similar to: PermitRootLogin and Tru64 SIA

Hi all, among other things, we provide shell access to various unix based platforms for our students and university staff. Recently, there has been increasing number of root login attacks on one particular Tru64 machine running OpenSSH. The host is configured with "PermitRootLogin no" but every once in a while SIA auth with TCB enhanced security locks the root account. I suppose

Hi All. There have recently (well, today :-) been changes to OpenSSH Portable's auth-passwd.c from OpenBSD to accomodate forced changes of expired passwords. (Rabid password expirers shoulon't get excited yet, it's currently bsdauth only, but support for other platforms should start trickling in shortly). As part of that, some individual platforms have gained their own

Hi All, While testing another patch, I found that I could not longer log in as root, even if PermitRootLogin was yes. It seems to be the following code in auth_password: $ cvs diff -r1.48 -r1.49 auth-passwd.c [snip] #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login !=

A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams <cmadams at hiwaay.net> Systems and Network Administrator

I think I'm ready with the SIA (Security Integration Architecture) patches for Tru64 UNIX. All of the code was written by Tom Woodburn, an engineer at Compaq. I've only performed integration and testing of the patches with more help from Tom. Tom's original patches were included in the "other" ssh. We'd both like to see SIA support get into OpenSSH. SIA provides PAM-like

http://bugzilla.mindrot.org/show_bug.cgi?id=802 Summary: sshd of openssh-3.8p1 doesn't link on Tru64. Product: Portable OpenSSH Version: 3.8p1 Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=933 Summary: compile problem on tru64 5.1A code outside of a #ifdef that should not be included on tru64 Product: Portable OpenSSH Version: 3.8p1 Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: Build

It works for the "yes" case but not for the "without-password" case. The function that checks (auth_root_allowed(auth_method) is special cased for "password". The Pam case sends "keyboard-interactive/pam" which like all other authentication methods except password succeeds. Here is a patch to make it work for me. Please feel free to criticize as

I have recently written a (minimal) Tru64 Unix SIA password module for Dovecot as part of testing a Dovecot installation. Has anyone else written a Tru64 Unix SIA module? Is anyone else interested in such a module? If so, how might I/we go about getting this/such a module into the main Dovecot source? Thanks -- Simon L Jackson Carringbush.Net +- Carringbush.Net Hosting * Development *

./configure --with-sia # ./dovecot --build-options Build options: ioloop=poll ipv6 openssl SQL drivers: Passdb: checkpassword passwd passwd-file Userdb: checkpassword passwd prefetch passwd-file static # ./dovecot --version 1.0.8 # ./dovecot -n # 1.0.8: /usr/local/etc/dovecot.conf protocols: pop3 listen: *:10100 ssl_disable: yes disable_plaintext_auth: no login_dir:

Well, I had just finally gotten around to downloading a snapshot to test the latest on Tru64 a couple of days ago but hadn't had a chance to build it yet, and 3.7p1 has now been released. Sigh. The problem is that Tru64 setreuid() and setregid() are broken, so privsep doesn't work. This could also be a security problem for SIA authentication in general (any version of OpenSSH on Tru64,

Something really hosed Digital/Tru64 UNIX SIA support in 2.5.2p1. I haven't been able to figure out what changed in the code, but the symptom seems to be that the TTY name being registered with SIA is truncated to eight characters. This apparently prevents it from matching with entries in the tty database, and the dreaded "Cannot obtain database information on this terminal

http://bugzilla.mindrot.org/show_bug.cgi?id=325 ------- Additional Comments From hlein at progressive-comp.com 2002-07-13 06:14 ------- Seeing this here too; it appears that when auth2.c:userauth_finish is called, forced_command has been cleared (or perhaps, never set in that forked sshd) so the call to auth_root_allowed(method) returns 0. The following patch makes forced-command logins as

Hi- Under privsep, I experimented with moving the session_setup_sia() out of do_child() and into do_setusercontext(), which is where the uids/gids are set to the final execution user. The call is made with a NULL tty, and this is functional provided that any later pty allocation uses grantpty() to set the device permissions. Logging in with this method shows that a utmp entry does get made for

I have found the following patches to be desirable for using sshd on a Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from Heimdal. These patches do the following: 1) preserve context between the password authentication and the session setup phases. This is necessary because the Heimdal SIA module stores Kerberos context information as mechanism-specific data in

http://bugzilla.mindrot.org/show_bug.cgi?id=701 Summary: With 'PermitRootPassword without-password' set, root w/pass can still log in with a using 'keyboard-int/pam' Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority:

Okay, here is a fixed version of the patch I sent before for fixing the problems I know about with Digital Unix SIA: displaying too much info (MOTD, last login, etc.) when access is denied, and the loss of the error message sometimes when access is denied. It does break some code out of do_login into a couple of separate functions. I did this to avoid duplicating the code in a couple of places.

Hi All. OpenSSH 4.1 will be released in the next couple of weeks and we invite interested parties to test a snapshot. The changes since 4.0 are mostly bugfixes, for a detailed list see http://bugzilla.mindrot.org/show_bug.cgi?id=994 Running the regression tests supplied with Portable does not require installation and is a simply: $ ./configure && make tests Testing on suitable

Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu <kevin at tgivan dot com> Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This

http://bugzilla.mindrot.org/show_bug.cgi?id=802 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |821 nThis| | Summary|sshd of openssh-3.8p1 |sshd configured with SIA