similar to: Requiring multiple auth mechanisms

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

Hello, We'd like to allow passwords only from the local network, and allow public key auth from on-campus or off-campus. The server runs SuSE Linux, and we might do the same on RHEL/CentOS & Mac OS X if we can get it to work. Unfortunately, Match allows PasswordAuthentication but not ChallengeResponseAuthentication. Is there any reason ChallengeResponseAuthentication cannot be

Could people please test -current? We will be making a release fairly soon. -d -- | By convention there is color, \\ Damien Miller <djm at mindrot.org> | By convention sweetness, By convention bitterness, \\ www.mindrot.org | But in reality there are atoms and space - Democritus (c. 400 BCE)

We have a system on which users are given a very restricted environment (their shell is a menu) where they should not be able to run arbitrary commands. However, because their shell is not statically linked, ld.so provides a nice clutch of holes for them to exploit. The patch below adds a new configuration option to sshd which quashes their attempts to set LD_PRELOAD etc. using ~/.ssh/environment

Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the

I need a way to make sshd require S/KEY authentication to succeed before allowing either password or public-key authentication. Currently, we can only have S/KEY+password, by using PAM for authentication, and configuring PAM accordingly. But PAM of course can't handle SSH public keys. I thought for a while that ideally we could actually use PAM to tell sshd what methods of authentication to

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

This patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1438) creates a kbdint device that provides a server-based authentication mechanism. The server generates and emails you a random string when you attempt to login. You're authenticated if you can correctly answer the challenge. You can use a regular email account, a pager, cell phone or other email capable device to receive the

How do I setup Dovecot to read both local UNIX account maildirs and a separate virtual user area? Or do I need to run two servers? Daniel

The way things are now, input_userauth_request() calls the authmethod, and then does a bunch of checks, like the special case for root. If an authmethod requires a challenge-response conversation, these checks are skipped, unless they are duplicated by the authmethod. For example, in auth2-chall.c, some of the code is duplicated (logging, sending the reply), but the root special case is skipped.

Hallo Did you allow udp outgoing on 4569 as well.. i found udp bit different than tcp when comming to firewalls liaan ----- Original Message ----- From: "Bartosz Wegrzyn - asterisk" <junk@lexon.ws> To: <timebandit001@gmail.com>; "Asterisk Users Mailing List - Non-Commercial Discussion" <asterisk-users@lists.digium.com> Sent: Monday, February 21, 2005 12:29

Hi All, I am using Asterisk 1.4.26.2 and I am getting the following problem making connections to this server. My other servers are Version 1.2.x which have no problems and this 1.4.26.2 server can call the other 1.2.x servers. The error is: chan_iax2.c:4251 handle_call_token: Call rejected, CallToken Support required. If unexpected, resolve by placing address 192.168.25.250 in the

Hello, I have just installed OpenSSH 4.6p1 and it appears that ChallengeResponseAuthentication is not allowed unless I explicitly set it to "yes" in the sshd_config file. I am using the same config file as I did with 4.5p1 where it was allowed by default. Also, this is OpenSSH package from sunfreeware, but I believe that both versions were compiled with the same options. Is this the

How is -n supposed to work? When you say ssh -n, it sets stdin_null_flag but not batch mode. When the client is choosing authmethods, there is a batch_flag that is tested to see (presumably) if we are in batch mode or perhaps if -n has been given. But nothing sets it. It looks like it's supposed to point to options.batch_mode, but it's never even initialized! Even if it did point to

Hello, I'm trying to setup multimple auth. databases with Dovecot 1.0 alpha2. I wrote in dovecot.conf next lines (as was described at http://wiki.dovecot.org/moin.cgi/MultipleAuth) auth_debug = yes auth_verbose = yes auth default { mechanisms = plain user = root passdb sql { args = /usr/local/dovecot/etc/dovecot-mysql.conf } passdb pam

I need to have mail service working even when my postgresql server will fail. In postfix i set 2 different servers and if 1st fail, postfix try to use 2nd. Is there any way to do this in dovecot? ---------------------------------------------------------------------- Zostan internetowa dziewczyna wakacji! > http://link.interia.pl/f18ac

This may not strictly be an asterisk question, but not sure where else to post ... I have an Asterisk test server setup with two firefly clients, one on the local lan and one on an external ip address. Both clients are setup the same way and voice calls work fine. The asterisk console reports a "Registered" message for the external client at about one minute intervals but the

What settings are people using? I've seen the ones from dslreports but I'm in that lucky group of people that paid the 1 euro just to have it no longer work. Even after I setup a additional account over the weekend it still doesn't work. And, of course, etherreal only shows encrypted traffic so I can't snag any config settings from it. Any assistance? -----Original

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

Maybe I just can't read properly, but I just spent the best part of a day trying to work out why HostbasedAuthentication wouldn't work for me (with protocol 2 in openssh-2.9p1). It seems (though maybe there is something wrong with my install), that after enabling it in the sshd_config it doesn't work, since the client will not in fact request it (by default). I was fooled by the