Huie-Ying's page: Huie-Ying Lee's Weblog

Recently, I resync'ed the Match conditional block option from OpenSSH to SunSSH. This feature was integrated to Solaris Nevada build 129 last week and it will be available in the next OpenSolaris release.

The Match conditional block option enables users to configure SSH daemon options based on user, group, hostname, or address. It is documented in the sshd_config(4) man page, starting from Solaris Nevada build 129.

Note that there is no limitation on the number of match blocks specified in the sshd_config file; however, all the Match blocks must be placed at the end of the sshd_config file, after all the global settings.

Also note that, only a subset of keywords can be used in a Match block. These keywords are:

• AllowTcpForwarding
•  Banner
• ChrootDirectory
• GatewayPorts
• GSSAPIAuthentication
• HostbasedAuthentication
• PasswordAuthentication
• PermitEmptyPasswords
• PermitRootLogin
• PubkeyAuthentication
• RhostsRSAAuthentication
• RSAAuthentication
• X11DisplayOffset
• X11Forwarding
  
• X11UseLocalhost

Some usage examples:
         Example 1: Disallow user "testuser" to use TCP forwarding
         Match User testuser
                 AllowTcpForwarding no

         Example 2: Display a special banner for users not in the "staff" group
         Match Group *,!staff
                Banner /etc/banner.text

         Example 3: Allow root login from host "rootallowed.example.com"
         Match Host rootallowed.example.com
                PermitRootLogin yes

         Example 4: Allow anyone to use GatewayPorts from the local net
         Match Address 192.168.0.0/24
                 GatewayPorts yes

The pyOpenSSL package for Python 2.6 support is publicly available on OpenSolaris starting from Nevada build 114. As of today, OpenSolaris supports 2 versions of PyOpenSSL:

• SUNWpython26-pyopenssl: for PYTHON 2.6
• SUNWpython-pyopenssl: for PYTHON 2.4

Both 2.4 and 2.6 versions of pyOpenSSL use the same source, so they provide the same interface to the functions in the OpenSSL library.

I just integrated an enhancement for the ssh/sftp command into the Solaris Nevada build 110.

6480741 command line editing is desired for sftp(1)

This enhancement provides the interactive command line editing facilities to the sftp command, for examples, command history and better move on the command line itself. To implement this feature, I used the tecla library. The default TAB key bindings of tecla was disabled, because its completion behavior is not suitable for sftp.

Last Thursday, I integrated the pyOpenSSL package for Python2.4 to Solaris Nevad a build106. This means that the pyOpenSSL package (SUNWpython-pyopenssl) will b e publicly available on OpenSolaris, starting from build 106.

PyOpenSSL provides a high-level interface to the functions in the OpenSSL librar y and it includes the following three modules:

• crypto - Generic cryptographic module.
• rand - An interface to the OpenSSL pseudo randon number generator.
• SSL - An interface to the SSL-specific parts of OpenSSL.

The original source is provided by http://pyopenssl.sourceforge.net and the late st version is 0.8.

Important files include:

• Moudules - are located /usr/lib/python2.4/vendor-packages/OpenSSL.
• The user manual - is located at /usr/share/doc/pyOpenSSL.
• The sample/test scripts - are located at /usr/lib/python2.4/vendor-packages/OpenSSL/test.

Finally, I am joining the crowd and start blogging in this Friday evening. I think I am pretty Cool now. 8-)

My name is Huie-Ying Lee from Solaris Security Technologies group at Sun. For the past 5+ years, I have worked on many interesting security projects. I would like to talk more about these projects in the future, especially for those that I figured out their solutions in my dreams. |-)

In my spare time, I like to watch movies. Guess what, I have seen the "Star Wars: Episode III" twice already and I plan to see it again. It is sheerly a hauntly beautiful and powerful piece, isn't it ?