Displaying 20 results from an estimated 1000 matches similar to: "OpenSSH Certkey (PKI)"
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to
those who wish to use KerberosGetAFSToken (currently requires Heimdal
libkafs) in combination with GSSAPIDelegateCredentials. The patch is
in the public domain and comes with no warranty whatsoever. Applies
to pristine 3.8p1. Works for me on Solaris and Tru64.
I'd probably have used Doug Engert's patch from 2004-01-30 if
2003 Aug 08
1
Help request: merging OpenBSD Kerberos change into Portable.
Hi All.
I'm looking for some help to merge an outstanding Kerberos
credential cache change from OpenBSD into Portable. I don't know enough
about Kerberos to figure out how that change should be applied for the
non-Heimdal(?) code path.
The outstanding diff is attached.
Any volunteers?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
Greetings,
I am not sure if this is the correct place to ask these questions,
if I am at the wrong place please advise.
I am currently working on some modifications to openssh
which record the user's rsa/dsa identity comment file to
a log file when the user logs in (password authentication
is disabled).
The ssh1 portion of the modification works
2006 Sep 18
1
BSD Auth: set child environment variables requested by login script [PATCH]
Hello,
in the BSD Authentication system the login script can request environment
variables to be set/unset. The call to auth_close() in auth-passwd.c does
change the current environment, but those changes are lost for the child
environment.
It would be really useful to add some kind of mechanism to get
those changes into the child environment. I've added two possible
solutions. Both
2002 Jul 31
2
privsep+kerb5+ssh1
please test Olaf Kirch's patch. it looks fine to me, but i don't do K5.
i'd like to see this in the next release. thx
-m
-------------- next part --------------
--- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002
+++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002
@@ -73,18 +73,17 @@
* from the ticket
*/
int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
Hi,
the following patch removes some of the Cygwin specific code from
OpenSSH.
Since Cygwin is able to change the user context on NT/W2K even without
a password since the new Cygwin version 1.3.2, there's no need anymore
to allow changing the user context only if the sshd user is the same
user as the one which logs in or when a password is given.
For that reason the whole function
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
Hi,
the following patch fixes a potential security hole in the Cygwin
version of sshd.
If you're logging in to a Cygwin sshd with version 2 protocol using an
arbitrary user name which is not in /etc/passwd, the forked sshd which
is handling this connection crashes with a segmentation violation. The
client side encounters an immediate disconnect ("Connection reset by
peer").
2012 May 17
0
puppet cert first run doesn't encrypt ca private key but puppet ca does?
Can anyone validate this? I am attempting to run the puppet cert/ca
standalone commands.
I am running from an unchanged master branch and if I run (simplified
for the example):
puppet cert generate host
the resulting ca_key.pem is not encrypted.
If I run :
puppet ca generate host
the resulting ca_key.pem is encrypted.
In both cases the ca.pass file is created but the code path through
cert does
2003 Oct 28
2
Privilege separation
Hello!
Please consider including the attached patch in the next release. It
allows one to drop privilege separation code while building openssh by using
'--disable-privsep' switch of configure script. If one doesn't use privilege
separation at all, why not simply allow him to drop privilege separation
support completely?
--
Sincerely Your, Dan.
-------------- next part
2018 Feb 23
2
Attempts to connect to Axway SFTP server result in publickey auth loopin
On Fri, Feb 23, 2018 at 05:01:00PM +1100, Darren Tucker wrote:
> You could try this patch which defers resetting the "tried" flag on the
> pubkeys until the list of authentication methods changes. I don't have
> a server with this behaviour so I'm not sure if it helps (and I'm not
> sure it's the right thing to do anyway).
I think this is a better way to
2000 Nov 30
1
Problem and Patch: Multiple keys in ssh.com V2 agent
Hello!
I recently discovered a problem with ssh.com's ssh-agent2 and OpenSSH:
If I have more than one key in my agent, then the agent tries to
authenticate me with every one of them at the OpenSSH server; but none
of them is a valid key for that server. The problem is that the server
increments the authctxt->attempt at every one of those tries. So even if you
want to login with a password at
2003 Aug 09
0
Timing attacks and owl-always-auth
Hi All.
Attached is a patch against OpenBSD, based in part on the owl-always-auth
patch.
The idea is that the only way out of auth_passwd for the failure case is
the "return 0" at the bottom.
I don't know if this is a good way to do it or not, it's presented for
discussion.
Also, I don't think 3.6.1p2 is quite right WRT these timing issues (eg,
you get a fast failure
2001 Jun 03
1
OPIE support patch
I just cobbled up a little patch to add support for OPIE to
OpenSSH. Currently untested, but feedback is welcome.
Wichert.
--
_________________________________________________________________
/ Nothing is fool-proof to a sufficiently talented fool \
| wichert at cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250
2003 Aug 10
9
updated gssapi diff
this is the proposed gssapi diff against OpenSSH-current (non-portable).
note: if this goes in, the old krb5 auth (ssh.com compatible) will be
removed.
please comment.
jakob
Index: auth.h
===================================================================
RCS file: /home/hack/jakob/mycvs/sshgss/auth.h,v
retrieving revision 1.1.1.2
retrieving revision 1.3
diff -u -r1.1.1.2 -r1.3
--- auth.h
2003 Mar 02
0
[RFC][PATCH] Require S/KEY before other authentication methods.
I need a way to make sshd require S/KEY authentication to succeed before
allowing either password or public-key authentication.
Currently, we can only have S/KEY+password, by using PAM for
authentication, and configuring PAM accordingly. But PAM of course can't
handle SSH public keys.
I thought for a while that ideally we could actually use PAM to tell
sshd what methods of authentication to
2001 May 02
2
2.9p1?? core dump in auth_log
auth.c:auth_log contains the following code:
authlog("%s %s for %s%.100s from %.200s port %d%s",
authmsg,
method,
authctxt->valid ? "" : "illegal user ",
---> authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" :
authctxt->user,
get_remote_ipaddr(),
2004 Sep 07
0
Please review openssh patch for selinux
As posted, here is an updated patch which allows openssh to be built
with non-selinux config.
(Hi openssh guys, forwarding this to you in case you are interested in including
it into the devel version of openssh. Please let us know if you have any
suggestions or changes that need to be made)
Regards
Nigel Kukard
On Thu, Sep 02, 2004 at 04:11:54PM -0400, Daniel J Walsh wrote:
> New SSH patch.
>
2007 May 24
2
[RFC][PATCH] Detect and handle PAM changing user name
I've implemented a patch to openssh which allows the PAM auth layer
to detect if the PAM stack has changed the user name and then adjusts
its internal data structures accordingly. (imagine a PAM stack that
uses individual credentials to authenticate, but assigns the user to
a role account).
First, is the openssh community interested in this patch?
Second, if there is interest in the patch,
2011 Jun 02
2
preauth privsep logging via monitor
Hi,
This diff (for portable) makes the chrooted preauth privsep process
log via the monitor using a shared socketpair. It removes the need
for /dev/log inside /var/empty and makes mandatory sandboxing of the
privsep child easier down the road (no more socket() syscall required).
Please test.
-d
Index: log.c
===================================================================
RCS file:
2001 Feb 16
1
OpenSSH 2.3.0p1 port to BSDI BSD/OS
BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's
authentication library. However, BSDI's patches have several
problems:
1. They don't run the approval phase, so they can allow users to login
who aren't supposed to be able to.
2. They don't patch configure to automatically detect the BSDI auth
system, so they're not ready to use in a general portable