search for: postauth

https://bugzilla.mindrot.org/show_bug.cgi?id=2681 Bug ID: 2681 Summary: postauth processes to log via monitor Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org...

https://bugzilla.mindrot.org/show_bug.cgi?id=2263 Bug ID: 2263 Summary: sshd privsep monitor process doesn't handle SIGXFSZ signal Product: Portable OpenSSH Version: 6.6p1 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd

Hi all, When a client requests dynamic remote forwarding with -R it delays forking into the background. In ssh.c we see if (options.fork_after_authentication) { if (options.exit_on_forward_failure && options.num_remote_forwards > 0) { debug("deferring postauth fork until remote forward " "confirmation received"); } else fork_postauth(ssh); } This seems to depend on forwarding_success() for it to then call fork_postauth. If I'm reading this correctly the client sends out a number of forward reques...

...shares. Some users can connect one day but then lose the ability the next. When the problem starts to occur the log.smbd displays: =============================================== check_ntlm_password: authentication for user [user1] -> [user1] -> [MYDOMAIN\user1] succeeded ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[user1] domain=[MYDOMAIN] workstation=[MACHINE] =============================================== The file server in question is running Version 4.5.2-GIT-0d08df6 The PDC (a different server) is running Version 3.6.24-SerNet-Debian Connecting using smbclient from two o...

I realize that the splitting of the sshd binaries is a work in progress. Nonetheless I am trying to make a diagram of the situation as of 9.8. How close have I gotten? Is it correct that currently for a basic session, binaries are run four ways? 1. A privileged binary to listen for incoming connections (66717 below) 2. A privileged session monitor to track the session, for the duration of the

Hi, I?m trying to develop a PAM module with OpenSSH, and I realized I need to retrieve something in a later stage that was saved in another previous stage. As far as my tests on OpenSSH 7.6 go, the password auth route goes through PAM auth, account, session, and the session stage is in a different UNIX process from the process where auth and account take place. For the key auth route, auth stage

...equests dynamic remote forwarding with -R it delays forking > into the background. In ssh.c we see > > if (options.fork_after_authentication) { > if (options.exit_on_forward_failure && > options.num_remote_forwards > 0) { > debug("deferring postauth fork until remote forward " > "confirmation received"); > } else > fork_postauth(ssh); > } > > > This seems to depend on forwarding_success() for it to then call > fork_postauth. > > If I'm reading this correctly th...

...day but then lose the ability > the next. > > When the problem starts to occur the log.smbd displays: > =============================================== >   check_ntlm_password:  authentication for user [user1] -> [user1] -> > [MYDOMAIN\user1] succeeded >   ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[user1] > domain=[MYDOMAIN] workstation=[MACHINE] > =============================================== > > The file server in question is running Version 4.5.2-GIT-0d08df6 > The PDC (a different server) is running Version 3.6.24-SerNet-Debian > > Co...

...TR cipher to MT-AES-CTR after authentication and then forcing a rekey. Throughput improvements of more than 50% were seen on test systems. MT-AES-CTR is cipherstream compatible with the default implementation. 2) In order to reduce the complexity of the patch sets I've finally stripped the postauth NONE cipher switching from the patchsets. It's now a standalone patch. Thanks for your time! Chris Rapier

..._t context is not used anymore (sftp runs under context of the actual user). [1] 3) The last bits so far are related to the privilege separation SELinux context (the net child is confined as sshd_net_t). 4) root logins can be also confined by SELinux, so we should not skip privilege separation in postauth phase (skipping also requires additional permissions to be available for selinux context of this user). [1] Sorry for posting all patches in one, but they are quire closely related. If there is something not clear from description, I am free to explain further the reasons behind each line. [1] ht...

...: fd 4 setting O_NONBLOCK debug3: fd 4 is O_NONBLOCK debug3: fd 4 is O_NONBLOCK debug1: channel 0: new [/home/tbrown/.ssh/mux/192.168.1.100_22_tbrown] debug3: muxserver_listen: mux listener channel 0 fd 4 debug2: fd 3 setting TCP_NODELAY debug3: ssh_packet_set_tos: set IP_TOS 0x20 debug1: deferring postauth fork until remote forward confirmation received debug1: Entering interactive session. debug1: pledge: id debug2: set_control_persist_exit_time: schedule exit in 14400 seconds debug3: receive packet: type 80 debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug3: r...

...early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in mm_answer_pwnamallow(). However, this doesn't actually work as it tries to enable it in the monitor_dispatch table (which doesn't even have a REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled in the monitor_postauth table instead. So, you can either make it MON_PERMIT like above or you can fix it to not do the monitor_permit() on the passed in table, but do it on the appropriate postauth table instead. I'm using the above patch for now, but if you fix openssh I'll go with the vendor's fix once...

Hello, I'm migrating many accounts to a new server with vpopmail 5.4.33 and dovecot 2.0.11. I've already vpopmail 5.4.32 and dovecot 1.2.16 on others servers running without problems. With dovecot 2.0.11 my lastauth file is not updated. This file usually is update on any access (smtp, pop3, imap) with the client's IP, for every mailbox. Now it's updated only when a client