
Displaying 20 results from an estimated 343 matches for "authctxt".

2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
...files ./auth-krb5.c ./auth.h ./session.c * file diffs --- orig/auth-krb5.c +++ mod/auth-krb5.c @@ -199,6 +199,25 @@ return (1); } +/* + * Mainly useful with GSSAPI Kerberos 5 forwarded credentials. + * Called after we have setuid to the user. + */ +void +session_krb5_use_ccache(Authctxt *authctxt) +{ + char *ccname; + debug("session_krb5_use_ccache called"); + if (authctxt->krb5_fwd_ccache) + return; + ccname = getenv("KRB5CCNAME"); + if (!ccname) + return; + debug("using ccname=%.100s", ccname); + if (krb5_init(authctxt)) + return; + krb5_cc_re...
2006 Sep 18
1
BSD Auth: set child environment variables requested by login script [PATCH]
...ot;); + if (namelen + 1 > sizeof(name)) + continue; + snprintf(name, namelen + 1, "%s", environ[i]); + value = environ[i] + namelen + 1; + if (strncmp(name, "X_BSD_AUTH", 10) == 0) + child_set_env(envp, envsizep, name, value); + } +} static void * bsdauth_init_ctx(Authctxt *authctxt) Index: usr.bin/ssh/auth.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth.h,v retrieving revision 1.58 diff -u -r1.58 auth.h --- usr.bin/ssh/auth.h 18 Aug 2006 09:15:20 -0000 1.58 +++ usr.bin/ssh/auth.h 18 Sep 2006 09:32:23 -0000 @@...
2003 Aug 08
1
Help request: merging OpenBSD Kerberos change into Portable.
...nclude "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -208,6 +208,7 @@ int auth_krb5_password(Authctxt *authctxt, const char *password) { krb5_error_code problem; + krb5_ccache ccache = NULL; if (authctxt->pw == NULL) return (0); @@ -223,30 +224,46 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; - problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_o...
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
...anks, Corinna Index: auth1.c =================================================================== RCS file: /cvs/openssh_cvs/auth1.c,v retrieving revision 1.46 diff -u -p -r1.46 auth1.c --- auth1.c 6 Dec 2001 17:55:26 -0000 1.46 +++ auth1.c 18 Dec 2001 19:07:12 -0000 @@ -313,9 +313,9 @@ do_authloop(Authctxt *authctxt) #ifdef HAVE_CYGWIN if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { + !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { packet_disconnect("Authentication rejected for uid %d.", - (int)pw->pw_uid); + pw...
2001 Nov 08
2
logging of root logins
...inction in the logs. Currently ssh only logs > that a ROOT user has logged in, not which one. hm, i don't think uid sharing is a standard unix feature. however, i think that we should drop this: authlog("%s %s for %s%.100s from %.200s port %d%s", authmsg, method, authctxt->valid ? "" : "illegal user ", authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user, get_remote_ipaddr(), get_remote_port(), info); and not print ROOT in caps: authlog("%s %s for %s%.100s from %.200s...
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...clear_options(); diff -ru openssh-3.1p1/auth.h openssh-3.1p1-mods/auth.h - --- openssh-3.1p1/auth.h Thu May 9 12:18:26 2002 +++ openssh-3.1p1-mods/auth.h Thu May 9 12:19:54 2002 @@ -94,7 +94,7 @@ int auth_rhosts_rsa(struct passwd *, const char *, Key *); int auth_password(Authctxt *, const char *); - -int auth_rsa(struct passwd *, BIGNUM *); +int auth_rsa(struct passwd *, BIGNUM *, char *realname, int realnamesize); int auth_rsa_challenge_dialog(RSA *); #ifdef KRB4 diff -ru openssh-3.1p1/auth1.c openssh-3.1p1-mods/auth1.c - --- openssh-3.1p1/auth1.c...
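Review bot: The new `auth_rsa` prototype in auth.h takes the buffer length as `int realnamesize`, so a negative or truncated length can be handed to whatever fills `realname`. `size_t` is the conventional type for a buffer bound, e.g. `int auth_rsa(struct passwd *, BIGNUM *, char *realname, size_t realnamesize);`. The header should also carry a short comment saying whether `realname` is an output buffer and whether it is always NUL-terminated on return, since the neighbouring prototypes are unnamed and give callers nothing else to go on. The matching definition and the auth1.c call site are cut off in this snippet, so how the length is used is inferred from the parameter names only.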
2001 Jun 03
1
OPIE support patch
...:59:27 2001 +++ openssh-2.5.2p2/auth-chall.c Sun Jun 3 18:34:43 2001 @@ -67,7 +67,7 @@ debug("verify_response: <%s> = <%d>", response, authok); return authok != 0; } -#else +#else /* BSD_AUTH */ #ifdef SKEY #include <skey.h> @@ -88,6 +88,25 @@ skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); } +#else /* SKEY */ +#ifdef OPIE +#include <opie.h> + +char * +get_challenge(Authctxt *authctxt, char *devs) +{ + static char challenge[OPIE_CHALLENGE_MAX+64]; + if (opiechallenge(&aut...
2002 Jul 31
2
privsep+kerb5+ssh1
...to me, but i don't to K5. i'd like to see this in the next release. thx -m -------------- next part -------------- --- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002 @@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) +auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply) { krb5_error_code problem; krb5_principal server; - krb5_data reply; krb5_ticket *ticket; int fd, ret; ret = 0; server = NULL; ticket = NULL; - reply.length =...
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
...d in the following patch. Index: auth1.c =================================================================== RCS file: /cvs/openssh_cvs/auth1.c,v retrieving revision 1.40 diff -u -p -r1.40 auth1.c --- auth1.c 2001/03/24 00:37:59 1.40 +++ auth1.c 2001/05/23 09:40:49 @@ -313,14 +313,7 @@ do_authloop(Authctxt *authctxt) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); -#ifdef HAVE_CYGWIN - if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { - packet_disconnect("Authentication rejected for uid %d.&qu...
2000 Nov 24
2
Getting the authctxt
My port forwarding changes require an authorization (authentication) context in channel_connect_to(). I'd like to change the dispatch_* functions so that they accept an Authctxt * instead of a void * (this parameter is already used this way). In addition, I'd have to pass the authctxt all the way down to channel_connect_to(). As a side effect, it's possible to get rid of the global variable x_authctxt (which seems to be sort of a hack), because it's easy to p...
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
...learned that it's just a few lines of additional code. I've run this against release 3-9.p1 of OpenSSH. In short, here's what I did: - added a new command line flag "-T" for trap to trigger the internal "trap_mode" flag - added a "trap" flag to the "authctxt" type that is set according to "trap_mode" when a new context is created - extended the conditionals in auth1.c etc. to circumvent "authenticated"=1 when "authctxt->trap==1", even if the authentication itself was successful. Little effort for a trap that'...
2001 May 02
2
2.9p1?? core dump in auth_log
auth.c:auth_log contains the following code: authlog("%s %s for %s%.100s from %.200s port %d%s", authmsg, method, authctxt->valid ? "" : "illegal user ", ---> authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user, get_remote_ipaddr(), get_remote_port(), info); If authctxt->user is null, this will dum...
2003 Oct 28
2
Privilege separation
...-3.7.1p2/auth.h --- openssh-3.7.1p2.privsep/auth.h Wed Sep 3 06:11:30 2003 +++ openssh-3.7.1p2/auth.h Sat Oct 4 22:49:24 2003 @@ -133,7 +133,9 @@ char *auth2_read_banner(void); +#ifndef DISABLE_PRIVSEP void privsep_challenge_enable(void); +#endif /* DISABLE_PRIVSEP */ int auth2_challenge(Authctxt *, char *); void auth2_challenge_stop(Authctxt *); diff -adurN openssh-3.7.1p2.privsep/auth1.c openssh-3.7.1p2/auth1.c --- openssh-3.7.1p2.privsep/auth1.c Wed Sep 3 01:32:46 2003 +++ openssh-3.7.1p2/auth1.c Sat Oct 4 23:08:43 2003 @@ -304,8 +304,12 @@ authctxt->pw = fakepw(); } +#ifnde...
2001 Feb 16
1
OpenSSH 2.3.0p1 port to BSDI BSD/OS
...+ char *p; + if ((p = strchr(user, ':')) != NULL) + *p = '\0'; + pw = getpwnam(user); + if (p != NULL) + *p = ':'; + } +#else pw = getpwnam(user); +#endif if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { authctxt->pw = pwcopy(pw); authctxt->valid = 1; @@ -254,6 +271,10 @@ if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL)) authenticated = 0; #endif /* USE_PAM */ +#ifdef HAVE_BSD_AUTH_H + if (authenticated && authctxt->user &&...
2015 Jun 02
3
OpenSSH Linux portable patch proposal
Dear OpenSSH Developers, I would like to propose a patch to OpenSSH for Linux. In the recent few months, I have encountered a scenario where a PAM module used for authentication in SSH should be informed about the previous successful authentication methods. I described the complete scenario here:
2000 Nov 30
1
Problem and Patch: Multiple keys in ssh.com V2 agent
...I recently discovered a problem with ssh.com's ssh-agent2 and OpenSSH: If I have more than one key in my agent, then the agent tries to authenticate me with every one of them at the OpenSSH server; but none of them is a valid key for that server. The problem is that the server increments authctxt->attempt on each of those tries. So even if you want to log in with a password at that server, you have to disable the agent first in order to get that chance. If the agent is running, you run out of tries _before_ you are able to enter a password. I have patched a little at auth2.c and auth.h [...
2018 Feb 23
2
Attempts to connect to Axway SFTP server result in publickey auth loopin
...nect2.c @@ -246,6 +246,7 @@ typedef struct cauthmethod Authmethod; typedef struct identity Identity; typedef struct idlist Idlist; +#define IDENTITY_SUCCESSFUL 0x1000 struct identity { TAILQ_ENTRY(identity) next; int agent_fd; /* >=0 if agent supports key */ @@ -268,6 +269,7 @@ struct cauthctxt { int attempt; /* pubkey */ struct idlist keys; + struct identity *sent_signed_id; int agent_fd; /* hostbased */ Sensitive *sensitive; @@ -562,6 +564,11 @@ input_userauth_failure(int type, u_int32_t seq, struct ssh *ssh) if (partial != 0) { verbose("Authenticated with partia...
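Review bot: `struct identity *sent_signed_id;` is added to `struct cauthctxt` without a comment, and it appears to be a second, non-owning pointer to an entry that also lives in `keys`. If that is the case, it has to be reset to NULL wherever the identity list is freed or rebuilt, otherwise a later pass through `input_userauth_failure` could dereference a stale pointer. A comment such as `/* borrowed from keys, not freed here; NULL if no signed request pending */` would make that contract explicit. `IDENTITY_SUCCESSFUL 0x1000` likewise needs a note naming the field it is stored in, because the struct's flag field is not visible in this hunk and a collision with existing bit values cannot be ruled out from here.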
2003 Aug 09
0
Timing attacks and owl-always-auth
...quot;auth.h" - extern ServerOptions options; +int auth_ok; +int +auth_result(int result) +{ + if (result == 0) + auth_ok = 0; + return auth_ok; +} + /* * Tries to authenticate the user using password. Returns true if * authentication succeeds. @@ -54,42 +62,52 @@ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; + char *user = authctxt->user; + int success; + + auth_ok = authctxt->valid; /* deny if no user. */ if (pw == NULL) - return 0; + auth_result(0); if (pw->pw_uid == 0 && options.permit_root_login !...
2005 Apr 13
3
Authctxt
Hello! I have been reading through the OpenSSH 4.0p code. There exist two globals called "Authctxt". One is defined in sshconnect2.c (type 1) and the other in auth.h (type 2). Both are structs with different members. Nevertheless, they are used seemingly interchangeably, e.g.: In line 302 of sshconnect2.c the function "userauth_none" is called: userauth_none(&authctxt); The...
2003 Aug 10
9
updated gssapi diff
...void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); +static void input_gssapi_errtok(int, u_int32_t, void *); + +/* + * We only support those mechanisms that we know about (ie ones that we know + * how to check local user kuserok and the like + */ +static int +userauth_gssapi(Authctxt *authctxt) +{ + gss_OID_desc oid = {0, NULL}; + Gssctxt *ctxt = NULL; + int mechs; + gss_OID_set supported; + int present; + OM_uint32 ms; + u_int len; + char *doid = NULL; + + if (!authctxt->valid || authctxt->user == NULL) + return (0); + + mechs = packet_get_int(); + if (mechs == 0) { +...