Displaying 20 results from an estimated 25 matches for "user_key_allowed".
2002 Oct 15
1
ssh output
.../root/.ssh/authorized_keys
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug2: user_key_allowed: check options: '-----BEGIN RSA PRIVATE KEY-----
'
debug2: key_type_from_name: unknown key type 'RSA'
debug3: key_read: no key found
debug2: user_key_allowed: advance: 'RSA PRIVATE KEY-----
'
debug3: key_read: no space
debug2: user_key_allowed: check options:
'MIICWgIBAA...
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
...ions.c
- added auth_set_key_env() implementation
- modified auth_parse_options() to return (-1) when new deny-access
option is encountered
- auth-rsa.c
- modified auth_parse_options() return value check according to the
change made to auth_parse_options()
- auth2.c
- user_key_allowed() is not static now
- modified user_key_allowed2() to:
- try key_match() if key_equal() fails
- check the result of auth_parse_options() for negative, 0, or
positive values.
- modified userauth_pubkey() to check for a positive return from
user_key_allowed()
-...
2002 Aug 08
0
Bugzilla bug entry #342
...acceptable
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file //.ssh/authorized_keys
debug1: trying public key file //.ssh/authorized_keys
debug2: key_type_from_name: unknown key type
'from="remotehost.company.com",command="/usr/local/sbin/rdi
std'
debug2: user_key_allowed: check options:
'from="remotehost.company.com",command="/usr/local/sbin/rdistd
-S",no-port-forwarding,no-pty 1024 35
118666268659798484966286942768944312049369367774475796933061557373
5184611555265728566411312811406856737929757975480139103308242922399077936668236290647466407...
2019 May 20
4
Authenticate against key files before AuthorizedKeysCommand
Hello,
Currently OpenSSH has a fixed order on how the key authenticates the
user: at first it tries to authenticate against TrustedUserCAKeys,
afterwards it does it against the output keys from the
AuthorizedKeysCommand and finally against the files as set in
AuthorizedKeysFile. I have a use-case where this order is not ideal.
This is because in my case the command fetches keys from the cloud
2006 Feb 22
2
Kerberos and authorizied_keys
How reasonable, acceptable and difficult would it be to "enhance" openssh
so authorizations using kerberos (specifically kerberos tickets) consulted
the authorized_keys file? And to be a bit more precise... consulted
authorized_keys so it could utilize any "options" (eg. from=, command=,
environment=, etc) that may be present?
I'm willing to make custom changes, but
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...sa identity comment file to
a log file when the user logs in (password authentication
is disabled).
The ssh1 portion of the modification works perfectly
but the ssh2 portion has me completely lost.
in userauth_pubkey() [ in auth2.c ]
i defined a variable realname (char 40).
which gets set after user_key_allowed2 is processed.
i want to pass this variable to server_input_channel_req
but i can not find where these two functions are being called
from.
vix at osr5: openssh-3.1p1 > grep -l "userauth_pubkey" *.c
auth2.c
sshconnect2.c
vix at osr5: openssh-3.1p1 > grep -l server_input_channel_re...
2001 Aug 15
0
[ossh patch] principal name/patterns in authorized_keys2
...- added auth_set_key_env() implementation
- modified auth_parse_options() to return (-1) when new deny-access
option is encountered
- auth-rsa.c
- modified auth_parse_options() return value check according to the
change made to auth_parse_options()
- auth2.c
- modified user_key_allowed() to:
- try key_match() if key_equal() fails
- check the result of auth_parse_options() for negative, 0, or
positive values.
- modified userauth_pubkey() to check for positive return value of
user_key_allowed()
- sshd.8
- added documentation
- gss-serv.c...
2001 Jun 04
1
[PATCH]: Add check_ntsec to ownership/mode tests
...) {
int fail = 0;
char buf[1024];
Index: auth2.c
===================================================================
RCS file: /cvs/openssh_cvs/auth2.c,v
retrieving revision 1.59
diff -u -p -r1.59 auth2.c
--- auth2.c 2001/04/25 12:44:15 1.59
+++ auth2.c 2001/06/04 10:05:35
@@ -696,6 +696,9 @@ user_key_allowed(struct passwd *pw, Key
restore_uid();
return 0;
}
+#ifdef HAVE_CYGWIN
+ if (check_ntsec(file))
+#endif
if (options.strict_modes) {
int fail = 0;
char buf[1024];
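Review bot: the added `if (check_ntsec(file))` has no braces and its body is the existing `if (options.strict_modes) {` block, so on Cygwin builds the whole ownership/mode test hangs off a one-line condition wedged between `#ifdef HAVE_CYGWIN` and `#endif`, which is easy to misread and to break when the block is next edited. Folding it into a single condition, for example with a `check_ntsec()` that is defined to return 1 on other platforms so the line reads `if (check_ntsec(file) && options.strict_modes) {`, keeps one code path for all builds. The hunk also needs a comment stating that when `check_ntsec(file)` is false the strict-modes tests are skipped even though `options.strict_modes` is set, and why that is acceptable for the file in question.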
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
2015 Nov 17
4
[Bug 2496] New: sshd hangs when using AuthorizedKeysCommand
...ation:
Match User git
AuthorizedKeysCommand /usr/local/sbin/ssh-lookup-key-git
Relevant server debug output:
debug3: subprocess: AuthorizedKeysCommand command
"/usr/local/sbin/ssh-lookup-key-git git" running as sshkeys
debug3: subprocess: AuthorizedKeysCommand pid 86183
debug2: user_key_allowed: check options:
'command="/usr/local/git/bin/gitolite-shell
tom at torchbox.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
ssh-dss
AAAAB3NzaC1kc3MAAACBALtPYyEOw+gvvWvW45iTR7SAkdH8FIML+4SBFPeXBp4ntT0JaRrkaTwm2C2PkZUaOShvFHCcTc7muNBMB/qmLYuWAcbCeKoxv08RMruGheGp6BB/...
2017 Mar 04
6
[Bug 2688] New: Long log messages to stderr missing newlines
...to long log message),
then the snprintf() simply copies fmtbuf and ignores the "\r\n".
This was observed when testing certificate-based logins at LogLevel
DEBUG3.
For example, 3 log messages appear on one line like this (with ...
replacing long OpenSSH certificate public key):
debug2: user_key_allowed: check options: 'ssh-rsa-cert-v01 at openssh.com
AAAA...debug2: user_key_allowed: advance: 'AAAA...debug2: key not found
Notice multiple debug2 messages all on the same line. Each log line
should end with a newline character.
Suggested Fix
Since the intent is to append "\r\n"...
2016 Sep 15
2
[Bug 2615] New: LoginGraceTime bypass (DoS)
...mportant (user's home dir has
been moved to another server, but the directory was never unmounted, so
NFS client was still trying to access the old server, where nfs/server
service has already been disabled.)
The monitor processes are blocked in open(), called from
auth_openfile(), called from user_key_allowed():
core 'core.sshd.699975' of 699975: /usr/lib/ssh/sshd -R
00007ff5c3658fbe __systemcall6 () + 1e
00007ff5c3622d4a __open () + 1a
00007ff5c363dbee open () + 12e
000000000045a20d auth_openfile () + 3d
0000000000465ccc user_key_allowed () + 3fc
0000...
2002 Jul 03
3
[Bug 333] X11 forwarding not working in OpenSSH 3.4p1
http://bugzilla.mindrot.org/show_bug.cgi?id=333
------- Additional Comments From stevesk at pobox.com 2002-07-04 05:41 -------
i will guess configure did not find an xauth when
it was built ($PATH is irrelevant here). please
verify.
see $HOME/.ssh/rc example in sshd.8 which can be used
as a workaround in this case.
djm: autoconf-2.53 exposes a bug for xauth path detection.
------- You
2001 Jun 28
1
Adding 'name' key types
...s2 file entries can.
So, after looking around, especially in key.h and key.c and auth2.c, it
occurred to me that a new key type could be added for dealing with named
keys, that is, names which can be authenticated (e.g., certificate
names, Kerberos principal names).
The neat thing is that auth2.c:user_key_allowed() is key-type
independent (so arguably it doesn't belong in auth2.c), and thus could
be called from ssh_gssapi_userok() [instead of, or in addition to the
GSS mechanism specific *userok() methods].
The only questions, in my mind, are
- how to format key names for use in authorized_keys2?...
2002 Aug 07
1
Unrelated (was RE: so-called-hang-on-exit)
"ssh -n ..." means ssh will close stdin and open /dev/null for stdin. It does not mean losing the output of ssh.
Nico
--
> -----Original Message-----
> From: Eric Garff [mailto:egarff at omniture.com]
> Sent: Wednesday, August 07, 2002 12:11 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Unrelated (was RE: so-called-hang-on-exit)
>
>
> Sadly, no such
2001 Nov 20
0
Patch: 3.0.1p1: rename a conflicting variable
...ons = NULL;
+ char *cp, *optionsp = NULL;
linenum++;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -703,7 +703,7 @@
/* no key? check if there are options for this key */
int quoted = 0;
debug2("user_key_allowed: check options: '%s'", cp);
- options = cp;
+ optionsp = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
@@ -720,7 +720,7 @@
}...
2012 Aug 30
1
Patch to allow glob patterns as authorized keys file names
...Gitolite does.)
Kind regards,
-Maurice Bos-
Author: Maurice Bos <m-ou.se at m-ou.se>
Date: Thu Aug 30 15:14:49 2012 +0200
Allow glob patterns in authorized keys file names.
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -454,9 +454,16 @@ user_key_allowed(struct passwd *pw, Key *key)
return success;
for (i = 0; !success && i < options.num_authkeys_files; i++) {
+ int j;
+ glob_t glob_result;
file = expand_authorized_keys(
options.authorized_keys_files...
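Review bot: `glob_t glob_result;` is declared inside a loop whose condition is `!success && i < options.num_authkeys_files`, so the loop stops as soon as a key matches; the expansion needs a `globfree(&glob_result)` on that pass as well as on the failing ones. Because a pattern can match files the administrator never listed by name, each matched path should go through the same ownership and mode checks as a single configured file before its keys are read, and the order in which matches are tried should be documented alongside the option.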
2006 Apr 21
4
Solaris 8 x86 rsa pubkey auth problem
...' authenticating on 'module' ( pubkey failed )
I've already compiled gdb and openssh with debug info. I've also
started two debug sshd yesterday, but due to my not so cool knowledge
of openssh sources and maybe schema of forking and privilege separation I
still can't reach user_key_allowed function.
Thank you for your great work. And thanks for help beforehand.
Here's debug output:
1) kdc# ssh -vvv -i ~/.ssh/auditor_rsa_id root at 192.168.10.10
OpenSSH_4.3p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /usr/pkg/etc/ssh/ssh_config
debug2: ssh_connect: needpriv...
2001 Dec 04
0
PATCH: log key fingerprint upon successful login
...ons = NULL;
+ char *cp, *optionsp = NULL;
linenum++;
/* Skip leading whitespace, empty and comment lines. */
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
@@ -703,7 +708,7 @@
/* no key? check if there are options for this key */
int quoted = 0;
debug2("user_key_allowed: check options: '%s'", cp);
- options = cp;
+ optionsp = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
@@ -720,10 +725,14 @@
}...
2008 May 26
4
[Bug 1472] New: Authentication options not cleared in privileged process
...ct to localhost. When prompted for the public key passphrase,
press Enter; then enter your normal password when prompted to do so.
Observe that "hello" is printed and no shell is given.
I believe that the problem here is that, if authentication fails after
calling auth_rsa_key_allowed or user_key_allowed in the privileged
process, authentication options are only cleared in the monitor rather
than in the privileged process. The obvious fix seems to be to clear
them in both processes. This is implemented by the attached patch.
This is only reproducible if the last key offered by the client is the
on...
2006 Feb 12
1
sshd double-logging
...d = compat20 ? "keyboard-interactive/pam" :
+ "challenge-response";
if (ret == 0)
sshpam_authok = sshpam_ctxt;
return (0);
@@ -980,17 +981,20 @@ mm_answer_keyallowed(int sock, Buffer *m
case MM_USERKEY:
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
+ auth_method = "publickey";
break;
case MM_HOSTKEY:
allowed = options.hostbased_authentication &&
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
+ auth_method = "hostbased";
break;
case MM_RSAHOSTK...