similar to: OpenSSH allows guessing of root password?

Can some people post some configurations they've implemented when deploying an * system for let's say 25-50 stations and maybe a larger 200 station system? I would assume some kind of chassis with some DSP boards and some kind of system board with a hard drive for running the system and storing the voice mails - obviously I'm interested in specific chassises and boards used and

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are: 1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated

Is it possible to configure a sip phone by MAC address instead of by IP address? Obviously if you're using DHCP it's not a good idea to set up phones by IP address - so how can someone set up a sip phone by MAC address? Thanks, Philip

I am not 100% positive of the security implications of this, but I really can't see any potential for harm. If this patch is applied (I coded it against the now-current openssh-2.2.0p1), then if (a) the authorized_keys entry has command="whatever" to force a specific command, and also (b) the invoker specified some command on their ssh cmdline, then the invoked command will be

Hi all, among other things, we provide shell access to various unix based platforms for our students and university staff. Recently, there has been increasing number of root login attacks on one particular Tru64 machine running OpenSSH. The host is configured with "PermitRootLogin no" but every once in a while SIA auth with TCB enhanced security locks the root account. I suppose

A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator

The previous version broke the case of internal-sftp without arguments. This is a fixed version. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-19 11:28:29.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if

Hi, This patch makes things like ForceCommand internal-sftp -l INFO work (current code in 5.1 would just end the session). Please consider for inclusion into mainline. Michael. --- /var/tmp/session.c 2008-08-18 21:07:10.000000000 -0700 +++ session.c 2008-08-18 21:12:51.000000000 -0700 @@ -781,7 +781,7 @@ if (options.adm_forced_command) { original_command = command;

BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's authentication library. However, BSDI's patches have several problems: 1. They don't run the approval phase, so they can allow users to login who aren't supposed to be able to. 2. They don't patch configure to automatically detect the BSDI auth system, so they're not ready to use in a general portable

Folks, During testing, we found a couple of issues with openssh3.0.2p1: 1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c), the foll. check: if (authctxt->failures++ > AUTH_FAIL_MAX) is never satisfied and thus packet_disconnect() never gets called. I suspect the code just drops out of the dispatch_run function list instead. This should be an == instead of >.

In do_authloop() in auth1.c(), the Kerberos 4 and 5 code both allocate, then xfree() the client_user string. The call to do_pam_account() later in the function then tries to use this string, resulting in a corrupt remote user. Finally, before exiting, the function frees client_user again, resulting in a double free and much mess. Patch attached. Cheers, Simon. -- Simon Wilkinson

Hi All, While testing another patch, I found that I could not longer log in as root, even if PermitRootLogin was yes. It seems to be the following code in auth_password: $ cvs diff -r1.48 -r1.49 auth-passwd.c [snip] #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login !=

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

http://bugzilla.mindrot.org/show_bug.cgi?id=983 ------- Comment #7 from dtucker at zip.com.au 2006-04-17 22:00 ------- (From update of attachment 807) This bit doesn't seem right: >+ /* Loop until the required authmethods are done */ >+ if (authenticated &amp;&amp; options.required_auth1 != NULL) { >+ if (auth_remove_from_list(&amp;options.required_auth1, >+

Hello ml, i've set up a ssh server with public-key authentication. But soon i realized that wrong pubkey authentications are not shown in the logs. So i wrote a small patch for monitor.c included as attachement. patch against 3.8.1p1 $ patch -p0 < /path/to/keyauth-loggin.patch Kindly regards, Jan Gehring

I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA, the root login attempts still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c,

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

Hi, the following patch fixes a potential security hole in the Cygwin version of sshd. If you're logging in to a Cygwin sshd with version 2 protocol using an arbitrary user name which is not in /etc/passwd, the forked sshd which is handling this connection crashes with a segmentation violation. The client side encounters an immediate disconnect ("Connection reset by peer").