similar to: OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt

Hello! I recently discoverd a problem with ssh.com's ssh-agent2 and OpenSSH: If I have more than one key in my agent, then the agent tries to authenticicate me with every one of them at the OpenSSH server; but none of them is a valid key for that server. The Problem is that the Server increments the authctxt->attempt at every of that tries. So even if you want to login with a password at

This looks like a bug (ssh -v output from user included below). AUTH_FAIL_MAX is reached before all supported authentication methods are tried. One possible solution is to count authentication failures separately for each method tried, and disconnect if one fails more than <configurable> times. Btw: The exit status bug is fixed in the CVS version of OpenSSH, but I'm not very

Here are some patches to re-enable support for AIX's authenticate routines. With them, ssh will honor locked & unlocked accounts, record successful and unsuccessful logins, and deny accounts that are prohibited to log in via the network. Tested with AIX 4.3. It also includes a fix for handling SIGCHLD that may be needed for other platforms (HP-UX 10.20, for example). If I get the time

dear sir, i encountered something very odd with openssh. when i try to connect to my sshd daemon, i get repeated password errors. this happens on all connections to my server. outbound connections to other ssh sites work with no problem. the remote site can connect to itself, but not to my site. i captured the output of the sshd -d -d -d -e -D command to provide you with some trace data. i

If I set it to "no", should I still be able to login with a typed-in password? I get messages such as these: --- Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.debug] debug1: userauth-request for user ed service ssh-connection method password Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.debug] debug1: attempt 1 failures 1 Jul 2 12:23:39 remedy.udel.edu

I've been installing OpenSSH 2.9p2 onto several RedHat Linux machines, after compiling in the GSSAPI/Kerberos5 patch from here: http://www.sxw.org.uk/computing/patches/openssh.html I've been using ssh both to let users in via passwords and Kerberos tickets, and both have been working fine... except for one irritating machine, which (for no good reason I can see) fails when using kerberos

Hi, I have hard figuring out what I did wrong ... On HPUX 11 I have compiled OpenSSH 2.9.2p2 with gcc 2.9 (taken from hp opensource server) and zlib also downloaded from hp. As long as I do passwd authentication everything work fine (I have used --with-pam), but if I tried publickey either in sshv1 or sshv2 authentication fails. I have tried a bunch of things but none worked so all

The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file:

Hi, I have installed OpenSSH 2.9p2 on Linux Redhat 7.0 with PAM support and using pam_radius_auth to authenticate of a radius server also running Redhat, My problem is that the request goes via the radius server fine and sends back a rad.accept to the pam module but ssh refuses to let me in, it looks like sometihng to do with rhosts but complains very loud about expired accounts. I've looked

Hi there, when enabling the option PAMAuthenticationViaKbdInt, a login with password is always possible, even though when you disabled it with PasswordAuthentication no and PermitRootLogin without-password! Is this intended? Why is there no documentation about this (or at least a waring in the default configuration file)? The problem is, it is enabled in the default installation of Debian

Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes PAM kbd-int work with privilege separation. Contrary to what I have previously stated - it *does* handle multiple prompts. What it does not handle is multiple passes through the PAM conversation function, which would be required for expired password changing. I would really appreciate some additional eyes over the

This is the 2nd revision of the Advisory. 1. Versions affected: Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. All versions between 2.3.1 and 3.3 contain a bug in the PAMAuthenticationViaKbdInt code. All versions between 2.9.9 and 3.3

I'm using OpenSSH_3.7.1p2 on the client side and OpenSSH_2.9p2 on the server side. (The client can be upgraded easily; upgrading the server would be a bit of a hassle.) My client is correctly configured to use key authentication. I can log in to many servers using my key, just not this particular one. This server does have "PermitRootLogin" set to "yes". Client

This is the 2nd revision of the Advisory. 1. Versions affected: Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. All versions between 2.3.1 and 3.3 contain a bug in the PAMAuthenticationViaKbdInt code. All versions between 2.9.9 and 3.3

Markus Friedl wrote: > > ?'m not sure where the 'bug' is and whether this is 'really' a bug. > > try to talk to the openssh-unix-dev list, i'm too busy right now :( > > -m > > On Thu, Aug 16, 2001 at 03:51:19PM +0100, Mark Reardon wrote: > > Hello Markus, > > > > I recently posted you with a mention of the 2.9p2 possible problem

Hi, I just grabed the 2.9p2 and can't forward X11 connections. This worked fine for me under 2.9p1 but with 2.9p2 it seems that $XAUTHORITY isn't getting set and when I try and set it manually connections to the Xserver still fail with: debug1: X11 connection uses different authentication protocol. debug1: X11 rejected 1 i1/o16 Verbose debugs below. client: OpenSSH_2.9p1, SSH

The following is a patch (based on FreeBSD code) which gets kbd-int working with privsep. It moves the kbd-int PAM conversation to a child process and communicates with it over a socket. The patch has a limitation: it does not handle multiple prompts - I have no idea how common these are in real-life. Furthermore it is not well tested at all (despite my many requests on openssh-unix-dev@). -d

This is the 4th revision of the Advisory. This document can be found at: http://www.openssh.com/txt/preauth.adv 1. Versions affected: Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. All versions between 2.3.1 and 3.3 contain a bug in the

This is the 4th revision of the Advisory. This document can be found at: http://www.openssh.com/txt/preauth.adv 1. Versions affected: Serveral versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. All versions between 2.3.1 and 3.3 contain a bug in the

this patch will allow PAM authentication when using sun's pam_krb5 before pam_unix in the PAM stack. without this patch a pam.conf entry like: sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass would fail with the error "input_userauth_info_response_pam: no authentication context". NOTE: when