search for: skeyauthentication

Hi, I'm having trouble getting an answer to the following problem on -questions - I hope someone here has done something similar and can help. I'd like to compile support for FreeBSD OPIE into sshd. Presently I have to use PAM to achieve one-time password support. On a 4.x system I have in /etc/ssh/sshd_config ChallengeResponseAuthentication yes and in /etc/pam.conf sshd auth

Hello Can someone tell me, how to enable s/key auth via OpenSSH ? I tried to enable ChallengeResponseAuthentication yes in sshd_config and SkeyAuthentication yes ChallengeResponseAuthentication yes in ssh_config As i can read in man: -v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentica- tion, and configuration problems. The verbose mode is also...

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be

...VS -wNur ../cvs/other/openssh_cvs/readconf.c openssh_cvs/readconf.c --- ../cvs/other/openssh_cvs/readconf.c Wed Oct 3 19:39:39 2001 +++ openssh_cvs/readconf.c Sun Nov 4 01:44:19 2001 @@ -141,6 +141,7 @@ { "challengeresponseauthentication", oChallengeResponseAuthentication }, { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */ { "tisauthentication", oChallengeResponseAuthentication }, /* alias */ + { "opieauthentication", oChallengeResponseAuthentication }, /* alias */ #if defined(KRB4) || defined(KRB5) { "kerberosauthentication",...

...sAuthentication no # # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no UseLogin no

...sAuthentication no # # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no UseLogin no

1. Versions affected: All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables

...sAuthentication no # # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes #CheckMail yes #UseLogin no Anything I'm missing? Thank you! -jeremy ===...

...sshd -D for monitoring scripts or inittab ssh -t multiple -t force tty allocation b) Obsolete: DsaAuthentication (use PubkeyAuthentication instead) HostDsaKey (use HostKey) Identityfile2 (use Identityfile or -i) SkeyAuthentication (use ChallengeResponseAuthentication) TisAuthentication (use ChallengeResponseAuthentication) OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. -d -- | Damien Miler <djm at mindrot.org> \ ``E-mail attachments...

...sshd -D for monitoring scripts or inittab ssh -t multiple -t force tty allocation b) Obsolete: DsaAuthentication (use PubkeyAuthentication instead) HostDsaKey (use HostKey) Identityfile2 (use Identityfile or -i) SkeyAuthentication (use ChallengeResponseAuthentication) TisAuthentication (use ChallengeResponseAuthentication) OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom. -d -- | Damien Miler <djm at mindrot.org> \ ``E-mail attachments...

...otd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, @@ -345,6 +353,7 @@ static struct { { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ + { "challengeresponseauthenticationfirst", sChallengeResponseAuthenticationFirst }, { "checkmail", sDeprecated }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -679,6 +688,10...

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

...tication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, @@ -304,6 +305,7 @@ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ + { "tisviapam", sTISviaPAM }, { "checkmail", sDeprecated }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -648,6 +650,10 @@ case sChallengeResponseAuthentication: in...

...ion no # # For this to work you will also need host keys in /etc/opt/openssh/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no #KbdInteractiveAuthentication yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no #UseLogin no # Uncomment if you...

...>skey_authentication = 1; #endif +#ifdef PAM_TIS + if (options->tis_authentication == -1) + options->tis_authentication = 1; +#endif if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) @@ -182,6 +189,9 @@ #ifdef SKEY sSkeyAuthentication, #endif +#ifdef PAM_TIS + sTISAuthentication, +#endif sPasswordAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, @@ -222,6 +232,9 @@ #ifdef SKEY { "skeyaut...

...hentication no # # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no #KbdInteractiveAuthentication yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no #UseLogin no # Uncomment if you...

....3.0p1-tis/readconf.c --- openssh-2.3.0p1/readconf.c Sat Oct 14 07:23:12 2000 +++ openssh-2.3.0p1-tis/readconf.c Thu Dec 7 18:38:42 2000 @@ -313,7 +313,7 @@ goto parse_flag; case oTISAuthentication: - /* fallthrough, there is no difference on the client side */ + /* fallthrough */ case oSkeyAuthentication: intptr = &options->skey_authentication; goto parse_flag; diff -urN openssh-2.3.0p1/servconf.c openssh-2.3.0p1-tis/servconf.c --- openssh-2.3.0p1/servconf.c Mon Oct 16 03:14:42 2000 +++ openssh-2.3.0p1-tis/servconf.c Thu Dec 7 18:41:00 2000 @@ -64,6 +64,9 @@ options->kbd_interact...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the