search for: mon_auth

..._proto20[] {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query}, - {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, + {MONITOR_REQ_PAM_RESPOND, MON_AUTH, mm_answer_pam_respond}, {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, #endif #ifdef SSH_AUDIT_EVENTS @@ -231,8 +231,8 @@ struct mon_table mon_dispatch_proto15[] {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey}, {MONITOR_REQ_SESSID, MON_ONCE, mm_an...

...ng then it should be immediately apparent - the server will drop connections during user-authentication. -d diff --git a/monitor.c b/monitor.c index fc006eb..ee76516 100644 --- a/monitor.c +++ b/monitor.c @@ -228,9 +228,9 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, #ifdef GSSAPI {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, - {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, - {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, - {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},...

nuqneH, I've tried using TIS authsrv authentication via bsd auth and found it quite limited. The most important restriction it does not log ip and fqdn of the remote peer, nor the application name, to the authentication server. It does not matter much for TIS authsrv, but since other applications do provide such information, our authsrv version uses it for extra authentication restrictions.

...*); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -154,6 +158,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif @@ -196,6 +203,9 @@ {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_R...

..., char **, u_int *, char ***, u_int **); +extern int sshpam_respond(void *, u_int , char **); +extern void sshpam_free_ctx(void *); #endif static Authctxt *authctxt; @@ -155,7 +166,11 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM + {MONITOR_REQ_PAM_INIT_CTX, 0, mm_answer_sshpam_init_ctx}, {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, +...

..., char **, u_int *, char ***, u_int **); +extern int sshpam_respond(void *, u_int , char **); +extern void sshpam_free_ctx(void *); #endif static Authctxt *authctxt; @@ -155,7 +166,11 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM + {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_sshpam_init_ctx}, {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespon...

...KRB5 +int mm_answer_krb5(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -201,6 +205,9 @@ #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif +#ifdef KRB5 + {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, +#endif {0, 0, NULL} }; @@ -1333,6 +1340,42 @@ return (success); } + +#ifdef KRB5 +int +mm_answer_krb5(int socket, Buffer *m) +{ + krb5_data tkt, reply; + char *client_user; + unsigned int len; + int success; + + /* use temporary var to avoid size issues on 64bit arch...

...; +#endif + #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); int mm_answer_pam_account(int, Buffer *); @@ -178,6 +182,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef WITH_SELINUX + {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, @@ -602,6 +609,9 @@ else { /* Allow service/s...

...mm_answer_gss_setup_ctx(int, Buffer *); +int mm_answer_gss_accept_ctx(int, Buffer *); +int mm_answer_gss_userok(int, Buffer *); +#endif static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -168,6 +178,11 @@ #ifdef KRB5 {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, #endif +#ifdef GSSAPI + {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, + {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, + {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, +#endif {0, 0, NULL} }; @@ -320,7 +335,6 @@ monitor_pe...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |