Displaying 20 results from an estimated 2000 matches similar to: "Sending immediate PAM auth failure messages via kbd-int"
2002 Jun 25
4
PAM kbd-int with privsep
The following is a patch (based on FreeBSD code) which gets kbd-int
working with privsep. It moves the kbd-int PAM conversation to a child
process and communicates with it over a socket.
The patch has a limitation: it does not handle multiple prompts - I have
no idea how common these are in real-life. Furthermore it is not well
tested at all (despite my many requests on openssh-unix-dev@).
-d
2002 Jul 02
3
New PAM kbd-int diff
Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes
PAM kbd-int work with privilege separation.
Contrary to what I have previously stated - it *does* handle multiple
prompts. What it does not handle is multiple passes through the PAM
conversation function, which would be required for expired password
changing.
I would really appreciate some additional eyes over the
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.
In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is
if it's expired, right? From the Solaris pam_chauthtok man page:
2002 Apr 26
0
PAM keyboard-interactive
The following patch (relative to -current) makes PAM a proper
kbd-interactive citizen. There are a few limitations (grep for todo), but
the code seems to work OK for protocols 1 & 2 with and without privsep.
Please have a play!
auth2-pam.c is based on code from FreeBSD.
Index: auth2-chall.c
===================================================================
RCS file:
2010 Jul 13
5
[Bug 1795] New: An integer variable "num" in mm_answer_pam_query() is not initialized before used
https://bugzilla.mindrot.org/show_bug.cgi?id=1795
Summary: An integer variable "num" in mm_answer_pam_query() is
not initialized before used
Product: Portable OpenSSH
Version: 5.5p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
2006 Sep 12
1
openssh (OpenBSD) , bsdauth and tis authsrv
nuqneH,
I've tried using TIS authsrv authentication via bsd auth and found
it quite limited. The most important restriction it does not log
ip and fqdn of the remote peer, nor the application name, to
the authentication server. It does not matter much for TIS authsrv,
but since other applications do provide such information, our
authsrv version uses it for extra authentication restrictions.
2002 Jun 27
1
[PATCH] kbdintctxt->nreq test
If the info_response code is going to test that the # of responses is < 100,
then the info_request code should check that < 100 prompts are sent. It
would be rude to send 101 prompts and then fail when the responses come
back.
I actually think the test should be removed altogether, the limit seems
quite arbitrary, but here is a patch to not send > 100 prompts. With
this patch, the test
2001 Jul 22
1
[patch] ignore SSH2_MSG_IGNORE packets
Hi,
protocolkeepalives sends ssh_msg_ignore, which the ssh2 server handles
incorrectly (i.e. it produces some output to syslog, instead of
ignoring the packet):
Jul 9 11:58:07 ren sshd[16580]: error: Hm, dispatch protocol error:
type 32 plen 4
This patch implements a highly advanced function to ignore these
packets ;)
Matthew
-------------- next part --------------
An embedded and
2001 Oct 23
2
PAM problem - sshd segfault on Solaris
I'm using OpenSSH-2.9.9p2 on Solaris 8 sparc64. 2.9p2 worked fine, but
2.9.9p2+ is giving me trouble with one thing - sshd segfaults if I try to
connect and execute a command, such as "ssh machine ls". Otherwise it
works great. sshd will fork, and the child process segfaults.
CVS snapshot does the same thing.
I've narrowed this down somewhat. It will only happen if you use
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes
PAM authentication take place in a separate process or thread
(launched from sshpam_init_ctx() in auth-pam.c). By default (if you
don't define USE_POSIX_THREADS) the code "fork"s a separate process.
Or if you define USE_POSIX_THREADS it will create a new thread (a
second one, in addition to the primary thread).
The
2014 Jul 15
3
GSSAPI
If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2006 Mar 29
7
sshd config parser
Hi All.
For various reasons, we're currently looking at extending (or even
overhauling) the config parser used for sshd_config.
Right now the syntax I'm looking at is a cumulative "Match" keyword that
matches when all of the specified criteria are met. This would be
similar the the Host directive used in ssh_config, although it's still
limiting (eg you can't easily
2004 Jan 19
3
Security suggestion concering SSH and port forwarding.
Hi,
sorry if it is the wrong approuch to suggest improvments to OpenSSH,
but here comes my suggestion:
I recently stumbled upon the scponly shell which in it's chroot:ed form is
an ideal solution when you want to share some files with people you trust
more or less.
The problem is, if you use the scponlyc as shell, port forwarding is still
allowed. This can of course be dissallowed in
2013 Sep 23
57
[PATCH RFC v13 00/20] Introduce PVH domU support
This patch series is a reworking of a series developed by Mukesh
Rathor at Oracle. The entirety of the design and development was done
by him; I have only reworked, reorganized, and simplified things in a
way that I think makes more sense. The vast majority of the credit
for this effort therefore goes to him. This version is labelled v13
because it is based on his most recent series, v11.
2003 Feb 26
0
PAM merge from FreeBSD
A few things to keep in mind:
- kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if
required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during
kbd-int so that modules in each of those PAM stacks can prompt the
user (pam_open_session(), for example, may prompt a user with an
informational message akin to the last login message)
- all userauth methods should
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All.
While wandering in auth-pam.c I noticed that there's a few Portable-specific
escapees from the xmalloc(foo * bar) cleanup.
There's also a "probably can't happen" integer overflow in
ssh-rand-helper.c with the memset:
num_cmds = 64;
- entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t));
+ entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
2001 Nov 04
2
OPIE patch for current CVS
I redid my previous OPIE patch for the current ssh tree. It seems
to work fine here, and I'ld love to see it merged before the 3.0
release.
Wichert.
diff -x CVS -wNur ../cvs/other/openssh_cvs/Makefile.in openssh_cvs/Makefile.in
--- ../cvs/other/openssh_cvs/Makefile.in Mon Oct 22 02:53:59 2001
+++ openssh_cvs/Makefile.in Sun Nov 4 01:18:19 2001
@@ -50,7 +50,7 @@
SSHOBJS= ssh.o
2018 Jun 12
16
[Bug 2876] New: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not honoured during PAM authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2876
Bug ID: 2876
Summary: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not
honoured during PAM authentication
Product: Portable OpenSSH
Version: 7.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
2000 Oct 24
3
openssh-SNAP-20001016
Using openssh-SNAP-20001016 all of our problems with hanging connections
have gone away (woohoo!), and it seems to be working flawlessly, but I am
seeing messages like this in syslog:
Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we
do not read, but chan_read_failed for istate 8
Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor
Oct 24 16:58:30
2008 Aug 27
2
[PATCH] libxc: Use vcpu_guest_context_any_t instead of two pages
libxc: Use vcpu_guest_context_any_t instead of two pages
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
diff -r 14a9a1629590 tools/libxc/xc_dom_boot.c
--- a/tools/libxc/xc_dom_boot.c wed aug 27 10:26:50 2008 +0100
+++ b/tools/libxc/xc_dom_boot.c wed aug 27 12:07:28 2008 +0100
@@ -187,7 +187,7 @@ int xc_dom_boot_image(struct xc_dom_imag
int xc_dom_boot_image(struct