search for: hostbased_key_allowed

Displaying 9 results from an estimated 9 matches for "hostbased_key_allowed".

2001 Sep 28
2
openssh-2.9p2, auth2.c
Even with option "HostbasedUsesNameFromPacketOnly yes", the trailing dot in chost should be stripped before auth_rhosts2() is called from hostbased_key_allowed(). Hans Werner Strube strube at physik3.gwdg.de Drittes Physikalisches Institut, Univ. Goettingen Buergerstr. 42-44, D-37073 Goettingen, Germany Suggested change: *** auth2.c.ORI Wed Apr 25 14:44:15 2001 --- auth2.c Fri Sep 28 10:27:34 2001 *************** *** 801,815 **** deb...
2010 Aug 21
2
What's the point of UseDNS?
According to the manpage: UseDNS Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is ``yes''. Thing is, while sshd *checks*, this doesn't actually control whether or not the client is allowed to connect, it seems at most to be an option that causes
2006 Feb 12
1
sshd double-logging
..._answer_keyallowed(int sock, Buffer *m case MM_USERKEY: allowed = options.pubkey_authentication && user_key_allowed(authctxt->pw, key); + auth_method = "publickey"; break; case MM_HOSTKEY: allowed = options.hostbased_authentication && hostbased_key_allowed(authctxt->pw, cuser, chost, key); + auth_method = "hostbased"; break; case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key);...
2025 May 22
1
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
...all that. But here is an illustration of how it > could be: Please give the attached patch a try. -d -------------- next part -------------- diff --git a/auth2-hostbased.c b/auth2-hostbased.c index e221417..0227d8e 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -212,8 +212,16 @@ hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, if (sshkey_is_cert(key) && sshkey_cert_check_authority_now(key, 1, 0, 0, lookup, &reason)) { - error("%s", reason); - auth_debug_add("%s", reason); + if ((fp = sshkey_fingerprint(key->cert->signature_key, +...
2025 May 21
1
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
On 4/5/25 15:01, Lars Noodén wrote: > I notice that when using log level INFO it seems sshd(8) provides very > little information about failed SSH certificate log in attempts: > > Apr  5 14:44:41 server sshd-session[51695]: error: Certificate invalid: > not yet valid > > Apr  5 14:45:31 server sshd-session[88953]: error: Certificate invalid: > expired > >
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
..._0_2p1_w_named_keys.1(w)/auth2.c Thu, 24 Jan 2002 10:52:24 -0500 @@ -76,7 +76,7 @@ /* helper */ static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); -static int user_key_allowed(struct passwd *, Key *); +int user_key_allowed(struct passwd *, Key *); static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* auth */ @@ -476,7 +476,7 @@ buffer_dump(&b); #endif /* test for correct signature */ - if (user_key_allowed(authctxt->pw, key) && + if (user_key_allowed(authctxt->pw, key) > 0 && key_verify(key, s...
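Review bot: the signature check in the second hunk now tests `user_key_allowed(authctxt->pw, key) > 0`, which implies the function can return a negative value, but the return convention is not documented anywhere in the visible lines. State at the prototype what negative, zero and positive results mean, because a caller that still tests the result for plain truth would treat a negative return as success. The first hunk also drops `static` from that prototype while leaving the declaration among the file-local helpers in auth2.c; if the function is meant to be called from other files, declare it in a shared header so every caller sees the same prototype.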
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implementation. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...-mods/auth2.c Thu May 9 12:19:55 2002 @@ -75,7 +75,7 @@ /* helper */ static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); - -static int user_key_allowed(struct passwd *, Key *); +static int user_key_allowed(struct passwd *, Key *, char *realname); static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* auth */ @@ -105,6 +105,28 @@ {NULL, NULL, NULL} }; +/* VIX + * this piece is my attempt to pass the value of realname from userauth_pubkey + * to server_input_channel_req but i have no idea what is really happening + * the value gets pa...
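Review bot: the third parameter added to the `user_key_allowed` prototype, `char *realname`, has no documented direction, size or ownership, and it is the only named parameter in a declaration whose other parameters are unnamed. The added comment says the value is meant to travel from userauth_pubkey to server_input_channel_req, so say at the prototype whether the callee writes into a caller-supplied buffer or only reads it, and who owns the storage. Keep the declaration style consistent with the neighbouring prototypes.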
2006 Nov 15
11
OpenSSH Certkey (PKI)
...============================== RCS file: /cvs/src/usr.bin/ssh/auth.h,v retrieving revision 1.58 diff -u -r1.58 auth.h --- auth.h 18 Aug 2006 09:15:20 -0000 1.58 +++ auth.h 15 Nov 2006 14:14:32 -0000 @@ -115,6 +115,7 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); +int user_cert_key_allowed(struct passwd *, Key *); #ifdef KRB5 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); Index: auth2.c ========================================...