Interesting...
Do you have lsof available on the hosts where you can't get X
forwarding? lsof -i should tell you all the processes with ports open,
so you can verify if there is some process hogging all 999 ports...
If not, some versions of netstat can also show you the PID of the
process that has
Probably the most robust thing would be to use file-system ACLs to
restrict users to the desired actions.
They could always try a "get" command, but it would fail if they tried
to download a file to which they lacked read permissions.
That would also have the advantage of working regardless of wh
No, don't use xhost +
The entire point of using ssh for X11 forwarding is that the ssh
connection comes from a local process - you don't have to accept
outside X11 connections.
xhost + is used specifically for accepting X11 connections that
_don't_ come from a local process (e.g. not over your SSH
On 8/29/06, Christ, Bryan wrote:
All,
Please pardon my naivete.
I was looking at the diagram on the URL listed below and contemplating
how host fingerprinting prevents MITM attacks.
http://www.vandyke.com/solutions/ssh_overview/ssh_overview_threats.html
So my question is this... Given the ill
I would like to write a program that could decrypt ssh communication
by using the private key of the server computer. This should be
possible, right?
I don't believe that is the case. SSH uses its private key only to
certify its identity to the client. So knowing the private key lets
you do a
I have a feeling that might not be very robust if you're allowing sftp
or scp to anywhere a user normally has access to - a user could then
download their own authorized_keys file, edit it to give themselves
shell access, and then upload it.
Another option might be to use the Match option in Open
You're quite right. Netcat is included in most unices (to get full
bidirectional port forwarding, you would actually need two shell
commands & a pipeline). Socat is quite a bit more versatile, and
would do the forward in a single command. I think it's available by
default in some unices, and sh
It can also be set per socket with setsockopt(2).
How to do something similar in an ssh subsystem, I'm afraid I don't know.
Regards
Mark
On 1/15/07, olaf weiser wrote:
Hello to all,
As far as I know, this is a system-wide parameter. You could set this
per interface or for all connections
On 13 Mar 2007 00:41:45 +0100, Thomas Hafner wrote:
Hello,
having an option like
ControlPath ~/.ssh/control/[EMAIL PROTECTED]:%p
is probably not a good idea if the user's home directory is shared by
different machines (name collision for similar outgoing SSH
connections). Something like that