Mailing-List: contact cygwin-help AT sourceware DOT cygnus DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT sourceware DOT cygnus DOT com>
List-Archive: <http://sourceware.cygnus.com/ml/cygwin/>
List-Post: <mailto:cygwin AT sourceware DOT cygnus DOT com>
List-Help: <mailto:cygwin-help AT sourceware DOT cygnus DOT com>, <http://sourceware.cygnus.com/ml/#faqs>
Sender: cygwin-owner AT sourceware DOT cygnus DOT com
Delivered-To: mailing list cygwin AT sourceware DOT cygnus DOT com
From: "Prentis Brooks" <prentis AT aol DOT net>
To: <rbh00 AT netcom DOT com>
Cc: "Cygwin" <cygwin AT sourceware DOT cygnus DOT com>
Subject: RE: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has a nasty bite]
Date: Tue, 30 May 2000 15:09:46 -0400
Message-ID: <NEBBLEPLMLJEEFHAGMDMAECNCAAA.prentis@aol.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
In-Reply-To: <s048jsc0d8a3j88k2r57mkkbs21qbac6jo@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

Yes, that is the error I am trying to resolve... but after digging through
the OpenSSL source.... is RSAREF compiled in, or is it using SSLeay?  Or
does it matter?  *grin*

-----Original Message-----
From: Richard Hitt [mailto:rbh00 AT netcom DOT com]
Sent: Tuesday, May 30, 2000 3:02 PM
To: Prentis Brooks
Subject: Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has
a nasty bite]


Hi All

I came across what might be a related URL:
http://www.ssh.com/products/ssh/patches/patch-ssh-1.2.27-rsaref.buffer.overf
low

hth

Richard

On Tue, 30 May 2000 14:19:27 -0400, you wrote:

>Corinna,
>	your patches work great, one last quick question, then I am done, I hope
>:).  There is apparently an RSAREF patch out there with a buffer overflow
>problem, I am still trying to track down the patch number.  If you happen
to
>know of it, did you apply that patch to the OpenSSL code?  If you don't
know
>of the one I am talking about, then I guess there is not much we can do
>until I find that patch number ;)
>
>Thanks
>
>-----Original Message-----
>From: cygwin-owner AT sourceware DOT cygnus DOT com
>[mailto:cygwin-owner AT sourceware DOT cygnus DOT com]On Behalf Of Corinna Vinschen
>Sent: Sunday, May 28, 2000 5:25 AM
>To: Prentis Brooks
>Cc: cygwin
>Subject: Re: [ANNOUNCEMENT]: patched openSSH-1.2.2 [was Re: No this has
>a nasty bite]
>
>
>Prentis Brooks wrote:
>> different from what I was looking to do.  Would you mind telling me how
>you
>> solved the problem of unauthorized access to a another account?
>> (specifically, being able to login to RSA enabled SSHD eventhough your
RSA
>> key is not part of that SSHD's user's authorized_key file.)
>
>Password authentication leads to a valid hToken, any
>other authentication leads to hToken == INVALID_HANDLE_VALUE.
>So after authentication I check for non-password authentication
>and equality of getuid() to uid of authenticated user.
>
>==== SNIP ====
>@@ -1498,6 +1529,13 @@ do_authloop(struct passwd * pw)
>                        break;
>                }
>
>+#ifdef __CYGWIN__
>+                if (is_winnt && hToken == INVALID_HANDLE_VALUE &&
>+                    authenticated && getuid() != pw->pw_uid) {
>+                        packet_disconnect("Authentication rejected for
>uid %d.", (int) pw->pw_uid);
>+                        authenticated = 0;
>+                }
>+#endif
>                /* Raise logging level */
>                if (authenticated ||
>                    attempt == AUTH_FAIL_LOG ||
>==== SNAP ====
>
>Corinna
>
>--
>Corinna Vinschen
>Cygwin Developer
>Cygnus Solutions, a Red Hat company
>
>--
>Want to unsubscribe from this list?
>Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com


--
Want to unsubscribe from this list?
Send a message to cygwin-unsubscribe AT sourceware DOT cygnus DOT com