search for: kbdint

http://bugzilla.mindrot.org/show_bug.cgi?id=580 Summary: disable kbdint if host key mismatch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy...

https://bugzilla.mindrot.org/show_bug.cgi?id=1438 Summary: Adds an out-of-band challenge (OBC) authentication method (via kbdint) Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2 Component: sshd AssignedTo: bitbuck...

http://bugzilla.mindrot.org/show_bug.cgi?id=568 Summary: Kerberos password auth/expiry kbdint patch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P4 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jfh...

Hello, I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which may or may not be a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to actually proceed with the authentication. This results in...

https://bugzilla.mindrot.org/show_bug.cgi?id=1439 Summary: Adds Virtual Token (VToken) authentication method to kbdint Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucke...

https://bugzilla.mindrot.org/show_bug.cgi?id=1439 Summary: Adds Virtual Token (VToken) authentication method to kbdint Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucke...

I took Markus Friedl's advice and set up a KbdintDevice for Kerberos password authentication/expiry. It took me a bit to wrap my head around privsep, but I think it's working properly (code stolen shamelessly from FBSD's PAM implementation :->). The hardest part was working out how to get the interaction between krb5_get_init_cred...

http://bugzilla.mindrot.org/show_bug.cgi?id=568 ------- Additional Comments From michael.houle at atcoitek.com 2004-04-06 06:04 ------- Can someone please enlighten me on whether this kind of code is going to be included in the main development ? I thought this would be handled automatically by the krb5 libraries, so I was suprised to find that password changing doesn't work in the SSH

...ResponseAuthenticationFirst' option for sshd, which makes it do what I require, offering only skey to a client at first, then offering other auth methods after skey has succeeded. Is there any point in trying to make it more generic? What other setups are people likely to want? Index: auth2-kbdint.c =================================================================== RCS file: /cvs/openssh/auth2-kbdint.c,v retrieving revision 1.1 diff -u -p -r1.1 auth2-kbdint.c --- auth2-kbdint.c 6 Jun 2002 20:27:56 -0000 1.1 +++ auth2-kbdint.c 1 Mar 2003 17:37:41 -0000 @@ -50,7 +50,13 @@ userauth_kbdint(Auth...

...----------------------------------------------- | none | sshd-none | ----------------------------------------------- | password | sshd-password | ----------------------------------------------- | keyboard-interactive | sshd-kbdint | ----------------------------------------------- | pubkey | sshd-pubkey | ----------------------------------------------- | hostbased | sshd-hostbased | ----------------------------------------------- | gssapi-with-mic...

Hi, Is there a fix available from openssh for the reported vulnerability when pam is enabled. http://www.securityfocus.com/bid/11781 thanks -logu

...platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction" block but with zero prompts (this is permitted by kbdinteract-06 section 3.4). The next question is whether or not it's a good idea to send extra info to a denied login. As a rule, sshd doesn't, but this condition only occurs if the admin explicitly configures PAM to behave this way. This won't happen with the recently re-added PAM-via...

...igure --with-zlib=/usr/local/include cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o -L. -Lopenbsd-compat/ -L/usr/local/include -lssh -lopenbs...

...nssh 4.6p1 on irix using mipspro 7.4.x. c99 -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o -L. -Lopenbsd-compat/ -L/usr/local/lib -L/usr/local2...

http://bugzilla.mindrot.org/show_bug.cgi?id=936 Summary: S/Key authentication fails if UsePAM=no Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: ulm at

Is it intentional that password auth using PAM continues trying to log on (giving password 3 prompts) in the case that a user is disabled (so that pam_account returns an error code). It can be argued both ways (saying 'you are disabled' is giving out too much information, making it look like you are entering the wrong password confuses and frustrates the user)

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

...-------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Comment #2 from djm at mindrot.org 2005-11-06 03:46 ------- WONTFIX - admins can just disable either PasswordAuthentication or KbdInteractiveAuthentication if they are functionally equivalent. Our default config, and most distributor configs do this already. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...is, early AIX: ../crc32.c:100: `u_int32_t? undeclared (first use in this function) On these platforms u_int32_t is defined in defines.h which is not included by crc32.c. Fixed by attached patch. b) PAM platforms (Redhat, Solaris once a) is fixed, probably others) gcc -o sshd sshd.o [snip] auth2-kbdint.o: In function `userauth_kbdint?: /home/dtucker/openssh/openssh-tinderbox/Linux-2.4.18-24.8.0/../auth2-kbdint.c:54: undefined reference to `auth2_pam? collect2: ld returned 1 exit status Not sure about this one... -Daz. [0] http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html --...

If an ssh1 client initiates challenge-response authentication but does not submit a response to the challenge, and instead switches to some other authentication method, verify_response() will never run, and the kbdint device context will never be freed. In some cases (such as when the FreeBSD PAM authentication code is being used) this may cause a resource leak leading to a denial of service. The attached patch adds abandon_challenge_response() to auth-chall.c, and code to auth1.c to call it if challenge-respo...