search for: kerberos_or_local_passwd

...a passwordless login is a bug in OpenSSH. I have applied the following patch to my copy. It seems to fix the problem. *** auth1.c Thu Mar 1 17:33:31 2001 --- auth1.c.patched Thu Mar 1 17:33:18 2001 *************** *** 455,461 **** (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM ! auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, --- 455,461 ---- (!options.kerber...

Can anyone with Heimdal KrbV verify this? -------------- next part -------------- An embedded message was scrubbed... From: Dag-Erling Smorgrav <des at ofug.org> Subject: Kerberos buglet in OpenSSH-3.3p1 Date: 25 Jun 2002 14:52:10 +0200 Size: 1291 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/347e123e/attachment.mht

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

...auth1.c =================================================================== RCS file: /var/cvs/openssh/auth1.c,v retrieving revision 1.30 diff -u -r1.30 auth1.c --- auth1.c 2001/02/12 07:02:24 1.30 +++ auth1.c 2001/02/12 18:58:22 @@ -97,7 +97,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif #ifdef USE_PAM - auth_pam_password(pw, password)) { + auth_pam_password(pw, "")) { #else auth_password(pw, "")) { #endif

...; /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && + if (options.password_authentication && options.permit_empty_passwd && #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif

...ssing do_pam_account() call. The patch below to auth1.c fixes the problem. If this is correct, can someone please commit this? Thanks, Dave. --- auth1.c 19 Jun 2004 00:51:06 -0000 1.1 +++ auth1.c 22 Jun 2004 04:07:38 -0000 1.5 @@ -81,8 +81,13 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif PRIVSEP(auth_password(authctxt, ""))) { - auth_log(authctxt, 1, "without authentication", ""); - return; +#ifdef USE_PAM + if (options.use_pam && (PRIVSEP(do_pam_account()))) +#endif + { + auth_log(authctxt, 1, "without auth...

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

...int do_pam_account(char *username, char *remote_user); diff -uNr openssh-3.0.2p1.orig/auth1.c openssh-3.0.2p1/auth1.c --- openssh-3.0.2p1.orig/auth1.c Tue Nov 13 04:46:19 2001 +++ openssh-3.0.2p1/auth1.c Fri Feb 15 02:15:02 2002 @@ -85,7 +85,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif #ifdef USE_PAM - auth_pam_password(pw, "")) { + auth_pam_password(pw, "", PAM_PROMPT_ECHO_OFF)) { #elif defined(HAVE_OSF_SIA) 0) { #else @@ -252,7 +252,8 @@ #ifdef USE_PAM /* Do PAM auth with password */ - authenticated = auth_pam_pa...

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

...am_password(pw, response, SSH_CMSG_AUTH_TIS); + xfree(response); + } + break; #else case SSH_CMSG_AUTH_TIS: /* TIS Authentication is unsupported */ @@ -503,7 +532,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM - auth_pam_password(pw, "")) { + auth_pam_password(pw, "", SSH_CMSG_AUTH_PASSWORD)) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL,...

...-77,6 +78,7 @@ options->hostbased_authentication = -1; options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; + options->certkey_authentication = -1; options->pubkey_authentication = -1; options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; @@ -134,6 +136,8 @@ _PATH_HOST_DSA_KEY_FILE; } } + if (options->ca_key_file == NULL) + options->ca_key_file = _PATH_CA_KEY_FILE; if (options->num_ports == 0) options->ports[options->num_ports++] = SSH_DEFAULT_PORT; if (options->listen_addrs == NULL) @@ -...

...========================================== RCS file: /home/hack/jakob/mycvs/sshgss/servconf.c,v retrieving revision 1.1.1.2 retrieving revision 1.5 diff -u -r1.1.1.2 -r1.5 --- servconf.c 10 Aug 2003 14:06:52 -0000 1.1.1.2 +++ servconf.c 10 Aug 2003 14:25:01 -0000 1.5 @@ -69,6 +69,9 @@ options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; options->kerberos_tgt_passing = -1; + options->afs_token_passing = -1; + options->gss_authentication=-1; + options->gss_cleanup_creds = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1;...