Displaying 20 results from an estimated 300 matches similar to: "[RFC][PATCH] Require S/KEY before other authentication methods."
2002 Jul 25
3
[PATCH] prevent users from changing their environment
We have a system on which users are given a very restricted environment
(their shell is a menu) where they should not be able to run arbitrary
commands. However, because their shell is not statically linked, ld.so
provides a nice clutch of holes for them to exploit. The patch below
adds a new configuration option to sshd which quashes their attempts
to set LD_PRELOAD etc. using ~/.ssh/environment
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=118
Summary: Implement TIS (protocol 1) via PAM
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: fcusack at
2005 Jan 20
0
AllowUsers - proposal for useful variations on the theme
A short while ago, I looked at using the AllowUsers configuration option
in openssh (v3.8p1 , but I believe this to be unchanged in 3.9p1) to
restrict access such that only specific remote machines could access
specific local accounts.
I swiftly discovered that
a) specifying wildcarded IP numbers to try to allow a useful IP range
was pointless: if I specified
AllowUsers joe at
2004 Apr 07
2
Requiring multiple auth mechanisms
I looked around for a while, but couldn't find any code for requiring multiple
authentication mechanisms in openssh. So I wrote an implemention.
I thought at first I should change the PasswordAuthentication,
PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some
funky stuff in auth2.c with respect to keyboard interactive auth that would make
this kind of
2002 Apr 26
0
PAM keyboard-interactive
The following patch (relative to -current) makes PAM a proper
kbd-interactive citizen. There are a few limitations (grep for todo), but
the code seems to work OK for protocols 1 & 2 with and without privsep.
Please have a play!
auth2-pam.c is based on code from FreeBSD.
Index: auth2-chall.c
===================================================================
RCS file:
2002 Jul 02
3
New PAM kbd-int diff
Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes
PAM kbd-int work with privilege separation.
Contrary to what I have previously stated - it *does* handle multiple
prompts. What it does not handle is multiple passes through the PAM
conversation function, which would be required for expired password
changing.
I would really appreciate some additional eyes over the
2002 Jun 25
4
PAM kbd-int with privsep
The following is a patch (based on FreeBSD code) which gets kbd-int
working with privsep. It moves the kbd-int PAM conversation to a child
process and communicates with it over a socket.
The patch has a limitation: it does not handle multiple prompts - I have
no idea how common these are in real-life. Furthermore it is not well
tested at all (despite my many requests on openssh-unix-dev@).
-d
2003 Jan 29
0
[PATCH] features for restricted shell environments
The patch below implements a couple of features which are useful
in an environment where users do not have a regular shell login.
It allows you to selectively disable certain features on a
system-wide level for users with a certain shell; it also allows
you to control and audit TCP forwarding in more detail.
Our system is an email server with a menu for the login shell;
we selectively allow port
2011 Jul 22
0
auth2-kbdint.c: Is it a bug that it mixes references to options.kbd_interactive_authentication and options.challenge_response_authentication ?
Hello,
I was chasing some unexpected behaviour from OpenSSH, and have come
across an oddity in the source code which may or may not be a bug.
In auth2-kbdint.c, the Authmethod struct declares
options.kbd_interactive_authentication as the enabled flag for this
method. However in the implementation function a few lines above, it
checks options.challenge_response_authentication to decide whether to
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch
in the sshd_config. You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2001 Mar 13
0
[PATCH] openssh 2.5.1p2 TIS authserv support
Hi,
We have updated our TIS authserv support patch for OpenSSH 2.5.1p2. You'll
find it attached to my message.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
-------------- next part --------------
diff -urN openssh-2.5.1p2/Makefile.in openssh-2.5.1p2-tis/Makefile.in
--- openssh-2.5.1p2/Makefile.in Sun Feb 18 20:13:33 2001
+++
2001 Nov 12
4
Please test -current
Could people please test -current? We will be making a release fairly
soon.
-d
--
| By convention there is color, \\ Damien Miller <djm at mindrot.org>
| By convention sweetness, By convention bitterness, \\ www.mindrot.org
| But in reality there are atoms and space - Democritus (c. 400 BCE)
[Bug 1922] New: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
2011 Jul 30
0
[Bug 1922] New: Disabling ChallengeResponseAuthentication also disables KbdInteractiveAuthentication
https://bugzilla.mindrot.org/show_bug.cgi?id=1922
Bug #: 1922
Summary: Disabling ChallengeResponseAuthentication also
disables KbdInteractiveAuthentication
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
2001 Nov 20
3
problem with AFS token forwarding
Hello,
I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1
concerning the AFS token forwarding. That means that the new versions are
not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH
releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this
problem already existed in Openssh 2.9.9p1, but I have never used this
version (I only looked at the
2009 Oct 29
1
Match vs. ChallengeResponseAuthentication?
Hello,
We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work.
Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be
2003 Aug 10
9
updated gssapi diff
this is the proposed gssapi diff against OpenSSH-current (non-portable).
note: if this goes in, the old krb5 auth (ssh.com compatible) will be
removed.
please comment.
jakob
Index: auth.h
===================================================================
RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- auth.h
2002 Nov 24
1
[PATCH] PamServiceNameAppend
Hello,
Here's the situation I'm facing : I'm running OpenSSH on a server. On
a gateway, I forward TCP:22 to the server TCP:22. So far, so good. I can
log in from inside the lan by connecting using standard SSH port, or
from the other network through the gateway.
Now, I'd like a different configuration for connections from the
outside. I start another SSHd on the
2002 Dec 05
1
patch to add a PAMServiceName config option
I append a patch against openssh-3.5p1.tar.gz which adds a config option
PAMServiceName. The option allows one to specify the PAM service at
runtime in the config file rather than using __progname or having it
hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful
if one wants to run multiple instances of sshd using different PAM
configurations.
With this patch
2001 Aug 16
4
Idletimeout patch
While I was updating our ssh-servers, I rewrote my old patch that adds
idletimeout (just like in old ssh1) parameter to openssh. Since reapplying
the patch for all new versions of openssh is not fun at all, I would like
to have it included in the official openssh, if you consider the patch
worthy.
Unlike ClientAlive, idletimeout works for both protocol versions. It also
works together with
2001 Aug 20
1
Idletimeout patch, third attempt
Here is my third attempt at the idletimeout patch. I tried to address
the points which Marcus Friedl brought up.
It is actually bigger than the previous patches, but not as intrusive.
It is big because it moves some stuff from serverloop.c to packet.c.
- I moved all the logic to packet.c. This means that I also had to move
the actual select() call, which used to be in serverloop.c to packet.c.