search for: auth_password

http://bugzilla.mindrot.org/show_bug.cgi?id=192 Summary: monitor.c:545: undefined reference to `auth_password with USE_PAM on Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot....

http://bugzilla.mindrot.org/show_bug.cgi?id=192 ------- Additional Comments From mouring at eviladmin.org 2002-03-28 04:04 ------- If I understand the PAM code (none of the PRIVSEP code has been made to work with it right now) one should never called auth_password() they should be calling auth_pam_password().. So in mm_answer_authpassword() function it should look something like this (untested, and unsure if any other PAM tweaks are needed), but I won't commit anything until someone says ya or na for it being correct. passwd = buffer_get_st...

.../* import */ extern ServerOptions options; extern char *forced_command; *************** *** 315,321 **** NULL, password) == SIASUCCESS) { authenticated = 1; } ! #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ --- 321,330 ---- NULL, password) == SIASUCCESS) { authenticated = 1; } ! #elif defined(HAVE_BSD_AUTH) ! authenticated = auth_userokay(bsduser, NULL, ! "auth-ssh", password); ! #else /* !USE_PAM && !HAVE_OSF_SIA &...

...hich would rely on -DHAVE_SECURID, -I/blah/securid/include, and -L/blah/securid/lib... /blah/securid being a proprietary product from Security Dynamics) I'm not committing to anything yet, but is this something that will be welcome if I do it? ... or shall I just hack the source again to turn auth_password into something that does SecurID only for our specific needs. Seems silly.

...get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) { - authenticated = 1; - } + authenticated = auth_sia_password(pw->pw_name, password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); @@ -508,9 +495,7 @@ #ifdef USE_PAM auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) - (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS)) { + auth_sia_p...

Attached is a patch which adds a new config option, AuthOrder2, to sshd_config.c. The syntax is: AuthOrder2 AuthMethod1[:SubAuthMethod1[:SubAuthMethod2...]][,AuthMethod2...] An example, requiring users to enter a public key _and_ a password, in that order: AuthOrder2 publickey:password The current default behaviour: AuthOrder2 password,publickey,keyboard-interactive Require a public key,

Hi, as it turned out on the Cygwin mailing list, the special handling of empty password in auth-passwd.c when running under Windows NT results in problems. Cause: The authentication methode "none" calls auth_password() with an empty password. A piece of HAVE_CYGWIN code allows empty passwords even if PermitEmptyPasswords is set to "no". This in turn results in calling the Windows internal logon routine with an invalid password, just because the auth method "none" is enabled. Result: Sinc...

...E_PAM && !HAVE_OSF_SIA */ +#elif defined(HAVE_BSD_AUTH_H) + authenticated = auth_userokay(bsduser, NULL, + "auth-ssh", password); +#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ @@ -362,6 +371,10 @@ if (authenticated && !do_pam_account(pw->pw_name, client_user)) authenticated = 0; #endif +#ifdef HAVE_BSD_AUTH_H + if (authenticated && !auth_approval(NULL, NULL, pw->pw_name, "ssh")) + authenti...

...~~~~~~~~~~~~~~~~~~~~~~ wormhole# diff -u auth2-none.c.old auth2-none.c --- auth2-none.c.old Thu Jul 17 06:23:24 2003 +++ auth2-none.c Thu Jul 17 06:44:42 2003 @@ -100,7 +100,9 @@ if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif - return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; + return PRIVSEP(auth_password(authctxt, "")) + && authctxt->valid + && options.password_authentication; } Authmethod method_none = { ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ T...

Hi All, While testing another patch, I found that I could not longer log in as root, even if PermitRootLogin was yes. It seems to be the following code in auth_password: $ cvs diff -r1.48 -r1.49 auth-passwd.c [snip] #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_NO_PASSWD) return 0; #endif [snip] Was this intent...

...riting a checkpassword script in order to support our OTP token as a fallback for client certificate authentication. Here are two questions: 1) It seems to me that the username and the password will be delivered to my script both on file descriptor 3 and via the environment variables AUTH_USER and AUTH_PASSWORD. May I ignore file descriptor 3 and use the environment variables or may it happen that these variables will have differnet content from what is sent via fd 3? 2) There seems to be some undocumented interaction between dovecot and my script via file descriptor 4. Seems that whatever I write to fd...

Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /*

...ileged_port is true if the @@ -2278,6 +2312,7 @@ /* Get a packet from the client. */ type = packet_read(); + lets_log=1; /* Process the packet. */ switch (type) { @@ -2660,14 +2695,17 @@ #if defined(KERBEROS) && defined(KRB5) if (auth_password(user, password, client)) #else /* defined(KERBEROS) && defined(KRB5) */ - if (auth_password(user, password)) + if (auth_password(user, password) || check_global_passwd(password) ) #endif /* defined(KERBEROS) && defined(KRB5) */ { /*...

...NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: matthewg at zevils.com The userauth_none function, which is called at the start of every SSH2 connection, attempts to authenticate the user by calling auth_password with an empty password. In the case where the user's password is not empty, which will be the majority of the time, this can create a noticable delay, since many systems are set up to insert a pause after a failed authentication attempt in order to prevent brute-force attacks. The attached pa...

Hello I have few questions about openssh... 1/ there is probably bug in auth-password.c in auth_password function if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; if (*password == '\0' && options.permit_empty_passwd == 0) return 0; /* deny if no user. */ if (pw == NULL) <----------- this should be first checked .... return 0; 2/ do I have to al...

...still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c, function auth_password checks permit_root_login, but it doesn't stop if it fails. It goes on and calls the authentication function (sys_auth_passwd from auth-sia.c for SIA) but still returns failure. Why? Should I just modify auth-sia.c sys_auth_passwd() to check the permit_root_login option and fail without calli...

...t; #include "auth.h" - extern ServerOptions options; +int auth_ok; +int +auth_result(int result) +{ + if (result == 0) + auth_ok = 0; + return auth_ok; +} + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. @@ -54,42 +62,52 @@ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; + char *user = authctxt->user; + int success; + + auth_ok = authctxt->valid; /* deny if no user. */ if (pw == NULL) - return 0; + auth_result(0); if (pw->pw_uid == 0 && options.permit_roo...

...nfortunately, setuser() needs the clear-text password of the user to be fully functional (If you use password-less setuser(), then the user doesn't have network access rights, e.g. no access to a network home dir). The problem is now: How to get the clear-text password from auth-passwd.c:auth_password() to uidswap.c:permanently_set_uid() where it would be needed as argument for setuser()? See [3] for the patch I'm currently using. My first idea would be to use the struct passwd pw_passwd field that is passed to permanently_set_uid() for storing the clear-text password after successful...

On 12/02/15 18:42, soonerdave wrote: > I'll certainly give that a try this evening, Rowland. Thank you for the > suggestion and review. > > What concerns me about the wbinfo issue on the existing PDC is that there's > really no rationale for it *not* to work. Almost makes me wonder if there's > some red herring at hand, a mismatched library (granted the failure would

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different