search for: sias

I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA, the root login attempts still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c,

...if (!authctxt->user || pass == NULL || pass[0] == '\0') return (0); + if (ent) { + debug("Releasing old SIAENTITY!"); + sia_ses_release(&ent); + ent = NULL; + } + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, NULL, 0, NULL) != SIASUCCESS) return (0); @@ -64,31 +72,36 @@ if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { error("Couldn't authenticate %s from %s", authctxt->user, host); - if (ret & SIASTOP) + if (ret & SIASTOP) { sia_ses_release(&ent); + ent = NULL;...

I think I'm ready with the SIA (Security Integration Architecture) patches for Tru64 UNIX. All of the code was written by Tom Woodburn, an engineer at Compaq. I've only performed integration and testing of the patches with more help from Tom. Tom's original patches were included in the "other" ssh. We'd both like to see SIA support get into OpenSSH. SIA provides PAM-like

...p; options.permit_root_login != PERMIT_YES) + return (0); if (!authctxt->user || pass == NULL || pass[0] == '\0') return (0); + host = get_canonical_hostname(options.use_dns); if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, NULL, 0, NULL) != SIASUCCESS) return (0); _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

./configure --with-sia # ./dovecot --build-options Build options: ioloop=poll ipv6 openssl SQL drivers: Passdb: checkpassword passwd passwd-file Userdb: checkpassword passwd prefetch passwd-file static # ./dovecot --version 1.0.8 # ./dovecot -n # 1.0.8: /usr/local/etc/dovecot.conf protocols: pop3 listen: *:10100 ssl_disable: yes disable_plaintext_auth: no login_dir:

...gt; +#include <siad.h> + +extern int saved_argc; +extern char **saved_argv; + +int +auth_sia_password (user, pass) + char *user; + char *pass; +{ + SIAENTITY *ent = NULL; + int ret; + + if (sia_ses_init (&ent, saved_argc, saved_argv, + get_canonical_hostname(), user, NULL, 0, NULL) != SIASUCCESS) + return 0; + if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) { + if (ret & SIASTOP) + sia_ses_release (&ent); + return 0; + } + if (sia_ses_estab (NULL, ent) != SIASUCCESS) + return 0; + sia_ses_release (&ent); + return 1; +} + +#endif /* HAVE_OSF_SIA */ diff...

I have recently written a (minimal) Tru64 Unix SIA password module for Dovecot as part of testing a Dovecot installation. Has anyone else written a Tru64 Unix SIA module? Is anyone else interested in such a module? If so, how might I/we go about getting this/such a module into the main Dovecot source? Thanks -- Simon L Jackson Carringbush.Net +- Carringbush.Net Hosting * Development *

...assword(char *user, char *pass) { int ret; const char *host; host = get_canonical_hostname(options.reverse_mapping_check); *************** *** 34,51 **** if (!user || !pass) return(0); ! if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, NULL) != SIASUCCESS) return(0); ! if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { error("couldn't authenticate %s from %s", user, host); if (ret & SIASTOP) ! sia_ses_release(&ent); return(0); } - sia_ses_release(&ent); return(1); } ---...

Well, I had just finally gotten around to downloading a snapshot to test the latest on Tru64 a couple of days ago but hadn't had a chance to build it yet, and 3.7p1 has now been released. Sigh. The problem is that Tru64 setreuid() and setregid() are broken, so privsep doesn't work. This could also be a security problem for SIA authentication in general (any version of OpenSSH on Tru64,

Hi All. There have recently (well, today :-) been changes to OpenSSH Portable's auth-passwd.c from OpenBSD to accomodate forced changes of expired passwords. (Rabid password expirers shoulon't get excited yet, it's currently bsdauth only, but support for other platforms should start trickling in shortly). As part of that, some individual platforms have gained their own

...d -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +99,22 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_coll...

...options.verify_reverse_mapping); > > - if (!user || !pass || pass[0] == '\0') > + if (!authctxt->user || !pass || pass[0] == '\0') > return(0); > > - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, > - NULL) != SIASUCCESS) > + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, > + NULL, 0, NULL) != SIASUCCESS) > return(0); > > if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { > - error("Couldn't authenticate %s from %s&quot...

Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. I haven't been able to figure out what changed in the code, but the symptom seems to be that the TTY name being registered with SIA is truncated to eight characters. This apparently prevents it from matching with entries in the tty database, and the dreaded "Cannot obtain database information on this terminal

...d -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +99,22 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_coll...

...to be an obvious bug triggered if you try to connect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /* !HAVE_OSF_SIA && !USE_PAM */ At this stage pw could be NULL so obviously pw->pw_name isn't a valid thing to do. Should this just be 'user'? I'm not even 100% sure of the validity of passing NULL as collect function (acceptable in 4.0g manpage, not...

Hi- Under privsep, I experimented with moving the session_setup_sia() out of do_child() and into do_setusercontext(), which is where the uids/gids are set to the final execution user. The call is made with a NULL tty, and this is functional provided that any later pty allocation uses grantpty() to set the device permissions. Logging in with this method shows that a utmp entry does get made for

I'm using OpenSSH_3.5p1 (server protocol 2.0 ) on a Compaq device V5.1A with C2 Security (SIA) configured. I must set UsePrivilegeSeparation to no to get this working. Does anyone have PrivilegeSeparation working on a Compaq device with C2 Security configured? Source device: ssh user at destination ( produces these errors) sshd: /var/tcb/files/__db_lock.share: Permission denied sshd:

Hi, develop members: When I installed OpenSSH after reading the document INSTALL, I found one typo in this document. The configure option for OSF1's Security Integration Architecture is -ofssia, NOT -sia. The following is the patch for fixing this typo: ---(cut here)--- --- INSTALL.orig Thu Jul 25 13:36:25 2002 +++ INSTALL Wed May 21 06:21:12 2003 @@ -125,3 +125,3 @@ ---with-sia,

...sia.c openssh/auth-sia.c --- openssh_cvs/auth-sia.c Tue Feb 13 08:25:23 2001 +++ openssh/auth-sia.c Fri Apr 13 11:00:07 2001 @@ -61,35 +61,46 @@ host = get_canonical_hostname (options.reverse_mapping_check); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) - fatal("sia_ses_init failed"); + NULL) != SIASUCCESS) { + error("sia_ses_init failed"); + exit(1); + } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); - fatal("getpwnam(%s) failed: %s", user, strerror(errno)); + error("getpw...

...d -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +88,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +101,24 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_col...