From Michael.Tuexen at lurchi.franken.de Fri Jun 1 06:02:55 2012
From: Michael.Tuexen at lurchi.franken.de (Michael Tuexen)
Date: Thu, 31 May 2012 22:02:55 +0200
Subject: SCTP support for OpenSSH
Message-ID: <4BF73250-AA5A-4C55-9A80-9C31E7242CAB@lurchi.franken.de>

Dear all,

I just subscribed, therefore I can't answer the earlier messages inline...

The FreeBSD SCTP implementation (and I think also the Linux implementation) supports a feature called AUTO-ASCONF. If a node gets a new IP address, or gives up one, it is automatically added to or removed from the association. So you don't need to involve DNS in this. And you do not need to write OS-specific code to deal with local address changes.

Best regards
Michael

From ondrejv at s3group.com Fri Jun 1 17:50:41 2012
From: ondrejv at s3group.com (Ondrej Valousek)
Date: Fri, 01 Jun 2012 09:50:41 +0200
Subject: ssh & control groups
Message-ID: <4FC87451.5000701@s3group.cz>

Hi List,

I am looking for an option for sshd to start a user's shell (when logging in interactively to a remote host) in a control group via cgexec - so for example:

/bin/cgexec -g /bin/bash

This would be extremely handy on Linux terminal servers to control users' access to the system resources (protect the system from a malicious user hogging the machine by running CPU/memory intensive applications).

Is something like that possible to achieve?

Thanks,
Ondrej

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications at s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18

From imorgan at nas.nasa.gov Sat Jun 2 03:02:59 2012
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Fri, 1 Jun 2012 10:02:59 -0700
Subject: ssh & control groups
In-Reply-To: <4FC87451.5000701@s3group.cz>
References: <4FC87451.5000701@s3group.cz>
Message-ID: <20120601170259.GA5174@linux124.nas.nasa.gov>

On Fri, Jun 01, 2012 at 02:50:41 -0500, Ondrej Valousek wrote:
> Hi List,
>
> I am looking for an option for sshd to start a user's shell (when logging in interactively to a remote host) in a control group via cgexec - so for example:
>
> /bin/cgexec -g /bin/bash
>
> This would be extremely handy on Linux terminal servers to control users' access to the system resources (protect the system from a malicious user hogging the machine by running CPU/memory intensive applications).
>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>

Hello,

Unfortunately, OpenSSH doesn't support an option which could handle this. The closest would be the ForceCommand option, but it does not have the flexibility you need and the command is invoked with the user's shell.

Something which I have been contemplating submitting as a feature enhancement is a ForceShell option. The original motivation was to provide a means of overriding a user's shell from within an sshd_config(5) Match block. This could be used to conditionally force the user's shell to something like authpf, scponly, mesh etc. If the option supported macros such as %u (for the username) and %s (for the user's original shell), it would probably meet your needs.

However, this only exists as a concept. I have not cut any code for this and it will probably be a few months before I have an opportunity to do so. And, since this is the first time I have mentioned this on the list, I have no idea whether such a feature would be of interest to the developers.

--
Iain Morgan

From bert.wesarg at googlemail.com Sat Jun 2 04:34:59 2012
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Fri, 1 Jun 2012 20:34:59 +0200
Subject: ssh & control groups
In-Reply-To: <4FC87451.5000701@s3group.cz>
References: <4FC87451.5000701@s3group.cz>

Hi,

On Fri, Jun 1, 2012 at 9:50 AM, Ondrej Valousek wrote:
> Hi List,
>
> I am looking for an option for sshd to start a user's shell (when logging in interactively to a remote host) in a control group via cgexec - so for example:
>
> /bin/cgexec -g /bin/bash
>
> This would be extremely handy on Linux terminal servers to control users' access to the system resources (protect the system from a malicious user hogging the machine by running CPU/memory intensive applications).

Shouldn't this be handled by PAM? A quick search reveals this:

http://fedoraproject.org/wiki/Features/ControlGroups

Bert

>
> Is something like that possible to achieve?
> Thanks,
>
> Ondrej
>

From ondrejv at s3group.com Mon Jun 4 19:48:29 2012
From: ondrejv at s3group.com (Ondrej Valousek)
Date: Mon, 04 Jun 2012 11:48:29 +0200
Subject: ssh & control groups
References: <4FC87451.5000701@s3group.cz>
Message-ID: <4FCC846D.9070505@s3group.cz>

On 06/01/2012 08:34 PM, Bert Wesarg wrote:
> Shouldn't this be handled by PAM? A quick search reveals this:
>
> http://fedoraproject.org/wiki/Features/ControlGroups
>
> Bert

Hi,

Thanks for the tip. Installing libcgroup-pam did the job, indeed!
The only remaining thing is the control group creation upon user login - and that one I can obviously handle with pam_exec.so

Thanks all,
Ondrej

From vinschen at redhat.com Tue Jun 5 22:04:31 2012
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 5 Jun 2012 14:04:31 +0200
Subject: [patch/cygwin]: Explicitly add user right to start service
Message-ID: <20120605120431.GA26750@calimero.vinschen.de>

Hi,

could somebody with checkin rights please apply the patch below to the Cygwin service creator script? It patches a problem when using an existing account to start the sshd service. In that case the script so far doesn't make sure that the user has the right to logon as a service.

Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v retrieving revision 1.31 diff -u -p -r1.31 ssh-host-config --- contrib/cygwin/ssh-host-config 21 Feb 2011 10:41:32 -0000 1.31 +++ contrib/cygwin/ssh-host-config 5 Jun 2012 12:04:22 -0000 @@ -493,6 +493,7 @@ install_service() { -a "-D" -y tcpip "${cygwin_env[@]}" \ -u "${run_service_as}" -w "${password}" then + /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight echo csih_inform "The sshd service has been installed under the '${run_service_as}'" csih_inform "account. To start the service now, call \`net start sshd' or"

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From rudupa at easylink.com Fri Jun 8 02:40:42 2012
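Review bot: The editrights call added in hunk @@ -493,6 +493,7 @@ is not checked, so if it fails (editrights missing, or the account running the script not privileged to grant rights) the script still reports the service as installed and sshd will then fail to start under '${run_service_as}' for lack of the logon right. Suggest testing its exit status and reporting a failure through the same csih_inform messages, e.g. `if ! /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight; then csih_inform "Could not grant SeServiceLogonRight to ${run_service_as}"; fi`.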
From: rudupa at easylink.com (Raghu Udupa)
Date: Thu, 7 Jun 2012 16:40:42 +0000
Subject: While using internal sftp server, need to access files outside chroot
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com>

Hi,

I need to make a custom code change in the sftp-server module to copy the received file outside the chroot setup. I am trying to chroot repeatedly to get the physical root directory and then copy the received file to a directory outside the chrooted directory.

The child processes are owned by the sftp user and so the sftp child process does not have permission to escape out of the chroot.

Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root?

I tried to change user to root, but user root is not defined in the chroot environment and so setting setuid and becoming root to chroot is not an option.

Thanks,
Raghu

From keisial at gmail.com Fri Jun 8 02:58:26 2012
From: keisial at gmail.com (Ángel González)
Date: Thu, 07 Jun 2012 18:58:26 +0200
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <4FD0DDB2.2010108@gmail.com>

On 07/06/12 18:40, Raghu Udupa wrote:
> Hi,
>
> I need to make a custom code change in the sftp-server module to copy the received file outside the chroot setup. I am trying to chroot repeatedly to get the physical root directory and then copy the received file to a directory outside the chrooted directory.
>
> The child processes are owned by the sftp user and so the sftp child process does not have permission to escape out of the chroot.

Heh, that's precisely the point of placing it in a chroot.

> Is there a simple way where I can spawn child processes for sftp so that these processes are owned by root?
>
> I tried to change user to root, but user root is not defined in the chroot environment and so setting setuid and becoming root to chroot is not an option.
>
> Thanks,
> Raghu

It doesn't matter. You can make a binary setuid from outside the chroot. When you run it from the inside, it will become root, even if there's no "user named root" inside.
You can then use the classical technique to exit a chroot(), and copy the file you wanted, *being very careful*, as that script will be a weak point in your security (you don't want to allow it to copy files anywhere, or to overwrite configuration files, for instance).

Some reasons this might not work include that the mount doesn't allow setuid, and that your kernel is security-enhanced to avoid chroot-escaping.

From rudupa at easylink.com Fri Jun 8 06:47:26 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Thu, 7 Jun 2012 20:47:26 +0000
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <4FD0DDB2.2010108@gmail.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com>
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com>

Angel,

When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with patches required for sftp) have the setuid flag set?

If I turn on the setuid bit, sshd does not run properly.
Could you give me some more detail regarding providing access out of chroot in the ssh-sftp (internal sftp) environment?

Thanks,
Raghu

From keisial at gmail.com Fri Jun 8 07:02:42 2012
From: keisial at gmail.com (Ángel González)
Date: Thu, 07 Jun 2012 23:02:42 +0200
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <4FD116F2.6020909@gmail.com>

On 07/06/12 22:47, Raghu Udupa wrote:
> Angel,
>
> When you say "You can make a binary setuid from outside the chroot" do you mean making my custom sshd (with patches required for sftp) have the setuid flag set?
>
> If I turn on the setuid bit, sshd does not run properly.
> Could you give me some more detail regarding providing access out of chroot in the ssh-sftp (internal sftp) environment?
>
> Thanks,
> Raghu

No. I was thinking of another program which lived inside the chroot and was called to copy files outside.

I begin to wonder why you need to do so, though. Why do you chroot to a folder if you then need to move the files anywhere else? What's your use case?
If it's a simple drop box, you could use an unchrooted process watching the folder and moving out new files.

From rudupa at easylink.com Fri Jun 8 07:14:35 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Thu, 7 Jun 2012 21:14:35 +0000
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <4FD116F2.6020909@gmail.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com>
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com>

Angel,

I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.

Your first solution of having a custom script to copy the file to the generic queue dir would work.

Can you think of a better way to move files given my requirements?

Thanks,
Raghu

From keisial at gmail.com Fri Jun 8 07:56:34 2012
From: keisial at gmail.com (Ángel González)
Date: Thu, 07 Jun 2012 23:56:34 +0200
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <4FD12392.3040704@gmail.com>

On 07/06/12 23:14, Raghu Udupa wrote:
> Angel,
>
> I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.

Why? Can they be chrooted to that queue directory?

From rudupa at easylink.com Fri Jun 8 08:06:33 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Thu, 7 Jun 2012 22:06:33 +0000
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <4FD12392.3040704@gmail.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com>
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com>

Angel,

I do not think I can chroot to that dir (basically it is a queue directory that contains all incoming files from various users queued for subsequent processing). After thinking a little bit more, having a perl daemon monitor the inboxes and move files to the common queue dir is the best solution (your 2nd idea). This requires minimal customization on the ssh side and is very clean....

Thanks,
Raghu

From mouring at eviladmin.org Fri Jun 8 08:15:49 2012
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Thu, 7 Jun 2012 17:15:49 -0500
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>

The major edge case you need to worry about is the perl daemon moving/copying before sftp is done. A move to the same partition isn't a problem as sftp still has the file descriptor, but a copy or a move to another partition will result in corrupted data.

The easiest solution if clients are disconnected more often than connected is to skip all active inboxes with sftp sessions associated with them.

- Ben

On Jun 7, 2012, at 5:06 PM, Raghu Udupa wrote:
> Angel,
>
> I do not think I can chroot to that dir (basically it is a queue directory that contains all incoming files from various users queued for subsequent processing). After thinking a little bit more, having a perl daemon monitor the inboxes and move files to the common queue dir is the best solution (your 2nd idea). This requires minimal customization on the ssh side and is very clean....
>
> Thanks,
> Raghu

From carson at taltos.org Fri Jun 8 08:56:01 2012
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 07 Jun 2012 15:56:01 -0700
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com> <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
Message-ID: <4FD13181.2060408@taltos.org>

On 6/7/12 3:15 PM, Ben Lindstrom wrote:
>
> The major edge case you need to worry about is the perl daemon moving/copying before sftp is done. A move to the same partition isn't a problem as sftp still has the file descriptor, but a copy or a move to another partition will result in corrupted data.
>
> The easiest solution if clients are disconnected more often than connected is to skip all active inboxes with sftp sessions associated with them.

IFF you can control client behaviour, one standard work-around is to use an atomic transaction to indicate the file is ready for processing. The 2 most common are rename and chmod. So either:

- upload file as foo.inprogress
- rename after complete to foo.alldone
- process all *.alldone files

or

- upload file as foo, umasking so it's not executable by default
- chmod u+x foo
- process all executable files

From nkadel at gmail.com Fri Jun 8 09:47:55 2012
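As an added example in Python (not code from the thread, nor OpenSSH's), here is the core of the unchrooted mover daemon discussed above: it honours both of Carson's ready-for-processing handshakes (rename to *.alldone, or chmod u+x), so files still being written (Ben's edge case) are never touched, and it also covers the cross-filesystem move Ben warned about by copying to a temp file, fsyncing and renaming it into place. The per-user inbox layout `<inbox_root>/<user>/` and the `user__name` queue naming are assumptions.

```python
import errno
import os
import shutil
import stat
import tempfile

READY_SUFFIX = ".alldone"  # rename handshake: foo.inprogress -> foo.alldone


def is_ready(path):
    """True for a regular file the client has marked complete.

    Both handshakes from the thread count: the upload was renamed to
    *.alldone, or the client ran 'chmod u+x' on it.  A file with no marker
    is still being written (Ben's edge case) and is left alone.  lstat()
    plus S_ISREG means symlinks and special files are never moved, so an
    sftp user cannot aim the mover at a path outside their inbox.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return path.endswith(READY_SUFFIX) or bool(st.st_mode & stat.S_IXUSR)


def queue_name(queue_dir, user, src):
    """Queue file name that records the uploader and never clobbers a file
    another user delivered under the same basename (naming is assumed)."""
    base = os.path.basename(src)
    if base.endswith(READY_SUFFIX):
        base = base[:-len(READY_SUFFIX)]
    candidate = os.path.join(queue_dir, "%s__%s" % (user, base))
    n = 1
    while os.path.lexists(candidate):
        candidate = os.path.join(queue_dir, "%s__%s.%d" % (user, base, n))
        n += 1
    return candidate


def move_to_queue(src, dst):
    """Same filesystem: one atomic rename.  Other filesystem (the copy Ben
    warned about): copy to a temp file beside dst, fsync, rename into place,
    then unlink src, so a queue consumer never sees a half-written file."""
    try:
        os.rename(src, dst)
        return dst
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
    fd, tmp = tempfile.mkstemp(prefix=".incoming.", dir=os.path.dirname(dst))
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())
        os.rename(tmp, dst)
    except BaseException:
        os.unlink(tmp)
        raise
    os.unlink(src)
    return dst


def sweep(inbox_root, queue_dir):
    """One pass over <inbox_root>/<user>/ (assumed layout: one chrooted sftp
    inbox per user).  Returns the queue paths of the files moved."""
    moved = []
    for user in sorted(os.listdir(inbox_root)):
        inbox = os.path.join(inbox_root, user)
        if not os.path.isdir(inbox):
            continue
        for name in sorted(os.listdir(inbox)):
            src = os.path.join(inbox, name)
            if is_ready(src):
                moved.append(move_to_queue(src, queue_name(queue_dir, user, src)))
    return moved


def demo():
    """Constructed sample tree: an upload still in progress, one renamed
    *.alldone, one flagged u+x, and a symlink that must be ignored."""
    root = tempfile.mkdtemp(prefix="sftp-queue-demo.")
    inboxes = os.path.join(root, "inboxes")
    queue = os.path.join(root, "queue")
    os.makedirs(queue)
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(inboxes, user))
    for rel, body in (("alice/report.csv.inprogress", "partial"),
                      ("alice/data.csv.alldone", "complete"),
                      ("bob/firmware.bin", "complete")):
        with open(os.path.join(inboxes, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(inboxes, "bob", "firmware.bin"), 0o700)
    os.symlink("/etc/passwd", os.path.join(inboxes, "bob", "passwd.alldone"))
    moved = sorted(os.path.basename(p) for p in sweep(inboxes, queue))
    left = sorted("%s/%s" % (u, n) for u in os.listdir(inboxes)
                  for n in os.listdir(os.path.join(inboxes, u)))
    shutil.rmtree(root)
    return {"moved": moved, "left": left}
```

Run `sweep()` from cron or an inotify close-write handler; `demo()` builds and tears down a throwaway tree to show which files a pass picks up and which it leaves.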
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Thu, 7 Jun 2012 19:47:55 -0400
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com>

On Thu, Jun 7, 2012 at 5:14 PM, Raghu Udupa wrote:
> Angel,
>
> I need to provide a set of users only SFTP access. But files these users put need to be copied to a generic queue directory.
>
> Your first solution of having a custom script to copy the file to the generic queue dir would work.
>
> Can you think of a better way to move files given my requirements?
>
> Thanks,
> Raghu
>

If the propagation doesn't have to be instantaneous, "rsync" between the source and target locations run from a cron job should work quite well.

From rudupa at easylink.com Fri Jun 8 12:54:11 2012
From: rudupa at easylink.com (Raghu Udupa)
Date: Fri, 8 Jun 2012 02:54:11 +0000
Subject: While using internal sftp server, need to access files outside chroot
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com>
Message-ID: <10F20BC0C13B3F4C928EFD1C3A651F36338138@PSEXMBX01.netmaster.corp.easylink.com>

Thanks all.

After a complete file is received, I will be moving the file from, say, the inbox directory to the received directory. Only files in the received directory are going to be picked up and, after a successful copy, removed.

Regards,
Raghu

From keisial at gmail.com Sat Jun 9 00:24:56 2012
From: keisial at gmail.com (Ángel González)
Date: Fri, 08 Jun 2012 16:24:56 +0200
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com> <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
Message-ID: <4FD20B38.1050600@gmail.com>

On 08/06/12 00:15, Ben Lindstrom wrote:
> The major edge case you need to worry about is the perl daemon moving/copying before sftp is done. A move to the same partition isn't a problem as sftp still has the file descriptor, but a copy or a move to another partition will result in corrupted data.
>
> The easiest solution if clients are disconnected more often than connected is to skip all active inboxes with sftp sessions associated with them.
>
> - Ben

It also depends on how you watch the directory. Some mechanisms, like inotify, allow you to perform the action when the file has been closed by the writing process.

From omri.il at gmail.com Tue Jun 12 05:31:06 2012
From: omri.il at gmail.com (Omri Bahumi)
Date: Mon, 11 Jun 2012 22:31:06 +0300
Subject: ssh-agent for an entire unix group

Hello everyone,

I've recently needed to allow the use of the same private key to a group of users without exposing it. My first idea was to use ssh-agent. After running it I changed the directory permissions and file permissions, but it still didn't work (Long story short - one user actually has access to the private & public key. He launches the ssh-agent and imports the key. The other users in the group are able to authenticate with it, but are unable to export it).

Further investigation revealed that there's a hard coded protection for accessing the agent from other users (besides root). Even further investigation revealed that this check could not be omitted, so, I wrote a patch that fixes it.

When running the ssh-agent with the -g flag, the /tmp directory is created with group read-execute permissions and the UNIX socket is created with read-write permissions (these are the permissions required according to the unix(7) man page). I've checked it and it works.

My thoughts are:
1. No one thought about it before or no one needed this feature before
2. There's a security risk in this implementation (other than the requirement itself)

Attached the patch file. It's a patch against the Debian stable version, although I checked it against the nightlies and it wouldn't be so hard to integrate it inside the upstream.

So, any comments are much appreciated.

Cheers,
Omri Bahumi.

From keisial at gmail.com Tue Jun 12 06:42:47 2012
From: keisial at gmail.com (Ángel González)
Date: Mon, 11 Jun 2012 22:42:47 +0200
Subject: ssh-agent for an entire unix group
Message-ID: <4FD65847.1020704@gmail.com>

On 11/06/12 21:31, Omri Bahumi wrote:
> Attached the patch file. It's a patch against the Debian stable
> version, although I checked it against the nightlies and it
> wouldn't be so hard to integrate it inside the upstream.
>
> So, any comments are much appreciated.
>
The mailing list stripped the attachment. Try resending as text/plain and/or provide a link for download.

From omri.il at gmail.com Tue Jun 12 06:46:46 2012
From: omri.il at gmail.com (Omri Bahumi)
Date: Mon, 11 Jun 2012 23:46:46 +0300
Subject: ssh-agent for an entire unix group
In-Reply-To: <4FD65847.1020704@gmail.com>
References: <4FD65847.1020704@gmail.com>

Re-attached

-------------- next part --------------
--- openssh-5.5p1/ssh-agent.c 2010-02-26 22:55:06.000000000 +0200 +++ openssh-5.5p1.new/ssh-agent.c 2012-06-11 22:12:09.000000000 +0300 @@ -120,6 +120,10 @@ int max_fd = 0; +/* instead of just effective uid checking, accept same effective gid as well + this is useful for sharing the same agent with the entire group without hacks */ +int accept_same_gid = 0; + /* pid of shell == parent of agent */ pid_t parent_pid = -1; u_int parent_alive_interval = 0; @@ -960,10 +964,14 @@ close(sock); break; } - if ((euid != 0) && (getuid() != euid)) { - error("uid mismatch: " - "peer euid %u != uid %u", - (u_int) euid, (u_int) getuid()); + if ((euid != 0) && + ((!accept_same_gid && getuid() != euid) || + (accept_same_gid && getgid() != egid))) { + error("uid/gid mismatch: " + "peer euid %u != uid %u, " + "peer egid %u != gid %u", + (u_int) euid, (u_int) getuid(), + (u_int) egid, (u_int) getgid()); close(sock); break; }
@@ -1051,6 +1059,7 @@ fprintf(stderr, " -c Generate C-shell commands on stdout.\n"); fprintf(stderr, " -s Generate Bourne shell commands on stdout.\n"); fprintf(stderr, " -k Kill the current agent.\n"); + fprintf(stderr, " -g Accept connections from same GID as well as the same UID\n"); fprintf(stderr, " -d Debug mode.\n"); fprintf(stderr, " -a socket Bind agent socket to given name.\n"); fprintf(stderr, " -t life Default identity lifetime (seconds).\n"); @@ -1060,7 +1069,7 @@ int main(int ac, char **av) { - int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0; + int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0, g_flag = 0; int sock, fd, ch, result, saved_errno; u_int nalloc; char *shell, *format, *pidstr, *agentsocket = NULL; @@ -1095,7 +1104,7 @@ init_rng(); seed_rng(); - while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { + while ((ch = getopt(ac, av, "cdkgsa:t:")) != -1) { switch (ch) { case 'c': if (s_flag) @@ -1110,6 +1119,11 @@ usage(); s_flag++; break; + case 'g': + if (g_flag) + usage(); + g_flag++; + break; case 'd': if (d_flag) usage(); @@ -1131,7 +1145,7 @@ ac -= optind; av += optind; - if (ac > 0 && (c_flag || k_flag || s_flag || d_flag)) + if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || g_flag)) usage(); if (ac == 0 && !c_flag && !s_flag) { @@ -1168,6 +1182,10 @@ } parent_pid = getpid(); + if (g_flag) { + accept_same_gid = 1; + } + if (agentsocket == NULL) { /* Create private directory for agent socket */ strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir); @@ -1175,6 +1193,12 @@ perror("mkdtemp: private socket dir"); exit(1); } + if (accept_same_gid) { + if (chmod(socket_dir, 0750) != 0) { + perror("chmod: private socket dir"); + exit(1); + } + } snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", socket_dir, (long)parent_pid); } else { 
@@ -1196,7 +1220,7 @@ memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path)); - prev_mask = umask(0177); + prev_mask = umask(accept_same_gid ? 0117 : 0177); if (bind(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) < 0) { perror("bind"); *socket_name = '\0'; /* Don't unlink any existing file */

From saw at online.de Sat Jun 16 07:06:59 2012
From: saw at online.de (Sascha Wildner)
Date: Fri, 15 Jun 2012 23:06:59 +0200
Subject: [PATCH] Fix sizeof in jpake_free()

Hello,

running Coccinelle (http://coccinelle.lip6.fr/) on the DragonFly source tree with a patch to find issues of this kind turned up this one. Please see the attached diff (against OpenBSD).

Regards,
Sascha

From lists at eitanadler.com Sat Jun 16 07:21:21 2012
From: lists at eitanadler.com (Eitan Adler)
Date: Fri, 15 Jun 2012 14:21:21 -0700
Subject: [PATCH] Fix sizeof in jpake_free()

On 15 June 2012 14:06, Sascha Wildner wrote:
> Hello,
>
> running Coccinelle (http://coccinelle.lip6.fr/) on the DragonFly source tree
> with a patch to find issues of this kind turned up this one. Please see the
> attached diff (against OpenBSD).

It got stripped. Can you resend as a URL?

--
Eitan Adler

From keisial at gmail.com Sat Jun 16 07:22:19 2012
From: keisial at gmail.com (Ángel González)
Date: Fri, 15 Jun 2012 23:22:19 +0200
Subject: [PATCH] Fix sizeof in jpake_free()
Message-ID: <4FDBA78B.107@gmail.com>

On 15/06/12 23:06, Sascha Wildner wrote:
> Hello,
>
> running Coccinelle (http://coccinelle.lip6.fr/) on the DragonFly
> source tree with a patch to find issues of this kind turned up this
> one. Please see the attached diff (against OpenBSD).
>
> Regards,
> Sascha

Diff was stripped by the list. Resend as text/plain or provide a link.

From saw at online.de Sat Jun 16 07:31:16 2012
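Review bot: In the ssh-agent.c patch above, the new condition in hunk @@ -960,10 +964,14 @@ replaces the uid test whenever -g is set instead of extending it: a peer whose euid equals the agent's uid but whose egid differs (the owner after sg/newgrp, or an owner-run process with another primary group) is now refused. Suggest `(getuid() != euid && !(accept_same_gid && getgid() == egid))` so the same-uid case keeps working. It is also worth stating in the usage text that with -g every member of the agent's real group (getgid() at start-up, not a chosen group) can ask the agent to sign with every loaded key.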
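Review bot: In hunk @@ -1131,7 +1145,7 @@ of the ssh-agent.c patch, adding g_flag to `if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || g_flag)) usage();` makes `ssh-agent -g command` a usage error. The -c/-s/-k/-d flags are excluded there because they conflict with running a command; -g does not, and like -a and -t it should be usable in that mode, so drop it from the condition unless the exclusion is deliberate.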
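Review bot: In hunk @@ -1175,6 +1193,12 @@ of the ssh-agent.c patch, `chmod(socket_dir, 0750)` grants the group read on the directory as well as search. Connecting to the socket needs only search (x) on the directory plus read/write on the socket itself, so 0710 is sufficient and keeps other group members from listing the directory; they already receive the socket path through SSH_AUTH_SOCK.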
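Review bot: In hunk @@ -1196,7 +1220,7 @@ of the ssh-agent.c patch, `umask(accept_same_gid ? 0117 : 0177)` yields a 0660 socket, which is what unix(7) asks for on Linux, but the same page warns that several BSD-derived systems ignore the socket file's mode on connect() and that portable programs must not rely on it. On those platforms the getpeereid() comparison in the earlier hunk is the only access control, which bears on the security-risk question in the cover mail: the group check has to be right on its own, not backed up by the file mode.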
From: saw at online.de (Sascha Wildner) Date: Fri, 15 Jun 2012 23:31:16 +0200 Subject: [PATCH] Fix sizeof in jpake_free() In-Reply-To: <20120615212042.17385.qmail@stuge.se> References: <20120615212042.17385.qmail@stuge.se> Message-ID: On Fri, 15 Jun 2012 23:20:42 +0200, Peter Stuge wrote: > Sascha Wildner wrote: >> Please see the attached diff (against OpenBSD). > > No attachment. Possibly stripped by the list if not text/plain. Sorry, patch is here: http://87.78.98.243/stuff/jpake_sizeof.diff From keisial at gmail.com Sat Jun 16 09:12:07 2012 From: keisial at gmail.com (=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?=) Date: Sat, 16 Jun 2012 01:12:07 +0200 Subject: [PATCH] Fix sizeof in jpake_free() In-Reply-To: References: <20120615212042.17385.qmail@stuge.se> Message-ID: <4FDBC147.3050306@gmail.com> On 15/06/12 23:31, Sascha Wildner wrote: > Sorry, patch is here: > > http://87.78.98.243/stuff/jpake_sizeof.diff Well found. That should indeed be applied. I think you should send it up to openssh at openssh.com . The portable version will pick it the changes from there. Regards Below is the content of the referenced patch: > Index: usr.bin/ssh/jpake.c > =================================================================== > RCS file: /home/obcvs/src/usr.bin/ssh/jpake.c,v > retrieving revision 1.6 > diff -u -r1.6 jpake.c > --- usr.bin/ssh/jpake.c 20 Sep 2010 04:54:07 -0000 1.6 > +++ usr.bin/ssh/jpake.c 15 Jun 2012 20:13:22 -0000 > @@ -131,7 +131,7 @@ > #undef JPAKE_BN_CLEAR_FREE > #undef JPAKE_BUF_CLEAR_FREE > > - bzero(pctx, sizeof(pctx)); > + bzero(pctx, sizeof(*pctx)); > xfree(pctx); > } > From john.m.olsson at ericsson.com Mon Jun 18 19:40:59 2012 
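Review bot: The change is correct and worth applying: sizeof(pctx) is the size of a pointer, so the original bzero() scrubbed only the first four or eight bytes of the jpake_ctx before xfree(), leaving the rest of the struct intact in freed memory; sizeof(*pctx) scrubs the whole object, which matches the intent of the JPAKE_BN_CLEAR_FREE / JPAKE_BUF_CLEAR_FREE cleanup that precedes it. One caveat on the same line: a bzero() whose target is freed immediately afterwards is a dead store from the compiler's point of view and may be optimised out, so this scrub is only as reliable as the compiler is conservative; a clearing routine the compiler cannot elide is the safer primitive for this pattern.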
From: john.m.olsson at ericsson.com (John Olsson M)
Date: Mon, 18 Jun 2012 11:40:59 +0200
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To: <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com> <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
Message-ID:

> A move to the same partition isn't a problem as sftp still has the file
> descriptor, but a copy or a move to another partition will result in
> corrupted data.

What do you think of having the SFTP server temporarily rename the transferred file with a ".tmp" extension which is removed when transfer is completed? Then another application knows when a file has been transferred completely. Or is this an exercise best left to the client to do?

/John

From peter at stuge.se Mon Jun 18 20:19:48 2012
From: peter at stuge.se (Peter Stuge)
Date: Mon, 18 Jun 2012 12:19:48 +0200
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To:
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com> <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
Message-ID: <20120618101948.13727.qmail@stuge.se>

John Olsson M wrote:
> What do you think of having the SFTP server temporarily rename the
> transferred file with a ".tmp" extension which is removed when
> transfer is completed?

What happens when I upload a file called foo.tmp ?

Even using inotify to know when a file gets closed does not tell the full story - it is still unknown if the file was closed because the SFTP upload finished successfully, or because it was aborted by the client, or due to network error, or some other problem. :(

A reliable solution indeed requires sftp-server to take action in order to signal successful vs. failed upload completion. I'd like to use POSIX Message Queues for this, but they aren't widely supported. :( It would work a treat on Linux however!

Please just verify your input and dismiss anything corrupt. This is fundamental for any programming. Do it and you will be happier.

//Peter

From djm at mindrot.org Fri Jun 22 14:37:14 2012
From: djm at mindrot.org (Damien Miller)
Date: Fri, 22 Jun 2012 14:37:14 +1000 (EST)
Subject: While using internal sftp server, need to access files outside chroot
In-Reply-To:
References: <10F20BC0C13B3F4C928EFD1C3A651F3633800E@PSEXMBX01.netmaster.corp.easylink.com> <4FD0DDB2.2010108@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F36338099@PSEXMBX01.netmaster.corp.easylink.com> <4FD116F2.6020909@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380B8@PSEXMBX01.netmaster.corp.easylink.com> <4FD12392.3040704@gmail.com> <10F20BC0C13B3F4C928EFD1C3A651F363380FA@PSEXMBX01.netmaster.corp.easylink.com> <7A6CBD48-99D5-42AC-B2CD-4FADC1291415@eviladmin.org>
Message-ID:

On Mon, 18 Jun 2012, John Olsson M wrote:

> > A move to the same partition isn't a problem as sftp still has the
> > file descriptor, but a copy or a move to another partition will
> > result in corrupted data.
>
> What do you think of having the SFTP server temporarily rename the
> transferred file with a ".tmp" extension which is removed when transfer
> is completed? Then another application knows when a file has been
> transferred completely. Or is this an exercise best left to the client
> to do?

A few people have asked to be able to upload files under a temporary name and rename them into place once the upload successfully completes. This can be implemented pretty easily and purely in the client.

I'm pretty backlogged at the moment, but writing this (as a "put" flag) would be an easy afternoon project for someone interested.

-d

From dtucker at zip.com.au Fri Jun 22 22:03:38 2012
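Peter's point above (verify the input rather than infer completion from a close event) and Damien's note that a rename-into-place can live entirely in the client together suggest a simple consumer-side protocol for a chrooted drop directory. The following is an added example, not code from the thread or from OpenSSH, and it assumes a convention the thread never states: the client uploads FILE and then FILE.sum containing the digest of FILE. The digest_file and ingest_dir helpers, the .sum suffix and the done/quarantine directories are all assumptions of this example; a payload that arrives truncated (aborted upload, network error) fails the digest check and is quarantined instead of being handed on.

```shell
# Added example, not code from the thread or from OpenSSH: a consumer
# for an sftp drop directory that verifies each upload instead of
# guessing from file-close events whether it finished. Assumed
# convention: the client uploads FILE and then FILE.sum holding the
# digest of FILE. Only a payload whose digest matches its sidecar is
# moved out; a mismatch (truncated or aborted upload) is quarantined;
# a payload with no sidecar yet is left alone for the next run.

# digest_file PATH
# Print a hex digest of PATH. SHA-256 is preferred; the POSIX cksum CRC
# is a last resort so the example runs everywhere (a CRC only catches
# accidental corruption, so keep the SHA-256 path in production).
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# ingest_dir INCOMING DONE QUARANTINE
# Process every payload that has a sidecar. Prints one "decision name"
# line per file and returns 1 if anything was quarantined, so a cron
# wrapper can alert on it.
ingest_dir() {
    incoming=$1 done_dir=$2 quarantine=$3 rc=0
    for side in "$incoming"/*.sum; do
        [ -f "$side" ] || continue          # unmatched glob: nothing to do
        payload=${side%.sum}
        name=${payload##*/}
        if [ ! -f "$payload" ]; then
            printf 'waiting %s\n' "$name"   # sidecar arrived first; retry later
            continue
        fi
        expected=$(tr -d ' \n\r' < "$side")
        actual=$(digest_file "$payload")
        if [ "$expected" = "$actual" ]; then
            mv "$payload" "$done_dir/$name" && rm -f "$side"
            printf 'accept %s\n' "$name"
        else
            mv "$payload" "$quarantine/$name" && rm -f "$side"
            printf 'reject %s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it from cron as the account that owns the directory outside the chroot, e.g. `ingest_dir /srv/sftp/alice/incoming /srv/done /srv/quarantine`. Because the sidecar is written after the payload, a client that dies mid-upload leaves a payload with no sidecar, which this loop ignores; a client that dies between the two leaves a payload that will be picked up as soon as the sidecar arrives. Peter's foo.tmp objection applies to any naming convention, which is why the decision here rests on the digest and not on the name.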
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 22 Jun 2012 22:03:38 +1000
Subject: [patch/cygwin]: Explicitly add user right to start service
In-Reply-To: <20120605120431.GA26750@calimero.vinschen.de>
References: <20120605120431.GA26750@calimero.vinschen.de>
Message-ID: <20120622120338.GA30786@gate.dtucker.net>

On Tue, Jun 05, 2012 at 02:04:31PM +0200, Corinna Vinschen wrote:
> could somebody with checkin rights please apply the below patch to the
> Cygwin service creator script? It patches a problem when using an
> existing account to start the sshd service. In that case the script
> so far doesn't make sure that the user has the right to logon as a
> service.

Applied, thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From sotocad at gmail.com Mon Jun 25 14:30:14 2012
From: sotocad at gmail.com (Nelson)
Date: Mon, 25 Jun 2012 00:30:14 -0400
Subject: ssh tunnels are dropping.
Message-ID: <05926C61-69F9-4633-AD75-E7568BF26EF9@gmail.com>

Good afternoon,

I need information on how many ssh tunnels a server can keep active, and for how long those tunnels can stay active.

To explain my situation: I have a CentOS 5.5 server with the ssh that ships by default, version 4.3. Around 100 terminals connect to this server, and each of these terminals brings up 3 tunnels to the server, to ports 80, 3306 and 1752, but these tunnels constantly close at random, so I have to create the tunnels again. I have applied keepalive policies on both the server and the clients: ServerAliveInterval, ServerAliveCountMax, ClientAliveInterval, ClientAliveCountMax. I have changed layer 4 (TCP protocol) parameters to keep the connections up, but without positive results.

Because of the above, my questions are: is there a maximum limit on connections at a time, on tunnels at a time, and on how long the tunnels can stay online at a time?

Sent from my iPhone

Regards,
Nelson Sotomayor Vera
Computer Engineer

From cmadams at hiwaay.net Wed Jun 27 04:40:32 2012
From: cmadams at hiwaay.net (Chris Adams) Date: Tue, 26 Jun 2012 13:40:32 -0500 Subject: Modify $TERM from config Message-ID: <20120626184032.GF16409@hiwaay.net> The terminal programs (xterm, gnome-terminal, etc.) in Fedora have all supported 256 colors for quite a while, so there's a proposal for Fedora to switch them to using "xterm-256color" for $TERM. One drawback would be when you SSH to another host that doesn't have an up-to-date terminal database and doesn't recognize "xterm-256color" (but does know "xterm"). I don't see a way to override $TERM for a particular host in ~/.ssh/config. Also, it would really be better to be able to modify it (rather than just override it), with some way to say "drop the -256color suffix if it exists". Any suggestions? Would something along these lines be accepted by OpenSSH? I'd like to see this because I use "screen" a lot, and if it set $TERM to "screen-256color", my SSH connections to my Juniper JUNOS routers would be annoying (while they recognize "xterm-256color", they don't know "screen-256color"). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From ras at anzio.com Wed Jun 27 04:58:07 2012 
From: ras at anzio.com (Bob Rasmussen) Date: Tue, 26 Jun 2012 11:58:07 -0700 (PDT) Subject: Modify $TERM from config In-Reply-To: <20120626184032.GF16409@hiwaay.net> References: <20120626184032.GF16409@hiwaay.net> Message-ID: Perhaps the answer to this is to bring forward a concept from the telnet protocol, into SSH. When a telnet client connects, it doesn't just say "I am TERM=ABC". Instead there is an option negotiation process defined. So if the server responds "I don't know what terminal ABC is", the client can try "I am TERM=XYZ". This process can continue until the client decides what is the best fit, and tells the host. It's similar in concept to how, in SSH, authentication methods are negotiated. Another environment variable that would benefit from this approach would be LANG. My client might want to try "LANG=en_US.UTF-8", but be able to drop back to "LANG=en_US". On Tue, 26 Jun 2012, Chris Adams wrote: > The terminal programs (xterm, gnome-terminal, etc.) in Fedora have all > supported 256 colors for quite a while, so there's a proposal for Fedora > to switch them to using "xterm-256color" for $TERM. One drawback would > be when you SSH to another host that doesn't have an up-to-date terminal > database and doesn't recognize "xterm-256color" (but does know "xterm"). > > I don't see a way to override $TERM for a particular host in > ~/.ssh/config. Also, it would really be better to be able to modify it > (rather than just override it), with some way to say "drop the -256color > suffix if it exists". > > Any suggestions? Would something along these lines be accepted by > OpenSSH? > > I'd like to see this because I use "screen" a lot, and if it set $TERM > to "screen-256color", my SSH connections to my Juniper JUNOS routers > would be annoying (while they recognize "xterm-256color", they don't > know "screen-256color"). 
> > -- > Chris Adams > Systems and Network Administrator - HiWAAY Internet Services > I don't speak for anybody but myself - that's enough trouble. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > Regards, ....Bob Rasmussen, President, Rasmussen Software, Inc. personal e-mail: ras at anzio.com company e-mail: rsi at anzio.com voice: (US) 503-624-0360 (9:00-6:00 Pacific Time) fax: (US) 503-624-0760 web: http://www.anzio.com street address: Rasmussen Software, Inc. 10240 SW Nimbus, Suite L9 Portland, OR 97223 USA From cmadams at hiwaay.net Wed Jun 27 06:09:05 2012 From: cmadams at hiwaay.net (Chris Adams) Date: Tue, 26 Jun 2012 15:09:05 -0500 Subject: Modify $TERM from config In-Reply-To: References: <20120626184032.GF16409@hiwaay.net> Message-ID: <20120626200905.GI16409@hiwaay.net> Once upon a time, Bob Rasmussen said: > Perhaps the answer to this is to bring forward a concept from the telnet > protocol, into SSH. When a telnet client connects, it doesn't just say > "I am TERM=ABC". Instead there is an option negotiation process defined. > So if the server responds "I don't know what terminal ABC is", the client > can try "I am TERM=XYZ". This process can continue until the client > decides what is the best fit, and tells the host. That would be cool. However, I'm trying to deal with hosts that are not as up-to-date already (e.g. have a smaller terminal database), so a new extension would unfortunately not help me much (since those same hosts would probably not support it for years). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From mike at pair.com Wed Jun 27 06:30:20 2012 
From: mike at pair.com (Mike Kelly)
Date: Tue, 26 Jun 2012 16:30:20 -0400
Subject: Modify $TERM from config
In-Reply-To: <20120626200905.GI16409@hiwaay.net>
References: <20120626184032.GF16409@hiwaay.net> <20120626200905.GI16409@hiwaay.net>
Message-ID: <4FEA1BDC.1060905@pair.com>

On Tue 26 Jun 2012 04:09:05 PM EDT, Chris Adams wrote:
> Once upon a time, Bob Rasmussen said:
>> Perhaps the answer to this is to bring forward a concept from the telnet
>> protocol, into SSH. When a telnet client connects, it doesn't just say
>> "I am TERM=ABC". Instead there is an option negotiation process defined.
>> So if the server responds "I don't know what terminal ABC is", the client
>> can try "I am TERM=XYZ". This process can continue until the client
>> decides what is the best fit, and tells the host.
>
> That would be cool. However, I'm trying to deal with hosts that are not
> as up-to-date already (e.g. have a smaller terminal database), so a new
> extension would unfortunately not help me much (since those same hosts
> would probably not support it for years).

I've usually handled this with some code in my ~/.bashrc that just changes and re-exports the TERM variable early on, if it looks like one that that host doesn't support. I've done this in an ad-hoc way, so I don't have some nice universal thing to share, but, for example:

[[ "${TERM}" == "rxvt-unicode-256color" ]] \
    && export TERM="rxvt-unicode"

I'm sure there's something that can be done with some terminfo command or something.

I think someone mentioned handling different LANG settings, and I do that this way:

if [[ -x "$(type -P locale)" ]] ; then
    case "`locale -a`" in
        *en_US.UTF-8*) LANG="en_US.UTF-8" ;;
        *en_US.utf8*) LANG="en_US.utf8" ;;
        *en_US*) LANG="en_US" ;;
    esac
    [[ -n "${LANG}" ]] && export LANG SUPPORTED="${LANG}:en_US:en"
fi

-- 
Mike Kelly

From christophe at garault.org Wed Jun 27 06:57:46 2012
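Chris asked for a way to drop the -256color suffix per host, and Mike's .bashrc handles one hard-coded case. The block below is an added example, not from either poster or from OpenSSH: it generalizes the same idea into a small fallback walk (xterm-256color to xterm, rxvt-unicode-256color to rxvt-unicode, and vt100 as a last resort) that can run on either end of the connection, because ssh sends the value of the client's own $TERM with its pty request, so a per-host override is just a matter of setting TERM for the ssh process. The function names, the known-terminal list and the ssh_old_host wrapper are this example's assumptions; the known list stands in for the remote terminfo database so the code runs offline, and the remote-side variant uses infocmp from ncurses where it is installed.

```shell
# Added example (not from the thread or from OpenSSH): choose a $TERM the
# remote host's terminfo database knows by stripping "-suffix" parts one
# at a time (xterm-256color -> xterm, screen-256color -> screen).

# strip_term_suffix TERM
# Drop the last "-something" component, or return TERM unchanged when it
# has no dash left: "xterm-256color" -> "xterm", "xterm" -> "xterm".
strip_term_suffix() {
    case "$1" in
        *-*) printf '%s\n' "${1%-*}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# term_known LIST TERM
# Return 0 if TERM is in the space-separated LIST. The list stands in for
# the remote terminfo database (assumption: on a real host you would ask
# infocmp instead, as fix_term_for_this_host does below).
term_known() {
    list=$1 want=$2
    for k in $list; do
        [ "$k" = "$want" ] && return 0
    done
    return 1
}

# pick_term LIST TERM
# Walk from TERM towards its base name until a known entry is found;
# fall back to vt100, which practically every terminfo database carries.
pick_term() {
    known=$1 term=$2
    while :; do
        if term_known "$known" "$term"; then
            printf '%s\n' "$term"
            return 0
        fi
        next=$(strip_term_suffix "$term")
        if [ "$next" = "$term" ]; then
            printf '%s\n' vt100        # nothing left to strip: last resort
            return 1
        fi
        term=$next
    done
}

# Client-side use: ssh sends its own $TERM in the pty request, so setting
# TERM for the ssh process is the per-host override ssh_config lacks.
# The known list is a hypothetical one for an old host.
ssh_old_host() {
    TERM=$(pick_term "xterm vt100" "${TERM:-vt100}") ssh "$@"
}

# Remote-side use, for ~/.bashrc on the old host itself (assumes the
# ncurses infocmp tool is installed there; it exits non-zero when the
# terminfo entry is missing).
fix_term_for_this_host() {
    command -v infocmp >/dev/null 2>&1 || return 0
    while ! infocmp "$TERM" >/dev/null 2>&1; do
        next=$(strip_term_suffix "$TERM")
        [ "$next" = "$TERM" ] && { TERM=vt100; break; }
        TERM=$next
    done
    export TERM
}
```

Stripping one dash-separated component at a time is what makes this general: a terminfo name is a base plus optional feature suffixes, so each step yields a name that is at least as likely to exist as the one before it.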
From: christophe at garault.org (Christophe Garault) Date: Tue, 26 Jun 2012 22:57:46 +0200 Subject: Modify $TERM from config In-Reply-To: <20120626184032.GF16409@hiwaay.net> References: <20120626184032.GF16409@hiwaay.net> Message-ID: <4FEA224A.2080203@garault.org> On 26/06/2012 20:40, Chris Adams wrote : > I don't see a way to override $TERM for a particular host in > ~/.ssh/config. I'm not sure if this could help you, but you could allow the PermitUserEnvironment in the sshd conf of that host and then change the authorized_keys accordingly: environment="TERM=xterm-256color" before the key itself. Hth. -- Christophe Garault From loganaden at gmail.com Wed Jun 27 12:47:07 2012 From: loganaden at gmail.com (Loganaden Velvindron) Date: Wed, 27 Jun 2012 06:47:07 +0400 Subject: sftp resume support (client side) Message-ID: Hi, I implemented something because I get sick of resuming large downloads from scratch. Any interest upstream-wise ? https://bugzilla.mindrot.org/show_bug.cgi?id=2021 -- Brightest day, Blackest night, No bug shall escape my sight, And those who worship evil's mind, be wary of my powers, puffy lantern's light ! From mouring at eviladmin.org Wed Jun 27 13:00:33 2012
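Christophe's PermitUserEnvironment suggestion in the $TERM thread above does work, but the sshd_config(5) description of that option warns that enabling environment processing can let users bypass access restrictions through mechanisms such as LD_PRELOAD: once it is on, sshd honours every environment="NAME=value" option on a key, including keys that are otherwise locked down with command=. Before flipping it, it is worth auditing what the existing keys would start setting. The script below is an added example, not from the thread or from OpenSSH; the allow-list, the two sample authorized_keys lines (constructed for this example, with placeholder key material) and the function names are its assumptions.

```shell
# Added example, not from the thread or from OpenSSH: audit the
# environment="..." options in authorized_keys before turning on
# PermitUserEnvironment. Lists the variables each key would set and
# flags any outside an allow-list.

# Variables it is reasonable to let a key set (assumption: adjust to taste).
ALLOWED_ENV_VARS="TERM LANG LC_ALL LC_CTYPE"

# env_vars_in_line LINE
# Print, one per line, the variable names set by environment="NAME=value"
# options on one authorized_keys line. Options precede the key type and
# are comma-separated; each environment= value is double-quoted.
env_vars_in_line() {
    line=$1
    q='"'
    while :; do
        case "$line" in
            *environment=$q*)
                rest=${line#*environment=$q}      # NAME=value"... remains
                printf '%s\n' "${rest%%=*}"       # name ends at the first "="
                line=$rest                        # continue after this option
                ;;
            *) break ;;
        esac
    done
}

# flag_env_vars LINE
# Print "allow NAME" or "deny NAME" for each variable the line sets and
# return 1 if anything was denied, so callers can fail loudly.
flag_env_vars() {
    status=0
    for name in $(env_vars_in_line "$1"); do
        case " $ALLOWED_ENV_VARS " in
            *" $name "*) printf 'allow %s\n' "$name" ;;
            *) printf 'deny %s\n' "$name"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample file contents (not real keys; the base64 is a placeholder).
# The second line is the case the sshd_config(5) warning is about: a key
# restricted to one command that would also inject a preloaded library.
SAMPLE_AUTHORIZED_KEYS='environment="TERM=xterm-256color" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample== alice@laptop
command="/usr/bin/rsync --server -a . /srv/backup",environment="LD_PRELOAD=/tmp/hook.so",environment="LANG=en_US.UTF-8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample== backup@host'

# audit_authorized_keys
# Run flag_env_vars over every sample line; return 1 if any line sets a
# variable outside the allow-list.
audit_authorized_keys() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        flag_env_vars "$l" || rc=1
    done <<EOF
$SAMPLE_AUTHORIZED_KEYS
EOF
    return "$rc"
}
```

To run it over a real file, replace the here-document with `done < "$HOME/.ssh/authorized_keys"` (or each file listed in AuthorizedKeysFile). A non-zero exit means at least one key would start setting something outside the allow-list the moment PermitUserEnvironment is enabled.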
From: mouring at eviladmin.org (Ben Lindstrom) Date: Tue, 26 Jun 2012 22:00:33 -0500 Subject: sftp resume support (client side) In-Reply-To: References: Message-ID: Please refer to an already open bug on this topic. https://bugzilla.mindrot.org/show_bug.cgi?id=626 - Ben On Jun 26, 2012, at 9:47 PM, Loganaden Velvindron wrote: > Hi, > > I implemented something because I get sick of resuming large downloads > from scratch. > > > Any interest upstream-wise ? > > https://bugzilla.mindrot.org/show_bug.cgi?id=2021 > > -- > Brightest day, > Blackest night, > No bug shall escape my sight, > And those who worship evil's mind, > be wary of my powers, > puffy lantern's light ! > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From loganaden at gmail.com Thu Jun 28 07:04:21 2012 
From: loganaden at gmail.com (Loganaden Velvindron) Date: Thu, 28 Jun 2012 01:04:21 +0400 Subject: sftp resume support (client side) In-Reply-To: References: Message-ID: Ok, I incorporated Damien's diff into mine. https://bugzilla.mindrot.org/attachment.cgi?id=2168&action=diff On Wed, Jun 27, 2012 at 7:00 AM, Ben Lindstrom wrote: > > Please refer to an already open bug on this topic. > > https://bugzilla.mindrot.org/show_bug.cgi?id=626 > > - Ben > > On Jun 26, 2012, at 9:47 PM, Loganaden Velvindron wrote: > >> Hi, >> >> I implemented something because I get sick of resuming large downloads >> from scratch. >> >> >> Any interest upstream-wise ? >> >> https://bugzilla.mindrot.org/show_bug.cgi?id=2021 >> >> -- >> Brightest day, >> Blackest night, >> No bug shall escape my sight, >> And those who worship evil's mind, >> be wary of my powers, >> puffy lantern's light ! >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Brightest day, Blackest night, No bug shall escape my sight, And those who worship evil's mind, be wary of my powers, puffy lantern's light ! From loganaden at gmail.com Thu Jun 28 14:36:57 2012 
From: loganaden at gmail.com (Loganaden Velvindron) Date: Thu, 28 Jun 2012 08:36:57 +0400 Subject: sftp resume support (client side) In-Reply-To: References: Message-ID: highwater must match filesize, else, reget in interactive mode is truncated to 0. bugzilla is down right now. I put the latest diff on dragonflybsd server. http://leaf.dragonflybsd.org/~logan/resume14.diff On Thu, Jun 28, 2012 at 1:04 AM, Loganaden Velvindron wrote: > Ok, I incorporated Damien's diff into mine. > > https://bugzilla.mindrot.org/attachment.cgi?id=2168&action=diff > > On Wed, Jun 27, 2012 at 7:00 AM, Ben Lindstrom wrote: >> >> Please refer to an already open bug on this topic. >> >> https://bugzilla.mindrot.org/show_bug.cgi?id=626 >> >> - Ben >> >> On Jun 26, 2012, at 9:47 PM, Loganaden Velvindron wrote: >> >>> Hi, >>> >>> I implemented something because I get sick of resuming large downloads >>> from scratch. >>> >>> >>> Any interest upstream-wise ? >>> >>> https://bugzilla.mindrot.org/show_bug.cgi?id=2021 >>> >>> -- >>> Brightest day, >>> Blackest night, >>> No bug shall escape my sight, >>> And those who worship evil's mind, >>> be wary of my powers, >>> puffy lantern's light ! >>> _______________________________________________ >>> openssh-unix-dev mailing list >>> openssh-unix-dev at mindrot.org >>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > > > > -- > Brightest day, > Blackest night, > No bug shall escape my sight, > And those who worship evil's mind, > be wary of my powers, > puffy lantern's light ! -- Brightest day, Blackest night, No bug shall escape my sight, And those who worship evil's mind, be wary of my powers, puffy lantern's light !