search for: authmethods

...ethod requires a challenge-response conversation, these checks are skipped, unless they are duplicated by the authmethod. For example, in auth2-chall.c, some of the code is duplicated (logging, sending the reply), but the root special case is skipped. One way to fix this, and make life easier for authmethods that require some state to be hauled around, is to take all the post-authmethod stuff currently in input_userauth_request(), and put it after the call to dispatch_run() in do_authentication2(). That would simplify that code (it's currently mostly conditional on 'authenticated') and ens...

...bled, and it's easy to write conflicting configurations. In addition, if a list of required auth mechs is given, then enabling mechanisms that are not required is pointless, because they won't be sufficient. So my final decision, for the sake of simplicity, was to add a "NumRequiredAuthMethods" keyword, which defaults to 1. If you set it to 2, the client must pass at least two of the enabled auth methods. I'm using the term "methods" here because I'm only counting general auth methods as defined in auth2.c's "authmethods" array, namely publickey, p...

...X Subclass: REGREQ Timestamp: 00000ms SCall: 22458 DCall: 00000 [192.168.2.1:4569] USERNAME : hayley REFRESH : 1800 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: REGAUTH Timestamp: 00003ms SCall: 00010 DCall: 22458 [192.168.2.1:4569] AUTHMETHODS : 3 CHALLENGE : 193147468 USERNAME : hayley Rx-Frame Retry[Yes] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: REGREQ Timestamp: 00000ms SCall: 22458 DCall: 00000 [192.168.2.1:4569] USERNAME : hayley REFRESH : 1800 Tx-Frame Retry[-01] -- OSeqn...

...following with the option calltokenoptional = 0.0.0.0/0.0.0.0 in iax2.conf in the general section. On the sending Server Asterisk 1.2.x Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00007ms SCall: 01471 DCall: 00004 [192.168.42.251:4569] AUTHMETHODS : 3 CHALLENGE : 138954087 USERNAME : priv Tx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: INVAL Timestamp: 00000ms SCall: 00004 DCall: 01471 [192.168.42.251:4569] Rx-Frame Retry[Yes] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHRE...

...00007ms SCall: 00001 DCall: 00000 [66.234.228.170:4569] > USERNAME : nWv96gaD75 > REFRESH : 60 > > Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: > REGAUTH > Timestamp: 00012ms SCall: 00055 DCall: 00001 [66.234.228.170:4569] > AUTHMETHODS : 3 > CHALLENGE : 164462354 > USERNAME : nWv96gaD75 > > Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: > REGREQ > Timestamp: 00049ms SCall: 00001 DCall: 00055 [66.234.228.170:4569] > USERNAME : nWv96gaD75 > REFRESH...

How is -n supposed to work? When you say ssh -n, it sets stdin_null_flag but not batch mode. When the client is choosing authmethods, there is a batch_flag that is tested to see (presumably) if we are in batch mode or perhaps if -n has been given. But nothing sets it. It looks like it's supposed to point to options.batch_mode, but it's never even initialized! Even if it did point to batch_mode, that's independent...

From: Marco Trevisan (Trevi?o) <mail at 3v1n0.net> kbdint result vfunc may return various values, so use an enum to make it clearer what each result means without having to dig into the struct documentation. --- auth-bsdauth.c | 2 +- auth-pam.c | 10 +++++----- auth.h | 5 +++++ auth2-chall.c | 4 ++-- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git

...: REGREQ Timestamp: 00011ms SCall: 00003 DCall: 00000 [212.29.199.163:4569] USERNAME : ilavender REFRESH : 60 Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: REGAUTH Timestamp: 00017ms SCall: 00170 DCall: 00003 [212.29.199.163:4569] AUTHMETHODS : 3 CHALLENGE : 101355226 USERNAME : ilavender Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: REGREQ Timestamp: 00017ms SCall: 00003 DCall: 00170 [212.29.199.163:4569] USERNAME : ilavender REFRESH : 60 MD5 RESULT...

...nd disallow challenge-response authentication so + we don't just accept it twice :) */ + options.challenge_response_authentication_first = 0; + options.challenge_response_authentication = 0; + options.kbd_interactive_authentication = options.pam_authentication_via_kbd_int; + + methods = authmethods_get(); + packet_start(SSH2_MSG_USERAUTH_FAILURE); + packet_put_cstring(methods); + packet_put_char(1); /* XXX partial success, used */ + packet_send(); + packet_write_wait(); + xfree(methods); } } @@ -272,6 +289,11 @@ authmethods_get(void) char *list; int i; + /* If challenge-respo...

...: inboundcontext FORMAT : 8 CAPABILITY : 65407 ADSICPE : 2 DATE TIME : 2010-11-25 17:01:46 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00011ms SCall: 00403 DCall: 00006 [212.11.91.201:4569] AUTHMETHODS : 3 CHALLENGE : 167512360 USERNAME : inboundcontext Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: INVAL Timestamp: 00000ms SCall: 00006 DCall: 00403 [212.11.91.201:4569] Rx-Frame Retry[Yes] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclas...

...should have seen before. If nothing else I'd suggest a statement in the ssh man page in the section for HostbasedAuthentication saying that one needs to alter the PreferredAuthentications before it is likely to work. Looking at the code in sshconnect2.c it seems to default to the order in the authmethods array, is there any reason not to patch that to place hostbased before password? Am I missing something, is this a subtle hint that we should not actually use hostbasedauthentication? -- Jon

...penSSH 4.x versions. If I try to ssh to a system with a user account and if all my auth methods fails, the client side gets the following message. Permission denied (publickey,password,keyboard-interactive). This looks like an information leak, where a malicious user can detect all the allowed authmethods on the server system. I would like to know if there are some reasons for giving these informations out. Thanks, Senthil Kumar.

...t;some_username> FORMAT : 2 CAPABILITY : 2097151 ADSICPE : 2 DATE TIME : 2006-10-18 10:16:14 Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00006ms SCall: 00003 DCall: 00004 [213.160.177.186:9785] AUTHMETHODS : 3 CHALLENGE : 585590037 USERNAME : VALSABBIA-SLOVENSKO Tx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 000 Type: IAX Subclass: INVAL Timestamp: 00000ms SCall: 00004 DCall: 00003 [213.160.177.186:9785] B) calling thru openvpn - working Tx-Frame Retry[000] -- OSeqn...

From: "Marco Trevisan" <marco at ubuntu.com> This serie of patches have been already submitted via [1], but i'm sending them again to the ML, to see if they can get some more traction. The patches are already part of Ubuntu openssh since 24.04, and they basically allow proper immediate instruction reporting to clients using PAM (as per RFC4256). This follows the approach

...AX Subclass: REGREQ Timestamp: 00001ms SCall: 10489 DCall: 00000 [192.168.50.66:4569] USERNAME : 100 REFRESH : 300 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: REGAUTH Timestamp: 00008ms SCall: 00001 DCall: 10489 [192.168.50.66:4569] AUTHMETHODS : 3 CHALLENGE : 455913197 USERNAME : 100 Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: REGREQ Timestamp: 00047ms SCall: 10489 DCall: 00001 [192.168.50.66:4569] USERNAME : 100 REFRESH : 300 MD5 RESULT : 90dd8ef2853376...

Hello there! I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of the accepted key to be printed in the log message. It works with SSH1-RSA and SSH2 pubkey (DSA+RSA) authentication. This feature is controllable by the LogKeyFingerprint config option (turned off by default). Michal Kara -------------- next part -------------- diff -u5

...I hv portforwarded tcp 4569 and 5060 from my firewall to my asterisk server. Any idea what else is missing. Debug info -- Called fwd/393393612 Rx-Frame Retry[ No] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00015ms SCall: 02703 DCall: 00002 [65.39.205.121:4569] AUTHMETHODS : 3 CHALLENGE : 207142319 USERNAME : 686928 Tx-Frame Retry[000] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: AUTHREP Timestamp: 00098ms SCall: 00002 DCall: 02703 [65.39.205.121:4569] MD5 RESULT : 8785af398932159114985608249d26ce Rx-Frame Retry[ No] -- OSe...

Hi, i have a debian Etch x86_64 with a xen 3.1 on a kernel 2.6.18-xen. I have some DomU with Debian Etch. I installed open-iscsi, configure /etc/iscsi/iscsid.conf: --- node.active_cnx = 1 node.startup = automatic #node.session.auth.username = dima #node.session.auth.password = aloha node.session.timeo.replacement_timeout = 120 node.session.err_timeo.abort_timeout = 10

This may not strictly be an asterisk question, but not sure where else to post ... I have an Asterisk test server setup with two firefly clients, one on the local lan and one on an external ip address. Both clients are setup the same way and voice calls work fine. The asterisk console reports a "Registered" message for the external client at about one minute intervals but the

...ERNAME : voicepulse-in-01 FORMAT : 4 CAPABILITY : 1086 ADSICPE : 2 DATE TIME : 171511810 Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX Subclass: AUTHREQ Timestamp: 00015ms SCall: 00001 DCall: 00335 [66.234.228.170:4569] AUTHMETHODS : 4 CHALLENGE : 123344711 USERNAME : voicepulse-in-01 Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX Subclass: AUTHREP Timestamp: 00049ms SCall: 00335 DCall: 00001 [66.234.228.170:4569] RSA RESULT : Sc+mxi0AL1JdD4Gh3s8Y5LJ13MrLm4DNNMDkCV2a5nS...