search for: kbdinteract

Hello all, I just noticed that 'KbdInteractiveAuthentication' is not mentioned in sshd.8 or anywhere else on the man page. Someone with better knowledge about it than me, please fix this :-) Also, there were talks about supporting cryptocards about 3 months ago. Is there work being done on this? -- Pekka Savola "...

What are the chances of getting the SecurID patch integrated into OpenSSH? I think I asked before and was told that it could be done with PAM, but I (and others) are not satisfied with the PAM support. This "tight" integration seems to work much better. If not, I'll just sit on my rogue patches :-( -- Theo Schlossnagle 1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB

...might be generally useful, and solicit > opinions on whether such a patch would be acceptable to the maintainers as > a pull request. Why not just use a different PAM stack? The new release allows specifying the stack name. This should do what you want with no code changes using Password / KbdInteractive AuthN. -- Carson

I have in the sshd_config the following to disable password authentication Match Group dummies PasswordAuthentication no KbdInteractive no Normally I use denyhosts to detect incorrect logins, but it seems that failed sshkey logins are not logged in auth.log And I really like to have them in order to detect them and use the denyhosts script. Looked in the last nightly builds, but it seems that only method ' password' is...

...olicit > > opinions on whether such a patch would be acceptable to the maintainers > as > > a pull request. > > Why not just use a different PAM stack? The new release allows > specifying the stack name. This should do what you want with no code > changes using Password / KbdInteractive AuthN. > > -- > > Carson > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >

...hether such a patch would be acceptable to the maintainers > > as > > > a pull request. > > > > Why not just use a different PAM stack? The new release allows > > specifying the stack name. This should do what you want with no code > > changes using Password / KbdInteractive AuthN. > > > > -- > > > > Carson > > > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > > ____...

I have just checked in a change which makes PAM support optional and disabled by default. Previously PAM support was detected and enabled automatically if found. The change was made because there is no workable way to make PAM work 'out of the box'. Each vendor implements PAM a little differently and there appears to be no standard on the naming of modules or the augments they take. To

...able to the > maintainers > > > as > > > > a pull request. > > > > > > Why not just use a different PAM stack? The new release allows > > > specifying the stack name. This should do what you want with no code > > > changes using Password / KbdInteractive AuthN. > > > > > > -- > > > > > > Carson > > > > > > _______________________________________________ > > > openssh-unix-dev mailing list > > > openssh-unix-dev at mindrot.org > > > https://lists.mindrot.org/mailman/...

...platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction" block but with zero prompts (this is permitted by kbdinteract-06 section 3.4). The next question is whether or not it's a good idea to send extra info to a denied login. As a rule, sshd doesn't, but this condition only occurs if the admin explicitly configures PAM to behave this way. This won't happen with the recently re-added PAM-via-pass...

...ners >> > > as >> > > > a pull request. >> > > >> > > Why not just use a different PAM stack? The new release allows >> > > specifying the stack name. This should do what you want with no code >> > > changes using Password / KbdInteractive AuthN. >> > > >> > > -- >> > > >> > > Carson >> > > >> > > _______________________________________________ >> > > openssh-unix-dev mailing list >> > > openssh-unix-dev at mindrot.org >> > &gt...

...s > >> > > > a pull request. > >> > > > >> > > Why not just use a different PAM stack? The new release allows > >> > > specifying the stack name. This should do what you want with no code > >> > > changes using Password / KbdInteractive AuthN. > >> > > > >> > > -- > >> > > > >> > > Carson > >> > > > >> > > _______________________________________________ > >> > > openssh-unix-dev mailing list > >> > > openssh-u...

...> > > a pull request. >> >> > > >> >> > > Why not just use a different PAM stack? The new release allows >> >> > > specifying the stack name. This should do what you want with no code >> >> > > changes using Password / KbdInteractive AuthN. >> >> > > >> >> > > -- >> >> > > >> >> > > Carson >> >> > > >> >> > > _______________________________________________ >> >> > > openssh-unix-dev mailing list >&...

Could someone provide a description of the config setting KbdInteractiveDevices And how it would be used. There is no mention of this here: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current And a quick glance of the source doesn't seem to reveal much. Thanks in advance, scott _______...

Hi folks, I've recently started to work on a patch for openssh that introduces a new option to disable authentication. I'd like to explain why I think this might be generally useful, and solicit opinions on whether such a patch would be acceptable to the maintainers as a pull request. *Why is this useful?* Openssh has useful capabilities such as remote and local port-forwarding, as well

Hi, I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication. Is there any way of making ssh1 work with radius on

Hello folks, this looks about the only place I can find on issues dealing with the subject line. The message that got me posting is included below the line of *'s. Basically I've tried getting this working with Pam authentication and using the new login binary that comes with Opie 2.32. No joy. I am using RedHat 6.0 OpenSSH 2.3.0p1 Pam 0.66-18 I can get the opie challenge only on a