similar to: [Bug 975] Kerberos authentication timing can leak information about account validity

http://bugzilla.mindrot.org/show_bug.cgi?id=975 Summary: Kerberos authentication timing can leak information about account validity Product: Portable OpenSSH Version: -current Platform: All URL: http://marc.theaimsgroup.com/?l=openssh-unix- dev&m=110371328918329&w=2 OS/Version: All

http://bugzilla.mindrot.org/show_bug.cgi?id=975 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |1155 nThis| | ------- You are receiving this mail because: ------- You are the assignee for

http://bugzilla.mindrot.org/show_bug.cgi?id=928 simon at sxw.org.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk ------- Comment #2 from simon at sxw.org.uk 2006-08-19 08:31 ------- I'd rather see us move towards just using

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 simon at sxw.org.uk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk ------- Comment #5 from simon at sxw.org.uk 2006-08-19 08:28 ------- There isn't an easy fix for this, at

http://bugzilla.mindrot.org/show_bug.cgi?id=488 simon at sxw.org.uk changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From simon at sxw.org.uk 2005-07-07

I note with interest that Kerberos support is now available (for the version 1 protocol, at least) in OpenSSH 2.9.9p2. However, it does not build with MIT Kerberos, due to the usual Heimdal/MIT library differences. These look, by and large, like the same problems I encountered when porting Dan Kouril's patch to MIT Kerberos - so I'm having a go at fixing them (my GSSAPI patches need

https://bugzilla.mindrot.org/show_bug.cgi?id=928 --- Comment #9 from Darren Tucker <dtucker at zip.com.au> 2010-01-11 17:11:06 EST --- Created an attachment (id=1775) --> (https://bugzilla.mindrot.org/attachment.cgi?id=1775) sshd-gssapi-multihomed.patch I updated patch #1182 to OpenBSD current and fixed a few minor whitespace things. I also removed this warning from the man page:

In do_authloop() in auth1.c(), the Kerberos 4 and 5 code both allocate, then xfree() the client_user string. The call to do_pam_account() later in the function then tries to use this string, resulting in a corrupt remote user. Finally, before exiting, the function frees client_user again, resulting in a double free and much mess. Patch attached. Cheers, Simon. -- Simon Wilkinson

The following patch *) Adds a configure option to turn on the existing Kerberos v5 support in the portable version *) Extends the code to support MIT Kerberos in addition to Heimdal The patch is against the current CVS tree. I've tested it against MIT Keberos 1.2.2, I'd appreciate it if someone could confirm that Heimdal works with the portable configuration stuff. Coming RSN -

The attached patch adds support for Heimdal and MIT Kerberos in protocol v1 in the portable code. The Heimdal side of things just enables the code that's present in OpenBSD's 3.0 release, the MIT specific code adds compatibility for those areas in which the Heimdal API differs. This adds a new configuration option --with-kerberos5=<path>, which will detect which version of the

Hi I'd also like to express interest in Simon's kerb 5 patches being integrated into the openssh distribution. Are there currently any plans for this to happen and if so, what's the expected time frame? Ben. Simon Wilkinson <sxw at dcs.ed.ac.uk> wrote: > My patches for SSH version 1 Kerberos 5 support (heavily based upon > work done by Dan Kouril) are now available from

http://bugzilla.mindrot.org/show_bug.cgi?id=1008 --- Comment #9 from Simon Wilkinson <simon at sxw.org.uk> 2007-09-15 20:59:25 --- I've noted this on the mailing list too, but just for the record, the simplified patch is incorrect. GSSAPI != Kerberos, and even within the Kerberos space, some vendors ship with canonicalisation disabled. If we are going to ship a workaround for

http://bugzilla.mindrot.org/show_bug.cgi?id=616 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org, | |simon at sxw.org.uk --- Comment #2 from

Hi, Just wondering if anyone was looking at implementing draft-ietf-secsh-gsskeyex-00 in OpenSSH? My patches for SSH version 1 Kerberos 5 support (heavily based upon work done by Dan Kouril) are now available from http://www.sxw.org.uk/computing/patches/ Is there any interest in integrating these into the distribution? If so, I'd be happy to update them to the development version. Cheers,

An updated version of my patch for Kerberos v5 support is now available from http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch This patch includes updated Kerberos v5 support for protocol version 1, and also adds GSSAPI support for protocol version 2. Unlike the Kerberos v5 code (which will still not interoperate with ssh.com clients and servers), the GSSAPI support is based on

I've now completed updating my patches for GSSAPI in protocol v2 to OpenSSH 3.1p1 See http://www.sxw.org.uk/computing/patches/openssh.html As previously, you will need to apply the protocol v1 krb5 patch before the GSSAPI one, and run autoreconf from an autoconf later than 2.52 There are a number of improvements and minor bug fixes over previous patches. However, due to protocol changes this

https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Summary: Memory leak caused by forwarded GSSAPI credential store Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at

http://bugzilla.mindrot.org/show_bug.cgi?id=1220 Summary: Fix error messages for multiple mechanism GSSAPI libraries Product: Portable OpenSSH Version: 4.3p2 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=1218 Summary: GSSAPI client code permits SPNEGO usage Product: Portable OpenSSH Version: 4.3p2 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: bitbucket at mindrot.org ReportedBy:

I've updated the Kerberos v5 support patches I'm maintaining to work with OpenSSH 2.5.1p1. They're available for download from http://www.sxw.org.uk/computing/patches/ In addition to the upgrade from 2.3.0p1 to 2.5.1p1, there's a minor bug fix - KRB5CCNAME was being set to "" if ticket forwarding failed, which confused some utilities. Please note that these patches