search for: authmethod

The way things are now, input_userauth_request() calls the authmethod, and then does a bunch of checks, like the special case for root. If an authmethod requires a challenge-response conversation, these checks are skipped, unless they are duplicated by the authmethod. For example, in auth2-chall.c, some of the code is duplicated (logging, sending the reply), but th...

...bled, and it's easy to write conflicting configurations. In addition, if a list of required auth mechs is given, then enabling mechanisms that are not required is pointless, because they won't be sufficient. So my final decision, for the sake of simplicity, was to add a "NumRequiredAuthMethods" keyword, which defaults to 1. If you set it to 2, the client must pass at least two of the enabled auth methods. I'm using the term "methods" here because I'm only counting general auth methods as defined in auth2.c's "authmethods" array, namely publickey,...

...X Subclass: REGREQ Timestamp: 00000ms SCall: 22458 DCall: 00000 [192.168.2.1:4569] USERNAME : hayley REFRESH : 1800 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: REGAUTH Timestamp: 00003ms SCall: 00010 DCall: 22458 [192.168.2.1:4569] AUTHMETHODS : 3 CHALLENGE : 193147468 USERNAME : hayley Rx-Frame Retry[Yes] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: REGREQ Timestamp: 00000ms SCall: 22458 DCall: 00000 [192.168.2.1:4569] USERNAME : hayley REFRESH : 1800 Tx-Frame Retry[-01] -- OSeq...

...following with the option calltokenoptional = 0.0.0.0/0.0.0.0 in iax2.conf in the general section. On the sending Server Asterisk 1.2.x Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00007ms SCall: 01471 DCall: 00004 [192.168.42.251:4569] AUTHMETHODS : 3 CHALLENGE : 138954087 USERNAME : priv Tx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: INVAL Timestamp: 00000ms SCall: 00004 DCall: 01471 [192.168.42.251:4569] Rx-Frame Retry[Yes] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHR...

...00007ms SCall: 00001 DCall: 00000 [66.234.228.170:4569] > USERNAME : nWv96gaD75 > REFRESH : 60 > > Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: > REGAUTH > Timestamp: 00012ms SCall: 00055 DCall: 00001 [66.234.228.170:4569] > AUTHMETHODS : 3 > CHALLENGE : 164462354 > USERNAME : nWv96gaD75 > > Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: > REGREQ > Timestamp: 00049ms SCall: 00001 DCall: 00055 [66.234.228.170:4569] > USERNAME : nWv96gaD75 > REFRES...

How is -n supposed to work? When you say ssh -n, it sets stdin_null_flag but not batch mode. When the client is choosing authmethods, there is a batch_flag that is tested to see (presumably) if we are in batch mode or perhaps if -n has been given. But nothing sets it. It looks like it's supposed to point to options.batch_mode, but it's never even initialized! Even if it did point to batch_mode, that's independent...

...-1); + return KbdintResultFailure; } sshbuf_free(buffer); - return (1); + return KbdintResultAgain; } static void diff --git a/auth.h b/auth.h index 98bb23d4c..aba6e775d 100644 --- a/auth.h +++ b/auth.h @@ -51,6 +51,7 @@ struct sshauthopt; typedef struct Authctxt Authctxt; typedef struct Authmethod Authmethod; typedef struct KbdintDevice KbdintDevice; +typedef int KbdintResult; struct Authctxt { sig_atomic_t success; @@ -115,6 +116,10 @@ struct Authmethod { int (*userauth)(struct ssh *, const char *); }; +#define KbdintResultFailure -1 +#define KbdintResultSuccess 0 +#define Kbdin...

...: REGREQ Timestamp: 00011ms SCall: 00003 DCall: 00000 [212.29.199.163:4569] USERNAME : ilavender REFRESH : 60 Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: REGAUTH Timestamp: 00017ms SCall: 00170 DCall: 00003 [212.29.199.163:4569] AUTHMETHODS : 3 CHALLENGE : 101355226 USERNAME : ilavender Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: REGREQ Timestamp: 00017ms SCall: 00003 DCall: 00170 [212.29.199.163:4569] USERNAME : ilavender REFRESH : 60 MD5 RESUL...

...nd disallow challenge-response authentication so + we don't just accept it twice :) */ + options.challenge_response_authentication_first = 0; + options.challenge_response_authentication = 0; + options.kbd_interactive_authentication = options.pam_authentication_via_kbd_int; + + methods = authmethods_get(); + packet_start(SSH2_MSG_USERAUTH_FAILURE); + packet_put_cstring(methods); + packet_put_char(1); /* XXX partial success, used */ + packet_send(); + packet_write_wait(); + xfree(methods); } } @@ -272,6 +289,11 @@ authmethods_get(void) char *list; int i; + /* If challenge-resp...

...: inboundcontext FORMAT : 8 CAPABILITY : 65407 ADSICPE : 2 DATE TIME : 2010-11-25 17:01:46 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00011ms SCall: 00403 DCall: 00006 [212.11.91.201:4569] AUTHMETHODS : 3 CHALLENGE : 167512360 USERNAME : inboundcontext Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: INVAL Timestamp: 00000ms SCall: 00006 DCall: 00403 [212.11.91.201:4569] Rx-Frame Retry[Yes] -- OSeqno: 000 ISeqno: 000 Type: IAX Subcla...

...should have seen before. If nothing else I'd suggest a statement in the ssh man page in the section for HostbasedAuthentication saying that one needs to alter the PreferredAuthentications before it is likely to work. Looking at the code in sshconnect2.c it seems to default to the order in the authmethods array, is there any reason not to patch that to place hostbased before password? Am I missing something, is this a subtle hint that we should not actually use hostbasedauthentication? -- Jon

...penSSH 4.x versions. If I try to ssh to a system with a user account and if all my auth methods fails, the client side gets the following message. Permission denied (publickey,password,keyboard-interactive). This looks like an information leak, where a malicious user can detect all the allowed authmethods on the server system. I would like to know if there are some reasons for giving these informations out. Thanks, Senthil Kumar.

...t;some_username> FORMAT : 2 CAPABILITY : 2097151 ADSICPE : 2 DATE TIME : 2006-10-18 10:16:14 Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00006ms SCall: 00003 DCall: 00004 [213.160.177.186:9785] AUTHMETHODS : 3 CHALLENGE : 585590037 USERNAME : VALSABBIA-SLOVENSKO Tx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: INVAL Timestamp: 00000ms SCall: 00004 DCall: 00003 [213.160.177.186:9785] B) calling thru openvpn - working Tx-Frame Retry[000] -- OSeq...

From: "Marco Trevisan" <marco at ubuntu.com> This serie of patches have been already submitted via [1], but i'm sending them again to the ML, to see if they can get some more traction. The patches are already part of Ubuntu openssh since 24.04, and they basically allow proper immediate instruction reporting to clients using PAM (as per RFC4256). This follows the approach

...AX Subclass: REGREQ Timestamp: 00001ms SCall: 10489 DCall: 00000 [192.168.50.66:4569] USERNAME : 100 REFRESH : 300 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: REGAUTH Timestamp: 00008ms SCall: 00001 DCall: 10489 [192.168.50.66:4569] AUTHMETHODS : 3 CHALLENGE : 455913197 USERNAME : 100 Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: REGREQ Timestamp: 00047ms SCall: 10489 DCall: 00001 [192.168.50.66:4569] USERNAME : 100 REFRESH : 300 MD5 RESULT : 90dd8ef285337...

....0.2p1/auth2.c Tue Jan 29 15:21:58 2002 @@ -58,10 +58,14 @@ extern int session_id2_len; static Authctxt *x_authctxt = NULL; static int one = 1; +static char real_info[1024] = " ssh2"; +static char *info = real_info + 5; +static int info_size = sizeof(real_info)-5; + typedef struct Authmethod Authmethod; struct Authmethod { char *name; int (*userauth)(Authctxt *authctxt); int *enabled; @@ -261,11 +265,11 @@ NULL)) authenticated = 0; #endif /* USE_PAM */ /* Log before sending the reply */ - auth_log(authctxt, authenticated, method, " ssh2"); + auth_log(auth...

...I hv portforwarded tcp 4569 and 5060 from my firewall to my asterisk server. Any idea what else is missing. Debug info -- Called fwd/393393612 Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00015ms SCall: 02703 DCall: 00002 [65.39.205.121:4569] AUTHMETHODS : 3 CHALLENGE : 207142319 USERNAME : 686928 Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: AUTHREP Timestamp: 00098ms SCall: 00002 DCall: 02703 [65.39.205.121:4569] MD5 RESULT : 8785af398932159114985608249d26ce Rx-Frame Retry[ No] -- OS...

...xBurstLength = 16776192 node.session.iscsi.DefaultTime2Wait = 0 node.session.iscsi.DefaultTime2Retain = 0 node.session.iscsi.MaxConnections = 0 node.conn[0].iscsi.HeaderDigest = None node.conn[0].iscsi.DataDigest = None node.conn[0].iscsi.MaxRecvDataSegmentLength = 65536 #discovery.sendtargets.auth.authmethod = CHAP #discovery.sendtargets.auth.username = dima #discovery.sendtargets.auth.password = aloha node.conn[0].timeo.login_timeout = 15 node.conn[0].timeo.logout_timeout = 15 node.conn[0].timeo.noop_out_interval = 10 node.conn[0].timeo.noop_out_timeout = 15 --- i checked the LUN: # iscsiadm -m disc...

This may not strictly be an asterisk question, but not sure where else to post ... I have an Asterisk test server setup with two firefly clients, one on the local lan and one on an external ip address. Both clients are setup the same way and voice calls work fine. The asterisk console reports a "Registered" message for the external client at about one minute intervals but the

...ERNAME : voicepulse-in-01 FORMAT : 4 CAPABILITY : 1086 ADSICPE : 2 DATE TIME : 171511810 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00015ms SCall: 00001 DCall: 00335 [66.234.228.170:4569] AUTHMETHODS : 4 CHALLENGE : 123344711 USERNAME : voicepulse-in-01 Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: AUTHREP Timestamp: 00049ms SCall: 00335 DCall: 00001 [66.234.228.170:4569] RSA RESULT : Sc+mxi0AL1JdD4Gh3s8Y5LJ13MrLm4DNNMDkCV2a5n...