similar to: [Bug 117] OpenSSH second-guesses PAM

http://bugzilla.mindrot.org/show_bug.cgi?id=559 Summary: PAM fixes Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at fcusack.com - start PAM

http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 ------- > OpenSSH traditionally would not even start PAM, and > now starts it specifying 'NOUSER' as the login name. We have always used NOUSER, the recent patch just makes it consistent between protocols 1 and 2. > The second is to prevent username guessing

Hi ! Sorry to bring back the infamous "NOUSER" in the conversation but I didn't get the workaround on that problem. Firstly, I'm using : - openssh-3.1p1-15 which is the version which comes by default with my Red Hat Linux Advanced Server release 2.1AS. - I'm using PAM, set up to use radius. Please find below the /etc/pam.d/sshd file : #%PAM-1.0 auth

http://bugzilla.mindrot.org/show_bug.cgi?id=117 Summary: OpenSSH second-guesses PAM Product: Portable OpenSSH Version: -current Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: abartlet at

http://bugzilla.mindrot.org/show_bug.cgi?id=191 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From mouring at eviladmin.org

http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From djm at mindrot.org 2003-03-10 11:57 ------- Created an attachment (id=245) --> (http://bugzilla.mindrot.org/attachment.cgi?id=245&action=view) Use supplied username in pam_start calls always Make sshd always use supplied username (even if it is invalid) in calls to PAM ------- You are receiving this

http://bugzilla.mindrot.org/show_bug.cgi?id=117 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-05-14 10:26

http://bugzilla.mindrot.org/show_bug.cgi?id=580 Summary: disable kbdint if host key mismatch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy: fcusack at

http://bugzilla.mindrot.org/show_bug.cgi?id=559 ------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:40 ------- (From update of attachment 292) OK, except for the last bit, I think this is all done. >+#ifdef USE_PAM >+ options.permit_empty_passwd && >+#endif This is done in auth-passwd.c: if (*password == '\0' &&

http://bugzilla.mindrot.org/show_bug.cgi?id=582 Summary: Add 'KbdintXORPasswordAuthentication' option. Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org

Using samba 4.0.9 as an AD DC (no other domain servers). Since my UIDs and GIDs have changed, I was doing cleanup: find /srv/svn/ -xdev '(' -nouser -o -nogroup ')' -ls I noticed this was very slow -- iostat reported only about 2tps and 50kB/s to my disks. So I timed it with nsswitch.conf users & groups set to "files" vs. "files winbind": # with

http://bugzilla.mindrot.org/show_bug.cgi?id=118 Summary: Implement TIS (protocol 1) via PAM Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at

I have about 40 SCO 5.0.5 servers on which I am installing samba (I've tried 2.0.3 and 2.0.7, I'm having the same trouble with both). For my example, assume the following: NT domain: ORLANDO_ADMIN NT PDC: ORLANDO_PDC NT user: Administrator (I have tried other users as well) samba server: CLASS guest account (on UNIX server): nouser A generic Unix account exists called samba. My goal

Hello all, I have a CentOS 4.2 server that gives me these error messages in my /var/log/secure file, I realise that these are SSH attacks, but where does the extra line "Could not get shadow information for NOUSER" come from? This doesn't make any sense. I have many servers running CentOS 4.2, but don't get this error message on any others. I hate junk in my logs. Is there

this is at the bottom of auth.c. What is it? struct passwd * fakepw(void) { static struct passwd fake; memset(&fake, 0, sizeof(fake)); fake.pw_name = "NOUSER"; fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; fake.pw_gecos = "NOUSER"; fake.pw_uid = -1; fake.pw_gid = -1; fake.pw_class =

BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's authentication library. However, BSDI's patches have several problems: 1. They don't run the approval phase, so they can allow users to login who aren't supposed to be able to. 2. They don't patch configure to automatically detect the BSDI auth system, so they're not ready to use in a general portable

Hi All, I have tried logging into ftp using my NT username and password and it works. It is only SSH which has this problem. http://216.109.117.135/search/cache?p=pam+NOUSER&ei=UTF-8&fl=0&u=www.publicsource.apple.com/darwinsource/10.0.4/OpenSSH-9/openssh/auth2.c&w=pam+nouser&d=E6EA31C37E&icp=1&.intl=us The above link gave me this hint. Found it while looking for

Hi All, I am unable to authenticate users through pam_winbind. "wbinfo -u", "wbinfo -g", "getent passwd", "getent group", "wbinfo -a DOMAIN\\Administrator%password" all work and suggest that samba and winbind are correctly configured. For some strange reason PAM seems to be sending Winbind "NOUSER" as the username to authenticate

I was browsing the OpenSSH sources (which are very readable, thankyou very much) and noticed that PAM was only being told what host the user is logging in from for account processing - not for password processing. As I can see no reason not to put this in start_pam this is exactly what I have done - and attached a patch to this effect. This allows PAM to fill in rhost= in its audit messages

It's sometimes desired to be able to alter login policy depending upon how the person was connecting for the ssh server. For example you might want different rules on the internal and external interface of a gateway. In another setup you might want an sshd with a different login policy running on a different port - and setup different firewalling rules (for example). I have implemented such