search for: kerberos_authentication

Dear users, I can access an database oracle database using sql developer. This was done by importing an xml file that contains the login details - username, password and specifies that it uses the KERBEROS_AUTHENTICATION. I'm trying to connect R - so that it can access this database - do sql queries and convert the resulting tables into dataframes. I am a novice in SQL and database access - but a friend provided me with the following approach: library(DBI) library(RMySQL) drvr<-dbDriver("MySQL&quo...

Can anyone with Heimdal KrbV verify this? -------------- next part -------------- An embedded message was scrubbed... From: Dag-Erling Smorgrav <des at ofug.org> Subject: Kerberos buglet in OpenSSH-3.3p1 Date: 25 Jun 2002 14:52:10 +0200 Size: 1291 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/347e123e/attachment.mht

...000 *************** *** 52,57 **** --- 52,58 ---- options->rhosts_authentication = -1; options->rhosts_rsa_authentication = -1; options->rsa_authentication = -1; + options->rsa_host_other_authentication = -1; options->dsa_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; *************** *** 130,135 **** --- 131,138 ---- options->rhosts_rsa_authentication = 0; if (options->rsa_authentication == -1) options->rsa_authentication = 1; + if (options->rsa_host_other_authentication == -1) + options->rsa_host_other_authentication = 0; i...

...ally all authentication. No users have local passwords on machines. We'd like to start allowing SSH2 connections, but OpenSSH 2.3.0p1 will not authenticate Kerberos passwords for SSH2 connections. In auth2.c: #ifdef KRB4 /* turn off kerberos, not supported by SSH2 */ options.kerberos_authentication = 0; #endif If I remove this snippet of code, then all works as expected and SSH2 users can authenticate. Why is this code here? Will I open a security hole by removing the code? I understand that ticket-forwarding, etc won't work. -Kevin -------------- next part -------------- A non-tex...

...re to set PAM_RHOST in the case of a passwordless login is a bug in OpenSSH. I have applied the following patch to my copy. It seems to fix the problem. *** auth1.c Thu Mar 1 17:33:31 2001 --- auth1.c.patched Thu Mar 1 17:33:18 2001 *************** *** 455,461 **** (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM ! auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, --- 455,4...

.../auth-passwd.c.org Tue Jul 3 23:21:15 2001 --- openssh-2.9.9p2/auth-passwd.c Tue Oct 2 10:13:47 2001 *************** *** 147,153 **** } #endif #ifdef WITH_AIXAUTHENTICATE ! return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { --- 147,157 ---- } #endif #ifdef WITH_AIXAUTHENTICATE ! if (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) ! return 1; ! loginfailed(authctxt->user, ! get_canonical_hostname(options.reverse_mapping_check), "ssh"); ! return 0; #endif...

...ns.permit_root_login != PERMIT_YES) { + retval=0 ; goto out; + } #endif - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) { + retval=0 ; goto out; + } #ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; + if (ret == 1 || ret == 0) { + retval=ret ; goto out; + } /* Fall back to ordinary passwd authentication. */ } #endif @@ -138,29 +147,34 @@ if (is_winnt) { HANDLE hToken = cygw...

...#endif @@ -145,7 +146,11 @@ } #endif #ifdef WITH_AIXAUTHENTICATE - return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + while (reenter) { + rc = authenticate (pw->pw_name,password,&reenter,&authmsg) + } + return (rc); #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { ----------------- /cut ------------------- It kind of looks like it's a slip that this isn't fixed in auth-passwd.c, as 'int reenter = 1;' is already available inside WITH_AIXAUTHENTICATE. -jf

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

OpenSSH 7.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support. OpenSSH also includes transitional support for the legacy SSH 1.3 and 1.5 protocols that may be enabled at compile-time. Once again, we would like to thank the OpenSSH community

...44 > > --- a/sshd.c > > +++ b/sshd.c > > @@ -1641,7 +1641,8 @@ main(int ac, char **av) > > > > /* Store privilege separation user for later use if required. */ > > if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { > > - if (use_privsep || options.kerberos_authentication) > > + if ((use_privsep || options.kerberos_authentication) > > + && (getuid() == 0 || geteuid() == 0)) > > fatal("Privilege separation user %s does not exist", > > SSH_PRIVSEP_USER); > > } else { > > @@ -1767,7 +1768,7 @@ main(...

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

...k from 127.0.0.1 port 49568 Index: auth1.c =================================================================== RCS file: /var/cvs/openssh/auth1.c,v retrieving revision 1.30 diff -u -r1.30 auth1.c --- auth1.c 2001/02/12 07:02:24 1.30 +++ auth1.c 2001/02/12 18:58:22 @@ -97,7 +97,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif #ifdef USE_PAM - auth_pam_password(pw, password)) { + auth_pam_password(pw, "")) { #else auth_password(pw, "")) { #endif

...gal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && + if (options.password_authentication && options.permit_empty_passwd && #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be

...e 46 I believe the problem is a missing do_pam_account() call. The patch below to auth1.c fixes the problem. If this is correct, can someone please commit this? Thanks, Dave. --- auth1.c 19 Jun 2004 00:51:06 -0000 1.1 +++ auth1.c 22 Jun 2004 04:07:38 -0000 1.5 @@ -81,8 +81,13 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { - auth_log(authctxt, 1, "without authentication", ""); - return; +#ifdef USE_PAM + if (options.use_pam && (PRIVSEP(do_pam_account()))) +#endif + { + auth...

.... */ if (pw == NULL) - return 0; + auth_result(0); if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + auth_result(0); if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + auth_result(0); #ifdef KRB5 if (options.kerberos_authentication == 1) { - int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; + success = auth_krb5_password(authctxt, password); + if (success == 1 || success == 0) + if (auth_result(success) == 1) + return 1; /* Fall back to ordinary passwd authentication. */...

...authenticated = auth_pam_password(pw, response, SSH_CMSG_AUTH_TIS); + xfree(response); + } + break; #else case SSH_CMSG_AUTH_TIS: /* TIS Authentication is unsupported */ @@ -503,7 +532,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM - auth_pam_password(pw, "")) { + auth_pam_password(pw, "", SSH_CMSG_AUTH_PASSWORD)) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonic...

...en, 4 + dlen, type); + if (!auth_afs_token(authctxt, token_string)) + verbose("AFS token REFUSED for %.100s", authctxt->user); + xfree(token_string); + } + //continue; +#endif /* AFS */ + #if defined(KRB4) || defined(KRB5) case SSH_CMSG_AUTH_KERBEROS: if (!options.kerberos_authentication) { @@ -169,9 +185,9 @@ packet_send_debug("Kerberos TGT passing disabled before authentication."); break; #ifdef AFS - case SSH_CMSG_HAVE_AFS_TOKEN: - packet_send_debug("AFS token passing disabled before authentication."); - break; +// case SSH_CMSG_HAVE_AFS_TOKEN:...