similar to: Kerberos password auth/expiry kbdint patch

Attached is a patch that allows for an interactive Kerberos password change via keyboard-interactive, and also reports any banners received from krb5_g_i_c_p() (e.g., password expiration notification if you have krb5-1.2.x patched appropriately). This could probably be refactored a bit and probably done better, but I'm sending this in in case anyone finds it useful. The major drawback is

http://bugzilla.mindrot.org/show_bug.cgi?id=568 Summary: Kerberos password auth/expiry kbdint patch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P4 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

of the remotely connected socket is in in monitor_read(). The easiest way to pass them in would be to add fields to the Authctxt structure, which gets passed down into auth_krb5_password(), although possibly not the best. Perhaps using a prompter isn't the best way to go, either, I'm not sure. Ultimately, I'm simply looking for any pointers as to the best way to proceed, even if

I have everything in place to move to a Samba/Heimdal/OpenLDAP auth database and have just discovered that some of the Windows products we use are required to run on a domain controller. Since domain sync doesn't work between Samba and NT4 it looks like I'm stuck: either ditch all the software we run on domain controllers, stay with our current 2-auth-db system, or move at least our

http://bugzilla.mindrot.org/show_bug.cgi?id=568 ------- Additional Comments From michael.houle at atcoitek.com 2004-04-06 06:04 ------- Can someone please enlighten me on whether this kind of code is going to be included in the main development ? I thought this would be handled automatically by the krb5 libraries, so I was suprised to find that password changing doesn't work in the SSH

The attached patch restricts any keyboard-int method from allowing root password authentication. Other methods (bsdauth? I don't even really know what that is) could be added as well. FWIW, it appears that when using the "password" method the code in auth.c is never reached due to the following code in auth-passwd.c: #ifndef HAVE_CYGWIN if (pw &&

This bug causes a segfault when compiled against heimdal, but not MIT krb5. Either way, I think this code is correct. HTH. ---------------------------------------------------------------------- | Jim Hranicky, Senior SysAdmin UF/CISE Department | | E314D CSE Building Phone (352) 392-1499 | | jfh at cise.ufl.edu

I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible: http://bugzilla.mindrot.org/show_bug.cgi?id=14 On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1: http://bugzilla.mindrot.org/show_bug.cgi?id=125 In fact, both patches work together, apparently. If I have any

http://bugzilla.mindrot.org/show_bug.cgi?id=701 Summary: With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam' Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority:

Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes PAM kbd-int work with privilege separation. Contrary to what I have previously stated - it *does* handle multiple prompts. What it does not handle is multiple passes through the PAM conversation function, which would be required for expired password changing. I would really appreciate some additional eyes over the

The following is a patch (based on FreeBSD code) which gets kbd-int working with privsep. It moves the kbd-int PAM conversation to a child process and communicates with it over a socket. The patch has a limitation: it does not handle multiple prompts - I have no idea how common these are in real-life. Furthermore it is not well tested at all (despite my many requests on openssh-unix-dev@). -d

http://bugzilla.mindrot.org/show_bug.cgi?id=701 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |iand at ekit-inc.com ------- Additional Comments From dtucker at zip.com.au 2004-03-30 12:00 ------- *** Bug 713 has been marked as a

Dear R-Help list: I'm using the Matrix library to operate on 600 X ~5000 element unsymmetrical sparse arrays. So far, so good, but if I find I need more speed or functionality, how hard would it be to utilize other sparse matrix toolsets from within R, say MUMPS, PARDISO or UMFPACK, that do not have explicit R interfaces? More information on these is available here

What I'm trying to do: upload files from my local machine to an rsync server running on a remote host. What I don't know: syntax on how to do this. I initially set the conf file so that I could download from the remote machine to my local machine, the syntax: rsync -azv --delete rsync://user@remote.machine.com:12923:blah destdir This worked fine. So then, I wanted to go the other

Due to difficulties in getting PAM (with krb5) password expiry working consistently on multiple platforms, I'd like to see if I could hack something into auth-krb5.c to do so. Here's a backtrace when stopped in auth_krb5_password: #0 auth_krb5_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-krb5.c:270 #1 0x274d8 in auth_password (authctxt=0x8e148,

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two

The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file:

http://bugzilla.mindrot.org/show_bug.cgi?id=580 Summary: disable kbdint if host key mismatch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy: fcusack at

https://bugzilla.mindrot.org/show_bug.cgi?id=1438 Summary: Adds an out-of-band challenge (OBC) authentication method (via kbdint) Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal

> + * The basic principle of a queue-based spinlock can best be understood > + * by studying a classic queue-based spinlock implementation called the > + * MCS lock. The paper below provides a good description for this kind > + * of lock. > + * > + * http://www.cise.ufl.edu/tr/DOC/REP-1992-71.pdf > + * > + * This queue spinlock implementation is based on the MCS lock,