similar to: [Bug 442] sshd allows login via public-key when account locked

http://bugzilla.mindrot.org/show_bug.cgi?id=442 Summary: sshd allows login via public-key when account locked Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: security Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=442 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #183 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-02-23 22:53 -------

http://bugzilla.mindrot.org/show_bug.cgi?id=442 ------- Additional Comments From dtucker at zip.com.au 2003-05-11 12:07 ------- Further info: it appears that in later patch sets, Solaris 8 and 9 now check the password string against *LK* in PAM and deny access even for non-password authentications (eg rhosts).

http://bugzilla.mindrot.org/show_bug.cgi?id=442 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-01-07 12:19

Hi Damien, I noticed you merged a couple of ifdefs in the fix for bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd =

Hi All. I (actually the tinderbox[1]) found a problem with the fix for bug #422: when PAM is enabled on a platform that uses /etc/shadow, the variable "passwd" in auth.c is used uninitialized. There's a simple patch attached to fix this. The question is: should the locked account test be done when PAM is enabled or should we rely on PAM to do the right thing? In theory they

Hi. I have found a error of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords. I reported a same type of error to Mr. Miller when openssh-1.2.1pre23 was released. On our systems, our local machines have shadowed /etc/passwd (and /etc/shadow) and our NIS server distributes non-shadowed password of general users. We have to use

I have used SSHD from openssh-3.7.1p1 on HP-UX 11:11. It works correctly and the entry in the logfile is: Sep 24 07:01:20 garm sshd[6625]: Accepted password for japs from 192.38.97.131 port 2463 Next I have upgraded to openssh-3.7.1p2 and restarted SSHD. It does not accept the password any more and the entries in the logfile are: Sep 24 12:21:38 garm sshd[19542]: User japs not allowed because

I'm looking at the password aging and account lock checks in auth.c:allowed_user(), and specifically their behaviour on HP-UX. First, should this code be ifdef'd away if we're using PAM? Next: /* Check account expiry */ if ((spw->sp_expire > 0) && (days > spw->sp_expire)) return 0; If I lock an account by entering too many incorrect passwords, sp_expire

http://bugzilla.mindrot.org/show_bug.cgi?id=278 Summary: ssh allows auto login even if account is locked Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=278 Darren.Moffat at Sun.COM changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From Darren.Moffat at Sun.COM

Hi! I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled. It seems that if I use public key authentication I can log in to an account that is locked (/etc/shadow has *LK* as password). Login is also allowed even if the user does not have a valid shell. Is this a bug or am I missing something? -- Osmo Paananen

https://bugzilla.mindrot.org/show_bug.cgi?id=1083 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au --- Comment #13 from Darren Tucker <dtucker at

http://bugzilla.mindrot.org/show_bug.cgi?id=1083 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #1148| |ok? Flag| | ------- Comment #10 from dtucker at zip.com.au 2006-06-23 21:15 -------

http://bugzilla.mindrot.org/show_bug.cgi?id=1083 Summary: Disable login for locked account Product: Portable OpenSSH Version: 4.2p1 Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: senthilkumar_sen at

This is an attempt to simplify the AIX expiry-via-passwd stuff and make it more generic. (There's actually a net reduction in #ifdefs). Patch against CVS: 1) configure finds passwd. 2) sshd uses passwd during session if required. 3) sshd uses passwd for PAM change if privsep disabled. 4) sshd uses Buffers for expire and post-login messages (no longer AIX specific). 5) password_change_required

I experienced a problem compiling openssh_cvs with IRIX 6.5.11f. % cc -version MIPSpro Compilers: Version 7.3.1.2m % cc -n32 -mips3 -O2 -OPT:Olimit=0 ..... -c auth.c cc-1515 cc: ERROR File = auth.c, Line = 100 A value of type "int" cannot be assigned to an entity of type "char *". while ((cp = getusershell()) != NULL) ^ 1 error detected in the

Hi All. As noted in a previous post, the logging of failed user logins is somewhat spread out. This patch creates a record_failed_login() function in sshlogin.c and moves the AIX and UNICOS code to it, eliminating 3 #ifdefs from the main code. It also provides an obvious place to add the code for any other platforms that support this. I've tested this on AIX 4.3.3. Wendy Palm was kind

Here is a patch I just wrote and tested which may be of interest to those who wish to use KerberosGetAFSToken (currently requires Heimdal libkafs) in combination with GSSAPIDelegateCredentials. The patch is in the public domain and comes with no warranty whatsoever. Applies to pristine 3.8p1. Works for me on Solaris and Tru64. I'd probably have used Doug Engert's patch from 2004-01-30 if

http://bugzilla.mindrot.org/show_bug.cgi?id=731 Summary: sshd terminates a session after a successful login Product: Portable OpenSSH Version: -current Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org