similar to: locked account accessable via pubkey auth

>Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the >'passwd -l ...' command to lock the users password. However, the user can >still access the system via ssh. Whilst I could do other things such as >moving their .ssh directory, removing their account home directory, etc, >etc, is there some 'nicer' way to inform ssh that the account is now

Hi! I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled. It seems that if I use public key authentication I can log in to an account that is locked (/etc/shadow has *LK* as password). Login is also allowed even if the user does not have a valid shell. Is this a bug or am I missing something? -- Osmo Paananen

Is there a security issue with turning an RSA1 key into an RSA key? One might want to do this, e.g., to move to protocol 2 without having to update authorized_keys files. I thought there was a problem with this, but Google doesn't find anything. thanks /fc

How reasonable, acceptable and difficult would it be to "enhance" openssh so authorizations using kerberos (specifically kerberos tickets) consulted the authorized_keys file? And to be a bit more precise... consulted authorized_keys so it could utilize any "options" (eg. from=, command=, environment=, etc) that may be present? I'm willing to make custom changes, but

Here is a patch to add the missing scp -1 and -2 options to eliminate confusion for users familiar with the commercial version of SSH. This patch and others are maintained on the secure nfs (SNFS) web page: http://www.math.ualberta.ca/imaging/snfs/ -- John Bowman University of Alberta diff -ur openssh-3.0.2p1/scp.c openssh-3.0.2p1J2/scp.c --- openssh-3.0.2p1/scp.c Sun Oct 21 18:53:59 2001 +++

I'm trying to update an ssh 1.2.27 to OpenSSH 3.0.2p1 and am running into a problem. I've successfully built zlib 1.1.4, OpenSSL 0.9.6c, and tcp_wrappers , but when I attempt to run configure, I get the error about the missing posix regex. So I attempted to download and use pcre (the Perl hack to expose perl regex to posix. But I can't build that since it calls strtoul() (string to

Hello, I had downloaded the samba 2.2.7a tarball, the pubkey and the samba-2.2.7a.tar.asc files from your website. The import of the samba-pubkey.asc works probably, but by the verify I get the errormessage that no path to this signature is defined and the signature can't verified. The distribution of Linux is the SuSE 8.0 and I used this lines. gpg --import samba-pubkey.asc

HD Moore from MetaSploit has noted that, given a pubkey (and not the corresponding private key, as might be found in authorized_keys), he can determine if he'd be able to log into an account. It's a small thing, but he's using it for very interesting recon/deanonymization. He'll be releasing a paper shortly, not overplaying the characteristic, but certainly showing it can be used

Is there any way to disable the authentication agent globally? I'm not quite sure I understand it's purpose. Here is some background info: workstation: Key pair (dsa). host1: No key pair. No authorized_keys. host2: Has my workstation's key in authorized_keys. I ssh to host1 from my workstation. I ssh to host2 from host1. I am asked for a password. Good. I ssh to host2 from my

Hey, Judging from the (private) responses I?ve got, there is quite a bit of interest in the U2F feature I proposed a while ago. Therefore, I?ve taken some time to resolve the remaining issues, and I think the resulting patch (attached to this email) is in quite a good state now. I also posted the new version of the patch to https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (which I?ve opened

I'm unable to get dovecot-lda with sieve filtering to deliver into maildir folders. The examples on the wiki explicitly say "mbox", so I'm wondering, does the dovecot-lda sieve implementation not support filtering into maildir folders? -frank

http://bugzilla.mindrot.org/show_bug.cgi?id=633 Summary: Password authentication fails in HP-UX trusted mode due to DISABLE_SHADOW Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

Hi, is there a particular reason why this feature is "user" based and not "user-pubkey" based? What I mean is that it works for installation with small number of pubkeys per user. But imagine i.e. a GitHub scale - all users logging in as user "git". On each auth request all the keys from database would be fetched and feeded to OpenSSH. Now I am only asking this out

I've installed Sun's SUNWski package on Solaris 8 (32-bit) that provides a /dev/random interface. It appears to as cat'ing it gives me a bunch of well, random data. However, when I ran my configure, it gives me the WARNING.RND message to the effect that I'm using the built-in. I've seen allusions on this list to building openssl with to get random support, so I rebuilt it

Hey everyone, Basically, I'm trying to figure out if I can configure sshd to require that the user has a key that has been signed by a trusted user CA *and* is listed separately as an authorised key (or the user has a signed key and a different authorised key)? The closest I've come is having an `authorized_keys` file have two entries consisting of the CA key and a normal key with

This adds a customize option: virt-customize --ssh-inject USER[=KEY] virt-builder --ssh-inject USER[=KEY] virt-sysprep --ssh-inject USER[=KEY] In each case this either injects the current (host) user's ssh pubkey into the guest user USER (adding it to ~USER/.ssh/authorized_keys in the guest), or you can specify a particular key. For example: virt-builder fedora-20 --ssh-inject root

Can shared/public namespaces' prefixes have a common prefix? :) namespace public { separator = / prefix = zz/shared/ location = maildir:/var/maildir/shared:INDEX=/var/maildir/%n/shared subscriptions = no } # to share other employees mailboxes (term'd or admin access) namespace shared { separator = / prefix = zz/shared/%%u/ location =

Hi there, I just tried out OpenSSH3.0p1 running on Solaris 8 with PAM (--with-PAM). The problem was mentioned some time ago and is still there :-( When a password is expired you are prompted to change it now, enter your login password and after doing so you are instantly disconnected. I think this is a problem with PAM and not SSH, but how can I get a solution on this ? sshd is running without

I'm trying to use HostbasedAuthentication. Running ssh -v -v -v user at host the following error occurs: debug3: authmethod_is_enabled hostbased debug1: next auth method to try is hostbased debug2: userauth_hostbased: chost <host> debug2: we did not send a packet, disable method What does this mean ? I enabled HostbasedAuthentication in /etc/ssh/ssh_config and as it looks, this setting

Hello, I hope it's the correct ML to get support for "advanced" ssh use (sorry if it's not the case) And I would be very grateful if someone could help me on this issue. Here is my challenge : - I have X devices (around 30) and one SSH server - Each of them have a unique public key and create one dynamic reverse port forwarding on the server - All of them connect with the