Displaying 20 results from an estimated 333 matches for "sia".

2005 Apr 07
1
PermitRootLogin and Tru64 SIA
I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA, the root login attempts still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In...
2003 Sep 24
1
Patches for compatibility with Heimdal's libsia_krb5 SIA module
I have found the following patches to be desirable for using sshd on a Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from Heimdal. These patches do the following: 1) preserve context between the password authentication and the session setup phases. This is necessary because the Heimdal SIA module stores Kerberos context information as mechanism-specific data in ent->mech[]. 2) Allow...
2000 May 03
2
SIA support patches for Tru64 UNIX
I think I'm ready with the SIA (Security Integration Architecture) patches for Tru64 UNIX. All of the code was written by Tom Woodburn, an engineer at Compaq. I've only performed integration and testing of the patches with more help from Tom. Tom's original patches were included in the "other" ssh. We'd bot...
2006 Sep 14
3
[PATCH] PermitRootLogin woes
...we provide shell access to various unix based platforms for our students and university staff. Recently, there has been increasing number of root login attacks on one particular Tru64 machine running OpenSSH. The host is configured with "PermitRootLogin no" but every once in a while SIA auth with TCB enhanced security locks the root account. I suppose the problem could be solved at two separate levels, for SIA only in auth-sia.c, or for any password using auth method in auth-passwd.c. I'd prefer a fix just for auth-passwd.c, are there any reasons to try out auth_krb5_passw...
2007 Dec 01
2
Tru64 v5.1 with Sia
./configure --with-sia # ./dovecot --build-options Build options: ioloop=poll ipv6 openssl SQL drivers: Passdb: checkpassword passwd passwd-file Userdb: checkpassword passwd prefetch passwd-file static # ./dovecot --version 1.0.8 # ./dovecot -n # 1.0.8: /usr/local/etc/dovecot.conf protocols: pop3 listen: *:10100 ssl_...
2000 Oct 15
1
Patch for Digital Unix SIA authentication
A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams <cmadams at hiwaay.n...
2006 Sep 20
2
Tru64 Unix and SIA
I have recently written a (minimal) Tru64 Unix SIA password module for Dovecot as part of testing a Dovecot installation. Has anyone else written a Tru64 Unix SIA module? Is anyone else interested in such a module? If so, how might I/we go about getting this/such a module into the main Dovecot source? Thanks -- Simon L Jackson Carringbush.N...
2001 Dec 19
0
Patch for DU SIA auth
Hello. The following is a patch against OpenSSH 3.0.2p1 to fix OpenSSH's handling of Tru64 SIA authentication. The main changes are to make the SIAENTITY a global variable (so that it remains persistent across function calls), initialization only happens once, the session is only released once. This makes SIA modules that require authentication in order to perform certain actions during th...
2003 Sep 16
1
OpenSSH 3.7p1, PrivSep, and Tru64 broken (sorry)
...nd to downloading a snapshot to test the latest on Tru64 a couple of days ago but hadn't had a chance to build it yet, and 3.7p1 has now been released. Sigh. The problem is that Tru64 setreuid() and setregid() are broken, so privsep doesn't work. This could also be a security problem for SIA authentication in general (any version of OpenSSH on Tru64, using PrivSep or not), as I wrote auth-sia.c to use setreuid() (per the Tru64 SIA documentation), so the saved UID carries forward there. Patch below. It includes a patch to configure (so it is vs. the distributed .tar.gz file), so if ap...
2004 Feb 06
1
Tru64 SIA authentication: can it be called after kerberos?
...ired passwords. (Rabid password expirers shouldn't get excited yet, it's currently bsdauth only, but support for other platforms should start trickling in shortly). As part of that, some individual platforms have gained their own sys_auth_passwd functions. One that hasn't yet is SIA, because it would mean changing its behaviour to be called *after* Kerberos. Could someone confirm that this change (the patch attached) will work with SIA, or explain why it can't be called after Kerberos? (The patch will apply to snapshot 20040206 or later.) The next step is to banish...
2002 Jun 29
0
Privsep for osf/1 .. still need a bit of help
This privsepifies OSF/1 SIA, but I'm still being told the same error occurs. I'm stumped. Without an OSF/1 box near me I can't do too much more help unless someone can either tell me what is wrong or show me why SIA is failing in their logs. (And tell me if it's different w/ or w/out this patch) - Ben In...
2002 Sep 04
2
uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
...aving post-auth privsep? What code is executed between authorization and actual setting of the effective uid? On Tue, 3 Sep 2002, Chris Adams wrote: > Once upon a time, Toni L. Harbaugh-Blackford <harbaugh at nciaxp.ncifcrf.gov> said: > > It appears that the integration of the sia session setup will either > > have to be rethought or abandoned in order for privsep to work. > > That was the conclusion I came to a while back. I'd like to keep > pre-auth privsep (because that works fine and does help somewhat), but I > don't think it is pos...
2001 Mar 20
1
Tru64 UNIX SIA in 2.5.2p1 is hosed
Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. I haven't been able to figure out what changed in the code, but the symptom seems to be that the TTY name being registered with SIA is truncated to eight characters. This apparently prevents it from matching with entries in the tty database, and the dreaded "Cannot ob...
2002 Jun 28
0
Newer OSF patch.
...er-session, nchannels 1 debug3: channel_free: status: The following connections are open: #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1) debug3: channel_close_fds: channel 0: r -1 w -1 e -1 debug1: Calling cleanup 0x12003dc60(0x0) So I believe (I'm still checking with Steve VanDevender) that SIA is working, and we are now hitting a new issue. But unsure yet. I WISH COMPILER COMPANIES WOULD SUPPORT __func__!!! Tracing code from just debug data without it sucks. Mainly when it's used all over the place now.=( Current patch: Index: auth-sia.c ========================================...
2001 Feb 12
2
OSF_SIA bug in 2.3.0p1
Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existent user. From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0,...
2002 Sep 11
1
tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
Hi- Under privsep, I experimented with moving the session_setup_sia() out of do_child() and into do_setusercontext(), which is where the uids/gids are set to the final execution user. The call is made with a NULL tty, and this is functional provided that any later pty allocation uses grantpty() to set the device permissions. Logging in with this method shows that...
2002 Dec 19
1
OpenUsePrivilegeSeparation on Compaq V5.1A with C2/SIA Security
I'm using OpenSSH_3.5p1 (server protocol 2.0 ) on a Compaq device V5.1A with C2 Security (SIA) configured. I must set UsePrivilegeSeparation to no to get this working. Does anyone have PrivilegeSeparation working on a Compaq device with C2 Security configured? Source device: ssh user at destination ( produces these errors) sshd: /var/tcb/files/__db_lock.share: Permission denied sshd: /...
2003 May 20
0
One strange configure option for SIA
Hi, develop members: When I installed OpenSSH after reading the document INSTALL, I found one typo in this document. The configure option for OSF1's Security Integration Architecture is -ofssia, NOT -sia. The following is the patch for fixing this typo: ---(cut here)--- --- INSTALL.orig Thu Jul 25 13:36:25 2002 +++ INSTALL Wed May 21 06:21:12 2003 @@ -125,3 +125,3 @@ ---with-sia, --without-sia will enable or disable OSF1's Security +--with-osfsia, --without-osfsia will enable or...
2001 Apr 13
0
Fixed patch for Digital Unix SIA
Okay, here is a fixed version of the patch I sent before for fixing the problems I know about with Digital Unix SIA: displaying too much info (MOTD, last login, etc.) when access is denied, and the loss of the error message sometimes when access is denied. It does break some code out of do_login into a couple of separate functions. I did this to avoid duplicating the code in a couple of places. If that's...
2002 Aug 01
0
Tru64 and OSF/1 Privsep patch
Ok.. I need wider testing for this. I'm getting reports back it works mostly. 'ssh site ls' fails, but they can login with Privsep enabled. Can I get those who are using Tru64 or OSF/1 that have SIA enabled to test? This should apply to either -cvs or the current snapshot (I would prefer not to use 3.4p1 due to bugs). I'm going on a trip next week and will be around very spotty at best. As a result I'm not dead sure when the final date for commits are for 3.5, but I still shooting f...