Displaying 20 results from an estimated 72 matches for "userauth_pubkey".

2024 Feb 07
3
[Bug 3665] New: publickey RSA signature unverified: error in libcrypto to RHEL9 sshd (with LEGACY crypto policy enabled)
...run the AIX clients, I'm concentrating on that; However, so far, the Workday client exhibits similar log messages/fails: For successes, we see this in the logs (aix7.2 ssh/sftp/scp to RHEL9): note that it makes rsa-sha2-512 references 2024 Feb 2 13:33:27 RHEL9 [authpriv.debug] sshd: debug2: userauth_pubkey: valid user USERREDACTED querying public key rsa-sha2-512 PUBLICKEYREDACTED [preauth] 2024 Feb 2 13:33:27 RHEL9 [authpriv.debug] sshd: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:RSASIGNATUREREDACTED [preauth] 2024 Feb 2 13:33:27 RHEL9 [authpriv.debug] sshd: debug1: /home/U...
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
...advise. I am currently working on some modifications to openssh which record the user's rsa/dsa identity comment file to a log file when the user logs in (password authentication is disabled). The ssh1 portion of the modification works perfectly but the ssh2 portion has me completely lost. In userauth_pubkey() [in auth2.c] I defined a variable realname (char 40), which gets set after user_key_allowed2 is processed. I want to pass this variable to server_input_channel_req but I cannot find where these two functions are being called from. vix@osr5: openssh-3.1p1 > grep -l "userauth_pubkey...
2002 Mar 28
1
[PATCH] Feature addition: user access control per auth method
...c 26 Feb 2002 18:09:43 -0000 1.91 +++ auth2.c 28 Mar 2002 16:44:29 -0000 @@ -51,6 +51,7 @@ #include "hostfile.h" #include "canohost.h" #include "match.h" +#include "groupaccess.h" /* import */ extern ServerOptions options; @@ -85,6 +86,7 @@ static int userauth_pubkey(Authctxt *); static int userauth_hostbased(Authctxt *); static int userauth_kbdint(Authctxt *); +static int pubkey_allowed_user(struct passwd *); Authmethod authmethods[] = { {"none", @@ -408,6 +410,13 @@ debug2("userauth_pubkey: disabled because of invalid user");...
2018 Oct 11
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
...to get the patch to apply cleanly to the portable source for whatever reason, so I manually made the changes and got a little further. I now get past the "no mutual signature algorithm" client message, and get an error on the server side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017): userauth_pubkey: unsupported public key algorithm: rsa-sha2-512-cert-v01@openssh.com [preauth] Along the way I noticed that there seems to be duplicated entries in the keytypes[] array - is this intentional? ie the following 2 contiguous sections appear to be identical. I ended up changing both on my client to...
2010 Jan 05
9
OpenSSH daemon security bug?
A co-worker argues we can log in using only a password to a "ssh-key restricted host (PasswordAuthentication no)", without being asked for any passphrase; just by putting a key (no need to be the private key) on another password-based host. Is that true? I do not think so. I would name that as an "important OpenSSH daemon security bug". That is because I think it is not true.
2002 Feb 20
1
Is there a way to tell the sshd to ignore the security check on the user's home permissions?
...k on the user's home permissions? debug3: secure_filename: checking '/ftpdata/pxdata/pold/data/.ssh' debug3: secure_filename: checking '/ftpdata/pxdata/pold/data' Authentication refused: bad ownership or modes for directory /ftpdata/pxdata/fold/data debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for bold from 3.72.144.164 port 1201 ssh2 Authentication refused: bad ownership or modes for directory
2017 Nov 09
2
RSA Signatures using SHA2 provided by different ssh-agent are not properly verified
...duced by running ssh-agent from gnome-keyring (pageant or others should do the same) and connect to the server with the above patch. In the server log, we can notice the following messages (where hash_alg=1 is SSH_DIGEST_SHA1): debug1: Verifying signature with ktype=ssh-rsa and hash_alg=1 debug2: userauth_pubkey: authenticated 1 pkalg rsa-sha2-512 So even though all the current messages say that sha2 is used, something else is going on here. Neither client nor server is verifying that the signature itself is done using the requested algorithm. So how to get around that? The most robust solution would be to...
2002 Aug 12
1
PermitRootLogin=forced-commands-only does not work with UsePrivilegeSeparation=yes
...nabled; but it does work if privsep is disabled. Here are excerpts of debug from the server. -----------UsePrivilegeSeparation DISABLED------- ... Found matching DSA key: 56:9d:72:b0:4f:67:2e:ed:06:e7:41:03:e2:86:52:0d debug1: restore_uid debug1: ssh_dss_verify: signature correct (*) debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss (*) Root login accepted for forced command. debug2: pam_acct_mgmt() = 0 Accepted publickey for root from xx.xx.xx.xx port 1091 ssh2 debug1: Entering interactive session for SSH2. debug1: fd 5 setting O_NONBLOCK debug1: fd 9 setting O_NONBLOCK debug1: ser...
2023 Jun 30
1
Subsystem sftp invoked even though forced command created
On 30/06/2023 09:56, Damien Miller wrote: > It's very hard to figure out what is happening here without a debug log. > > You can get one by stopping the listening sshd and running it manually > in debug mode, e.g. "/usr/sbin/sshd -ddd" Or starting one in debug mode on a different port, e.g. "-p99 -ddd"
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
...xt->pw, password) == 1) #elif defined(HAVE_OSF_SIA) @@ -418,10 +411,6 @@ userauth_kbdint(Authctxt *authctxt) #endif xfree(lang); xfree(devs); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) - return(0); -#endif return authenticated; } @@ -524,10 +513,6 @@ userauth_pubkey(Authctxt *authctxt) debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); xfree(pkalg); xfree(pkblob); -#ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) - return(0); -#endif return authenticated; } Index: openbsd-compat/bsd-cygw...
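Review bot: the patch description should state where the Cygwin NT check is enforced once the `check_nt_auth(0, authctxt->pw->pw_uid)` calls before `return authenticated;` are gone from userauth_kbdint() and userauth_pubkey(), or why it is no longer needed; the visible lines delete an authentication gate in both functions and add nothing in its place, so the removal cannot be judged safe from these hunks alone.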
2001 Mar 28
5
Initial patch to implement partial auth with SSH2
Attached is a patch which adds a new config option, AuthOrder2, to sshd_config.c. The syntax is: AuthOrder2 AuthMethod1[:SubAuthMethod1[:SubAuthMethod2...]][,AuthMethod2...] An example, requiring users to enter a public key _and_ a password, in that order: AuthOrder2 publickey:password The current default behaviour: AuthOrder2 password,publickey,keyboard-interactive Require a public key,
2001 Feb 20
3
ssh-agent and id_dsa
...h-agent on login. When connecting to an account accepting the key everything is fine. If the key is not accepted, slogin will not recognize that the key was already tried from ssh-agent and will ask me again to enter the password to unlock the key (for another failure). This is due to sshconnect2.c:userauth_pubkey() where this retrial is not performed for KEY_RSA1 but for other keys. I did not dig into the functionality yet. Is there a way to "remember" which pubkeys were already tried from ssh-agent and to not try again from file (and hence ask for the passphrase)? Best regards, Lutz -- Lutz Ja...
2002 Aug 09
0
[Bug 383] New: PublicKeyAuthentication failure when rlogin set to false
...ve entering debug2: input_userauth_request: try method none Failed none for illegal user root from xxx.xxx.xxx.xxx port 45624 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug2: userauth_pubkey: disabled because of invalid user Failed publickey for illegal user root from xxx.xxx.xxx.xxx port 45624 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 2 failures 2 debug2: input_userauth_request: try method publickey debug2: userauth_pubkey: dis...
2002 Aug 08
0
Bugzilla bug entry #342
...yaykc14A2Ko6NoTvvLZw71XBqkpTHp8BAlVffsyhVTXAmAHuVLhEb7EaHbq4MQKmYqNXGK29mj28duWQpQJ72JD2OqyDDwZf2voyk1BOI3myA== root@ remotehost ' debug1: matching key found: file //.ssh/authorized_keys2, line 1 Found matching DSA key: f7:a2:2d:a0:c0:ee:4c:3f:1e:47:c3:3c:36:11:b8:e9 debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Postponed publickey for root from 10.100.100.8 port 39955 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 0/1 (e=0) debug...
2008 Jan 26
8
[Bug 1432] New: MaxAuthTries is not used correctly
...kes it 6 in total: debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for janp debug2: input_userauth_request: try method none Failed none for janp from 127.0.0.1 port 52777 ssh2 debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for janp from 127.0.0.1 port 52777 ssh2 debug1: attempt 2 failures 2 debug2: input_userauth_request: try method publickey debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for janp from 127.0.0.1 port 52777 ssh2 debug1: attempt 3...
2001 Jun 26
1
OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt
...bug1: SSH2_MSG_KEXINIT received [...] debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,keyboard-interactive debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key /home/matthewm/.ssh/id_dsa debug1: authentications that can continue: publickey,keyboard-interactive debug1: try privkey: /home/matthewm/.ssh/identity debug1: try pubkey: /home/matthewm/.ssh/id_dsa debug1: authentications that can continue: publickey,keyboard-interactive de...
2015 Feb 28
2
SAP-2015-3-1 issues
On Sun, Mar 01, 2015 at 03:23:04AM +1100, Damien Miller wrote: > > > On Sat, 28 Feb 2015, The Doctor wrote: > > > BSD/OS issues > > > > with 1.0.2a dev > > Thanks for testing. > You are welcome. > > make tests > > > > regress/netcat.c:656: `on' undeclared (first use in this function) > > regress/netcat.c:656: (Each
2001 Dec 19
0
public key authentication failure
...t the attached typescripts for me, please? Here's the relevant part from the server log and I don't understand it: debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 1005/1005 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for incomingmail from cl.ie.nt.ip port 29365 ssh2 Another thing that puzzles me is why does it start asking for s/key authentication? I don't even have opie setup on the server side. I am pretty sure it has something to do with FreeBSD "loc...
2019 Oct 17
2
DSA key not accepted on CentOS even after enabling
...connect with the keys to this new server even after having added, as found in several internet pages, this directive at the end of /etc/ssh/sshd_config of the CentOS 8 server: # Accept also DSA keys PubkeyAcceptedKeyTypes=+ssh-dss and systemctl restart sshd I kept getting in journal the message: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] I saw that the sshd process had started with the option ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512...
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
...->pw, password) == 1) @@ -404,7 +404,7 @@ userauth_kbdint(Authctxt *authctxt) xfree(devs); xfree(lang); #ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) + if (check_nt_auth(0, authctxt->pw) == 0) return(0); #endif return authenticated; @@ -510,7 +510,7 @@ userauth_pubkey(Authctxt *authctxt) xfree(pkalg); xfree(pkblob); #ifdef HAVE_CYGWIN - if (check_nt_auth(0, authctxt->pw->pw_uid) == 0) + if (check_nt_auth(0, authctxt->pw) == 0) return(0); #endif return authenticated; Index: openbsd-compat/bsd-cygwin_util.c =====================================...
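Review bot: check_nt_auth() needs an explicit NULL test on its new second argument, because both call sites (userauth_kbdint() and userauth_pubkey()) now pass `authctxt->pw` itself rather than `authctxt->pw->pw_uid`; have it return 0 when pw is NULL so the check fails closed, and note that contract in a comment at its definition in openbsd-compat/bsd-cygwin_util.c.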