search for: loginfail

There are a couple of bugs in the openssh-3.7.1p2. The aix_setauthdb function does not work with other types of authentication such as AFS/DFS. The loginfailed test in configure is not correct. Also, AIX can use the wtmp logging which I added in configure. Attached is the patch. Thanks, Matt Richards -------------- next part -------------- *** openssh-3.7.1p2/openbsd-compat/port-aix.c Mon Jul 14 02:41:55 2003 --- openssh-3.7.1p2.patched/openbsd-compat/...

..._login_message': auth.c:341: warning: passing arg 1 of `loginsuccess' discards qualifiers from pointer target type auth.c:341: warning: passing arg 2 of `loginsuccess' discards qualifiers from pointer target type auth.c: In function `auth_log': auth.c:403: warning: passing arg 2 of `loginfailed' discards qualifiers from pointer target type auth.c:403: too few arguments to function `loginfailed' auth.c: In function `expand_filename': auth.c:481: warning: implicit declaration of function `snprintf' auth.c: In function `getpwnamallow': auth.c:630: warning: passing arg 1...

Hi David, I'm sure loginfailed(..) should be called immediately after authenticate(..) returned an error. It is directly related to an invalid password try. (Please see my attached mail from May 2001 to the list). I'm not so sure when loginsuccess(..) should be called (setting the loginfailed counter to zero): Either 1) wh...

...es some of the #includes for AIX. It moves the AIX-specific includes to port-aix.h and adds includes that contain the prototypes for many of the authentication functions. The idea isto fix some warnings. Unfortunately this exposes a couple of problems: * setpcred call does not match prototype * loginfailed on AIX 5.2 takes an (optional?) extra argument: Reason The patch changes the setpcred call to: setpcred(pw->pw_name, (char **)NULL); It also adds configure magic to detect a 4-arg loginfailed and #defines to use the appropriate call (hidden in port-aix.c, fortunately): loginfailed((char *)...

--- auth1.c.orig Sat Feb 3 18:17:53 2001 Bringa AIX modes in line with latest changes to auth1.c +++ auth1.c Sat Feb 3 18:19:15 2001 @@ -347,7 +347,7 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); + loginfailed(authctxt->user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); }

sorry, Darren. Long over due comments. [..] >+/* Record a failed login attempt. */ >+void >+record_failed_login(const char *user, const char *host, const char *ttyname) >+{ >+#ifdef WITH_AIXAUTHENTICATE >+ loginfailed(user, host, ttyname); >+#endif >+#ifdef _UNICOS >+ cray_login_failure((char *)user, IA_UDBERR); >+#endif /* _UNICOS */ >+} I like the patch idea, but I'd like to skip the whole 'chained function calls'. Plus it avoids closely packed #ifdef/#endifs. Just rename...

hello I have turned on my ftpd via INETD here is my ftpaccess file. how do I disallow anonymous ftp ------------------------------ class all real,guest,anonymous * email root@localhost loginfails 5 readme README* login readme README* cwd=* message /welcome.msg login message .message cwd=* compress yes all tar yes all chmod no guest,anonymous delete no guest,anonymous overwrite no guest,anonymous rename no...

...s that support this. I've tested this on AIX 4.3.3. Wendy Palm was kind enough to test it on UNICOS (this patch includes the cast required to placate the Cray compiler). Note: this will call record_failed_login() in the case of a login attempt by a non-existant user. This is good for AIX (loginfailed replaces the username with UNKNOWN_USER). I'm not sure if that's the right thing on UNICOS or not. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usua...

...this. I've tested this on AIX 4.3.3. Wendy Palm was kind enough to test it on UNICOS (this patch includes the cast required to placate the Cray compiler). NOTE: this will call record_failed_login() in the case of a login attempt by a non-existant user. This is fine for AIX (loginfailed replaces the username with UNKNOWN_USER). I'm not sure if UNICOS does the same thing. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from ba...

...on not to let this user try to log on... */ --- auth1.c.orig Wed May 10 15:53:51 2000 +++ auth1.c Thu May 11 15:13:37 2000 @@ -66,9 +66,7 @@ get_remote_port()); #ifdef WITH_AIXAUTHENTICATE - if (strncmp(get_authname(type),"password", - strlen(get_authname(type))) == 0) - loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); + loginfailed(user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ /* Indicate that authentication is needed. */ @@ -408,8 +406,12 @@ client_user = NULL; } - if (attempt > AUTH_FAIL_MAX) + if...

Can anyone explain why this fails? This was applied to source from openssh.org. Thanks, Ryan =========================== bash-2.05a$ /opt/freeware/bin/patch -p1 < ../openssh-3.6.1p2-passexpire20.patch patching file TODO Reversed (or previously applied) patch detected! Assume -R? [n] y patching file acconfig.h Reversed (or previously applied) patch detected! Assume -R? [n] y patching file

...ieving revision 1.67 diff -u -r1.67 auth.c --- auth.c 18 Jan 2003 05:24:06 -0000 1.67 +++ auth.c 27 Jan 2003 11:39:07 -0000 @@ -268,13 +268,11 @@ get_remote_port(), info); -#ifdef WITH_AIXAUTHENTICATE - if (authenticated == 0 && strcmp(method, "password") == 0) - loginfailed(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - + if (geteuid() == 0 && authenticated == 0 && + strcmp(method, "password") == 0) + record_failed_login(authctxt->user, +...

...is should be an == instead of >. While looking at the debug output when deliberately entering wrong passwords, I noticed one try for none, three for password, and then three for keyboard-interactive, at which point authctxt->failures is 6, and then the loop completes. 2. I'd like to move loginfailed() within the #ifdef WITH_AIXAUTHENTICATE of auth1.c and auth2.c to auth_log() instead, and call it on every password method failure, as well as an overall authctxt->failures == AUTH_FAIL_MAX check for the other methods. This should clean up the code a bit, and should fix the issue of the unsuc...

http://bugzilla.mindrot.org/show_bug.cgi?id=145 ------- Additional Comments From dtucker at zip.com.au 2002-06-21 23:43 ------- Created an attachment (id=116) Merge all previous patches and diff against -cvs ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=312 ------- Additional Comments From stevesk at pobox.com 2002-07-18 14:07 ------- why is it required? i don't see any canohost.h functions in those files. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dtucker at zip.com.au A login attempt by an unknown user (eg via telnet) normally gets logged as: syslog: pts/4: failed login attempt for UNKNOWN_USER from my.host.com This is generated by a call to loginfailed(), which substitutes UNKNOWN_HOST for the username if it doesn't exist. AIX never finds out about it because getpwnamallow returns as soon as it finds no passwd entry. Following patch calls loginfailed before returning. It generates: syslog: ssh: failed login attempt for UNKNOWN_USER fro...

http://bugzilla.mindrot.org/show_bug.cgi?id=355 ------- Additional Comments From dtucker at zip.com.au 2002-08-25 18:10 ------- It looks like the call to loginsuccess() fails because it's done as a non-privileged user. This is bad because in addition to generating the message it also clears the failed login counter that leads to account lockout. The following patch fixes it for me

Using openssh-SNAP-20001016 all of our problems with hanging connections have gone away (woohoo!), and it seems to be working flawlessly, but I am seeing messages like this in syslog: Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8 Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor Oct 24 16:58:30

...hu Nov 30 10:37:56 2000 @@ -189,21 +189,14 @@ char *user, *service, *method; int authenticated = 0; + authctxt->attempt++; if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); - if (authctxt->attempt++ >= AUTH_FAIL_MAX) { -#ifdef WITH_AIXAUTHENTICATE - loginfailed(authctxt->user?authctxt->user:"NOUSER", - get_canonical_hostname(), "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - packet_disconnect("too many failed userauth_requests"); - } - user = packet_get_string(NULL); service = packet_get_string(NULL); method =...

...O| |793 nThis| | Status|NEW |ASSIGNED ------- Additional Comments From dtucker at zip.com.au 2004-01-24 19:20 ------- Perhaps configure could test for a 4-arg version the same as it does for loginfailed() on AIX, then add the define if required? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.