search for: verify_response

A non-text attachment was scrubbed... Name: auth-chall.diff Type: text/x-patch Size: 981 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030131/3bbba852/attachment.bin

...rt */ +#undef OPIE + /* Define if you want S/Key support */ #undef SKEY diff -wur org/openssh-2.5.2p2/auth-chall.c openssh-2.5.2p2/auth-chall.c --- org/openssh-2.5.2p2/auth-chall.c Mon Mar 5 07:59:27 2001 +++ openssh-2.5.2p2/auth-chall.c Sun Jun 3 18:34:43 2001 @@ -67,7 +67,7 @@ debug("verify_response: <%s> = <%d>", response, authok); return authok != 0; } -#else +#else /* BSD_AUTH */ #ifdef SKEY #include <skey.h> @@ -88,6 +88,25 @@ skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); } +...

If an ssh1 client initiates challenge-response authentication but does not submit a response to the challenge, and instead switches to some other authentication method, verify_response() will never run, and the kbdint device context will never be freed. In some cases (such as when the FreeBSD PAM authentication code is being used) this may cause a resource leak leading to a denial of service. The attached patch adds abandon_challenge_response() to auth-chall.c, and code to auth...

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

nuqneH, I've tried using TIS authsrv authentication via bsd auth and found it quite limited. The most important restriction it does not log ip and fqdn of the remote peer, nor the application name, to the authentication server. It does not matter much for TIS authsrv, but since other applications do provide such information, our authsrv version uses it for extra authentication restrictions.

...**deny_groups; +}; + + /* * Keyboard interactive device: * init_ctx returns: non NULL upon success @@ -133,6 +147,7 @@ void auth2_challenge_stop(Authctxt *); int allowed_user(struct passwd *); +int auth_allowed_user(struct passwd *, Authaccess); char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); Index: auth2.c =================================================================== RCS file: /cvs/openssh/auth2.c,v retrieving revision 1.91 diff -u -r1.91 auth2.c --- auth2.c 26 Feb 2002 18:09:43 -0000 1.91 +++ auth2.c 28 Mar 2002 16:44:29 -0000 @@ -51,6 +51,7 @@ #inclu...

...hal; + + if (authctxt->pw) { + tis_chal = tis_authenticate(authctxt->tis, authctxt->pw->pw_name); + } + else { + tis_chal = tis_fake_challenge(); + } + strlcpy(challenge, tis_chal, sizeof(challenge)); + xfree(tis_chal); + + return challenge; + } + return NULL; +} + +int +verify_response(Authctxt *authctxt, char *response) +{ + int res; + + if (!authctxt->tis) { + res = 0; + } + else { + res = tis_response(authctxt->tis, response); + tis_free(authctxt->tis); + authctxt->tis = NULL; + } + return res && authctxt->valid; +} + +#elif SKEY #include <skey....

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the