search for: auth_fail_msg

...ilures++ > AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); + loginfailed(authctxt->user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); }

...get_remote_port(), user); -#ifdef HAVE_LIBPAM - do_pam_account_and_session(pw->pw_name, client_user); +#ifndef HAVE_LIBPAM + if (authenticated) + return; - /* Clean up */ - if (client_user != NULL) - xfree(client_user); + if (attempt > AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); +#else /* HAVE_LIBPAM */ + if (authenticated) { + do_pam_account_and_session(pw->pw_name, client_user); - if (password != NULL) { - memset(password, 0, strlen(password)); - xfree(password); - } -#endif /* HAVE_LIBPAM */ + /* Clean up */ + if (client_user != NULL)...

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of

...} - if (client_user != NULL) + if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); This should close this bug and #54894 (which I don't believe would have posed security problems), and with a bit of luck might yield more clues to #51306 as well. HTH, -- Colin Watson [cjw44 at cam.ac.uk] --[[text/plain]]

...fix is probably needed for the pam code, btw) --- sshd.c~ Tue Jan 25 16:07:22 2000 +++ sshd.c Sun Mar 5 22:14:40 2000 @@ -1525,7 +1525,10 @@ } if (client_user != NULL) + { xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

...t;Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -271,6 +282,10 @@ #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#ifdef _CRAY + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _CRAY */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAU...

...= RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.112 diff -u -r1.112 auth2.c --- auth2.c 24 Feb 2003 00:59:27 -0000 1.112 +++ auth2.c 25 Feb 2003 09:45:10 -0000 @@ -241,10 +241,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); Index: sshlogin.c =====...

...HEIMDAL */ #endif /* KRB5 */ Index: auth.h =================================================================== RCS file: /cvs/openssh/auth.h,v retrieving revision 1.67 diff -u -r1.67 auth.h --- auth.h 16 Jun 2005 03:18:35 -0000 1.67 +++ auth.h 6 Jul 2005 10:31:51 -0000 @@ -191,4 +191,9 @@ #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #define SKEY_PROMPT "\nS/Key Password: " + +#if defined(KRB5) && !defined(HEIMDAL) +#include <krb5.h> +krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); +#endif #endif Index: gss-serv-krb5.c ============...

...= RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.112 diff -u -r1.112 auth2.c --- auth2.c 24 Feb 2003 00:59:27 -0000 1.112 +++ auth2.c 25 Feb 2003 09:45:10 -0000 @@ -241,10 +241,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); Index: sshlogin.c =====...

...is needed. */ @@ -408,8 +406,12 @@ client_user = NULL; } - if (attempt > AUTH_FAIL_MAX) + if (attempt > AUTH_FAIL_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); @@ -430,7 +432,7 @@ unsigned int ulen; char *user; #ifdef WITH_AIXAUTHENTICATE - char *loginmsg; + extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */...

Hi, I would like to report a bug in OpenSSH-1.2.2 (release) under Linux. Under certain conditions the sshd client process segfaults while doing the password authentification. I have observed the behaviour with glibc 2.0.7 (non-PAM), glibc 2.1.1 (PAM) and glibc 2.1.2 (PAM), when 'RhostsRSAAuthentication yes' is chosen in sshd_config. It appears to happen regardless whether PAM is used or

...= RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.111 diff -u -r1.111 auth2.c --- auth2.c 26 Sep 2002 00:38:49 -0000 1.111 +++ auth2.c 27 Jan 2003 11:38:03 -0000 @@ -242,10 +242,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); Index: sshlogin.c =====...

...UTH_REQUEST, &dispatch_protocol_ignore); - packet_start(SSH2_MSG_USERAUTH_SUCCESS); - packet_send(); - packet_write_wait(); - /* now we can break out */ - authctxt->success = 1; - } else { + if (!authenticated) { if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } @@ -252,6 +243,32 @@ userauth_finish(Authctxt *authctxt, int packet_send(); packet_write_wait(); xfree(methods); + } else if (!options.challenge_response_authentication_first) { + /* Success. turn off userauth */ + dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &d...

...08:59:39 2000 +++ openssh-2.3.0p1/auth.h Thu Nov 30 10:32:54 2000 @@ -45,8 +45,8 @@ int allowed_user(struct passwd * pw); struct passwd * auth_get_user(void); -#define AUTH_FAIL_MAX 6 -#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) +#define AUTH_FAIL_MAX 5 +#define AUTH_FAIL_LOG AUTH_FAIL_MAX #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #endif diff -ru openssh-2.3.0p1.orig/auth2.c openssh-2.3.0p1/auth2.c --- openssh-2.3.0p1.orig/auth2.c Thu Nov 30 08:59:39 2000 +++ openssh-2.3.0p1/auth2.c Thu Nov 30 10:37:56 2000 @@ -189,21 +189,14 @@ char *user, *service, *method; int...

...@ if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); - if (authctxt->attempt++ >= AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); + if (authctxt->failures >= AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp);

sorry, Darren. Long over due comments. [..] >+/* Record a failed login attempt. */ >+void >+record_failed_login(const char *user, const char *host, const char *ttyname) >+{ >+#ifdef WITH_AIXAUTHENTICATE >+ loginfailed(user, host, ttyname); >+#endif >+#ifdef _UNICOS >+ cray_login_failure((char *)user, IA_UDBERR); >+#endif /* _UNICOS */ >+} I like the

...;pw_name, client_user)) { ! if (client_user != NULL) xfree(client_user); do_fake_authloop(pw->pw_name); } #endif /* USE_PAM */ return; ! } ! if (client_user != NULL) xfree(client_user); if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); packet_write_wait(); } } /* --- 1422,1463 ---- #ifdef USE_PAM if (!do_pam_account(pw->pw_name, client_user)) { ! i...

OpenBSD tree is heading into a lock and this includes OpenSSH. So we are winding up for a 3.5 release. If we can get people to test the current snapshots and report any problems that would improve the odds that your platform won't be broke for 3.5. Issues I know off of right now. 1. I can't test NeXT. So I TRULY need someone in that community to test for me. Last I heard there was

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the