search for: permit_yes

Displaying 15 results from an estimated 15 matches for "permit_yes".

2003 Jan 29
2
PermitRootLogin=yes no longer lets root login
...ile testing another patch, I found that I could no longer log in as root, even if PermitRootLogin was yes. It seems to be the following code in auth_password: $ cvs diff -r1.48 -r1.49 auth-passwd.c [snip] #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_NO_PASSWD) return 0; #endif [snip] Was this intentional? -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement com...
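Review bot: The replacement condition in the `#ifndef HAVE_CYGWIN` block compares against `PERMIT_NO_PASSWD`, so password authentication for uid 0 now returns 0 for every other setting, `PERMIT_YES` included. If root should be able to use a password only when root login is fully permitted, the comparison needs to stay `!= PERMIT_YES`; if the change was meant to do something else, it needs a comment saying what.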
2006 Sep 14
3
[PATCH] PermitRootLogin woes
...S file: /openssh/openssh_cvs/auth-passwd.c,v retrieving revision 1.86 diff -u -r1.86 auth-passwd.c --- auth-passwd.c 5 Aug 2006 02:39:39 -0000 1.86 +++ auth-passwd.c 14 Sep 2006 10:54:12 -0000 @@ -88,7 +88,7 @@ #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - ok = 0; + return 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; Index: auth-sia.c =================================================================== RCS file: /openssh/openssh_cvs/auth-sia.c,v retrieving revision 1.18 diff -u -r1.18 aut...
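Review bot: Replacing `ok = 0;` with `return 0;` in the `#ifndef HAVE_CYGWIN` block of auth-passwd.c makes a refused root attempt leave the function before the empty-password check and everything after it, while other accounts continue through the rest of the function. If the `ok` flag was there to keep all failure paths the same, either keep the flag and return it at the end, or say in the change why the early exit is acceptable for root.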
2002 Jul 30
0
patch: disable credential forwarding after password auth.
...lse struct passwd * pw = authctxt->pw; char *encrypted_password; @@ -118,19 +123,23 @@ #endif /* deny if no user. */ - if (pw == NULL) - return 0; + if (pw == NULL) { + retval=0 ; goto out; + } #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) { + retval=0 ; goto out; + } #endif - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) {...
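Review bot: Each early-exit branch in this hunk repeats `retval=0 ; goto out;` on one line with irregular spacing. Initialise `retval` to 0 where it is declared so the branches reduce to `goto out;`, or at least write `retval = 0;` and `goto out;` on separate lines in the style of the surrounding code.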
2002 Jun 14
1
[PATCH]: auth-passwd.c: Eliminate a Cygwin special case
...uth-passwd.c,v retrieving revision 1.45 diff -u -p -r1.45 auth-passwd.c --- auth-passwd.c 15 May 2002 15:59:17 -0000 1.45 +++ auth-passwd.c 14 Jun 2002 08:15:04 -0000 @@ -124,13 +124,6 @@ auth_password(Authctxt *authctxt, const if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; #endif -#ifdef HAVE_CYGWIN - /* - * Empty password is only possible on NT if the user has _really_ - * an empty password and authentication is done, though. - */ - if (!is_winnt) -#endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; #if...
2002 Jun 07
4
openssh for UWIN
...h> *************** *** 114,119 **** --- 117,125 ---- /* deny if no user. */ if (pw == NULL) return 0; + #ifdef _UWIN + return(uwin_mktoken(pw->pw_name,password,UWIN_TOKCLOSE)!=0); + #endif #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; *** readconf.c.orig Mon Feb 04 20:26:35 2002 --- readconf.c Thu May 30 16:55:00 2002 *************** *** 200,206 **** u_short host_port) { Forward *fwd; ! #ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid !...
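Review bot: The `#ifdef _UWIN` block in the auth-passwd.c hunk returns the result of `uwin_mktoken(...)` before the `options.permit_root_login != PERMIT_YES` test that follows it, so on a _UWIN build that root restriction is never evaluated for password authentication. Move the `_UWIN` return below the policy checks so they apply on every platform, or document why they are intentionally skipped.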
2003 Sep 19
0
Patch to restrict other auth methods from allowing root password authentication
...what that is) could be added as well. FWIW, it appears that when using the "password" method the code in auth.c is never reached due to the following code in auth-passwd.c: #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif meaning that this message in auth.c isn't logged in this case: logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); If no one has any problems with the patch I'll open a bugzilla PR. -----------------------------------------...
2003 Aug 09
0
Timing attacks and owl-always-auth
...authctxt, const char *password) { struct passwd * pw = authctxt->pw; + char *user = authctxt->user; + int success; + + auth_ok = authctxt->valid; /* deny if no user. */ if (pw == NULL) - return 0; + auth_result(0); if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + auth_result(0); if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + auth_result(0); #ifdef KRB5 if (options.kerberos_authentication == 1) { - int ret = auth_krb5_password(authctxt, password); - if (ret == 1 || ret == 0) - return ret;...
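Review bot: `auth_result(0);` replaces `return 0;` after `if (pw == NULL)`, and the very next statement dereferences `pw->pw_uid`. Unless `auth_result` is a macro that returns from the function, a NULL `pw` now falls through to that dereference; if it is such a macro, the hidden return should be made explicit at the call sites or at least documented where it is defined.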
2005 Jan 11
3
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
http://bugzilla.mindrot.org/show_bug.cgi?id=701 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- BugsThisDependsOn| |971 ------- Additional Comments From dtucker at zip.com.au 2005-01-11 18:25 ------- Patch attachment #766 in bug #971 should fix this.
2003 Sep 22
4
[Bug 701] With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam'
...ites with PermitRootLogin set to 'without-password' who are using PAM for logins and who are unaware that root can still log in with a password. Also, the following code in auth-password.c #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif seems to prevent the auth.c:auth_root_allowed() routine from ever being called, meaning that the following log line in auth.c doesn't get called: logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); When the code in auth-passwd.c is commente...
2011 Jun 22
3
sandbox pre-auth privsep child
...- case AF_UNSPEC: - return "any"; - default: - return "UNKNOWN"; - } - } - if (code == sPermitRootLogin) { - switch (val) { - case PERMIT_NO_PASSWD: - return "without-password"; - case PERMIT_FORCED_ONLY: - return "forced-commands-only"; - case PERMIT_YES: - return "yes"; - } + u_int i; + + if (val == -1) + return "unset"; + for (i = 0; m[i].key != NULL; i++) { + if (m[i].value == val) + return m[i].key; } - if (code == sProtocol) { + return "UNKNOWN"; +} + +static const char * +fmt_intarg(ServerOpCodes code, i...
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)
2003 Jan 29
0
[PATCH] features for restricted shell environments
...num, p); + break; + + case sPermitTcpListen: + intptr = &options->permit_tcp_listen; goto parse_flag; case sUsePrivilegeSeparation: --- servconf.h 28 Jan 2003 18:06:52 -0000 1.1.1.2 +++ servconf.h 29 Jan 2003 21:26:12 -0000 1.7 @@ -32,6 +33,13 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +/* restrictions */ +#define RESTRICT_AGENT 1 +#define RESTRICT_ENV 2 +#define RESTRICT_RC 4 +#define RESTRICT_TCP 8 +#define RESTRICT_X11 16 + typedef struct { u_int num_ports; @@ -98,6 +106,9 @@ int permit_empty_passwd; /* If false, do not permit empty * passwords. */...
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi, sorry if it is the wrong approach to suggest improvements to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in its chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be disallowed in
2001 Nov 06
13
OpenSSH 3.0
OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the