Displaying 20 results from an estimated 22 matches for "do_authloop".

2008 Jul 09
2
loginmsg bug
Cf. http://seclists.org/fulldisclosure/2008/Jul/0090.html This Mrdkaaa character claims to have exploited this, but does not say how. The issue is that if do_pam_account() fails, do_authloop() will call packet_disconnect() with loginmsg as the format string (classic printf(foo) instead of printf("%s", foo) bug). The stuff that do_authloop() appends to loginmsg is harmless (the user name is safe, since at this point we know the account exists). The question is, what does log...
2001 Dec 26
3
auth*.c
Folks, During testing, we found a couple of issues with openssh3.0.2p1: 1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c), the foll. check: if (authctxt->failures++ > AUTH_FAIL_MAX) is never satisfied and thus packet_disconnect() never gets called. I suspect the code just drops out of the dispatch_run function list instead. This should be an == instead of >. While looking at the debug output w...
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...lenge_dialog(RSA *); #ifdef KRB4 diff -ru openssh-3.1p1/auth1.c openssh-3.1p1-mods/auth1.c - --- openssh-3.1p1/auth1.c Thu May 9 12:18:26 2002 +++ openssh-3.1p1-mods/auth1.c Thu May 9 12:19:54 2002 @@ -63,7 +63,7 @@ * return only if authentication is successful */ static void - -do_authloop(Authctxt *authctxt) +do_authloop(Authctxt *authctxt, const char *realname) { int authenticated = 0; u_int bits; @@ -229,7 +229,7 @@ fatal("do_authloop: BN_new failed"); packet_get_bignum(n); p...
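Review bot: the comment above do_authloop() still reads only "return only if authentication is successful" after the first auth1.c hunk adds the `const char *realname` parameter. It should say what realname holds and whether it may be NULL. Because the function is static, every caller in auth1.c has to be updated in the same patch, and none of those call sites appear in the lines shown here.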
2000 Jan 13
0
.rhosts problem ... backtracking through code slowly ...
Okay, here's where I've gotten to so far, which isn't far, but it doesn't appear that "case SSH_CMSG_AUTH_RHOSTS:" is very being triggered in do_authloop() in sshd.c ... Now, from what I can tell, in do_authloop(), this case is triggered by a packet from the client, with: /* Get a packet from the client. */ type = packet_read(&plen); So, if I'm right, the client isn't sending over what is necessary? c...
2000 Feb 17
1
OpenSSH allows guessing of root password?
I set sshd to deny root login. But I still get a password prompt! So if I get the password right, I get one error message: Received disconnect: ROOT LOGIN REFUSED FROM example.com while if I simply put in a wrong password three times I get Permission denied. If this means I set it up wrong please mail me directly - I'm not subscribed to the list. Otherwise please fix this. -- The
2001 Nov 13
1
Kerberos / PAM bug in OpenSSH CVS
In do_authloop() in auth1.c(), the Kerberos 4 and 5 code both allocate, then xfree() the client_user string. The call to do_pam_account() later in the function then tries to use this string, resulting in a corrupt remote user. Finally, before exiting, the function frees client_user again, resulting in a doubl...
2002 Mar 18
0
[Bug 170] New: Double free() and heap corruption when krb4 auth fails
...s in fact segfaulting shortly after the point where the krb4 auth is failing. Some gdb traces show that this segfault is happening in malloc(). The cause of this is a free() in the auth_krb4 function (in auth-krb4.c) of a pointer, client_user, passed by reference (as *client) to that function. The do_authloop function in auth1.c, which calls auth_krb4, expects that this pointer is either valid or NULL on return, since it will free any non-NULL pointer later in the loop. One solution, represented by the attached patch, is to set the pointer to NULL after it is free'd; another solution is to not free...
2000 Jul 26
1
compiling openssh with skey? Fails on redhat linux
If I configure openssh-2.1.1p4 with the --with-skey option on a Redhat Linux 6.2 system which has openssl-0.9.5a and skey (the logdaemon 6.2 version) installed, the compile fails with the following errors: auth1.c: In function `do_authloop': auth1.c:331: warning: implicit declaration of function `skey_keyinfo' auth1.c:331: warning: initialization makes pointer from integer without a cast auth1.c:353: warning: implicit declaration of function `skey_haskey' auth1.c:354: warning: implicit declaration of function `skey_passch...
2006 Apr 17
9
[Bug 983] Required authentication
...th_remove_from_list(&options.required_auth1, >+ meth_name) != 1) >+ fatal("INTERNAL ERROR: authenticated method " >+ "\"%s\" not in required list \"%s\"", >+ meth_name, options.required_auth1); >+ debug2("do_authloop: required list now: %s", >+ options.required_auth1 == NULL ? >+ "DONE" : options.required_auth1); >+ authenticated = 0; Unless I'm misreading it, this can't complete. Once the last method in the list is successful, "authenticated" is set and...
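Review bot: the fatal() call in the quoted hunk formats options.required_auth1 with "%s" without a NULL guard, while the debug2() two statements later explicitly handles `options.required_auth1 == NULL`. If the list can be NULL when the removal fails, the fatal() message needs the same guard as the debug2() call, for example by substituting a fixed string for the empty list.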
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
...follows. Thanks, Corinna Index: auth1.c =================================================================== RCS file: /cvs/openssh_cvs/auth1.c,v retrieving revision 1.46 diff -u -p -r1.46 auth1.c --- auth1.c 6 Dec 2001 17:55:26 -0000 1.46 +++ auth1.c 18 Dec 2001 19:07:12 -0000 @@ -313,9 +313,9 @@ do_authloop(Authctxt *authctxt) #ifdef HAVE_CYGWIN if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { + !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { packet_disconnect("Authentication rejected for uid %d.", - (int)pw->pw_uid...
2005 Feb 24
3
Suggestion: SSHD pseudo/fake mode. Source available.
Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributor to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different
2000 Mar 07
1
Fail to compile on FreeBSD 3.3
...-wrappers --with-skey .. .... ...... gcc -o sshd sshd.o auth-rhosts.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o md5crypt.o -L. -L/usr/local/ssl/lib -lssh -lz -lcrypto -lutil -lpam -lskey -lwrap sshd.o: In function `do_authloop': /usr/local/src/openssh-1.2.2/sshd.c(.text+0x1d68): undefined reference to `skey_keyinfo' /usr/local/src/openssh-1.2.2/sshd.c(.text+0x1d8a): undefined reference to `skey_fake_keyinfo' /usr/local/src/openssh-1.2.2/sshd.c(.text+0x1e52): undefined reference to `skey_haskey' /usr/local...
2000 May 09
0
OpenSSH compile error when enabling S/Key support
...erloop.o bsd-login.o md5crypt.o session.o -L. -L/usr/local/openssl-0.9.5a/lib -L/usr/local/skey-1.1/lib -lssh -ldl -lnsl -lz -lutil -lpam -lcrypto -lskey -lwrap auth1.o: In function `do_fake_authloop1': auth1.o(.text+0x126): undefined reference to `skey_fake_keyinfo' auth1.o: In function `do_authloop': auth1.o(.text+0x803): undefined reference to `skey_fake_keyinfo' collect2: ld returned 1 exit status make: *** [sshd] Error 1 Any Idea? Help would be very appreciated. Axel Wagner -- ---------------------------------------------------------------- Axel Wagner Interne...
2007 Aug 29
0
reverse mapping check; authentication methods
...tter the logs. Looking at the code, it seems that the getaddrinfo failures don't seem to result in the connection being rejected, even though the man page would seem to indicate so[2] though is not explicit about it. It also seems that the possible authentication methods are only checked (do_authloop in SSH1) after it has been verified whether the user exists (causing these log messages). Likewise, in auth.c getpwnam() is executed for the attempted user even if the user is not listed in AllowUsers. Would it make sense to check the usernames and hosts later, avoiding unnecessary log clutte...
2000 May 09
1
openssh-2.1.0 and AFS
...IX) will do the job, otherwise, no token can be obtained and therefore no pag is needed. I noticed that because normally root wants to login without a pag, which is not possible now. I attached a small patch, that moves the do_setpag-part from do_authentication to the afs-token-passing section of do_authloop, maybe you'll find that useful. cheers, --leo ----------------------------------------------------------------------- Alexander (Leo) Bergolth leo at leo.wu-wien.ac.at WU-Wien - Zentrum fuer Informatikdienste http://leo.wu-wien.ac.at Info Center...
2001 Jan 19
0
sshd crashes (w/ skey)
...tz_convert (timer=0xbfffee8c, use_localtime=1, tp=0x40148460) at tzset.c:582 #6 0x400d9c9c in localtime (t=0xbfffee8c) at localtime.c:43 #7 0x400d9bd8 in ctime (t=0xbfffee8c) at ctime.c:32 #8 0x80501b6 in skey_fake_keyinfo (username=0x80ed5d8 "blah") at auth-skey.c:145 #9 0x804eb9c in do_authloop (pw=0x0, luser=0x80ed5d8 "blah") at auth1.c:279 #10 0x804ef77 in do_authentication () at auth1.c:473 #11 0x804dc4a in main (ac=2, av=0xbffffa3c) at sshd.c:1088 (gdb) I might be talking complete BS, but I think that problem lies somewhere among these lines: -- auth-skey.c - skey_fake_key...
2000 Feb 02
1
Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
...0x4004f648 in pam_fail_delay () from /lib/libpam.so.0 #6 0x4004f9ce in _pam_dispatch () from /lib/libpam.so.0 #7 0x400512cc in pam_authenticate () from /lib/libpam.so.0 #8 0x804ef47 in auth_pam_password (pw=0xbffff24c, password=0x80826c0 "asdf") at auth-pam.c:136 #9 0x804c75d in do_authloop (pw=0xbffff24c) at sshd.c:1445 #10 0x804c329 in do_authentication () at sshd.c:1248 #11 0x804bb58 in main (ac=4, av=0xbffff8a4) at sshd.c:873 I hope this report helps finding the bug. If you would like me to perform further tests, please let me know. Best regards, Stefan and Bernd (who origina...
2003 Jan 27
1
[PATCH] Creation of record_failed_login() in sshlogin.c
...ates a record_failed_login() function in sshlogin.c to go along with record_login(). This new function holds the platform-specific code. At the moment, this is AIX and UNICOS, but it will provide an obvious place for any other platforms that support this type of thing. auth_log() is called from do_authloop (proto 1) or userauth_finish (proto 2) and calls record_failed_login() for each failed password authentication. The next question is should this function get called for public-key authentications and, if so, under what circumstances? My best guess is that it should be called once if one or more...
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
...letey dropped in the following patch. Index: auth1.c =================================================================== RCS file: /cvs/openssh_cvs/auth1.c,v retrieving revision 1.40 diff -u -p -r1.40 auth1.c --- auth1.c 2001/03/24 00:37:59 1.40 +++ auth1.c 2001/05/23 09:40:49 @@ -313,14 +313,7 @@ do_authloop(Authctxt *authctxt) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); -#ifdef HAVE_CYGWIN - if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { - packet_disconnect("Authentication rejected for u...
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the