Displaying 20 results from an estimated 1000 matches similar to: "A question about LDAP Public Key authentication with openssh 9.8p1"
2024 Oct 12
1
A question about LDAP Public Key authentication with openssh 9.8p1
On 12/10/2024 13:19, Qingtao Cao wrote:
> Since there is no nss-ldap (not to mention sssd), a separate PAM
> module has been used once the public key authentication is a success,
> to allocate an unused uid/gid for the remote user, also creating its
> home directory (which are all specified on the LDAP server but there
> is no nss-ldap to fetch these configuration) so that the
2004 Jan 25
1
Puzzled about PAM support in OpenSSH-3.7.1p2
I'm trying to understand the code around PAM support in auth2.c and
auth2-chall.c. I'm working with the OpenSSH 3.7.1p2 sources on
FreeBSD 4.x. The scenario I'm trying to make work is SSH login to a
captive account for users in a RADIUS database but whose login does not
appear in /etc/passwd or getpwnam().
I understand that if the username is not found in getpwnam(), then the
2024 Oct 12
1
A question about LDAP Public Key authentication with openssh 9.8p1
Thank you Brian for your prompt response, much appreciated!
Yes, your question just helps me connect dots together. On my device using
musl there is no nss-ldap support, no wonder the getpwnam() will return
NULL since remote-only users don't exist locally.
Since there is no nss-ldap (not to mention sssd), a separate PAM module has
been used once the public key authentication is a success, to
2024 Oct 12
1
A question about LDAP Public Key authentication with openssh 9.8p1
On 12/10/2024 12:04, Qingtao Cao wrote:
> 4. Putting the #2 and #3 points above together, that "goto out;" line will
> make the non-local user unable to login the device, despite the fact
> that its RSA public key has been setup properly on the remote LDAP server
Suppose that user were allowed to login: what UID, GID and home
directory would you expect them to be assigned?
2011 Nov 22
2
user creation before authentication
Hi,
I am working on the following SSH solution and I need some help:
1. User ssh against my node where he/she does not have an account
2. Firstly the node synchronizes its user database from a remote db
with ldap. (just refresh the database, no authentication here)
3. Authenticate the user with a PAM module
I am using my synchronisation script as a PAM module but it seems that
the authentication
2004 Jul 20
3
[Bug 899] sshd displays illegal usernames through setproctitle()
http://bugzilla.mindrot.org/show_bug.cgi?id=899
Summary: sshd displays illegal usernames through setproctitle()
Product: Portable OpenSSH
Version: 3.8.1p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
2003 Oct 28
2
Privilege separation
Hello!
Please consider including the attached patch in the next release. It
allows one to drop privilege separation code while building openssh by using
'--disable-privsep' switch of configure script. If one doesn't use privilege
separation at all, why don't simply allow him to drop privilege separation
support completely?
--
Sincerely Your, Dan.
2003 Oct 08
4
OS/390 openssh
Hello Steve, Hello OpenSSH-portable developers,
I am building OpenSSH for our (EBCDIC-based) BS2000 mainframe
operating system, and I noticed you do the same for OS/390.
Because my initial ssh port was based on IBM's OSS port (ssh-1.2.2
or some such), I thought it was fair enough to help with a little
co-operation; we might come up with a unified EBCDIC patch which could
be contributed to
2023 Aug 27
1
Problem adding sshPublicKeys to schema.
Hi,
I'm following Samba AD schema extensions wiki page to add
sshPublicKeys to schema, but ldbmodify returned the following error:
# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbmodify -H
/var/lib/samba/private/sam.ldb Sshpubkey.ldif.txt
--option="dsdb:schema update allowed"=true
ERR: (Constraint violation) "000020B5: Referenced object not found at
2002 May 09
0
functions : server_input_channel_req userauth_pubkey
Greetings,
I am not sure if this is the correct place to ask these questions,
if I am at the wrong place please advise.
I am currently working on some modifications to openssh
which record the users rsa/dsa identity comment file to
a log file when the user logs in (password authentication
is disabled).
The ssh1 portion of the modification works
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
Hi,
the following patch removes some of the Cygwin specific code from
OpenSSH.
Since Cygwin is able to change the user context on NT/W2K even without
a password since the new Cygwin version 1.3.2, there's no need anymore
to allow changing the user context only if the sshd user is the same
user as the one which logs in or when a password is given.
For that reason the whole function
2002 Mar 28
1
[PATCH] Feature addition: user access control per auth method
I added a few features to openssh for my local use that I think would
be more broadly useful. I basically added access control lists to
control who would be allowed public key authentication. I added four
config file entries for the server:
PubkeyAllowUsers
PubkeyDenyUsers
PubkeyAllowGroups
PubkeyDenyGroups
These follow the same semantics as the already existing entries for
2006 Oct 27
1
Requirement for sshd account since 4.4p1
Hi,
there's a change made to 4.4p1, which gave some irritation on the Cygwin
mailing list. It's a change from 20060907:
- (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
be used to drop privilege to; fixes Solaris GSSAPI crash reported by
Magnus Abrante; suggestion and feedback dtucker@
NB. this change will require that the privilege separation user must
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
Hi,
the following patch fixes a potential security hole in the Cygwin
version of sshd.
If you're logging in to a Cygwin sshd with version 2 protocol using an
arbitrary user name which is not in /etc/passwd, the forked sshd which
is handling this connection crashes with a segmentation violation. The
client side encounters an immediate disconnect ("Connection reset by
peer").
2006 Mar 29
7
sshd config parser
Hi All.
For various reasons, we're currently looking at extending (or even
overhauling) the config parser used for sshd_config.
Right now the syntax I'm looking at is a cumulative "Match" keyword that
matches when all of the specified criteria are met. This would be
similar to the Host directive used in ssh_config, although it's still
limiting (eg you can't easily
2001 Jun 26
1
OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt
When using PAM to do password authentication the attempt/failure counter
appears to be getting confused. This is using a rh62 system with the
openssh-2.9p2-1 rpms...
On the client side...
[matthewm at toadhall (7) matthewm]$ grep Auth /etc/ssh/ssh_config
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication no
PubkeyAuthentication yes
2003 Dec 14
1
fakepw auth.c question
this is at the bottom of auth.c. What is it?
struct passwd *
fakepw(void)
{
static struct passwd fake;
memset(&fake, 0, sizeof(fake));
fake.pw_name = "NOUSER";
fake.pw_passwd =
"$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
fake.pw_gecos = "NOUSER";
fake.pw_uid = -1;
fake.pw_gid = -1;
fake.pw_class =
2002 Nov 18
0
R: 3rd POSTING: winbind mixcase DOMAIN+username???
Hallo Andrew,
thanks for the answer (for the hints in particular, I'm new on samba mailing
list), I'm working on a fax server based on the original implementation of
Pedro Fraile you can read all the particular here:
http://www.linuxgazette.com/issue79/fraile.html
The goal of "my" fax server implementation:
Users authentication via samba/winbind/pam
Automatic creation of the
2006 Nov 15
11
OpenSSH Certkey (PKI)
This patch against OpenBSD -current adds a simple form of PKI to
OpenSSH. We'll be using it at work. See README.certkey (the first chunk
of the patch) for details.
Everything below is BSD licensed, sponsored by Allamanda Networks AG.
Daniel
--- /dev/null Wed Nov 15 15:14:20 2006
+++ README.certkey Wed Nov 15 15:13:45 2006
@@ -0,0 +1,176 @@
+OpenSSH Certkey
+
+INTRODUCTION
+
+Certkey allows
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to
those who wish to use KerberosGetAFSToken (currently requires Heimdal
libkafs) in combination with GSSAPIDelegateCredentials. The patch is
in the public domain and comes with no warranty whatsoever. Applies
to pristine 3.8p1. Works for me on Solaris and Tru64.
I'd probably have used Doug Engert's patch from 2004-01-30 if