication attempts
(securID auth in untrusted zones, password auth in trusted zones).  The
default is still to use the binary name.

____________________________________________
Ken Schmidt
Research Scientist, Molecular Science Computing Operations
EMSL: Environmental Molecular Sciences Laboratory

Pacific Northwest National Laboratory
902 Battelle Boulevard
P.O. Box 999, MSIN K8-83
Richland, WA  99352 USA
Tel:  509-371-6107
Fax: 509-371-6110
Kenneth.schmidt <at> pnnl.gov
www.emsl.pnl.gov

(Continue reading)

brindha perumal | 13 May 2013 15:10

Session rekeying support in OpenSSH

Hi,

I am using OpenSSH_5.2p1.  It seems the ssh server doesn't support key
regeneration after a specified amount of time. I manually verified the
OpenSSH_5.2p1 and OpenSSH-6.2 source code and haven't found any code
support for session rekeying in either release.

SSH2 supports session rekeying using the parameter "RekeyIntervalSeconds"
with default value 3600 seconds (one hour) in both the ssh2_config and
sshd2_config files.  I haven't found a similar parameter in the
OpenSSH_5.2p1 and openssh-6.2 configuration files.

Does OpenSSH not support session rekeying (rekeying after a specified
amount of time)? If so, is there any alternative approach to achieve this
behavior?

Your prompt reply would be so helpful.

Thanks,

Brundha
Damien Miller | 10 May 2013 08:19

Candidate tarball for openssh-6.2p2

Hi,

Here is a release candidate tarball for openssh-6.2p2:

http://www.mindrot.org/openssh_snap/candidate-openssh-6.2p2.tar.gz
http://www.mindrot.org/openssh_snap/candidate-openssh-6.2p2.tar.gz.asc

This includes the following bugfixes (relative to 6.2p1):

 - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h
   to avoid conflicting definitions of __int64, adding the required bits.
   Patch from Corinna Vinschen.
   - djm <at> cvs.openbsd.org 2013/04/11 02:27:50
     [packet.c]
     quiet disconnect notifications on the server from error() back to logit()
     if it is a normal client closure; bz#2057 ok+feedback dtucker <at> 
   - dtucker <at> cvs.openbsd.org 2013/02/17 23:16:57
     [readconf.c ssh.c readconf.h sshconnect2.c]
     Keep track of which IdentityFile options were manually supplied and which
     were default options, and don't warn if the latter are missing.
     ok markus <at> 
   - dtucker <at> cvs.openbsd.org 2013/02/19 02:12:47
     [krl.c]
     Remove bogus include.  ok djm
   - dtucker <at> cvs.openbsd.org 2013/02/22 04:45:09
     [ssh.c readconf.c readconf.h]
     Don't complain if IdentityFiles specified in system-wide configs are
     missing.  ok djm, deraadt.
   - markus <at> cvs.openbsd.org 2013/02/22 19:13:56
     [sshconnect.c]
(Continue reading)

Guennadi Liakhovetski | 9 May 2013 18:23

ssh ethernet tunnel performance problem

Hi

(I'm not subscribed, please, cc)

I've got an ethernet-level ssh tunnel to a remote system. That system is 
running a terminal server, so that tunnel is the only connection I've 
got. The terminal server is connected via a serial and an ethernet cable 
to a test board and is configured to bridge that ethernet connection to my 
tunnel. I can then trigger that test board to start a TFTP or NFS data 
transfer over the tunnel from my system. The whole thing should look like this:

[my client] --- <internet> --- [terminal] === <serial cable> === [test ]
                               [ server ] ----- <ethernet> ----- [board]

(whereas I don't know whether the terminal server actually has 2 ethernet 
interfaces or only 1. I think it should really have at least 2, because 
actually it's serving 8 test boards; I'll try to clarify its 
configuration and post an update)

This works in principle, and from a "geographically close" location it also 
runs reasonably quickly. Whereas from my half-world distance I'm getting 
like 1.5kBps tftp and a bit more with NFS. The person who set up the 
server says that he previously also had performance problems with an 
older Fedora distro, but with Fedora 18 it runs fast now. I've tried with 
Debian squeeze with a self-built 3.9.1 and (about 1-2 year old) Ubuntu, 
both over my and a 3G connection - the speed remains the same. Any clues?

Thanks
Guennadi
(Continue reading)
