similar to: [Bug 445] User DCE Credentials do not get forwarded to child session

http://bugzilla.mindrot.org/show_bug.cgi?id=445 ------- Additional Comments From djm at mindrot.org 2003-01-07 12:20 ------- The attached patch has been corrupted - please attach it (in "diff -u" format) to the bug using the "Create Attachment" link ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator

What do we loose by not having post-auth privsep? What code is executed between authorization and actual setting of the effective uid? On Tue, 3 Sep 2002, Chris Adams wrote: > Once upon a time, Toni L. Harbaugh-Blackford <harbaugh at nciaxp.ncifcrf.gov> said: > > It appears that the integration of the sia session setup will either > > have to be rethought or abandoned

Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /*

http://bugzilla.mindrot.org/show_bug.cgi?id=445 Summary: User DCE Credentials do not get forwarded to child session Product: Portable OpenSSH Version: 3.4p1 Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at

I have found the following patches to be desirable for using sshd on a Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from Heimdal. These patches do the following: 1) preserve context between the password authentication and the session setup phases. This is necessary because the Heimdal SIA module stores Kerberos context information as mechanism-specific data in

http://bugzilla.mindrot.org/show_bug.cgi?id=445 ------- Additional Comments From djm at mindrot.org 2003-05-15 21:39 ------- I am not sure I understand (my Kerberos knowledge isn't so great): We already set this for Krb5 auth: #ifdef KRB5 if (s->authctxt->krb5_ticket_file) child_set_env(&env, &envsize, "KRB5CCNAME", s->authctxt->krb5_ticket_file);

http://bugzilla.mindrot.org/show_bug.cgi?id=445 ------- Additional Comments From dtucker at zip.com.au 2005-02-01 19:54 ------- I tested this with a fake KRB5CCNAME and it worked as expected. Since essentially the same code is already enabled for AIX, I'm going to commit #628 unless someone objects. ------- You are receiving this mail because: ------- You are the assignee for the

Hello. The following is a patch against OpenSSH 3.0.2p1 to fix OpenSSH's handling of Tru64 SIA authentication. The main changes are to make the SIAENTITY a global variable (so that it remains persistent across function calls), initialization only happens once, the session is only released once. This makes SIA modules that require authentication in order to perform certain actions during the

Here is a long-overdue (sorry about that) patch for Tru64. It is pretty minor mostly (minor formatting and removal of a couple of unneeded calls), and it disables post-auth privsep (so that OpenSSH will work "out of the box" on Tru64, avoiding the many questions). I'm also looking at getting setproctitle working. For Tru64 4.x, it isn't a big deal (normal PS_USE_CLOBBER_ARGV

Hi- I built openssh-3.0p1 on a Tru64 4.0G without any problem. The system uses enhanced security, so the sia_* routines are used by sshd. Unfortunately, password authentication fails because sia_ses_authent() returns 0 in auth-sia.c. The thing is, the password is CORRECT; I verified this by inserting debugging statements before the call to sia_ses_authent(). The call to sia_ses_init()

The recent patch posted by Steve VanDevender <stevev at darkwing.uoregon.edu> for fixing the session code on Tru64 isn't quite right -- it still fails in the case of NO tty being allocated. The problem is that s->tty is a char[TTYSZ] rather than a char *, and hence can't hold a NULL. Calling sia_ses_init() with the tty being an empty string doesn't signify no tty, and

Okay, here is a fixed version of the patch I sent before for fixing the problems I know about with Digital Unix SIA: displaying too much info (MOTD, last login, etc.) when access is denied, and the loss of the error message sometimes when access is denied. It does break some code out of do_login into a couple of separate functions. I did this to avoid duplicating the code in a couple of places.

Hi all, among other things, we provide shell access to various unix based platforms for our students and university staff. Recently, there has been increasing number of root login attacks on one particular Tru64 machine running OpenSSH. The host is configured with "PermitRootLogin no" but every once in a while SIA auth with TCB enhanced security locks the root account. I suppose

Full_Name: Gordon Lack Version: 2.2.0 OS: OSF1/Tur64 Submission from: (NULL) (193.128.25.20) R-2.2.0 fails to build on OSF1 systems. ..... make[4]: Leaving directory `..../R-2.2.0/src/library/tools/src Error in list.files(path, pattern, all.files, full.names, recursive) : invalid 'pattern' regular expression Execution halted make[3]: *** [all] Error 1 ..... I've tracked

Full_Name: Michael Hoffman Version: 2.0.0-beta-20041001 OS: OSF1 V5.1 Submission from: (NULL) (193.62.199.8) Hello. Building R 2.0.0-beta-20041001 on OSF1 V5.1 failed because the default configure sets R_XTRA_CFLAGS to "-std1 -ieee_with_inexact." The bzip2 directory includes C99 code that requires -std1 to not be set in order to compile. This halts the overall build process.

I could not find this question anywhere, but I apologize if it is and I just missed it. Running an Alpha, OSF1 V5.1 1885 configure went fine. compile failed: cc -I. -I. -g -DHAVE_CONFIG_H -I./popt -c lib/getaddrinfo.c -o lib/getaddrinfo.o cc: Error: lib/getaddrinfo.c, line 182: In this statement, "EAI_MAX" is not declared. (undeclared) if (ecode < 0 || ecode > EAI_MAX)

Hi, We have 2 problems with rsync over ssh that we haven't been able to replicate all the time. Basically, we have a developement server running Solaris 2.5.1 and another running Solaris 2.6, the development tree is shared via nfs. When minor changes are made they are distibuted to various mirror sites via a perl script which does some checks (path, etc) and runs 'rsync -e ssh ....'

This privsepifies OSF/1 SIA, but I'm still being told the same error occurs. I'm stumped. Without an OSF/1 box near me I can't do too much more help unless someone can either tell me what is wrong or show me why SIA is failing in their logs. (And tell me if it's different w/ or w/out this patch) - Ben Index: auth-sia.c

It still is not right, but thanks to Steve we have gotten this far.. The issue seems to be here: debug3: entering: type 26 debug3: entering debug1: session_new: init debug1: session_new: session 0 debug3: entering: type 26 : sendmsg(12): Invalid argument debug1: Calling cleanup 0x1200365c0(0x14000d9d8) debug1: session_pty_cleanup: session 0 release /dev/ttyp4 debug1: Calling cleanup