similar to: GSSAPI patch sync from OpenBSD to Portable

this is the proposed gssapi diff against OpenSSH-current (non-portable). note: if this goes in, the old krb5 auth (ssh.com compatible) will be removed. please comment. jakob Index: auth.h =================================================================== RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v retrieving revision 1.1.1.2 retrieving revision 1.3 diff -u -r1.1.1.2 -r1.3 --- auth.h

Hi All. OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot. Changes include: * sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode). * PAM password authentication has been (re)added. * Interface improvements to sftp(1) * Many bug fixes and improvements, for

Hi All. I'm looking for some help to merge an outstanding Kerberos credential cache change from OpenBSD into Portable. I don't know enough about Kerberos to figure out how that change should be applied for the non-Heimdal(?) code path. The outstanding diff is attached. Any volunteers? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4

Hi guys While debugging a GSSAPI memory allocation problem not related to OpenSSH, I found a memory leak in OpenSSH when storing forwarded GSSAPI credentials resulting in a growing process segment for each connection that uses GSSAPI credentials forwarding. What happens is the following: In the privileged parent, we are calling ssh_gssapi_storecreds() which itself calls

http://bugzilla.mindrot.org/show_bug.cgi?id=918 Summary: ssh_gssapi_storecreds called to late to be usable by PAM in sesion.c Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo:

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

Will Simon Wilkinson's GSSAPI Key Exchange patch ever be incorporated into the OpenSSH source? http://www.sxw.org.uk/computing/patches/openssh.html I'm sure I'm not the only one that uses it and would like to see it become part of the OpenSSH source. Is there something missing or is there some technical/philosophical reason for not including it?

https://bugzilla.mindrot.org/show_bug.cgi?id=1601 Summary: Memory leak caused by forwarded GSSAPI credential store Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at

http://bugzilla.mindrot.org/show_bug.cgi?id=751 Summary: KRB5CCNAME set incorrectly in GSSAPI code Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: openssh-bugs at mindrot.org

Dear OpenSSH Developers, I would like to propose a patch to OpenSSH for Linux. In the recent few months, I have encountered a scenario where a PAM module used for authentication in SSH should be informed about the previous successful authentication methods. I described the complete scenario here:

Signed-off-by: Johannes L?thberg <johannes at kyriasis.com> --- gss-serv-krb5.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 795992d9..a12bb244 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) } else retval = 0; +#ifdef USE_PAM + if

Hi, first of: my familiarity with OpenSSH/Pam code-base is very limited.. Please excuse me if some of this does not make any sense or seems stupid! I'm investigating if it is possible for a PAM module to find out which public key was accepted (when 'AuthenticationMethods publickey,keyboard-interactive' is used). From my digging in the source, it seems it is currently not. Would

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1930 --- Comment #34 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:24 EST --- Retarget unresolved

what about this? can we do about this if we break the protocol? -------------- next part -------------- An embedded message was scrubbed... From: Love <lha at stacken.kth.se> Subject: gss userauth Date: Fri, 22 Aug 2003 16:06:27 +0200 Size: 2878 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030822/f7bb85a0/attachment.mht

I've been looking for a while and can't figure out for sure if variables allowed by AcceptEnv are readable by a PAM module. I looked through the openssh source code and found a few calls to pam_putenv(), which looks like the relevant call, but I don't see anything that would copy over AcceptEnv variables. Am I correct that the variables are not available to PAM? I'm

We're using an internal PAM module (Linux) that sets a few environment variables using pam_putenv (on pam_sm_authenticate). In version 3.6.1p1i such variables are visible to the user (as expected), but since 3.7p1 they are not... Is this the expected behaviour? Thanks in advance, Jose ____________________________________________________________________________ Jose A. Rodriguez

I'm getting these over and over again in my dovecot [CVS] logs. I'm using PAM for authentication- something that worked a few weeks ago. Apr 6 15:22:11 [PAM-env] Unknown PAM_ITEM: <XAUTHORITY> Apr 6 15:22:11 [dovecot-auth] PAM pam_putenv: delete non-existent entry; XAUTHORITY dovecot: Apr 06 15:22:16 Warning: Killed with signal 2 dovecot: Apr 06 15:22:16 Error: child 25731 (imap)

Dear developers, I am already playing with openssh + heimdal krb5 + gssapi on Tru64Unix 5.1a and Irix 6.5.20, but with no much success. The worst problem I experience is following: - gethostbyname on tru64unix returns short host name instead of fqdn. But even if I overcome this problem by appending the domain name to the lname variable in gss-genr.c file and get over this problem, gss-api does

http://bugzilla.mindrot.org/show_bug.cgi?id=671 Summary: vis.h is not #includ'ed in OpenBSD 3.1 build of OpenSSH portable 3.7p1 Product: Portable OpenSSH Version: 3.7p1 Platform: ix86 OS/Version: OpenBSD Status: NEW Severity: normal Priority: P2 Component: Build system

http://bugzilla.mindrot.org/show_bug.cgi?id=672 Summary: vis.h is not #includ'ed in OpenBSD 3.1 build of OpenSSH portable 3.7p1 Product: Portable OpenSSH Version: 3.7p1 Platform: ix86 OS/Version: OpenBSD Status: NEW Severity: normal Priority: P2 Component: Build system