search for: kerberostgtpass

Hey All, Found a very minor problem with client implementation of KerberosTgtPassing command line flag in ssh.c (first diff). We also made some readability patches to the config files and manpages to make the option clearer (the remainder of the diffs). diffs are against -current Index: ssh.c =================================================================== RCS file: /cv...

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow. Ticket/Token pa...

A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow. Ticket/Token pa...

...tc/sshd_config: line 69: Bad configuration option: KerberosOrLocalPasswd /usr/local/etc/sshd_config: line 70: Bad configuration option: KerberosTicketCleanup /usr/local/etc/sshd_config: line 74: Bad configuration option: AFSTokenPassing /usr/local/etc/sshd_config: line 77: Bad configuration option: KerberosTgtPassing /usr/local/etc/sshd_config: terminating, 5 bad configuration options Experimentation reveals that these are the only options that sshd does not recognize. ssh does not like these configuration options, either: /usr/local/etc/ssh_config: line 20: Bad configuration option: AFSTokenPassing /usr/...

...was the only one I was able to find. In case you don't want to look at all the stuff below, the situation is briefly that I am trying to compile openssh with kerberos 4 support, which it apparently has. However, it can't find krb.h, which is right there. And it compiles OK, but gives "KerberosTgtPassing yes" as a bad option, which can't be good, and I don't get properly authenticated when I log in, which is obviously the whole point. If this ssh cannot be compiled with this krb4 version, can you suggest a version it *would* compile correctly with? It is possible the configure file...

...rdAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no UseLogin no

...) && defined(KRB4) #include <krb.h> #include <radix.h> @@ -211,4 +211,4 @@ return 1; } -#endif /* AFS */ +#endif /* AFS && KRB4 */ --- readconf.c 2002/01/23 12:18:23 1.1 +++ readconf.c 2002/01/23 12:23:17 @@ -102,7 +102,7 @@ #if defined(AFS) || defined(KRB5) oKerberosTgtPassing, #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) oAFSTokenPassing, #endif oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, @@ -147,7 +147,7 @@ #if defined(AFS) || defined(KRB5) { "kerberostgtpassing", oKerberosTgtPassing }, #endif -#ifdef...

...ntication no PermitEmptyPasswords no # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override d...

...this may bypass the setting of ''PasswordAuthentication'' #PAMAuthenticationViaKbdInt yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes X11Forwarding yes X11DisplayOffset 256 PrintMotd no #PrintLastLog no KeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes Subsystem sftp /opt/talisen/ssh/rsftp-server --------- end of file --------- Anyone know what I''m m...

...on yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #ChallengeResponseAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes #CheckMail yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes Subsystem sftp /usr/libexec/openssh/sftp-server Carl

http://bugzilla.mindrot.org/show_bug.cgi?id=774 Summary: banner is displaying twice (/etc/issue) Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: Solaris Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy:

This is the 2nd revision of the Advisory. Buffer overflow in OpenSSH's sshd if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH with AFS/Kerberos token passing compiled in and enabled (either in the system or in sshd_config) contain a buff...

...rdAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no UseLogin no

...and refuses to run if you set options about them in ssh_config or sshd_config. I'm not sure if this is the intended (or good?) behaviour. Should it be better to modify the man pages when ./configuring too? Like, adding a small sentence about stuff disabled at compile time. An example: KerberosTgtPassing Specifies whether a Kerberos TGT will be forwarded to the server. This will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be ``yes'' or ``no''. This option has been disabled at...

...and refuses to run if you set options about them in ssh_config or sshd_config. I'm not sure if this is the intended (or good?) behaviour. Should it be better to modify the man pages when ./configuring too? Like, adding a small sentence about stuff disabled at compile time. An example: KerberosTgtPassing Specifies whether a Kerberos TGT will be forwarded to the server. This will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be ``yes'' or ``no''. This option has been disabled at...

...gs like kinit to fail with a somewhat uninformative error message. The relevant sshd_config lines I use are: # To change Kerberos options KerberosAuthentication yes KerberosOrLocalPasswd yes #AFSTokenPassing no KerberosTicketCleanup yes # Kerberos TGT Passing does only work with the AFS kaserver KerberosTgtPassing no I'm using MIT Kerberos. As far as I can tell (after scanning the code for a few hours and I'm not a programmer) the problem is in auth_krb5_password. 244 problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:", 245 &authctxt->krb5_fwd...

This is the 2nd revision of the Advisory. Buffer overflow in OpenSSH's sshd if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH with AFS/Kerberos token passing compiled in and enabled (either in the system or in sshd_config) contain a buff...

...entication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #Keep...

...nterval 0 ClientAliveCountMax 3 Compression yes #DenyGroups * #DenyUsers * GatewayPorts no HostbasedAuthentication no HostKey /etc/ssh/ssh_host_rsa_key IgnoreRhosts yes IgnoreUserKnownHosts no KeepAlive yes #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTgtPassing no #KerberosTicketCleanup yes KeyRegenerationInterval 3600 Port 22 ListenAddress 0.0.0.0 LoginGraceTime 300 LogLevel INFO MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 MaxStartups 10 #PAMAuthenticationViaKbdInt no PasswordAuthentication no PermitEmpt...

...entication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes PrintMotd yes PrintLastLog yes KeepA...