Damien Miller | 1 Jul 2003 07:18

Re: [Bug 609] empty password accounts can login with random password


On Tue, 1 Jul 2003 bugzilla-daemon <at> mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=609
>
> ------- Additional Comments From advax <at> triumf.ca  2003-07-01 14:23 -------
> OK, after messing around trying 3.6.1p2 I realize I had a "DenyUsers" line
> in sshd_config on the RedHat 8 system which I had forgotten about.
> The RedHat sshd.pam does not have nullok but it is chained to system-auth
> which does. I guess unchaining it might work but I don't want to depart
> too much from the stock distro especially in things I don't really understand
> (like PAM)
>
> So the issue is that PermitEmptyPasswords is ignored if PAM is used.
> If PAM is really broken like this then maybe a note in the sshd_config manpage
> is in order.
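The bug report above says PermitEmptyPasswords is ignored when the RedHat sshd PAM file chains to a system-auth that carries nullok. The following added example (my code, not OpenSSH's or Red Hat's) walks such a chain over constructed sample files and reports the rules that let pam_unix accept an empty password; the file contents and the pam_stack / include idioms it follows are assumptions modelled on that layout.

```python
import re

# Constructed sample files modelled on a RedHat 8-style layout (not copied
# from the post): /etc/pam.d/sshd defers to system-auth, which has "nullok".
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
""",
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
account     required      pam_unix.so
""",
}

def auth_rules(service, files=PAM_FILES, seen=None):
    """Yield (file, rule) for every 'auth' rule reachable from service,
    following pam_stack.so service=..., 'auth include' and '@include'."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:   # missing file or a loop
        return
    seen.add(service)
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, squeeze spaces
        if not fields:
            continue
        if fields[0] == "@include" and len(fields) > 1:
            yield from auth_rules(fields[1], files, seen)
            continue
        if fields[0] != "auth":
            continue
        rule = " ".join(fields)
        yield service, rule
        if len(fields) > 2 and fields[1] == "include":
            yield from auth_rules(fields[2], files, seen)
        m = re.search(r"pam_stack\.so\b.*\bservice=(\S+)", rule)
        if m:
            yield from auth_rules(m.group(1), files, seen)

def nullok_rules(service="sshd", files=PAM_FILES):
    """Auth rules in service's chain where pam_unix accepts an empty password;
    any hit means PAM, not PermitEmptyPasswords, decides for empty passwords."""
    return [(f, r) for f, r in auth_rules(service, files)
            if re.search(r"\bpam_unix\.so\b.*\bnullok(?:_secure)?\b", r)]
```

Pointing it at the real /etc/pam.d files means reading them into the dict; the hardened variant is simply the same chain with nullok removed.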

l.gautrot | 1 Jul 2003 09:39

French translation for the manpages -> possible inclusion ?

I translated OpenSSH manpages and the manpages for some related utilities (at
least for the 3.4 release of OpenSSH).

Those manpages are hosted at Gérard Delafond's website
(http://www.delafond.org/traducmanfr/index.php). Gérard then dispatches the
manpages to some of the major Linux distributions (as far as I know Debian
GNU/Linux, Mandrake GNU/Linux and RedHat, maybe others ...).

Recently, a user and developer for Debian asked me if I had contacted the OpenSSH dev
team about a possible inclusion of the translated manpages in the OpenSSH distribution.

So what ? ;)

Below is the list of available translations:
scp.1
sftp.1
sftp-server.8
ssh.1
ssh-add.1
ssh-agent.1
ssh_config.5
sshd.8
sshd_config.5
ssh-keygen.1
ssh-keyscan.1
ssh-keysign.8
x11-ssh-askpass.1
scanssh.1
ssh-copy-id.1


Andreas Gidom | 1 Jul 2003 09:58

X11 forwarding when pw is aged

Hi All,

1st Simple question: bug or feature ?

sshd version OpenSSH_3.6.1p2-pwexp20 on solaris sparc
X11 forwarding works fine
Set pw to aged (3rd entry in /etc/shadow to 0)

login as: steffenb
Sent username "steffenb"
steffenb <at> saturn's password:
Warning: Your password has expired, please change it now.
passwd:  Changing password for steffenb
Enter login password:
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for steffenb
Last login: Mon Jun 30 14:56:01 2003 from hclberagi.munic
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
steffenb <at> saturn:~ > /usr/X11R6/bin/xterm
/usr/X11R6/bin/xterm Xt error: Can't open display:
steffenb <at> saturn:~ > set
BASH=/bin/bash
BASH_VERSINFO=([0]="2" [1]="02" [2]="0" [3]="1" [4]="release"
[5]="sparc-sun-solaris2.6")
BASH_VERSION='2.02.0(1)-release'
COLUMNS=80
DIRSTACK=()
EUID=504
----- break ---

Darren Tucker | 1 Jul 2003 10:34

Re: X11 forwarding when pw is aged

Andreas Gidom wrote:
> 1st Simple question: bug or feature ?

It's a Security Feature.  All forwarding is disabled when the password is
expired, otherwise you could request forwards with an expired password.

The problem with re-enabling it afterwards is that your password is
changed in the process that becomes the shell, but the forwarding flags
are checked in the ssh daemon (the slave if privsep is in use) and there's
no easy way to report a successful change.

At one point I tried using a signal to reset the flags but that wasn't
popular.

It might be possible to make it work by checking if the password is still
expired when a forwarding request arrives.  I'm not sure how hard that is
(it's likely to be difficult with PAM for example).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Elwell, AD (Andrew | 1 Jul 2003 15:32

2 poss improvements to 3.6.1p2/passexpire21

Hi again folks,

The new passexpire21 patch works well (ta Darren) but...

1) is it possible to display the "your password has expired and needs
changing" to the users *before* calling the password change routine?

ie ssh shows...
$: ssh 193.62.122.26
ade45 <at> 193.62.122.26's password: 
Changing password for "ade45"
ade45's Old password:
ade45's New password:
Re-enter ade45's new password:
3004-609 Your password has expired.     Please choose a new password.Last
unsuccessful login: Tue  1 Jul 09:21:49 2003 on /dev/dtlogin/_0
Last login: Tue  1 Jul 14:34:01 2003 on ssh from l1f01

whereas rlogin (yes I know.... it's a development box) shows
$: rlogin !$
rlogin 193.62.122.26
ade45's Password: 
3004-609 Your password has expired.
        Please choose a new password.

ade45's New password: 

2) when a password is *due* to expire soon (ie within the pwdwarntime range)


Lindsey, Kelly (WMG Corp | 1 Jul 2003 15:41

certificates breaking ssh?

Does anyone know why Verisign certificates in an LDAP-authenticating Sun box
are causing ssh to fail but telnet to continue working?
Darren Tucker | 1 Jul 2003 15:59

Re: 2 poss improvements to 3.6.1p2/passexpire21

"Elwell, AD (Andrew)" wrote:
> The new passexpire21 patch works well (ta Darren) but...
> 
> 1) is it possible to display the "your password has expired and needs
> changing"
> to the users *before* calling the password change routine?

It used to, last time I tried it on AIX.  What configure options are you
using if any?

There are actually 2 sets of messages: the "expire message" and the "login
message".  The former is supposed to hold "Your password will expire/has
expired" messages, the latter "Last login was.." type messages.  The
expire messages are supposed to be displayed before the change (see
session.c:764).

> 2) when a password is *due* to expire soon (ie within the pwdwarntime range)
> 
> the message could do with a carriage return...

That one should be easy.  ISTR that AIX's expiry messages had their own
newlines, maybe that varies with the version?  What version of AIX are we
talking about?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Greg Lambert | 1 Jul 2003 16:07

Question about comment field for keys

The manual page for ssh-keygen says:

"For RSA1 keys, there is also a comment field in the key file this is only for convenience to the user to help
identify the key."

It seems though that RSA2 and DSA keys also have comment fields, not just RSA1.  Is this just an error in the documentation?

Also the documentation says that only RSA1 key comments can be changed with ssh-keygen's -c option and this
appears to be the case.  Is there a reason for this?

I just want to verify my impression that all types of keys have comment fields (regardless of what the man
page says) that can be initialized to different comments when the key is created but the comment can only be
modified for RSA1 keys.

Greg Lambert

Greg Lambert | 1 Jul 2003 16:50

Generating DSA keys of different length


When I try to create a dsa set of key files with -b 999, the key appears to be created with the default of 1024.
This does not happen for type rsa or rsa1 keys. They get created with the number of bits I specified.   I can't
find this problem in the archives.

DSA key generation:

SY1 97 /SYSTEM/tmp> ssh-keygen -b 999 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/tmp/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/.ssh/id_dsa.
Your public key has been saved in /tmp/.ssh/id_dsa.pub.
The key fingerprint is:
4b:24:3d:ed:a8:ef:20:d8:a3:da:80:4e:db:32:c9:d4 WELLIE <at> OMVSH

SY1 98 /SYSTEM/tmp> ssh-keygen -l -f .ssh/id_dsa
1024 4b:24:3d:ed:a8:ef:20:d8:a3:da:80:4e:db:32:c9:d4 .ssh/id_dsa.pub

RSA key generation:

Markus Friedl | 1 Jul 2003 17:47

Re: Question about comment field for keys

ssh2 keys have no editable comment field.

On Tue, Jul 01, 2003 at 07:07:05AM -0700, Greg Lambert wrote:
> The manual page for ssh-keygen says:
>  
> "For RSA1 keys, there is also a comment field in the key file this is only for convenience to the user to help
> identify the key."
>  
> It seems though that RSA2 and DSA keys also have comment fields, not just RSA1.  Is this just an error in the documentation?
>  
> Also the documentation says that only RSA1 key comments can be changed with ssh-keygen's -c option and
> this appears to be the case.  Is there a reason for this?
>  
> I just want to verify my impression that all types of keys have comment fields (regardless of what the man
> page says) that can be initialized to different comments when the key is created but the comment can only be
> modified for RSA1 keys.
>  
> Greg Lambert
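As an added example (my code, not OpenSSH's) tying together Greg's two questions and Markus's reply: in the ssh2 .pub format the comment is free text after the base64 blob, so it is changed by editing that text rather than by ssh-keygen -c, and the size ssh-keygen -l reports is the bit length of the modulus n (RSA) or the prime p (DSA). The key values and comments below are constructed for illustration, not real keys.

```python
import base64, struct

def _mpint(n):
    """SSH mpint: big-endian bytes with a leading 0x00 when the high bit is set."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b

def make_pub_line(ktype, ints, comment=""):
    """Build a 'type base64-blob comment' line as stored in an id_*.pub file.
    The blob is [string type][mpint ...]; the comment sits outside the blob."""
    t = ktype.encode()
    blob = struct.pack(">I", len(t)) + t + b"".join(_mpint(i) for i in ints)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".rstrip()

def set_comment(line, comment):
    """Change the comment of a .pub line: plain text editing, key bytes untouched."""
    parts = line.split(None, 2)
    return f"{parts[0]} {parts[1]} {comment}".rstrip()

def _read_string(buf, off):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def inspect_pub_line(line):
    """Return type, size and comment of an ssh2 public key line, sizing keys as
    ssh-keygen -l does: bits of the modulus n for ssh-rsa, of the prime p for ssh-dss."""
    parts = line.split(None, 2)
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError("key type prefix does not match the blob")
    ints = []
    while off < len(blob):
        raw, off = _read_string(blob, off)
        ints.append(int.from_bytes(raw, "big"))
    if ktype == "ssh-rsa":      # fields: e, n
        bits = ints[1].bit_length()
    elif ktype == "ssh-dss":    # fields: p, q, g, y
        bits = ints[0].bit_length()
    else:
        bits = None
    return {"type": ktype, "bits": bits, "comment": comment}

# Constructed demo values, not real keys; 1024-bit n / p mirrors the DSA size in the post.
DEMO_N = (1 << 1023) | 0x10001
DEMO_RSA = make_pub_line("ssh-rsa", [65537, DEMO_N], "WELLIE@OMVSH")
DEMO_DSS = make_pub_line("ssh-dss", [DEMO_N, 1 << 159, 2, 3], "DSA default 1024")
```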
