search for: auth_root_allowed

Displaying 16 results from an estimated 16 matches for "auth_root_allowed".

2003 Nov 18
4
3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords
It works for the "yes" case but not for the "without-password" case. The function that checks (auth_root_allowed(auth_method)) is special cased for "password". The PAM case sends "keyboard-interactive/pam" which like all other authentication methods except password succeeds. Here is a patch to make it work for me. Please feel free to criticize as appropriate. bob diff -r -u openssh-3.7.1...
2002 Jul 12
0
[Bug 325] PermitRootLogin forced-commands-only & privsep - not working together
...illa.mindrot.org/show_bug.cgi?id=325 ------- Additional Comments From hlein at progressive-comp.com 2002-07-13 06:14 ------- Seeing this here too; it appears that when auth2.c:userauth_finish is called, forced_command has been cleared (or perhaps, never set in that forked sshd) so the call to auth_root_allowed(method) returns 0. The following patch makes forced-command logins as root work again, but I doubt this is the right fix. In fact the below may have serious problems; no warranties. Looking at (but not testing) today's snapshot, this appears to still be a problem. If so I'm surprised mor...
2005 Jan 11
3
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- BugsThisDependsOn| |971 ------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:25 ------- Patch attachment #766 in bug #971 should fix this.
2013 Jan 14
3
[Bug 2061] New: Request for PermitRootLogin to be enforced prior to credential check
...Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: vram at tradermail.info Unless I am misreading the code, at present, when an attempt is made to log in as "root", first the login attempt is authenticated. Only afterwards is auth_root_allowed(...) called. Thus if someone wants to try to login as root via ssh even when PermitRootLogin=no it is only *after* they successfully use the correct password/key that the option is enforced, and the "ROOT LOGIN REFUSED" log message is emitted. Otherwise, it is logged like any other faile...
2003 Sep 22
4
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
...using PAM for logins and who are unaware that root can still log in with a password. Also, the following code in auth-password.c #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif seems to prevent the auth.c:auth_root_allowed() routine from ever being called, meaning that the following log line in auth.c doesn't get called: logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); When the code in auth-passwd.c is commented out, auth.c:auth_root_allowed() gets run properly. ------- You are rec...
2005 Jan 20
1
PermitRootLogin without-password functionality differs for UsePAM yes/no option
...the server functionality differs. For " UsePAM yes ", the server allows authentication thru password, meanwhile " UsePAM no " does not. I have fixed that problem and the patch is given below. --------------------------------------------------------------------- File: auth.c In auth_root_allowed() function +if ((strcmp(method, "password") != 0 ) && (strcmp(method, "keyboard-interactive/pam") !=0)) + return 1; -if (strcmp(method, "password") != 0 ) --------------------------------------------------------------------- Please let...
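Review bot: The added condition in auth_root_allowed() matches the exact string "keyboard-interactive/pam", so only that one method name is treated like "password"; every other method string, including any other keyboard-interactive variant, still reaches "return 1". If the intent is that without-password refuses every password-style method, compare on the "keyboard-interactive" prefix, or list the methods that are permitted instead of the ones that are refused. As posted, the removed line follows the added lines and there is no file header or @@ context, so a unified diff against auth.c would be easier to apply and review.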
2008 Feb 07
1
"PermitRootLogin no" fails
I'm running version 4.7p1 of OpenSSH on a Linux system (it was originally a RedHat system, but I've changed almost everything.) When I originally built OpenSSH I used the config option --without-pam, and installed the software in /usr/local. I explicitly forbade root login with sshd (by setting the PermitRootLogin to "no" in the sshd_config file), but found that I could login as
2005 Apr 07
1
PermitRootLogin and Tru64 SIA
...l without calling the SIA functions? Here's a patch that does that: diff -urN openssh-dist/auth-sia.c openssh/auth-sia.c --- openssh-dist/auth-sia.c Thu Mar 4 05:59:37 2004 +++ openssh/auth-sia.c Thu Apr 7 07:52:13 2005 @@ -53,6 +53,9 @@ SIAENTITY *ent = NULL; const char *host; + if (! auth_root_allowed ("password")) + return (0); + host = get_canonical_hostname(options.use_dns); if (!authctxt->user || pass == NULL || pass[0] == '\0') -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody...
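Review bot: The added auth_root_allowed ("password") call at the top of the function is not guarded by any test that the account being authenticated is root. Nothing in this hunk looks at the uid, so unless auth_root_allowed() checks it internally, a restrictive PermitRootLogin setting would make this function return 0 for every user, not just root. Suggest guarding the call with a pw_uid == 0 test, as in the "authctxt->pw->pw_uid == 0 && !auth_root_allowed(...)" form used elsewhere in the tree, and moving it below the "!authctxt->user" validation so the context is known to be populated first. Style: "! auth_root_allowed (" has stray spaces compared with the surrounding code.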
2015 Sep 02
3
[Bug 2456] New: gssapi-keyex blocked by PermitRootLogin=without-password
https://bugzilla.mindrot.org/show_bug.cgi?id=2456 Bug ID: 2456 Summary: gssapi-keyex blocked by PermitRootLogin=without-password Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: sshd
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
...TH_PASSWORD,pw->pw_uid)) { - packet_disconnect("Authentication rejected for uid %d.", - (int)pw->pw_uid); - authenticated = 0; - } -#else +#ifndef HAVE_CYGWIN /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) Index: auth2.c =================================================================== RCS file: /cvs/openssh_cvs/auth2.c,v retrieving revision 1.59 diff -u -p -r1.59 auth2.c --- auth2.c 2001/04/25 12:44:15 1.59 +++ auth2.c 2001/05/23 09:40:49 @@ -354,10 +354,6 @@ userauth_none(Aut...
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributor to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different
2003 Jan 29
0
[PATCH] features for restricted shell environments
...else + return 0; +} /* * Given a template and a passwd structure, build a filename --- auth.h 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ auth.h 29 Jan 2003 20:39:19 -0000 1.3 @@ -142,6 +143,7 @@ void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); int auth_root_allowed(char *); +int auth_restricted(int, struct passwd *); char *auth2_read_banner(void); --- channels.c 28 Jan 2003 18:06:51 -0000 1.1.1.2 +++ channels.c 28 Jan 2003 19:06:35 -0000 1.4 @@ -96,6 +98,10 @@ /* Number of permitted host/port pairs in the array. */ static int num_permitted_opens = 0;...
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi, sorry if it is the wrong approach to suggest improvements to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in its chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be disallowed in
2001 Nov 06
13
OpenSSH 3.0
OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the
2002 Jul 17
13
Testing Call
Ok.. I'm starting official testing calls early this release. I'd like to have more feedback and more time for handling fixes. If people could test snapshots (http://www.openssh.org/portable.html, pick your favorite mirror and select snapshots directory) and report failures it would be useful. For those with pmake install there is regress/ which you can try out. It may help any platform
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the