Displaying 6 results from an estimated 6 matches for "monitor_req_pwnam".
2008 Jul 10
1
Race condition in sshd
...cessary
for authentication. The unprivileged child runs do_ssh2_kex() followed by
do_authentication2().
I am working on a new KEX algorithm whose primary feature is performance. It
is fast enough that do_authentication2() runs _before_ the monitor has a
chance to permit the necessary requests (MONITOR_REQ_PWNAM in particular),
and therefore authentication fails on the server with:
monitor_read: unpermitted request 6
Could someone more experienced please look at this?
Thanks!
2008 Jul 12
2
[Bug 1487] New: Race condition between monitor and unprivileged child in sshd
...he parent executes monitor_child_preauth() to allow
certain privsep requests necessary for authentication. The unprivileged
child runs do_ssh2_kex() followed by do_authentication2().
If KEX is fast enough, do_authentication2() runs before the monitor has a
chance to permit the necessary requests (MONITOR_REQ_PWNAM in particular),
and therefore authentication fails on the server with:
monitor_read: unpermitted request 6
Damien Miller proposed setting up a pipe shared between the monitor and
child, and making the child wait until the monitor end closes, which
it should do after permitting the monitor calls....
2004 Sep 07
0
Please review openssh patch for selinux
...openssh-3.9p1_selinux/monitor.h 2004-09-07 18:08:22.000000000 +0200
@@ -30,7 +30,7 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
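Review bot: MONITOR_REQ_AUTHROLE is inserted in the middle of enum monitor_reqtype, so every enumerator after it (MONITOR_REQ_SIGN, MONITOR_REQ_PWNAM and the rest) shifts by one, and the request numbers printed in monitor diagnostics no longer match an unpatched build. Appending the new value at the end of the enum would keep the existing numbering stable. The new request also has no MONITOR_ANS_AUTHROLE counterpart; if that is intentional, as with MONITOR_REQ_AUTHSERV, a short comment saying so would help.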
diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.c openssh-3.9p1_selinux/monitor_wrap.c
--- openssh-3.9p1_vanilla/monitor_wrap.c 2004-07-17 09:05:14.000000000 +0200
+++ openssh-3.9p1_selinux/monitor...
2002 Jul 02
3
New PAM kbd-int diff
..._ctx(int socket, Buffer *m)
+{
+ debug3("%s: entering", __func__);
+
+ if (sshpam_auth_ctxt != NULL)
+ sshpam_free_ctx(sshpam_auth_ctxt);
+
+ sshpam_auth_ctxt = NULL;
return (0);
}
#endif
@@ -1149,6 +1265,10 @@
/* Turn on permissions for getpwnam */
monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+#ifdef USE_PAM
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+#endif
return (0);
}
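Review bot: the added monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1) sits under the comment "Turn on permissions for getpwnam", which does not describe it, and it takes effect in every build with USE_PAM defined. Add a comment stating why PAM start may be permitted at this point in the pre-authentication sequence, and consider enabling it only when PAM keyboard-interactive authentication is actually going to be used, so the set of requests the monitor accepts from the unprivileged child stays as small as possible.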
Index: monitor.h
===================================================================
RCS file: /var/cvs/openssh/monitor.h,v
retrieving revision 1.8
diff -u -r1.8 monitor.h
--- monitor.h 11 Ju...
2002 Jun 25
4
PAM kbd-int with privsep
...(int socket, Buffer *m)
+{
+ debug3("%s: entering", __FUNCTION__);
+
+ if (sshpam_auth_ctxt != NULL)
+ sshpam_free_ctx(sshpam_auth_ctxt);
+
+ sshpam_auth_ctxt = NULL;
return (0);
}
#endif
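Review bot: debug3("%s: entering", __FUNCTION__) in this handler relies on the compiler-specific __FUNCTION__ identifier; the C99 spelling __func__ is the portable choice and should be used here.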
@@ -1152,6 +1268,10 @@
/* Turn on permissions for getpwnam */
monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
+
+#ifdef USE_PAM
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+#endif
return (0);
}
Index: monitor.h
===================================================================
RCS file: /var/cvs/openssh/monitor.h,v
retrieving revision 1.8
diff -u -r1.8 monitor.h
--- monitor.h 11 Ju...
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |