so that there is no need to have commands such as /usr/bin/su in the
restricted environment. Access to the file system is restricted to
the newroot subtree and privileges are restricted to those of the
newuser account (which must be a known account in the unrestricted
environment).
updated to today's snapshot of OpenSSH.
Various updates from the latest ${CVS_DATE}, and requisite patch
changes, are the "big new thing". Nothing major has changed; the
biggest ones would be using atomicio() in a lot of places and a
fix for a SIGHUP not updating sshd(8)'s configuration until the
next connection.
This version includes sysmouse(4) support ( thanks to
Christian Weisgerber <naddy@mips.rhein-neckar.de> )
PR: 15323
Submitted by: Trevor Johnson <trevor@jpj.net>
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources. In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
So here we are, rate-limiting. The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
More work in this area is being done by alfred@FreeBSD.org and
markus@OpenBSD.org, at the very least. This is, essentially, a
stopgap solution; however, it is a properly implemented and documented
one, and has an easily modifiable framework.
reality, though. One file, cipher.c, calls cryptographic routines
from external libraries. This really cannot encumber OpenSSH in
any case, but I put RESTRICTED back since it would give people a
false hope of being able to install the OpenSSH package but
not the requisite, RESTRICTED (so nonexistant) openssl package.
Reasons:
1. It's not crypto.
2. It links with crypto.
a. That crypto is in the public domain.
b. Linking with crypto does not constitute cryptography.
3. Even if it were crypto, the description of the entire protocol, etc.,
is in the public domain. The RFC is PD in the USA, and the white paper
in Europe.
4. Precedence? Even if it were crypto, the Bernstein case has set
precedence for allowing export of that. But it's not even crypto.
server.
The submitter states that the author of this software has been unresponsive
for several months.
PR: 15199
Submitted by: Akinori MUSHA aka knu <knu@idaemons.org>