Displaying 20 results from an estimated 66 matches for "do_pam_account".
2004 Jun 22
2
patch: openssh empty password fail with pam/sshv1
...i,
We've encountered a bug with OpenSSH 3.8.1p1 on Linux. With an account
that has an empty password and with PAM and Privilege Separation turned
on through the SSH1 protocol, the login fails with:
fatal: mm_request_receive_expect: read: rtype 24 != type 46
I believe the problem is a missing do_pam_account() call. The patch below
to auth1.c fixes the problem. If this is correct, can someone please
commit this?
Thanks,
Dave.
--- auth1.c 19 Jun 2004 00:51:06 -0000 1.1
+++ auth1.c 22 Jun 2004 04:07:38 -0000 1.5
@@ -81,8 +81,13 @@
(!options.kerberos_authentication || options.kerberos_or_local_pa...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
Hi All.
Attached is another patch that attempts to do pam_chauthtok() via SSH2
keyboard-interactive authentication. It now passes the results from the
authentication thread back to the monitor (based on a suggestion from
djm).
Because of this, it doesn't call do_pam_account twice and consequently
now works on AIX 5.2, which the previous version didn't. I haven't tested
it on any other platforms yet, but there were few other changes so it
should still work (famous last words :-)
I would be interested to know if it works with unusual PAM configurations
or pla...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
...ised no one noticed
the puddle under the server. Perhaps you've all got raised floors,
and all the bits are now down under there where the gremlins live.
Below is a patch for this, but here's the verbal: To keep the basic
limited prototyping model this code seems to be following, I moved
do_pam_account() down below the definition of the function that I
wanted to use for the conversation function (sshpam_store_conv()).
Then, inside do_pam_account, I set PAM up with that conversation
function just before it calls pam_acct_mgmt(). However, this created
the side effect that any time do_pam_account()...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...t passed, all
password services should update their passwords.
[/quote]
Imagine my complete lack of surprise when this turns out to not be the
case. Even with that flag, Solaris attempts to change the password
regardless of whether or not it's expired. To work around this, I call
do_pam_account early and cache the result to prevent pam_account_mgmt
being called twice.
It works on Redhat. Kind of. The prompts don't have newlines where they
should, and although the password is updated successfully, the
last-changed time isn't, so you'll have to change it at each login.
Anno...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All.
Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive. It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired. To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.
This doesn't seem to work on AIX 5.2, I don't know why. Works OK for me
on Redhat, Solaris & HP-UX. I'm interested in reports of success or...
2018 Sep 28
2
Support for RFC4252 in sshd with PAM
...tos 7 (using
PAM) and got into debug mode
In sshd_config I have
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods password
I can see two phases where authentication is applied - the first.
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required)
debug3: sshpam_password_change_required 1
debug3: mm_request_sen...
1999 Dec 07
1
Serious Bug Report: OpenSSH
...==================================================================
RCS file: /var/cvs/openssh/sshd.c,v
retrieving revision 1.33
diff -u -r1.33 sshd.c
--- sshd.c 1999/12/04 09:24:48 1.33
+++ sshd.c 1999/12/07 03:55:18
@@ -1551,24 +1551,41 @@
get_remote_port(),
user);
-#ifdef HAVE_LIBPAM
- do_pam_account_and_session(pw->pw_name, client_user);
+#ifndef HAVE_LIBPAM
+ if (authenticated)
+ return;
- /* Clean up */
- if (client_user != NULL)
- xfree(client_user);
+ if (attempt > AUTH_FAIL_MAX)
+ packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
+#else /* HAVE_LIBPAM */
+ if (authentic...
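Review bot: the removed `if (client_user != NULL) xfree(client_user);` cleanup has no replacement in the visible part of this hunk, and the new non-PAM branch leaves through `if (authenticated) return;` without touching client_user. Please confirm that client_user is still freed exactly once on every exit path, in both the `#ifndef HAVE_LIBPAM` and `#else` branches. A short comment on the inverted `#ifndef` would also help, since the preprocessor condition flips from the original `#ifdef HAVE_LIBPAM`.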
2003 Jul 18
0
PAM_RUSER never set under ssh2?
...o it in the archives. I have a pam module that requires PAM_RUSER
to be set however I've found that if I connect to the remote server (where
the pam module is installed) via ssh the PAM_RUSER variable is never set.
The PAM_RUSER variable is set within auth-pam.c (line 239 in 3.6p1) as such:
int do_pam_account(char *username, char *remote_user)
{
...
if (remote_user) {
debug("PAM setting ruser to \"%.200s\"", remote_user);
pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user);
however do_pam_account() is called in only two locations (auth2.c and
monitor.c) and in both...
2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
...To: bitbucket at mindrot.org
ReportedBy: dtucker at zip.com.au
OtherBugsDependingOnThis: 1155
Because each keyboard-interactive attempt is effectively
self-contained, when the PAM account check fails, the user is
reprompted, even though they can never possibly succeed (since
do_pam_account() caches the result). Eg:
$ ssh localhost
Password:
Your account has expired; please contact your system administrator
Password:
sshd should prevent further keyboard-interactive attempts if the PAM
account check fails.
------- You are receiving this mail because: -------
You are the assigne...
2012 Nov 01
5
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pgsery at swcp.com |djm at mindrot.org
--- Comment #58 from Damien Miller
2005 Sep 21
23
[Bug 1087] SSH fails to show PAM password expiry message from LDAP on login
http://bugzilla.mindrot.org/show_bug.cgi?id=1087
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Group|Portable OpenSSH |
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2003 Nov 20
2
[Bug 740] Sun's pam_ldap account management is not working
http://bugzilla.mindrot.org/show_bug.cgi?id=740
------- Additional Comments From dtucker at zip.com.au 2003-11-19 23:20 -------
According to the man page, pam_ldap doesn't support account management.
$ man pam_ldap
[snip]
The pam_ldap.so.1 module supports two components: the
Authentication component and the Password management com-
ponent.
------- You are
2000 May 31
1
pam_chauthtok placement
Can I ask for some advice, as to where in the code would be the logical
place to add code to ask a user to change his password? Presumably
do_pam_account is the *wrong* place. Guess I should build a
do_pam_password function, but who should be calling it?
2001 Mar 01
1
Bug report against openssh-2.3.0p1
...process takes
a SIGSEGV just after the debugging message 'PAM setting tty to ...'.
I think that the SIGSEGV is inside pam_open_session. Truss
shows that the lastlog file has just been opened for writing.
Non-interactive uses of ssh work.
The cause is that, on this route through the code,
do_pam_account is _not_ called, but do_pam_session is.
This results in pam_open_session being called with PAM_TTY
set but PAM_RHOST not set. (In the non-interactive case,
PAM_TTY is not set either, so the PAM module does not try
to update lastlog, and so does not look at PAM_RHOST).
The SIGSEGV might be regarded...
2001 Nov 13
1
Kerberos / PAM bug in OpenSSH CVS
In do_authloop() in auth1.c(), the Kerberos 4 and 5 code both allocate, then
xfree() the client_user string. The call to do_pam_account() later in the
function then tries to use this string, resulting in a corrupt remote user.
Finally, before exiting, the function frees client_user again, resulting in a
double free and much mess.
Patch attached.
Cheers,
Simon.
--
Simon Wilkinson <simon at sxw.org.uk>...
2002 Jun 24
1
Expired PAM accounts
Hi there,
is there any reason why the code for supporting expired PAM accounts in
auth-pam.c:do_pam_account is commented out?
Ie. it is not possible to log in to an expired account. When you enable this,
the login procedure asks for a new password - all of this seems to work fine.
This was enabled in version 3.1 or so, but now?
Thanks
Stephan
--
Stephan Müller Stephan.Mueller at at...
2004 Feb 27
1
Minor Thread Bug In OpenSSH 3.8p1
There is a minor problem with the PAM support in OpenSSH 3.8p1. If you use
POSIX threads (as specified by defining USE_POSIX_THREADS) in auth-pam.c,
PAM authentication will fail in routine import_environments(). The purpose
of this routine is to import variables returned by do_pam_account() in
sshpam_thread(). However, those variables are only exported if USE_POSIX_THREADS
is NOT set. Consequently, import_environments() gets upset when there's nothing
in the buffer when that macro IS set.
I have chosen to comment out the guts of routine import_environments() if
USE_POSIX_PTHREAD...
2020 Sep 08
23
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
...there are at least
PAM_USER_UNKNOWN and PAM_PERM_DENIED (from Fedora 32 man pages). In
these cases, openssh goes into unexpected code paths giving confusing
error messages, such as:
pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0
tty=ssh ruser= rhost=client user=useruser
debug1: do_pam_account: called
pam_sss(sshd:account): Access denied for user useruser: 6 (Permission
denied)
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: ssh_msg_send: type 13
debug3: PAM: User account has expired
error: PAM: User account has expired for useruser from client
As far as I read...
2004 Jan 15
2
What is print_pam_messages() used for ?
Hi,
I was investigating why I don't see any warnings from
pam_ldap indicating the pending expiration of passwords as well as
for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account()
does not have a conversation function. Also, there is a function
print_pam_messages (currently empty) which looks suspiciously like it
is earmarked to show just those error messages:
/* auth-pam.c */
void print_pam_messages(void)
{
/* XXX */
}
By any chance, is someone working on a patch t...
2004 Mar 04
3
[Bug 808] segfault if not using pam/keyboard-interactive mech and password's expired
...Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: buckh at pobox.com
if you don't authenticate via pam/keyboard-interactive, then when
do_pam_account figures out your password is expired and calls
pam_password_change_required, the latter will probably segfault when it
dereferences the uninitialized int *force_pwchange. this is b/c, if you
don't authenticate using the PRIVSEP(sshpam_device), sshpam_init_ctx is
never called, so force_pwchange...