search for: sia_ses_auth

Hi- I built openssh-3.0p1 on a Tru64 4.0G without any problem. The system uses enhanced security, so the sia_* routines are used by sshd. Unfortunately, password authentication fails because sia_ses_authent() returns 0 in auth-sia.c. The thing is, the password is CORRECT; I verified this by inserting debugging statements before the call to sia_ses_authent(). The call to sia_ses_init() succeeds. I checked some of the fields of the entity, but I don't know which fields should be filled in. Th...

...ation only happens once, the session is only released once. This makes SIA modules that require authentication in order to perform certain actions during the session launch call work properly. For example, we have a Kerberos 5 / AFS SIA module here that requires that the user authenticate durring sia_ses_authent and then uses the information stored in the SIAENTITY during ses_launch to fetch krb tickets and afs tokens. diff -c openssh-3.0.2p1/auth-sia.c openssh-3.0.2p1-tschroed/auth-sia.c *** openssh-3.0.2p1/auth-sia.c Mon Apr 16 04:37:05 2001 --- openssh-3.0.2p1-tschroed/auth-sia.c Thu Dec 6 13:02:26...

...int saved_argc; +extern char **saved_argv; + +int +auth_sia_password (user, pass) + char *user; + char *pass; +{ + SIAENTITY *ent = NULL; + int ret; + + if (sia_ses_init (&ent, saved_argc, saved_argv, + get_canonical_hostname(), user, NULL, 0, NULL) != SIASUCCESS) + return 0; + if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) { + if (ret & SIASTOP) + sia_ses_release (&ent); + return 0; + } + if (sia_ses_estab (NULL, ent) != SIASUCCESS) + return 0; + sia_ses_release (&ent); + return 1; +} + +#endif /* HAVE_OSF_SIA */ diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2....

http://bugzilla.mindrot.org/show_bug.cgi?id=445 ------- Additional Comments From simon at sxw.org.uk 2003-05-21 00:49 ------- The existing code only handles the situation where Kerberos credentials are created by the OpenSSH's krb5 code. What would appear to be happening under OSF/1 is that one of the calls used to verify the users login is, as a by-product, creating the credentials

...> > - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, > - NULL) != SIASUCCESS) > + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, > + NULL, 0, NULL) != SIASUCCESS) > return(0); > > if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { > - error("Couldn't authenticate %s from %s", user, host); > + error("Couldn't authenticate %s from %s", authctxt->user, > + host); > if (ret & SIASTOP) > sia_ses_release(&ent); &gt...

...er || !pass || pass[0] == '\0') return(0); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, - NULL) != SIASUCCESS) + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, + NULL, 0, NULL) != SIASUCCESS) return(0); if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { - error("Couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", authctxt->user, + host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); @@ -77,48 +75,35 @@ }...

...0') return (0); + if (ent) { + debug("Releasing old SIAENTITY!"); + sia_ses_release(&ent); + ent = NULL; + } + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, NULL, 0, NULL) != SIASUCCESS) return (0); @@ -64,31 +72,36 @@ if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { error("Couldn't authenticate %s from %s", authctxt->user, host); - if (ret & SIASTOP) + if (ret & SIASTOP) { sia_ses_release(&ent); + ent = NULL; + } return (0); } - sia_ses_release(&ent); - return...

Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /*