Displaying 20 results from an estimated 24 matches for "challenge_response_authentication".

2011 Jul 22
0
auth2-kbdint.c: Is it a bug that it mixes references to options.kbd_interactive_authentication and options.challenge_response_authentication ?
...r from OpenSSH, and have come across an oddity in the source code which may or may not be a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also disabling keyboard-interactive authentication, even if "KbdInteractiveAuthentication yes" is specified. I'd call this a bug, but other...
2003 Mar 02
0
[RFC][PATCH] Require S/KEY before other authentication methods.
...int) + /* In the normal case, try PAM if challenge-response failed. + However, if this was a prerequisite challenge-response + authentication attempt, and PAM auth is permitted as a + secondary method, then force the client to come back + with a second attempt instead. */ + if (!options.challenge_response_authentication_first && + authenticated == 0 && options.pam_authentication_via_kbd_int) authenticated = auth2_pam(authctxt); #endif xfree(devs); Index: auth2.c =================================================================== RCS file: /cvs/openssh/auth2.c,v retrieving revision 1.112 d...
2002 Jul 25
3
[PATCH] prevent users from changing their environment
...+ sshd_config 24 Jul 2002 16:55:27 -0000 @@ -75,6 +75,7 @@ #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes +#PermitUserEnvironment yes #Compression yes #MaxStartups 10 --- servconf.h 20 Jun 2002 23:05:55 -0000 1.58 +++ servconf.h 24 Jul 2002 16:55:26 -0000 @@ -97,6 +97,7 @@ int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ + int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; ---...
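Review bot: In the sshd_config hunk the new sample entry reads `#PermitUserEnvironment yes`. If the commented entry documents the default, as the neighbouring entries do, then reading ~/.ssh/environment stays enabled unless the administrator turns it off, which does not match the stated aim of preventing users from changing their environment. Suggest defaulting `permit_user_env` to off and showing `#PermitUserEnvironment no` in the sample file. A man page entry for the new keyword is not visible in this excerpt and should accompany the change.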
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implementation. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...= auth_pam_password(pw, password, + PAM_PROMPT_ECHO_OFF); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ authenticated = auth_sia_password(authctxt->user, @@ -269,6 +270,15 @@ case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.challenge_response_authentication == 1) { +#ifdef USE_PAM + if (options.tis_via_pam == 1) { + authenticated = auth_pam_password(pw, "", + PAM_PROMPT_ECHO_ON); + break; + } else { +#else + { +#endif /* USE_PAM */ char *challenge = get_challenge(authctxt); if (challenge != NULL) {...
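Review bot: In the `SSH_CMSG_AUTH_TIS` hunk, the `} else {` under `#ifdef USE_PAM` and the bare `{` under `#else` open a block whose closing brace has to balance in both build configurations, which is easy to break on a later edit. Suggest putting the `options.tis_via_pam` test in its own self-contained `#ifdef USE_PAM` block ahead of the existing `get_challenge()` path so the non-PAM code keeps its original bracing. The call `auth_pam_password(pw, "", PAM_PROMPT_ECHO_ON)` passes an empty string as the password and needs a comment explaining how the user's response reaches the PAM conversation.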
2007 Mar 22
1
ChallengeResponseAuthentication defaults to no?
Hello, I have just installed OpenSSH 4.6p1 and it appears that ChallengeResponseAuthentication is not allowed unless I explicitly set it to "yes" in the sshd_config file. I am using the same config file as I did with 4.5p1 where it was allowed by default. Also, this is OpenSSH package from sunfreeware, but I believe that both versions were compiled with the same options. Is this the
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributor to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IPs. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2011 Jul 30
0
[Bug 1922] New: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
...ehaviour from OpenSSH, and have come across an oddity in the source code which feels like a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in the behaviour of "ChallengeResponseAuthentication no" also disabling keyboard-interactive authentication, even if "KbdInteractiveAuthentication yes" is specified. (Also, the KbdInteractiveAuthentica...
2009 Oct 29
1
Match vs. ChallengeResponseAuthentication?
Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the
2002 Apr 26
0
PAM keyboard-interactive
...=========================== RCS file: /var/cvs/openssh/auth2.c,v retrieving revision 1.100 diff -u -r1.100 auth2.c --- auth2.c 23 Apr 2002 10:28:49 -0000 1.100 +++ auth2.c 24 Apr 2002 01:03:17 -0000 @@ -119,8 +119,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); @@ -370,10 +368,6 @@ if (options.chall...
2002 Jul 02
3
New PAM kbd-int diff
...bdint.c =================================================================== RCS file: /var/cvs/openssh/auth2-kbdint.c,v retrieving revision 1.1 diff -u -r1.1 auth2-kbdint.c --- auth2-kbdint.c 6 Jun 2002 20:27:56 -0000 1.1 +++ auth2-kbdint.c 2 Jul 2002 02:19:35 -0000 @@ -49,10 +49,6 @@ if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); -#ifdef USE_PAM - if (authenticated == 0 && options.pam_authentication_via_kbd_int) - authenticated = auth2_pam(authctxt); -#endif xfree(devs); xfree(lang); #ifdef HAVE_CYGWIN Index: auth2-pam.c ===================================...
2002 Jun 25
4
PAM kbd-int with privsep
...dint.c =================================================================== RCS file: /var/cvs/openssh/auth2-kbdint.c,v retrieving revision 1.1 diff -u -r1.1 auth2-kbdint.c --- auth2-kbdint.c 6 Jun 2002 20:27:56 -0000 1.1 +++ auth2-kbdint.c 25 Jun 2002 01:42:11 -0000 @@ -49,10 +49,6 @@ if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); -#ifdef USE_PAM - if (authenticated == 0 && options.pam_authentication_via_kbd_int) - authenticated = auth2_pam(authctxt); -#endif xfree(devs); xfree(lang); #ifdef HAVE_CYGWIN Index: auth2-pam.c ===================================...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
...f diff -r -U 8 openssh-3.9p1.orig/servconf.c openssh-3.9p1.jpmg/servconf.c --- openssh-3.9p1.orig/servconf.c 2004-08-13 12:30:24.000000000 +0100 +++ openssh-3.9p1.jpmg/servconf.c 2005-01-20 10:11:54.385791373 +0000 @@ -78,16 +78,17 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; + options->num_allow_users_fixedname = 0; options->num_deny_users = 0;...
2003 Jan 29
0
[PATCH] features for restricted shell environments
...,6 +41,7 @@ #include "cipher.h" #include "kex.h" #include "mac.h" +#include "channels.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); @@ -102,6 +105,9 @@ options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; + options->permit_tcp_listen = -1; + options->restricted_shell = NULL; + options->restrictions = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; @@ -...
2006 Nov 15
11
OpenSSH Certkey (PKI)
...hostfile; goto parse_string; @@ -1002,6 +1013,8 @@ options->gateway_ports = -1; options->use_privileged_port = -1; options->rsa_authentication = -1; + options->certkey_authentication = -1; + options->ca_key_file = NULL; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -1088,6 +1101,10 @@ options->use_privileged_port = 0; if (options->rsa_authentication == -1) options->rsa_authentication = 1; + if (options->certkey_authentication == -1) + options->certkey_authentication = 0; + if (options-&gt...
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...authctxt->success == TRUE */ @@ -114,8 +136,11 @@ { Authctxt *authctxt = authctxt_new(); + char realname[40] = "unknown"; + x_authctxt = authctxt; /*XXX*/ + /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; @@ -125,7 +150,7 @@ dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - - do_a...
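Review bot: The hunk at `@@ -114,8 +136,11 @@` adds a fixed-size `char realname[40]` and an assignment `x_authctxt = authctxt;` marked `/*XXX*/`. Whatever later writes into `realname` must use a copy bounded by `sizeof(realname)`, and that code is not visible in this excerpt. The `x_authctxt` alias should either be replaced by passing `authctxt` to the code that needs it or carry a comment stating who reads it and how long the pointer stays valid.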