similar to: [PATCH] Virtual Token (VToken) challenge authentication method

https://bugzilla.mindrot.org/show_bug.cgi?id=1439 Summary: Adds Virtual Token (VToken) authentication method to kbdint Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2

https://bugzilla.mindrot.org/show_bug.cgi?id=1439 Summary: Adds Virtual Token (VToken) authentication method to kbdint Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2

https://bugzilla.mindrot.org/show_bug.cgi?id=1438 Summary: Adds an out-of-band challenge (OBC) authentication method (via kbdint) Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal

This patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1438) creates a kbdint device that provides a server-based authentication mechanism. The server generates and emails you a random string when you attempt to login. You're authenticated if you can correctly answer the challenge. You can use a regular email account, a pager, cell phone or other email capable device to receive the

If an ssh1 client initiates challenge-response authentication but does not submit a response to the challenge, and instead switches to some other authentication method, verify_response() will never run, and the kbdint device context will never be freed. In some cases (such as when the FreeBSD PAM authentication code is being used) this may cause a resource leak leading to a denial of service.

http://bugzilla.mindrot.org/show_bug.cgi?id=580 Summary: disable kbdint if host key mismatch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy: fcusack at

I need a way to make sshd require S/KEY authentication to succeed before allowing either password or public-key authentication. Currently, we can only have S/KEY+password, by using PAM for authentication, and configuring PAM accordingly. But PAM of course can't handle SSH public keys. I thought for a while that ideally we could actually use PAM to tell sshd what methods of authentication to

Hello, I have to find a solution logon through OpenSSH to OpenBSD machines from anywhere in the world (unsave computers). So I think I must use a challenge-response system with an hardware token that isn't connected to the computer. I do not want to use a RSA ACE/SERVER, so i can't use SecurID ? I can't use challenge response mode with cryptocard, because I want to protect it against

I took Markus Friedl's advice and set up a KbdintDevice for Kerberos password authentication/expiry. It took me a bit to wrap my head around privsep, but I think it's working properly (code stolen shamelessly from FBSD's PAM implementation :->). The hardest part was working out how to get the interaction between krb5_get_init_creds_password() (along with the prompter) to work

https://bugzilla.mindrot.org/show_bug.cgi?id=1393 Summary: patch modifies gnome-ssh-askpass to optionally use one- time password Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All URL: http://www.swcp.com/~pgsery OS/Version: Linux Status: NEW Keywords:

http://bugzilla.mindrot.org/show_bug.cgi?id=568 Summary: Kerberos password auth/expiry kbdint patch Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P4 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pgsery at swcp.com --- Comment #18 from Damien Miller <djm at mindrot.org> 2008-06-13 13:56:12 --- *** Bug

Hi All. Damien merged a bunch of changes today which caused compile errors on a few platforms (which you can see live and in colour at [0]). a) Solaris, early AIX: ../crc32.c:100: `u_int32_t? undeclared (first use in this function) On these platforms u_int32_t is defined in defines.h which is not included by crc32.c. Fixed by attached patch. b) PAM platforms (Redhat, Solaris once a) is

Hello, I was chasing some unexpected behaviour from OpenSSH, and have come across an oddity in the source code which may or may not be a bug. In auth2-kbdint.c, the Authmethod struct declares options.kbd_interactive_authentication as the enabled flag for this method. However in the implementation function a few lines above, it checks options.challenge_response_authentication to decide whether to

Hi. One thing that people seem to want to do with PAM is to deny a login immediately without interacting but return a message to the user. (Some platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction"

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:15.openssh Security Advisory The FreeBSD Project Topic: OpenSSH PAM challenge/authentication error Category: core Module: openssh Announced:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:15.openssh Security Advisory The FreeBSD Project Topic: OpenSSH PAM challenge/authentication error Category: core Module: openssh Announced:

Jefferson Ogata's patch http://marc.info/?l=openssh-unix-dev&m=108134938701018&w=2 adds a multiple authentication methods option to sshd. I updated the patch to 4.7p1 and added logic to allow it to work with privilege separation. https://bugzilla.mindrot.org/show_bug.cgi?id=1435 -------------- next part -------------- A non-text attachment was scrubbed... Name:

https://bugzilla.mindrot.org/show_bug.cgi?id=2246 Bug ID: 2246 Summary: PAM enhancements for OpenSSH server Product: Portable OpenSSH Version: 6.6p1 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=983 --- Comment #26 from Paul Sery <pgsery at swcp.com> 2010-01-08 08:09:14 EST --- The configuration below is incorrect. When using protocol 2, it should read: ... RequiredAuthentications2 password Also, there's no need to specify publickey in conjunction with other authentication methods because it will always be tried first (as specified