OpenSSH Patches

Patch to fix hang-on-exit bug in OpenSSH-4.3p2

Here is a simple patch (based on Markus Friedl's suggestion) to OpenSSH to fix the hang-on-exit bug (Protocol 2 only). No data loss occurs with this patch: it does not break ssh or scp.

Patch to add user-dependent IdentityFile to OpenSSH-4.3p2

Here is a patch (BSD version) to allow private key files to be placed system wide (for all users) in a secure (non-NFS) mounted location on systems where home directories are NFS mounted. This addresses an important security hole on systems where home directories are NFS mounted, particularly if there are users who use blank passphrases (or when lpd is tunneled through ssh on systems running lpd as user lp) instead of ssh-agent. IdentityFile now accepts the same %u, %h, %% options that AuthorizedKeysFile accepts (see man sshd). For example, one can specify a user-dependent IdentityFile in ssh_config:

IdentityFile /ssh/%u/id_rsa

This version of the IdentityFile patch modifies ssh-keygen to use the directory part of the first local host IdentityFile entry as the default key location (which may then be overridden). Users may move their key files to a secure filesystem with the command ssh-securekey. To move all key files system wide, the command ssh-securesys may be useful; this requires also ssh-securesys1.

Back to: http://www.math.ualberta.ca/imaging/snfs