Displaying 16 results from an estimated 16 matches for "auth_root_allow".
2003 Nov 18
4
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
It works for the "yes" case but not for the "without-password" case.
The function that checks (auth_root_allowed(auth_method)) is special
cased for "password". The Pam case sends "keyboard-interactive/pam"
which like all other authentication methods except password succeeds.
Here is a patch to make it work for me. Please feel free to criticize
as appropriate.
bob
diff -r -u openssh-3.7...
2002 Jul 12
0
[Bug 325] PermitRootLogin forced-commands-only & privsep - not working together
...illa.mindrot.org/show_bug.cgi?id=325
------- Additional Comments From hlein at progressive-comp.com 2002-07-13 06:14 -------
Seeing this here too; it appears that when auth2.c:userauth_finish is called,
forced_command has been cleared (or perhaps, never set in that forked sshd) so
the call to auth_root_allowed(method) returns 0. The following patch makes
forced-command logins as root work again, but I doubt this is the right fix. In
fact the below may have serious problems; no warranties.
Looking at (but not testing) today's snapshot, this appears to still be a
problem. If so I'm surprised m...
2005 Jan 11
3
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
BugsThisDependsOn| |971
------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:25 -------
Patch attachment #766 in bug #971 should fix this.
2013 Jan 14
3
[Bug 2061] New: Request for PermitRootLogin to be enforced prior to credential check
...Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: vram at tradermail.info
Unless I am misreading the code, at present, when an attempt is made to
log in as "root", first the login attempt is authenticated. Only
afterwards is auth_root_allowed(...) called. Thus if someone wants to
try to login as root via ssh even when PermitRootLogin=no it is only
*after* they successfully use the correct password/key that the option
is enforced, and the "ROOT LOGIN REFUSED" log message is emitted.
Otherwise, it is logged like any other fai...
2003 Sep 22
4
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
...using PAM for logins
and who are unaware that root can still log in with a password.
Also, the following code in auth-password.c
#ifndef HAVE_CYGWIN
if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
    ok = 0;
#endif
seems to prevent the auth.c:auth_root_allowed() routine from ever being called,
meaning that the following log line in auth.c doesn't get called:
logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed()
gets run properly.
------- You are r...
2005 Jan 20
1
PermitRootLogin without-password functionality differs for UsePAM yes/no option
...the server functionality differs.
For " UsePAM yes ", the server allows authentication thru password,
meanwhile " UsePAM no " does not. I have fixed that problem and the
patch is given below.
---------------------------------------------------------------------
File: auth.c
In auth_root_allowed() function
+if ((strcmp(method, "password") != 0 ) && (strcmp(method,
"keyboard-interactive/pam") !=0))
+ return 1;
-if (strcmp(method, "password") != 0 )
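Review bot: The added condition in auth_root_allowed() compares against the exact string "keyboard-interactive/pam", so any other keyboard-interactive submethod name still takes the "return 1" path under without-password; please say whether that is intended or whether the test should cover the whole keyboard-interactive family. The patch is also hard to apply as posted: the "+" lines come before the "-" line, the string literal is wrapped across two lines, and no file offsets are given, so a "diff -u" against the release tree would be easier to review.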
---------------------------------------------------------------------
Please l...
2008 Feb 07
1
"PermitRootLogin no" fails
I'm running version 4.7p1 of OpenSSH on a Linux system (it was
originally a RedHat system, but I've changed almost everything.) When
I originally built OpenSSH I used the config option --without-pam, and
installed the software in /usr/local. I explicitly forbade root login
with sshd (by setting the PermitRootLogin to "no" in the sshd_config
file), but found that I could login as
2005 Apr 07
1
PermitRootLogin and Tru64 SIA
...l without calling the SIA functions?
Here's a patch that does that:
diff -urN openssh-dist/auth-sia.c openssh/auth-sia.c
--- openssh-dist/auth-sia.c Thu Mar 4 05:59:37 2004
+++ openssh/auth-sia.c Thu Apr 7 07:52:13 2005
@@ -53,6 +53,9 @@
SIAENTITY *ent = NULL;
const char *host;
+ if (! auth_root_allowed ("password"))
+ return (0);
+
host = get_canonical_hostname(options.use_dns);
if (!authctxt->user || pass == NULL || pass[0] == '\0')
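Review bot: The added call "if (! auth_root_allowed ("password"))" at the top of the function is not guarded by any check that the target account is root, and it runs before the existing "!authctxt->user" test. Unless auth_root_allowed() itself tests the uid, this returns 0 for every user's password attempt whenever root password logins are restricted; the other callers quoted on this page test pw_uid == 0 first. Suggest moving the call below the NULL checks and making it conditional on the looked-up user having uid 0.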
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybo...
2015 Sep 02
3
[Bug 2456] New: gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456
Bug ID: 2456
Summary: gssapi-keyex blocked by
PermitRootLogin=without-password
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sshd
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
...TH_PASSWORD,pw->pw_uid)) {
- packet_disconnect("Authentication rejected for uid %d.",
- (int)pw->pw_uid);
- authenticated = 0;
- }
-#else
+#ifndef HAVE_CYGWIN
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(get_authname(type)))
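Review bot: With the "#else" replaced by "#ifndef HAVE_CYGWIN", a Cygwin build no longer runs any check at this point: the removed branch that called packet_disconnect("Authentication rejected for uid %d.") is gone and the root special-case is still compiled out. The commit message should state where the equivalent check now happens on Cygwin, or why it is no longer needed, so the removal can be reviewed as a security-neutral change.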
Index: auth2.c
===================================================================
RCS file: /cvs/openssh_cvs/auth2.c,v
retrieving revision 1.59
diff -u -p -r1.59 auth2.c
--- auth2.c 2001/04/25 12:44:15 1.59
+++ auth2.c 2001/05/23 09:40:49
@@ -354,10 +354,6 @@ userauth_none(A...
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
Hi,
SSH brute force attacks seem to enjoy increasing popularity. Call me an
optimist or a misrouted kind of contributor to the community, but on our
company server I actually go through the logs and report extreme cases
to the providers of the originating IP's. With the increasing number of
these attacks, however, I have now decided that it's better to move the
SSHd to a different
2003 Jan 29
0
[PATCH] features for restricted shell environments
...else
+ return 0;
+}
/*
* Given a template and a passwd structure, build a filename
--- auth.h 28 Jan 2003 18:06:51 -0000 1.1.1.2
+++ auth.h 29 Jan 2003 20:39:19 -0000 1.3
@@ -142,6 +143,7 @@
void auth_log(Authctxt *, int, char *, char *);
void userauth_finish(Authctxt *, int, char *);
int auth_root_allowed(char *);
+int auth_restricted(int, struct passwd *);
char *auth2_read_banner(void);
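Review bot: The new prototype "int auth_restricted(int, struct passwd *);" in auth.h has unnamed parameters and no comment, so a caller cannot tell what the int argument selects or whether a non-zero return means "restricted" or "allowed". Since this is an authorization decision, please name the parameters and document the return convention next to the declaration.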
--- channels.c 28 Jan 2003 18:06:51 -0000 1.1.1.2
+++ channels.c 28 Jan 2003 19:06:35 -0000 1.4
@@ -96,6 +98,10 @@
/* Number of permitted host/port pairs in the array. */
static int num_permitted_opens =...
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi,
sorry if it is the wrong approach to suggest improvements to OpenSSH,
but here comes my suggestion:
I recently stumbled upon the scponly shell which in its chroot:ed form is
an ideal solution when you want to share some files with people you trust
more or less.
The problem is, if you use the scponlyc as shell, port forwarding is still
allowed. This can of course be disallowed in
2001 Nov 06
13
OpenSSH 3.0
OpenSSH 3.0 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.
This release contains many portability bug-fixes (listed in the
ChangeLog) as well as several new features (listed below).
We would like to thank the
2002 Jul 17
13
Testing Call
Ok.. I'm starting official testing calls early this release. I'd like to
have more feedback and more time for handling fixes.
If people could test snapshots (http://www.openssh.org/portable.html, pick
your favorite mirror and select snapshots directory) and report failures
it would be useful.
For those with pmake install there is regress/ which you can try out. It
may help any platform
2001 Nov 20
3
problem with AFS token forwarding
Hello,
I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
concerning the AFS token forwarding. That means that the new versions are
not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this
problem already existed in Openssh 2.9.9p1, but I have never used this
version (I only looked at the