similar to: Pending OpenSSH release: contains Kerberos/GSSAPI changes

On Jan 17, 2017, at 9:57 AM, Douglas E Engert <deengert at gmail.com> wrote: > On 1/16/2017 2:09 PM, Ron Frederick wrote: >> I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462.

I?m working on an implementation of ?gssapi-with-mic? authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I?ve gotten it working, but there seems to be a discrepancy between the OpenSSH implementation and RFC 4462. Specifically, RFC 4462 says the following in section 3.4: Since the user authentication process by its nature authenticates only the client,

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

How reasonable, acceptable and difficult would it be to "enhance" openssh so authorizations using kerberos (specifically kerberos tickets) consulted the authorized_keys file? And to be a bit more precise... consulted authorized_keys so it could utilize any "options" (eg. from=, command=, environment=, etc) that may be present? I'm willing to make custom changes, but

this is the proposed gssapi diff against OpenSSH-current (non-portable). note: if this goes in, the old krb5 auth (ssh.com compatible) will be removed. please comment. jakob Index: auth.h =================================================================== RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v retrieving revision 1.1.1.2 retrieving revision 1.3 diff -u -r1.1.1.2 -r1.3 --- auth.h

http://bugzilla.mindrot.org/show_bug.cgi?id=1073 Summary: if userok rejects a user their creds still get set Product: Portable OpenSSH Version: 3.9p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: bitbucket at mindrot.org

Does SAMBA 3.0 use the PAC information available within a Microsoft Kerberos ticket? Thanks. -dan -------------------------------------- Daniel Wachdorf drwachd@sandia.gov Sandia National Laboratories System Security Research and Integration 505-284-8060

I am doing some testing in Samba 3.0. I am using security=ADS. I am wondering if Samba has any support for cross-realm trust. For example, I have one AD forest SANDIA.GOV that has trust with SANDIA2.GOV. I have the Samba server on linux.sandia2.gov. I have a local user account on linux.sandia2.gov called user. When I log into a win2k client as SANDIA2.GOV/user and connect, it works fine.

On 09/26/2013 01:44 AM, Jeffrey Hutzelman wrote: > Yes; you can configure your DHCP server to hand out different values for > the pxelinux.configfile option to specific clients, matching on MAC > address or a variety of other conditions. Of course, this means that > the config file for that machine will need to know what firmware to > expect and thus what path to set. Hi Jeffrey,

On Fri, Mar 7, 2014 at 4:00 PM, Jeffrey Hutzelman <jhutz at cmu.edu> wrote: > On Fri, 2014-03-07 at 05:49 -0500, Gene Cumm wrote: >> 1) Thinking about the responses again, I'm absolutely surprised that >> you can even boot PXELINUX. I would have expected the response from >> the Altiris server to override your attempts to block it. > > Nope. The PXE spec

When in VGA graphics mode, BIOS int 10h ah=09h doesn't seem to treat high-order attribute bits as a background color; instead, it apparently always uses black. This means that a background color requested via <SI> in a DISPLAY file is not honored in VGA mode. However, the BIOS supports an "XOR" mode, in which the pixels to be written are XORed with pixels already on the

When Syslinux is running in a VMWare virtual machine and Ctrl-P is typed while editing the boot command line, insert the contents of VMware's clipboard. This allows text to be copied from the host (or wherever the console client is running) into Syslinux. Signed-off-by: Jeffrey Hutzelman <jhutz at cmu.edu> --- core/ui.inc | 72

On Thu, 2013-08-29 at 06:14 -0700, H. Peter Anvin wrote: > One of the main reasons for the code restructuring into ELF libraries is > that we should be able to set up configurations in memory. There are > two ways we could do that... either by manipulating the menu data > structures and just making them persistent, or by introducing a concept > of "in-memory files" which

Hello, Based on the GSS userauth code that went into 3.7p1, I have made a patch to make OpenSSH support an alternative Kerberos 5 implementation called Shishi, via an alternative GSS-API implementation called GSSLib. The reason behind this message is mostly to let you know that another pair of eyes has been reading GSS userauth code in OpenSSH, and my impression is that it looks pretty good. I

On 01/30/2014 10:25 AM, Jeffrey Hutzelman wrote: > > Correct. Like most UDP-based inetd services, tftpd is intended to be > run in 'wait' mode. When the first request arrives, inetd starts the > service but does not read the incoming packet (it can't, because it has > no way to pass it along to the server). After that, inetd ignores that > socket until the server

On Wed, 12 Jun, at 11:43:24AM, Jeffrey Hutzelman wrote: > Right, so assuming you switch to the linked-list model, PATH needs to > split its argument on colons and add each of the resulting directories > to the path. Then the present problem can be solved by introducing a > new directive which does _not_ split its argument. Hmm... actually a new directive that allows a more complex

On Sat, 2014-01-11 at 06:31 -0500, Gene Cumm wrote: > On Sat, Jan 11, 2014 at 12:12 AM, Ronald F. Guilmette > <rfg at tristatelogic.com> wrote: > > > Unfortunately, regardless of whether I perform Step #4 (i.e. running > > the "makeboot.bat" script) while logged in as a user with Admin privs, > > > Accessing physical drive: Access is denied.

Dear all, I'd like to have a DHCP/PXE server for different arch of clients, i.e. BIOS, EFI32, and EFI64 clients. As described here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720589 What Daniel has proposed (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720589#10) should work, i.e. Using a file called pxelinux.cfg/bios containing the following 2 lines:

I know quite a few people have interest in internationalizing the menu system. This is a tricky problem, since have a full-blown rendering engine for the more complex languages (Indic, Semitic and East Asian languages being the main ones that have substantial complexities.) Given that, I was thinking that the most sensible thing might be to pre-render strings (basically menu items and

Hello, Im building my own linux CD, For booting I use isolinux. Problem: isolinux cant find kernel. Hierarchy of CD is: /boot/bzImage /boot/isolinux.bin /boot/isolinux.cfg isolinux.cfg file: DEFAULT linux LABEL linux KERNEL bzImage and for maiking iso I use: mkisofs -o name.iso \ -b boot/isolinux.bin -c boot/boot.cat \ -no-emul-boot -boot-info-table -boot-load-size 4 \ -v -J -R -D -A