search for: rsa_authentication

Here's a bunch of changes I've made to the current portable version of OpenSSH. The aim is that the rsa_authentication flag in sshd_config can be given the values "without-nfs" This is really handy within a large organization where incorrectly secured home directories can allow authorized_keys(2) to be modified by someone other than the owner. So now rsa_authentication can take the values (no,without-nfs...

...wed. diff -c openssh-2.1.1p4.orig/servconf.c openssh-2.1.1p4/servconf.c *** openssh-2.1.1p4.orig/servconf.c Sat Jul 15 05:14:17 2000 --- openssh-2.1.1p4/servconf.c Fri Aug 4 10:49:16 2000 *************** *** 52,57 **** --- 52,58 ---- options->rhosts_authentication = -1; options->rhosts_rsa_authentication = -1; options->rsa_authentication = -1; + options->rsa_host_other_authentication = -1; options->dsa_authentication = -1; #ifdef KRB4 options->kerberos_authentication = -1; *************** *** 130,135 **** --- 131,138 ---- options->rhosts_rsa_authentication = 0; if...

...is happening... In sshd.c, auth_mask is set to "supported authentication methods": /* Declare supported authentication types. */ auth_mask = 0; if (options.rhosts_authentication) auth_mask |= 1 << SSH_AUTH_RHOSTS; if (options.rhosts_rsa_authentication) auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) auth_mask |= 1 << SSH_AUTH_RSA; Now, in servconf.c, options.rhosts_authentication is set to 0 if IgnoreRhosts is no: case sIgnoreRhosts: intptr = &options->...

...k; + case oCAKeyFile: + charptr = &options->ca_key_file; + goto parse_string; + case oGlobalKnownHostsFile: charptr = &options->system_hostfile; goto parse_string; @@ -1002,6 +1013,8 @@ options->gateway_ports = -1; options->use_privileged_port = -1; options->rsa_authentication = -1; + options->certkey_authentication = -1; + options->ca_key_file = NULL; options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -1088,6 +1101,10 @@ options->use_privileged_port = 0; if (options->...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

...(options->gateway_ports == -1) options->gateway_ports = 0; if (options->use_privileged_port == -1) - options->use_privileged_port = 0; + options->use_privileged_port = 1; if (options->rhosts_authentication == -1) options->rhosts_authentication = 1; if (options->rsa_authentication == -1)

Can anyone with Heimdal KrbV verify this? -------------- next part -------------- An embedded message was scrubbed... From: Dag-Erling Smorgrav <des at ofug.org> Subject: Kerberos buglet in OpenSSH-3.3p1 Date: 25 Jun 2002 14:52:10 +0200 Size: 1291 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/347e123e/attachment.mht

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

...#ifdef KRB5 if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && @@ -1202,6 +1220,7 @@ goto success; } } + /* Try RSA authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_RSA)) && options.rsa_authentication) { @@ -1226,6 +1245,7 @@ if (try_challenge_response_authentication()) goto success; } + /* Try password authentication if the server supports it. */ if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) && options.password_authentication && !options...

...ak; case MM_HOSTKEY: allowed = options.hostbased_authentication && hostbased_key_allowed(authctxt->pw, cuser, chost, key); + auth_method = "hostbased"; break; case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); + auth_method = "rsa"; break; default: fatal("%s: unknown key type %d", __func__, type); @@ -1010,6 +1014,9 @@ mm_answer_keyallowed(int sock, Buffer *m key_blobtype = type...