Displaying 20 results from an estimated 3000 matches similar to: "[Bug 2415] New: Public key failures are not counted and therefore not logged into syslog"
2001 May 02
2
2.9p1?? core dump in auth_log
auth.c:auth_log contains the following code:
authlog("%s %s for %s%.100s from %.200s port %d%s",
authmsg,
method,
authctxt->valid ? "" : "illegal user ",
---> authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" :
authctxt->user,
get_remote_ipaddr(),
2006 Feb 12
1
sshd double-logging
Hi all.
As Corinna pointed out, there are some cases where sshd will log some
authentications twice when privsep=yes.
This can happen on any platform although it seems most obvious on the
ones that don't do post-auth privsep. It also occurs when sshd logs
to stderr (eg running under daemontools) or when you have a /dev/log in
the privsep chroot.
The patch below attempts to solve this for
2001 Dec 26
3
auth*.c
Folks,
During testing, we found a couple of issues with openssh3.0.2p1:
1. In userauth_finish() in auth2.c (as well as in do_authloop in auth1.c),
the foll. check:
if (authctxt->failures++ > AUTH_FAIL_MAX)
is never satisfied and thus packet_disconnect() never gets called. I
suspect the code just drops out of the dispatch_run function list instead.
This should be an == instead of >.
2004 Jul 01
4
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559
------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:40 -------
(From update of attachment 292)
OK, except for the last bit, I think this is all done.
>+#ifdef USE_PAM
>+ options.permit_empty_passwd &&
>+#endif
This is done in auth-passwd.c:
if (*password == '\0' &&
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to
those who wish to use KerberosGetAFSToken (currently requires Heimdal
libkafs) in combination with GSSAPIDelegateCredentials. The patch is
in the public domain and comes with no warranty whatsoever. Applies
to pristine 3.8p1. Works for me on Solaris and Tru64.
I'd probably have used Doug Engert's patch from 2004-01-30 if
2003 Jan 27
1
[PATCH] Creation of record_failed_login() in sshlogin.c
Hi All,
I've been poking around various parts of the auth code for a while.
Some platforms support failed login counters and it occurs to me that
there's as few too many instances of:
#ifdef [PLATFORM]
if (authenticated == 0 && strcmp(method, "password") == 0)
some_login_failure_func();
#endif
The attached patch creates a record_failed_login() function in
2006 Sep 18
1
BSD Auth: set child environment variables requested by login script [PATCH]
Hello,
in the BSD Authentication system the login script can request environment
variables to be set/unset. The call to auth_close() in auth-passwd.c does
change the current environment, but those changes are lost for the child
environment.
It would be really useful to add some kind of mechanism to get
those changes into the child environment. I've added two possible
solutions. Both
2006 Sep 14
3
[PATCH] PermitRootLogin woes
Hi all,
among other things, we provide shell access to various unix based
platforms for our students and university staff. Recently, there has been
increasing number of root login attacks on one particular Tru64 machine
running OpenSSH.
The host is configured with "PermitRootLogin no" but every once in a while
SIA auth with TCB enhanced security locks the root account.
I suppose
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
Hi,
the following patch fixes a potential security hole in the Cygwin
version of sshd.
If you're logging in to a Cygwin sshd with version 2 protocol using an
arbitrary user name which is not in /etc/passwd, the forked sshd which
is handling this connection crashes with a segmentation violation. The
client side encounters an immediate disconnect ("Connection reset by
peer").
2015 Jun 03
30
[Bug 2408] New: Expose authentication information to PAM
https://bugzilla.mindrot.org/show_bug.cgi?id=2408
Bug ID: 2408
Summary: Expose authentication information to PAM
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee:
2001 Jun 03
1
OPIE support patch
I just cobbled up a little patch to add support for OPIE to
OpenSSH. Currently untested, but feedback is welcome.
Wichert.
--
_________________________________________________________________
/ Nothing is fool-proof to a sufficiently talented fool \
| wichert at cistron.nl http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250
2001 Nov 08
2
logging of root logins
On Thu, Nov 08, 2001 at 01:59:25PM +0100, Arthur de Jong wrote:
> root and warthur both have user id 0. Sorry, I should have made that
> clearer. They both have different passwords and rsa keys and I would like
> to be able to make the distinction in the logs. Currently ssh only logs
> that a ROOT user has logged in, not which one.
hm, i don't think uid sharing is a standard unix
2001 Feb 16
1
OpenSSH 2.3.0p1 port to BSDI BSD/OS
BSD/OS 4.2 comes with OpenSSH 2.1.1p4, patched to support BSDI's
authentication library. However, BSDI's patches have several
problems:
1. They don't run the approval phase, so they can allow users to login
who aren't supposed to be able to.
2. They don't patch configure to automatically detect the BSDI auth
system, so they're not ready to use in a general portable
2013 May 17
19
[Bug 2107] New: seccomp sandbox breaks GSSAPI
https://bugzilla.mindrot.org/show_bug.cgi?id=2107
Bug ID: 2107
Summary: seccomp sandbox breaks GSSAPI
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Kerberos support
2000 Nov 24
2
Getting the authctxt
My port forwarding changes require an authorization (authentication)
context in channel_connect_to(). I'd like to change the dispatch_*
functions so that they accept an Authctxt * instead of a void * (this
parameter is already used this way). In addition, I'd have to pass
the authctxt all the way down to channel_connect_to(). As a side
effect, it's possible to get rid of the global
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options
2002 Jan 23
1
Fix AFS and Kerberos interaction
Hello,
I going to use ssh with Kerberos V5 support along with support for AFS. I
don't want to use Kerberos V4 or AFS token passing. The only thing I need
from AFS is creating an AFS token (using appropriate function from krb5 API)
after user's authentication. It seems to me that such scenario is not much
supported by the current code. Rather it is assumed only Kerberos 4 will be
used
2017 Mar 02
61
[Bug 2687] New: Coverity scan fixes
https://bugzilla.mindrot.org/show_bug.cgi?id=2687
Bug ID: 2687
Summary: Coverity scan fixes
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
2001 Feb 04
1
minor aix patch to auth1.c
--- auth1.c.orig Sat Feb 3 18:17:53 2001
Bringa AIX modes in line with latest changes to auth1.c
+++ auth1.c Sat Feb 3 18:19:15 2001
@@ -347,7 +347,7 @@
if (authctxt->failures++ > AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE
- loginfailed(user,get_canonical_hostname(),"ssh");
+
2001 Nov 04
2
OPIE patch for current CVS
I redid my previous OPIE patch for the current ssh tree. It seems
to work fine here, and I'ld love to see it merged before the 3.0
release.
Wichert.
diff -x CVS -wNur ../cvs/other/openssh_cvs/Makefile.in openssh_cvs/Makefile.in
--- ../cvs/other/openssh_cvs/Makefile.in Mon Oct 22 02:53:59 2001
+++ openssh_cvs/Makefile.in Sun Nov 4 01:18:19 2001
@@ -50,7 +50,7 @@
SSHOBJS= ssh.o