Author: Simon Tatham
Date: Jun 30, 2008 01:04
Tom Worster thefsb.org> wrote:
> so i'm considering how a non-root script might turn password auth on/off or
> enable/ban specific users or something like that. whatever mechanisms i
> choose to implement, i'd rather avoid running the script(s) as root, if at
> all possible.
By "avoid running it as root", do you mean that you really don't
want any part of the mechanism to run with root privilege, or just
that you don't want to have to _authenticate_ as root in order to
run the script?
If the latter, then probably the simplest approach is a root script
with carefully limited behaviour, invoked through some mechanism
that lets selected non-root users run it without additional
authentication. A setuid binary is the obvious such mechanism, but I
like
http://chiark.greenend.org.uk/~ian/userv/
Author: Tom Worster
Date: Jun 29, 2008 16:37
one day i was away from home without my keys when i urgently needed ssh
access to my web servers. i had turned off password auth, being concerned
about the volume of guesswork reported in the logs. thankfully my hosting
firm was accommodating enough to turn password auth back on for me (eric's a
great guy). lesson learned, i haven't turned password auth off again. yet.
while it would help, i'm not really excited about port number obscurity. and
if i can avoid it, i'd rather not start writing scripts to dynamically
modify kernel policy at the ip or socket level (i'm using freebsd so the
canned iptables methods would need some hacking).
so i'm considering how a non-root script might turn password auth on/off or
enable/ban specific users or something like that. whatever mechanisms i
choose to implement, i'd rather avoid running the script(s) as root, if at
all possible.
so my question: is sshd willing to read any config files that aren't solely
root-writable and without receiving a signal or restarting? maybe a bit like
qmail reads control files on the fly? a group-writable file of banned
usernames would do the trick, just for example. i read the sshd man file but
didn't get any bright ideas.
Author: anglade.stephan
Date: Jun 26, 2008 09:04
Hi all,
I've got a question dealing with remote execution of commands through
ssh.
Executing a command locally on a Unix box, the $? in the shell gives
me the exit status of the command.
Moreover, if the command (instead of exiting normally) is killed by a
signal, examining $? lets me know
that the command was killed and by which signal.
For example sending a kill -9 to the command, $? is set to 137.
WIFSIGNAL(137) is true and WTERMSIG(137) gives 9 which is exactly the
signal number I sent to the program.
Now if I execute the command on a remote sshd server with an ssh
client command, after the ssh command terminates,
$? reflects the exit status of the remotely executed command if that
command exited normally.
However, if the remote command was killed by a signal, after the ssh
command terminates, $? is always 255, which
does not reflect what has been going on on the remote server and is not
very useful.
Author: Todd H.
Date: Jun 25, 2008 15:03
ram@zedat.fu-berlin.de (Stefan Ram) writes:
> A terminal client here is called »keyboard friendly«, if it
> can be configured in such a manner that local functions,
> including pasting from the clipboard and recalling
> configurations (like font-sizes) can be activated by a single
> key (possibly with modifiers).
>
> A person had used a keyboard-friendly terminal client with SSH
> support. Now the server does not support the old SSH protocol
> anymore, and this client can not be used anymore.
Does this old terminal client have a name? If so what is it?
> The client »putty« can be used, but it is not keyboard friendly.
>
> When establishing the SSH connection, the user needs to
> provide his credentials.
>
> Possibly, there is a way to establish...
Author: phil-news-nospam
Date: Jun 25, 2008 09:43
Before I explore implementing this myself, I'd like to know if anyone has heard
of software that does the following (all 5):
1. Acts as a library intercept wedge that causes TCP connections to be handled
through a proxy. There is one out there (I forget its name) that does this
for a running SOCKS proxy (which could be an SSH client process doing dynamic
forwarding).
2. Instead of connecting to an existing SOCKS proxy, this intercept will start
an SSH client (or more than one if needed) in the background to manage the
connection forwarding.
3. Instead of using SSH's port forwarding, it will start an agent on the remote
host to be the remote end of the forwarding. The traffic will then run over
the SSH main channel, not using SSH's port forwarding. This agent will be
part of this project and therefore must be installed on the remote host.
4. Enhanced forwarding capabilities will be part of this, including the ability
to start yet another SSH client to forward through. Other features include
the ability to specify the source IP address and port of connections going
out from the remote host to the target connection peer. Specifics of how to
make these connections can be provided in environment variables, user home
based config files, and global config files.
Author: Reji
Date: Jun 25, 2008 06:14
What's the difference between an exportable rsa key and one which is not?
If a key pair is not generated as exportable, can't I copy the key to a diff
machine and use it there?
Thanks
Reji
Author: Tobias Nissen
Date: Jun 23, 2008 01:57
Hi,
I'm just wondering: Is the account name used for login already part of
the encryption or not?
Thanks in advance!
Tobias
Author: Bob Babcock
Date: Jun 22, 2008 18:20
Running psftp (PuTTY package) in a batch file under Win/XP with the -b
option (commands in a file), errors seem to terminate psftp without setting
the errorlevel. Specifically, a cd command to a non-existent directory
fails (as it should), an error message is displayed and the process quits.
Users running the batch file don't notice the error message, and with no
errorlevel, the batch file doesn't know it should do something to attract
attention. The return code is zero even if the file of commands is
missing.
A bad password does yield an error return of 1, as does psftp -h.
Am I missing anything?
Author: Petteri Haapaniemi
Date: Jun 21, 2008 13:52
Neutrino oscillation also saved the day for sunshine quite recently. As early as
1968 it had been noticed that only a third of the neutrinos arrive from the Sun
that the production of its radiation theoretically requires. There was therefore
reason to suspect that the origin of sunshine was not properly understood. The
other possibility was that something happens to the Sun's neutrinos on their
way to Earth. In the summer of 2001 Canadian physicists announced they had
observed that the Sun's electron neutrinos change into other neutrinos that are
harder to detect. That is why fewer electron neutrinos were registered than
expected. A mystery of more than 30 years was solved. According to Kayser, the
evidence accumulated for the oscillation of solar neutrinos is strong, and the
seminar's four other speakers agree. The discovery is so significant that...
Author: John DeStefano
Date: Jun 18, 2008 12:40
I recently had to upgrade my version of OpenSSH from 4.7 to 5.0 on my
MacBook (Darwin). I installed the latest 'portable' tarball and
removed the system version:
$ ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.7l 28 Sep 2006
$ which ssh
/usr/bin/ssh
sshd is the same version, installed in /usr/sbin/sshd. Now, things are
a bit broken: I am able to ssh from another machine into my MacBook,
so the server (sshd) is working, but the outgoing client (ssh) hangs
indefinitely on connect. ssh-add also hangs on any operation. ssh-agent shows:
SSH_AUTH_SOCK=/tmp/ssh-35xNGanxBs/agent.2282; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2283; export SSH_AGENT_PID;
echo Agent pid 2283;