search for: jpake

Displaying 12 results from an estimated 12 matches for "jpake".

2014 Jan 30
2
CVE-2014-1692
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692 The NIST advisory says that all versions of OpenSSH potentially contain the flaw. But is that really true? For example, I looked at the 3.8.1p1 distribution and didn't find any reference to JPAKE at all. Thanks.
2012 Jun 15
4
[PATCH] Fix sizeof in jpake_free()
Hello, running Coccinelle (http://coccinelle.lip6.fr/) on the DragonFly source tree with a patch to find issues of this kind turned up this one. Please see the attached diff (against OpenBSD). Regards, Sascha
2012 Dec 20
4
Deprecated calls to bzero() and index() found in OpenSSH 6.1p1
...iewing source code for OpenSSH-6.1p1, I found instances of deprecated library calls still within various source code files. Examples of deprecated calls are: bzero() (replaced with memset() which is ANSI compliant), index() (replaced with strchr() which is also ANSI compliant). In file 'auth2-jpake.c', I've replaced all the bzero() calls with the equivalent memset() calls. The patch file is below in (diff -u) format: --- auth2-jpake.c.orig 2012-12-19 17:01:52.817528171 -0800 +++ auth2-jpake.c 2012-12-19 17:05:59.044554766 -0800 @@ -178,7 +178,7 @@ fatal("...
2014 Jan 30
0
CVE-2014-1692
...; writes: > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1692 > > The NIST advisory says that all versions of OpenSSH potentially contain > the flaw. But is that really true? For example, I looked at the > 3.8.1p1 distribution and didn't find any reference to JPAKE at all. Hi. The NVD advisory is inaccurate. JPAKE experimental code was first introduced in OpenSSH 5.2, iirc. Also, the advisory should be taken with a grain of salt as the vulnerable code is not activated without pro-active user code modification. --mancha
2012 Dec 21
0
File Attachments for previous bug report
..., newname, newlen - len); - if ((cx = index(cx + 1, ':'))) + if ((cx = strchr(cx + 1, ':'))) strlcat(newctx, cx, newlen); debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx); -------------- next part -------------- --- auth2-jpake.c.orig 2012-12-19 17:01:52.817528171 -0800 +++ auth2-jpake.c 2012-12-19 17:05:59.044554766 -0800 @@ -178,7 +178,7 @@ fatal("%s: not enough bytes for rawsalt (want %u have %u)", __func__, len, digest_len); memcpy(rawsalt, digest, len); - bzero(digest, digest_len); + memse...
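Review bot: at the `- bzero(digest, digest_len);` line in auth2-jpake.c, the buffer being cleared is the digest that rawsalt was just copied from, so the replacement has to be a wipe the compiler cannot drop as a dead store. A plain memset() on a buffer that is not read again may be optimized away; use a clearing routine that is guaranteed to survive optimization (explicit_bzero() where the platform provides it, or a wrapper that writes through a volatile pointer) and state in the commit message that the call is there to scrub secret material, not just to satisfy ANSI C.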
2012 May 25
2
Announce: X.509 certificates support v7.2 for OpenSSH version 6.0p1
Dear All, X.509 certificates support for OpenSSH version 6.0p1 was published. In brief, the new version includes: - support for Android platform; - engine implementation is now considered stable; - various regression test improvements including fixes for OpenSSL FIPS enabled 1.0.1 stable release and Korn shell. Yours sincerely, Roumen Petrov -- Get X.509 certificates support in OpenSSH:
2009 Oct 29
1
Match vs. ChallengeResponseAuthentication?
Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be
2011 Jan 22
1
SRP for OpenSSH
Hello all Support for Secure Remote Password (SRP) for OpenSSH was last discussed in 2004: http://marc.info/?l=openssh-unix-dev&w=2&r=1&s=SRP&q=b There's a SRP patch for OpenSSL that's about 2 years in the making: http://rt.openssl.org/Ticket/Display.html?id=1794 Tom Wu from Stanford has been working on that. Has anything changed since 2004 that would make inclusion
2012 Mar 06
6
openssh static build - mission impossible?
...hd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o roaming_common.o roaming_serv.o -L. -Lopenbsd-compat/ -pie -z relro -z...
2013 Sep 24
9
[PATCH] curve25519-sha256@libssh.org key exchange proposal
...Makefile.in @@ -73,7 +73,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o + jpake.o schnorr.o ssh-pkcs11.o krl.o kexc25519.o kexc25519c.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ @@ -93,7 +93,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ sftp-serv...
2013 Jun 25
1
RFC: encrypted hostkeys patch
...ex->sign(server_host_private, server_host_public, &signature, &slen, + hash, hashlen); /* destroy_sensitive_data(); */ diff --git a/monitor.c b/monitor.c index 7286126..8f289b5 100644 --- a/monitor.c +++ b/monitor.c @@ -97,6 +97,7 @@ #include "ssh2.h" #include "jpake.h" #include "roaming.h" +#include "authfd.h" #ifdef GSSAPI static Gssctxt *gsscontext = NULL; @@ -686,6 +687,8 @@ mm_answer_moduli(int sock, Buffer *m) return (0); } +extern AuthenticationConnection *auth_conn; + int mm_answer_sign(int sock, Buffer *m) { @@ -71...
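Review bot: the `+extern AuthenticationConnection *auth_conn;` line added to monitor.c just above mm_answer_sign() declares another file's global inside a .c file, so nothing checks the declaration against the definition. Put the declaration in a header included by both the defining file and monitor.c, and add a comment there saying which process owns the agent connection and when it may be NULL.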
2013 Feb 26
16
Call for testing: OpenSSH-6.2
Hi, It's that time again... OpenSSH 6.2 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: