search for: permit_empty_passwd

Displaying 20 results from an estimated 33 matches for "permit_empty_passwd".

2002 Jul 25
3
[PATCH] prevent users from changing their environment
...75,6 +75,7 @@ #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes +#PermitUserEnvironment yes #Compression yes #MaxStartups 10 --- servconf.h 20 Jun 2002 23:05:55 -0000 1.58 +++ servconf.h 24 Jul 2002 16:55:26 -0000 @@ -97,6 +97,7 @@ int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ + int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; --- servconf.c 23 Jun 2002 09:46:5...
2002 Jul 30
0
patch: disable credential forwarding after password auth.
...Jan --- openssh-3.4p1.orig/auth-passwd.c Fri Jun 21 08:05:13 2002 +++ openssh-3.4p1/auth-passwd.c Mon Jul 29 16:39:48 2002 @@ -89,14 +89,19 @@ int auth_password(Authctxt *authctxt, const char *password) { + int retval = 0; #if defined(USE_PAM) - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; - return auth_pam_password(authctxt, password); + if (*password == '\0' && options.permit_empty_passwd == 0) { + retval=0 ; goto out; + } + retval=auth_pam_password(authctxt, password); + goto out; #elif defined(HAVE_OSF_SIA) - if (*password == '\0' &amp...
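Review bot: in the USE_PAM branch, `retval=0 ; goto out;` re-assigns the value that `int retval = 0;` already set, and its spacing does not match the surrounding code. A bare `goto out;` is enough there, and `retval = auth_pam_password(authctxt, password);` should follow the file's spacing style.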
2004 Jul 01
4
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559 ------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:40 ------- (From update of attachment 292) OK, except for the last bit, I think this is all done. >+#ifdef USE_PAM >+ options.permit_empty_passwd && >+#endif This is done in auth-passwd.c: if (*password == '\0' && options.permit_empty_passwd == 0) return 0; >- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); >+ PRIVSEP(start_pam(user)); Fixed a while back. >- if (pam_retval =...
2001 Nov 07
2
Flaw in empty password authentication in sshd
...d. If the user presses enter on the password prompt (NULL password) access is disallowed. However upon entry of any random string the user is granted successful login. In "auth_pam_password" function (auth_pam.c) the lines: if(*password == '\0' && options.permit_empty_passwd == 0) return 0; disallows a login to an empty password account by providing empty password. However if the user provides a random non-empty password the user is able to login to an account that has empty password. This is because the "pam_authenticate" function which i...
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...assword(struct passwd *pw, const char *password, int prompt_type) { extern ServerOptions options; int pam_retval; @@ -211,12 +249,14 @@ return 0; if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) return 0; - if (*password == '\0' && options.permit_empty_passwd == 0) + if (*password == '\0' && options.permit_empty_passwd == 0 && + prompt_type == PAM_PROMPT_ECHO_OFF) return 0; __pampasswd = password; pamstate = INITIAL_LOGIN; + pamprompt = prompt_type; pam_retval = do_pam_authenticate( options.permit_empty_...
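Review bot: the added `prompt_type == PAM_PROMPT_ECHO_OFF` condition narrows the empty-password rejection, so an empty response under any other prompt type now reaches do_pam_authenticate even when permit_empty_passwd is 0. Please add a comment stating why that is intended for the TIS path, or keep the check unconditional unless the prompt is known to be a challenge response. `pamprompt = prompt_type;` is also set as shared state just before the call, and a comment on what reads it would help.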
2003 Mar 02
0
[RFC][PATCH] Require S/KEY before other authentication methods.
...17:37:42 -0000 @@ -100,6 +100,7 @@ initialize_server_options(ServerOptions options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; + options->challenge_response_authentication_first = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; options->use_login = -1; @@ -222,6 +223,13 @@ fill_default_server_options(ServerOption options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; +...
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implementation. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
...!= current_auth_type) { + finish_pam(); + start_pam2(pw, auth_type); + } + /* deny if no user. */ if (pw == NULL) return 0; if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; - if (*password == '\0' && options.permit_empty_passwd == 0) + if (password!=NULL && *password == '\0' && options.permit_empty_passwd == 0) return 0; pampasswd = password; pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); if (pam_retval == PAM_SUCCESS) { - debug("PAM Password authentication accepted for...
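Review bot: `start_pam2(pw, auth_type);` in the new block runs before the `if (pw == NULL) return 0;` check that follows it, so it can be handed a NULL pw. Move the no-user check above the auth-type switch, or state that start_pam2 tolerates NULL. The new `password!=NULL` guard also lets a NULL password skip the empty-password rejection and be assigned to pampasswd, so a comment should say which caller passes NULL and why that is safe.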
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for
2000 Mar 27
1
Few question...
Hello I have a few questions about openssh... 1/ there is probably a bug in auth-password.c in auth_password function if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; if (*password == '\0' && options.permit_empty_passwd == 0) return 0; /* deny if no user. */ if (pw == NULL) <----------- this should be first checked .... return 0; 2/ do I have to always read the whole packet? For example: I send a packet with int and string as data. Can I forget about reading string when I don't need it or there is a poss...
2003 Aug 09
0
Timing attacks and owl-always-auth
...txt->user; + int success; + + auth_ok = authctxt->valid; /* deny if no user. */ if (pw == NULL) - return 0; + auth_result(0); if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + auth_result(0); if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + auth_result(0); #ifdef KRB5 if (options.kerberos_authentication == 1) { - int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret; + success = auth_krb5_password(authctxt, password); + if (success == 1 || success == 0) + if (auth_r...
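Review bot: each `return 0;` becomes `auth_result(0);` with no return, so as written the `if (pw == NULL)` case falls through to `pw->pw_uid` on the next line. If auth_result only records the outcome so that every path does the same work, the later dereferences need a guard for a NULL pw; if it is a macro that changes control flow, say so in a comment next to its definition, since nothing at these call sites shows it.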
2001 Mar 02
0
Patch for system-wide default environment
...-- diff -r -c openssh-2.5.1p1/servconf.c openssh-2.5.1p1-1/servconf.c *** openssh-2.5.1p1/servconf.c Wed Feb 14 19:08:27 2001 --- openssh-2.5.1p1-1/servconf.c Thu Mar 1 15:45:03 2001 *************** *** 81,86 **** --- 81,87 ---- options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; + options->sys_environment_file = NULL; options->allow_tcp_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; *************** *** 210,216 **** sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddres...
2000 Oct 24
2
feature request & patch submit: chroot(2) in sshd
...n openssh-2.2.0p1chroot: enssh-2.2.0p1chroot2.patch diff --ignore-space-change -u openssh-2.2.0p1/servconf.c openssh-2.2.0p1chroot/servconf.c --- openssh-2.2.0p1/servconf.c Fri Aug 18 05:59:06 2000 +++ openssh-2.2.0p1chroot/servconf.c Sun Oct 22 18:59:49 2000 @@ -68,6 +68,8 @@ #endif options->permit_empty_passwd = -1; options->use_login = -1; + options->use_chroot = -1; + options->chroot_group = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -158,6 +160,10 @@ options->permit_empty_passwd = 0; if (options->use_login == -1...
2002 Jun 14
1
[PATCH]: auth-passwd.c: Eliminate a Cygwin special case
...mp; options.permit_root_login != PERMIT_YES) return 0; #endif -#ifdef HAVE_CYGWIN - /* - * Empty password is only possible on NT if the user has _really_ - * an empty password and authentication is done, though. - */ - if (!is_winnt) -#endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; #ifdef KRB5 -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
2001 Mar 14
1
/etc/default/login patch?
Would anybody happen to have or know of a patch to make /etc/default/login PATH and SUPATH the default openssh path? We have customized paths for each school of engineering (each have their own customized site bin). This is easily controlled with /etc/default/login. The --with-default-path option is too rigid. This is Solaris I am talking about. --mike
2000 Dec 07
1
[PATCH] tis authserv support
...000 +++ openssh-2.3.0p1-tis/servconf.c Thu Dec 7 18:41:00 2000 @@ -64,6 +64,9 @@ options->kbd_interactive_authentication = -1; #ifdef SKEY options->skey_authentication = -1; +#elif TIS_AUTH + options->tis_authentication = -1; + options->authserv_addrs = NULL; #endif options->permit_empty_passwd = -1; options->use_login = -1; @@ -155,6 +158,9 @@ #ifdef SKEY if (options->skey_authentication == -1) options->skey_authentication = 1; +#elif TIS_AUTH + if (options->tis_authentication == -1) + options->tis_authentication = 1; #endif if (options->permit_empty_passwd...
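Review bot: `#elif TIS_AUTH` in both servconf.c hunks tests the macro's value rather than whether it is defined, unlike the `#ifdef SKEY` it is chained to; use `#elif defined(TIS_AUTH)`. Chaining it to the SKEY block also makes the two mutually exclusive: when SKEY is defined, `options->tis_authentication` and `options->authserv_addrs` are never initialized or defaulted. If that exclusivity is intended, document it; otherwise give TIS_AUTH its own `#ifdef` block.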
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's
2006 Sep 14
3
[PATCH] PermitRootLogin woes
...c --- auth-passwd.c 5 Aug 2006 02:39:39 -0000 1.86 +++ auth-passwd.c 14 Sep 2006 10:54:12 -0000 @@ -88,7 +88,7 @@ #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - ok = 0; + return 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; Index: auth-sia.c =================================================================== RCS file: /openssh/openssh_cvs/auth-sia.c,v retrieving revision 1.18 diff -u -r1.18 auth-sia.c --- auth-sia.c 7 Sep 2006 23:54:41 -0000 1.18 +++ auth-sia.c 14 Sep 2006 10:54:12 -0000 @@ -55,12...
2003 Jan 29
0
[PATCH] features for restricted shell environments
...quot;kex.h" #include "mac.h" +#include "channels.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); @@ -102,6 +105,9 @@ options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->permit_user_env = -1; + options->permit_tcp_listen = -1; + options->restricted_shell = NULL; + options->restrictions = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; @@ -226,6 +232,10 @@ options->permit_e...
2003 May 12
10
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559 Summary: PAM fixes Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at fcusack.com - start PAM