search for: bsd_auth

Hello, There has been an annoyance with OpenSSH that has been bugging me lately. It pays no attention to pw_change and pw_expire fields from the passwd file for users by default. Thus even if the admin has set a user's account to expire 5 days ago they can still login. So one might say, just add 'UseLogin yes' and all of your problems will be solved. This of course is not a good

...swd/login.c,v retrieving revision 1.8 diff -u -r1.8 login.c --- libexec/login_passwd/login.c 14 Apr 2005 18:33:42 -0000 1.8 +++ libexec/login_passwd/login.c 18 Sep 2006 10:32:00 -0000 @@ -107,6 +107,9 @@ exit(1); } + fprintf(back, BI_SETENV " X_BSD_AUTH_SOME_RESOURCE %d\n", 1024); + fprintf(back, BI_SETENV " TESTVAR %s\n", "bar"); + /* * Read password, either as from the terminal or if the * response mode is active from the caller program. ######################################...

...h-chall.c openssh-2.5.2p2/auth-chall.c --- org/openssh-2.5.2p2/auth-chall.c Mon Mar 5 07:59:27 2001 +++ openssh-2.5.2p2/auth-chall.c Sun Jun 3 18:34:43 2001 @@ -67,7 +67,7 @@ debug("verify_response: <%s> = <%d>", response, authok); return authok != 0; } -#else +#else /* BSD_AUTH */ #ifdef SKEY #include <skey.h> @@ -88,6 +88,25 @@ skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); } +#else /* SKEY */ +#ifdef OPIE +#include <opie.h> + +char * +get_challenge(Authctxt *authctxt, ch...

The following are patches against openssh 2.1.1p4 to add support for the BSD_AUTH authentication mechanisms. It allows the use of non-challenge/response style mechanisms (which styles are allowed my be limited by appropriate auth-ssh entries in login.conf). The patches also add support for calling setusercontext for the appropriate class when called with a command (so that t...

...xes a misplaced #ifdef in the OpenSSH distribution in bsd-vis.c. After applying this patch, run "autoreconf". Index: auth1.c --- auth1.c 2001/02/13 07:43:16 1.1 +++ auth1.c 2001/02/13 22:00:06 @@ -28,6 +28,12 @@ #include "auth.h" #include "session.h" +#ifdef HAVE_BSD_AUTH_H +# include <login_cap.h> +# include <bsd_auth.h> +static char *bsduser=NULL; /* XXX -- ugly, but we need the original */ +#endif + /* import */ extern ServerOptions options; extern char *forced_command; @@ -258,7 +264,10 @@ NULL, password) == SIASUCCESS) { authenticated =...

...nsertions(+) diff --git a/auth.c b/auth.c index 13e8d7998..da0af66d4 100644 --- a/auth.c +++ b/auth.c @@ -465,6 +465,9 @@ getpwnamallow(struct ssh *ssh, const char *user) { #ifdef HAVE_LOGIN_CAP extern login_cap_t *lc; +#ifdef HAVE_AUTH_HOSTOK + const char *from_host, *from_ip; +#endif #ifdef BSD_AUTH auth_session_t *as; #endif @@ -510,6 +513,21 @@ getpwnamallow(struct ssh *ssh, const char *user) debug("unable to get login class: %s", user); return (NULL); } +#ifdef HAVE_AUTH_HOSTOK + from_host = auth_get_canonical_hostname(ssh, options.use_dns); + from_ip = ssh_remote_ipadd...

...h2-chall.c =================================================================== RCS file: /var/cvs/openssh/auth2-chall.c,v retrieving revision 1.17 diff -u -r1.17 auth2-chall.c --- auth2-chall.c 22 Mar 2002 02:30:43 -0000 1.17 +++ auth2-chall.c 24 Apr 2002 01:03:14 -0000 @@ -40,11 +40,17 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; +extern KbdintDevice mm_bsdauth_device; #else #ifdef SKEY extern KbdintDevice skey_device; +extern KbdintDevice mm_skey_device; #endif #endif +#ifdef USE_PAM +extern KbdintDevice pam_device; +extern KbdintDevice mm_pam_device; +#endif KbdintDevice *device...

I'm running OpenSSH 3.4 and have the situation that some users want to allow password authentication into their accounts and some explicitly want to disallow password authentication. Is this possible? I wasn't able to come up with a way looking through ssh_config and sshd_config, as well as some FAQs. It seems the problem is that there is no scoping of directives in sshd_config, thus

...h2-chall.c =================================================================== RCS file: /var/cvs/openssh/auth2-chall.c,v retrieving revision 1.19 diff -u -r1.19 auth2-chall.c --- auth2-chall.c 26 Jun 2002 13:58:40 -0000 1.19 +++ auth2-chall.c 2 Jul 2002 02:19:35 -0000 @@ -40,11 +40,17 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; +extern KbdintDevice mm_bsdauth_device; #else #ifdef SKEY extern KbdintDevice skey_device; +extern KbdintDevice mm_skey_device; #endif #endif +#ifdef USE_PAM +extern KbdintDevice sshpam_device; +extern KbdintDevice mm_sshpam_device; +#endif KbdintDevice...

I noticed that (perhaps because ':' is invalid in a username) you can say ssh -l user:style host, where the "user:style" is sent by the client, and the server strips the ":style" part off and makes it available as part of the authentication context. It's currently unused. What are the plans for this, if any? I was experimenting with the idea of using it with SRP

...e[1]: Entering directory `/tmp/openssh-4.7p1/openbsd-compat' gcc -s -O3 -march=i686 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -std=gnu99 -I. -I.. -I. -I./.. -I/usr/local/include -I/usr/local/include -DHAVE_CONFIG_H -c port-aix.c In file included from port-aix.c:33: ../auth.h:39:22: bsd_auth.h: No such file or directory In file included from port-aix.c:33: ../auth.h:63: error: parse error before "auth_session_t" ../auth.h:63: warning: no semicolon at end of struct or union ../auth.h:74: error: parse error before '}' token make[1]: *** [port-aix.o] Error 1 make[1]: Lea...

...2-chall.c =================================================================== RCS file: /var/cvs/openssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 21 Jun 2002 00:41:52 -0000 1.18 +++ auth2-chall.c 25 Jun 2002 01:42:11 -0000 @@ -40,11 +40,17 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; +extern KbdintDevice mm_bsdauth_device; #else #ifdef SKEY extern KbdintDevice skey_device; +extern KbdintDevice mm_skey_device; #endif #endif +#ifdef USE_PAM +extern KbdintDevice sshpam_device; +extern KbdintDevice mm_sshpam_device; +#endif KbdintDevice...

...Resolution|--- |WONTFIX Status|REOPENED |RESOLVED --- Comment #6 from Damien Miller <djm at mindrot.org> --- I don't think we'll ever implement OPIE; better 2FA mechanisms exist now. If we were to offer some non-PAM, non-bsd_auth system it would need to be more general than just OPIE. -- You are receiving this mail because: You are the assignee for the bug. You are watching someone on the CC list of the bug.

I have been reading that there may be a patch floating around to enable krb5 auth in dovecot <1.0, namely 0.99.10.8 (openbsd port). It could be I have something misconfigured, for openbsd supports kerberos and most programs which use the operating system's auth features use kerberos transparently through login(1). If there is a patch, I would be very interested in testing it. -- John

...d 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support and encouragement. Changes since OpenSSH 3.2.2: ============================ This release fixes several problems in OpenSSH 3.2.2: - a defect in the BSD_AUTH access control handling for OpenBSD and BSD/OS systems: Under certain conditions, on systems using YP with netgroups in the password database, it is possible that sshd does ACL checks for the requested user name but uses the password database entry of a different user...

I just commited 35 of the 36 patches to bring up in sync with the OpenBSD tree. The patch for BSD_AUTH to auth-passwd.c from stevesk@ has not been applied because the portable tree code is so horrible.. EXTREMELY HORRIBLE that I can't safely pick my way through that mine field. So I'll get it appled as soon as I clean up that section of code. Things to be mindful: 1. PrivSep is turn on by...

http://bugzilla.mindrot.org/show_bug.cgi?id=933 Summary: compile problem on tru64 5.1A code outside of a #ifdef that should not be included on tru64 Product: Portable OpenSSH Version: 3.8p1 Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: Build

...mpat && make) make[1]: Entering directory `/tmp/openssh-3.9p1/openbsd-compat' gcc -s -O3 -march=i686 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/include -I/usr/local/include -DHAVE_CONFIG_H -c port-aix.cIn file included from port-aix.c:27: ../auth.h:39:22: bsd_auth.h: No such file or directory In file included from port-aix.c:27: ../auth.h:62: error: parse error before "auth_session_t" ../auth.h:62: warning: no semicolon at end of struct or union ../auth.h:72: error: parse error before '}' token make[1]: *** [port-aix.o] Error 1 make[1]: Lea...

...auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; + success = auth_krb5_password(authctxt, password); + if (success == 1 || success == 0) + if (auth_result(success) == 1) + return 1; /* Fall back to ordinary passwd authentication. */ } #endif #ifdef BSD_AUTH - if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", - (char *)password) == 0) - return 0; - else + success = (auth_userokay(user, authctxt->style, "auth-ssh", + (char *)password) == 0); + if (auth_result(success) == 1) return 1; #else /* Check f...

Hello, I was searching the internet for an challenge-response system to authenticate an Openssh session with an hardware token. Now i found this, its very old, so i want to now how's the situation today. I couldn't find much documentation. Re: SSH with SecureID > Is there any documentation I'm missing on how to integrate the two? > We'd love to go with 2-factor