search for: ssh_smsg_failure

Hi ! I hacked together a couple of patches for Openssh 2.1.1p4 port forwarding. It is a one patch file that does the following two things: First: If the server is configured not to allow port forwardings it sends SSH_SMSG_FAILURE (protocol 1) while openssh client expects SSH_SMSG_SUCCESS. When the client gets the failure it exists with protocol error message. This patch will accept both failure and success messages. Second: I added a new configuration option to sshd_config: PortForwarding that can be used to disable port f...

...(listen_port); packet_put_cstring(host_to_connect); packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. + + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + * forwardings. Read the server reply. */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + type = packet_read(&payload_len); /* Expect reply from server */ + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAI...

...(client_user); + + if (password != NULL) { + memset(password, 0, strlen(password)); + xfree(password); + } + packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } +#endif /* HAVE_LIBPAM */ /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE);

...nt for my school work and testing it with OpenSSH servers. Unfortunately I cannot execute commands after succesful login without allocate pty. My client send SSH_CMSG_EXEC_SHELL packet on server, but dont receive any answer. According RFC defined SSH1, server should send SSH_SMSG_SUCCESS or SSH_SMSG_FAILURE message. So I tried send SSH_CMSG_EXEC_CMD with command, but after executing command server send EXIT_STATUS message. I dont understand why, because RFC document define EXEC_CMD message this way: "Starts executing the given command, and enters interactive session mode." Would you...

...if it accepted the authentication. */ + if (type == SSH_SMSG_SUCCESS) { ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication accepted by server."); return 1; } + + + /* Otherwise it should return failure. */ if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error waiting RSA auth response: %d", @@ -234,7 +247,8 @@ xfree(comment); return 0; } - /* Otherwise, the server should respond with a challenge. */ + + /* Otherwise, the server should respond with a challenge. */ if (type != SSH_SMSG_AUTH...

...nt(listen_port); packet_put_cstring(host_to_connect); packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + * forwardings. Read the server reply. */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + type = packet_read(&payload_len); + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAILURE: + log("Warnin...

...L_MAX) { +#ifdef WITH_AIXAUTHENTICATE + loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); +#endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); @@ -430,7 +432,7 @@ unsigned int ulen; char *user; #ifdef WITH_AIXAUTHENTICATE - char *loginmsg; + extern char *aixloginmsg; #endif /* WITH_AIXAUTHENTICATE */ /* Get the name of the user that we wish to log in as. */ @@ -501,7 +503,9 @@ /* The user has been authenticated and accepte...

...+ #ifdef KRB5 krb5_context context = NULL; krb5_auth_context auth_context = NULL; #endif int i, type; int payload_len; - + if (supported_authentications == 0) fatal("ssh_userauth1: server supports no auth methods"); @@ -1139,6 +1140,23 @@ goto success; if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", type); +#ifdef AFS + /* Try Kerberos v4 TGT passing if the server supports it. */ + if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && + options.kerberos_tgt_passing) { + if...

...(listen_port); packet_put_cstring(host_to_connect); packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. + + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + * forwardings. Read the server reply. */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + type = packet_read(&payload_len); /* Expect reply from server */ + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAI...

.../* * convert ssh auth msg type into description */ *************** *** 150,155 **** --- 154,160 ---- unsigned int ulen; int type = 0; void (*authlog) (const char *fmt,...) = verbose; + int authenticated_so_far = 0; /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); *************** *** 371,376 **** --- 376,404 ---- break; } + /* + * If we require both RSA host and some other authentication + * check that we've obtained two distinct authentications. + */ + if ( options.rsa_host_other_authentication && authenticated ) { +...

...ot;,&loginmsg); + #endif packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); *************** *** 1178,1183 **** --- 1194,1200 ---- int type = 0; void (*authlog) (const char *fmt,...) = verbose; + /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); packet_send(); *************** *** 1261,1267 **** * authentication is insecure. (Another is * IP-spoofing on a local network.) */ ! client_user = packet_get_string(&ulen); packet_integrity_check(plen, 4 + ulen, type); /* Try to authenticate using /etc/host...

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

...SKEY case SSH_CMSG_AUTH_TIS_RESPONSE: return "s/key"; @@ -91,6 +103,9 @@ unsigned int ulen; int type = 0; void (*authlog) (const char *fmt,...) = verbose; +#ifdef TIS_AUTH + struct tis_context *tis = NULL; +#endif /* Indicate that authentication is needed. */ packet_start(SSH_SMSG_FAILURE); @@ -267,7 +282,54 @@ xfree(password); break; -#ifdef SKEY +#ifdef TIS_AUTH + case SSH_CMSG_AUTH_TIS: + debug("rcvd SSH_CMSG_AUTH_TIS"); + if (options.tis_authentication == 1) { + char *challenge = NULL; + + if (pw) { + tis_free(tis); + tis = tis_connect_...

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer