[Bug 1780] New: Option to disable .k5login support

2010-06-14 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1780

   Summary: Option to disable .k5login support
   Product: Portable OpenSSH
   Version: 5.5p1
  Platform: All
OS/Version: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Kerberos support
AssignedTo: unassigned-b...@mindrot.org
ReportedBy: jchad...@redhat.com


.k5login allows a user to let others access his account without admin
intervention.

There are 2 potential problems in some setups.

A) Company policy that prevents account sharing
B) Access to other users' credentials using social engineering techniques to
make someone log into your account and forward you his credentials

For these reasons it would be useful if there were an sshd_config option to
prevent sshd from using .k5login files.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
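The report above asks for a way to switch .k5login off because it lets an account owner grant other principals access (account sharing) and widens the credential-forwarding surface. Until such an option exists, an administrator can at least find out where .k5login files are in use and what they grant. The following audit script is an added example written for this page; it is not OpenSSH or Kerberos code. It assumes the MIT .k5login format (one Kerberos principal per line), uses the constructed sample body SAMPLE_K5LOGIN and the constructed realm EXAMPLE.COM, and classifies each entry relative to the account owner: the owner's own principals, other local-realm users (sharing), and principals from foreign realms. It also flags file ownership and mode problems that would let someone other than the owner or root edit the file.

```python
import os
import pwd
import stat
from typing import Dict, List, Optional

# Constructed sample .k5login body for the account "alice" (illustrative only,
# not taken from the bug report).
SAMPLE_K5LOGIN = """alice@EXAMPLE.COM
alice/admin@EXAMPLE.COM
bob@EXAMPLE.COM
mallory@OTHER.REALM
"""


def parse_k5login(text: str) -> List[str]:
    """Return the principals in a .k5login body: one principal per non-blank line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def split_principal(principal: str):
    """Split 'primary[/instance]@REALM' into (primary, realm); realm is '' if absent."""
    name, _, realm = principal.partition("@")
    primary = name.split("/", 1)[0]
    return primary, realm


def audit_k5login(owner: str, text: str, local_realm: str) -> Dict[str, List[str]]:
    """Classify each principal relative to the account owner.

    'self'          the owner's own principal(s) in the local realm
    'shared'        another user of the local realm granted access (account sharing)
    'foreign_realm' a principal from a realm other than local_realm
    """
    findings: Dict[str, List[str]] = {"self": [], "shared": [], "foreign_realm": []}
    for principal in parse_k5login(text):
        primary, realm = split_principal(principal)
        if realm and realm != local_realm:
            findings["foreign_realm"].append(principal)
        elif primary == owner:
            findings["self"].append(principal)
        else:
            findings["shared"].append(principal)
    return findings


def file_issues(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Report ownership/mode problems that would let someone else edit a .k5login."""
    issues: List[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        issues.append("is a symlink")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group- or world-writable")
    if expected_uid is not None and st.st_uid not in (0, expected_uid):
        issues.append("not owned by the account or root")
    return issues


def scan_all_accounts(local_realm: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk every passwd entry on this host and audit $HOME/.k5login where one exists."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for entry in pwd.getpwall():
        path = os.path.join(entry.pw_dir, ".k5login")
        if not os.path.lexists(path):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = audit_k5login(entry.pw_name, fh.read(), local_realm)
        except OSError as exc:
            result = {"error": [str(exc)]}
        result["file_issues"] = file_issues(path, entry.pw_uid)
        report[entry.pw_name] = result
    return report


if __name__ == "__main__":
    # Classify the constructed sample, then report only the accounts on this
    # host whose .k5login grants access to someone else or has file problems.
    print(audit_k5login("alice", SAMPLE_K5LOGIN, "EXAMPLE.COM"))
    for user, res in scan_all_accounts("EXAMPLE.COM").items():
        if res.get("shared") or res.get("foreign_realm") or res.get("file_issues"):
            print(user, res)
```

Run it as root so every home directory is readable; the "shared" and "foreign_realm" lists are exactly the grants that a policy against account sharing would want reviewed, and a non-empty "file_issues" list means the grant could have been written by someone other than the owner.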


[Bug 1781] New: Document how to use Solaris 10 /dev/random

2010-06-14 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1781

   Summary: Document how to use Solaris 10 /dev/random
   Product: Portable OpenSSH
   Version: -current
  Platform: All
OS/Version: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Documentation
AssignedTo: unassigned-b...@mindrot.org
ReportedBy: pep...@reppep.com


http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL says:

--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
support and to specify a PRNGd socket. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.

--with-prngd-port=portnum allows you to enable EGD or PRNGD support
and to specify a EGD localhost TCP port. Use this if your Unix lacks
/dev/random and you don't want to use OpenSSH's builtin entropy
collection support.


I hoped that the configure script would automatically use /dev/random,
but apparently not -- it says Random number source: OpenSSL internal
ONLY.

r...@thor:/# uname -a
SunOS thor 5.10 Generic_142901-08 i86pc i386 i86pc
r...@thor:/# ls -l /dev/random /devices/pseudo/ran...@0:random
lrwxrwxrwx   1 root root  33 Oct 21  2009 /dev/random -> ../devices/pseudo/ran...@0:random
crw-r--r--   1 root sys  149,  0 Jun 10 11:27 /devices/pseudo/ran...@0:random


I see configure arguments for a subprocess or PRNGd, but nothing
obvious to point at /dev/random (a character device). Should I just use
--with-prngd-socket=/dev/random? 

pep...@thor:~/cvs/openssh$ ./configure --help|egrep -i '(rand|prng)'
  --with-rand-helper       Use subprocess to gather strong randomness
  --with-prngd-port=PORT   read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)


Perhaps the Solaris heading in README.platform should include a
suggestion?



[Bug 1781] Document how to use Solaris 10 /dev/random

2010-06-14 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1781

Damien Miller d...@mindrot.org changed:

   What|Removed |Added

 CC||d...@mindrot.org
 Status|NEW |RESOLVED
 Resolution||WORKSFORME

--- Comment #1 from Damien Miller d...@mindrot.org  ---
If your platform supports /dev/random, and OpenSSL has been configured
to use it (if OpenSSL came with your system, or you compiled it on
there then it will almost certainly do so), then you can rely on its
internal seeding. 

If something is wrong (e.g. OpenSSL has not been configured to seed
from /dev/random) then the problem will be immediately apparent as ssh,
sshd, etc will throw loud error messages and refuse to start.

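The comment above says that "OpenSSL internal ONLY" is fine as long as OpenSSL itself is seeded, and that a misconfigured OpenSSL shows up loudly because ssh and sshd refuse to start. A quick way to confirm both halves on a host, without building OpenSSH, is to ask OpenSSL directly whether its PRNG reports being seeded and to check that the device it is expected to read from is actually a readable character device. The script below is an added example for this page, not code from OpenSSH or OpenSSL; it relies on Python's ssl.RAND_status(), which wraps OpenSSL's RAND_status(), and on the device path /dev/random as the default (the path the reporter was asking about).

```python
import os
import ssl
import stat
from typing import Dict


def check_random_source(path: str = "/dev/random") -> Dict[str, object]:
    """Inspect the kernel entropy device and ask OpenSSL whether its PRNG is seeded.

    ssl.RAND_status() returns True when OpenSSL's RAND_status() reports enough
    seed material; that is the condition the bug comment relies on.
    """
    result: Dict[str, object] = {
        "path": path,
        "exists": False,
        "is_char_device": False,
        "readable": False,
        "openssl_seeded": bool(ssl.RAND_status()),
    }
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return result
    result["exists"] = True
    result["is_char_device"] = stat.S_ISCHR(st.st_mode)
    result["readable"] = os.access(path, os.R_OK)
    return result


def verdict(result: Dict[str, object]) -> str:
    """Summarise the check in the terms used in the thread."""
    if not result["openssl_seeded"]:
        return "OpenSSL PRNG not seeded: ssh/sshd would refuse to start"
    if not (result["exists"] and result["is_char_device"] and result["readable"]):
        return ("OpenSSL reports seeded, but %s is missing or not a readable "
                "character device, so OpenSSL must be using another source"
                % result["path"])
    return "OpenSSL internal seeding is fine; no --with-prngd-* option needed"


if __name__ == "__main__":
    res = check_random_source()
    for key, value in res.items():
        print("%-15s %s" % (key, value))
    print(verdict(res))
```

On the Solaris 10 box in the report, the expected outcome is a readable character device and openssl_seeded True, which matches the "OpenSSL internal ONLY" configure result being acceptable.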


[Bug 1781] Document how to use Solaris 10 /dev/random

2010-06-14 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1781

--- Comment #2 from Chris Pepper pep...@reppep.com  ---
That makes sense, but then INSTALL or README.platform should mention
that OpenSSL internal ONLY is likely to be acceptable if OpenSSL is
getting randomness from /dev/random. From the current wording, I
thought I needed to ensure that OpenSSH could access /dev/random
directly.
