Displaying 20 results from an estimated 600 matches similar to: "[Bug 2541] New: Add explicit_bzero() before free() in OpenSSH-7.1p2 for auth1.c/auth2.c/auth2-hostbased.c"
2005 Oct 06
1
Possible security problem in hostbased user authentication?
In auth2-hostbased.c, line #146
if (auth_rhosts2(pw, cuser, chost, chost) == 0)
^^^^^
shouldn't this be
if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0)
^^^^^^
The code was found in 4.2.
Best regards,
Choung S.Park
2001 Sep 28
2
openssh-2.9p2, auth2.c
Even with option "HostbasedUsesNameFromPacketOnly yes", the trailing
dot in chost should be stripped before auth_rhosts2() is called from
hostbased_key_allowed().
Hans Werner Strube strube at physik3.gwdg.de
Drittes Physikalisches Institut, Univ. Goettingen
Buergerstr. 42-44, D-37073 Goettingen, Germany
Suggested change:
*** auth2.c.ORI Wed Apr 25 14:44:15 2001
---
2002 May 08
1
[PATCH] Strip trailing . when using HostbasedUsesNameFromPacketOnly
The following simple patch (against openssh-3.1) moves the test for a
trailing dot in the client-supplied hostname so that it is also stripped
when using the server option HostbasedUsesNameFromPacketOnly.
Please CC me on any replies, as I'm not subscribed to the list.
Cheers,
Bill Rugolsky
--- ssh/auth2.c~ Sun Feb 24 14:14:59 2002
+++ ssh/auth2.c Wed May 8 16:26:26 2002
@@ -709,15
2002 Jul 01
3
3.4p1: 'buffer_append_space: alloc 10506240 not supported'
I have been trying to install 3.4p1 on a number of machines.
Servers on ia64 Linux, i386 Linux and SPARC Solaris are all working
like charms. On the other hand, I am having trouble at least with
HPUX 11, DEC OSF 5.1 and Unixware: on all those systems, sshd bails
out after authentication with an error in buffer_append_space.
Here is the output of sshd -d on the UnixWare machine
(uname -a:
2003 Feb 28
1
Hostbased Authentication Question
Hi,
I am still working on getting hostbased authentication working in
OpenSSH 3.5p1. I emailed the user list, and got no response. It seems so
simple, yet I have continued to have problems getting it working properly.
I've read posts about it on this list, and the openssh-unix-dev list, and
nothing I have tried seems to work. My question is this, does it matter
which key, either
2016 Jan 14
0
Announce: Portable OpenSSH 7.1p2 released
OpenSSH 7.1p2 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.
Once again, we would like to thank the OpenSSH
2006 Feb 12
1
sshd double-logging
Hi all.
As Corinna pointed out, there are some cases where sshd will log some
authentications twice when privsep=yes.
This can happen on any platform although it seems most obvious on the
ones that don't do post-auth privsep. It also occurs when sshd logs
to stderr (eg running under daemontools) or when you have a /dev/log in
the privsep chroot.
The patch below attempts to solve this for
2019 Aug 06
2
[PATCH v2] Remove sshkey_load_private()
Remove sshkey_load_private(), as this function's role
is similar to sshkey_load_private_type().
---
Dependency:
This change depends over recently merged change in openbsd:
https://github.com/openbsd/src/commit/b0c328c8f066f6689874bef7f338179145ce58d0
Change log:
v1->v2
- Remove declaration of sshkey_load_private() in authfile.h
authfile.c | 38
2006 May 15
0
[PATCH 4/12] bug fix: openssh-4.3p2 memory leak
If the operation in the function is not allowed memory is leaked in
three variables which were xmalloc'ed with buffer_get_string. In the
allowed case these variables are pointed to by variables with a greater
scope thus the reason this is a condtional leak. This entire set of
patches passed the regression tests on my system. Resource leak bugs
found by Coverity.
Signed-off-by:
2016 Jul 21
4
Openssh use enumeration
On Wed, Jul 20, 2016 at 09:02:57PM -0600, Selphie Keller wrote:
> I wonder if could be useful to set the fall back account to something user
> defined to avoid suggesting people add passwords to root, though I do like
> root since the account is always there,
Since committing that diff I've heard of people running in production
with no root password (ie *LK*, !! or similar).
2003 Sep 13
3
Trailing dot is not removed from client hostname if HostbasedUsesNameFromPacketOnly is yes
If HostbasedUsesNameFromPacketOnly is set to yes, sshd does not remove
the trailing dot from the client supplied hostname, causing sshd to
attempt to look up "foo.example.com." (note trailing period) in
known_hosts and .shosts instead of "foo.example.com"
Trivial patch attached.
--
Carson
-------------- next part --------------
An embedded and charset-unspecified text was
2002 Jan 10
1
OpenSSH 3.0.Xp1, AIX -> Sun trusted host problem
Hi, Folks ...
Apologies in advance for the length of this message, but I wanted to
be thorough, and provide as much info as I could. I'm trying to
figure out a problem in trusted-host authentication using AIX hosts
as clients, and a Sun host as the server; either I'm missing
something real obvious, or there might be a bug somewhere in some
piece of software involved here.
-- All of
2002 Jul 16
0
[Bug 356] New: 3.4p1 hostbased authentication between Linux and Solaris
http://bugzilla.mindrot.org/show_bug.cgi?id=356
Summary: 3.4p1 hostbased authentication between Linux and Solaris
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
2002 Aug 07
0
[Bug 382] New: Privilege Separation breaks HostbasedAuthentication
http://cvs-mirror.mozilla.org/webtools/bugzilla/show_bug.cgi?id=382
Summary: Privilege Separation breaks HostbasedAuthentication
Product: Portable OpenSSH
Version: -current
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at
2016 Feb 13
4
[Bug 2540] New: Adds xstrndup() to xmalloc.h/xmalloc.c in OpenSSH 7.x
https://bugzilla.mindrot.org/show_bug.cgi?id=2540
Bug ID: 2540
Summary: Adds xstrndup() to xmalloc.h/xmalloc.c in OpenSSH 7.x
Product: Portable OpenSSH
Version: 7.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee:
2024 Feb 03
1
a little note on sshbuf_reset()
Hello!
I have a minor observation about code in sshbuf.c, not sure if it would be
useful, but here it is.
sshbuf_reset() is currently implemented like this:
void
sshbuf_reset(struct sshbuf *buf)
{
u_char *d;
if (buf->readonly || buf->refcount > 1) {
/* Nonsensical. Just make buffer appear empty */
buf->off = buf->size;
return;
}
if (sshbuf_check_sanity(buf) != 0)
2005 Aug 23
1
compile R with Portland Group compiler
Hi,
Can anyone advise me on how to compile R with Portland Group
compiler on a Opeteron machine with Red Hat Enterprise Linux WS release
4 installed?
I've edit config.site file to pick portland group compilers instead of
gcc. Here is the list of modified flags:
CC=/usr/pgi/linux86-64/6.0/bin/pgcc
CFLAGS='-g -O2'
CPPFLAGS='-I/usr/pgi/linux86-64/6.0/include
2001 Nov 09
2
openssh-3.0p1, auth2.c
openssh-3.0p1 still contains the bug which I already reported on Sept. 28 2001
for 2.9p2, namely, the trailing dot in chost should be stripped before calling
auth_rhosts2() even with option "HostbasedUsesNameFromPacketOnly yes".
Otherwise, the host names in /etc/hosts.equiv and .rhosts would have to be
dot-terminated. Fix: Move lines 776-779 of auth2.c upwards to after line 767.
(These
1999 Dec 07
1
Serious Bug Report: OpenSSH
Adrian Baugh wrote:
>
> Hi,
> I'm using the Linux port of OpenSSH 1.2-pre15.
> One of my users complained of not being able to log in using password
> authentication but being able to log in okay using RSA authentication.
> I set up the server in debug mode and got the following for RSA
> authentication (usernames, machine names and IPs obfuscated):
I think I have found
2002 May 09
1
Bug report: OpenSSH 3.1p1
I believe auth-rhosts.c, function check_rhosts_file(), contains a bug
that shows up when doing host-based authentication where the
client_user name is not the same as the server_user name.
Line 76 reads:
strlcpy(userbuf, server_user, sizeof(userbuf));
I believe it should read:
strlcpy(userbuf, client_user, sizeof(userbuf));
Otherwise later in the function this test will fail:
/* Verify that