search for: do_pam_account

Displaying 20 results from an estimated 66 matches for "do_pam_account".

2004 Jun 22
2
patch: openssh empty password fail with pam/sshv1
...i, We've encountered a bug with OpenSSH 3.8.1p1 on Linux. With an account that has an empty password and with PAM and Privilege Separation turned on through the SSH1 protocol, the login fails with: fatal: mm_request_receive_expect: read: rtype 24 != type 46 I believe the problem is a missing do_pam_account() call. The patch below to auth1.c fixes the problem. If this is correct, can someone please commit this? Thanks, Dave. --- auth1.c 19 Jun 2004 00:51:06 -0000 1.1 +++ auth1.c 22 Jun 2004 04:07:38 -0000 1.5 @@ -81,8 +81,13 @@ (!options.kerberos_authentication || options.kerberos_or_local_pa...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any other platforms yet, but there were few other changes so it should still work (famous last words :-) I would be interested to know if it works with unusual PAM configurations or pla...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
...ised no one noticed the puddle under the server. Perhaps you've all got raised floors, and all the bits are now down under there where the gremlins live. Below is a patch for this, but here's the verbal: To keep the basic limited prototyping model this code seems to be following, I moved do_pam_account() down below the definition of the function that I wanted to use for the conversation function (sshpam_store_conv()). Then, inside do_pam_account, I set PAM up with that conversation function just before it calls pam_acct_mgmt(). However, this created the side effect that any time do_pam_account()...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...t passed, all password services should update their passwords. [/quote] Imagine my complete lack of surprise when this turns out to not be the case. Even with that flag, Solaris attempts to change the password regardless of whether or not it's expired. To work around this, I call do_pam_account early and cache the result to prevent pam_account_mgmt being called twice. It works on Redhat. Kind of. The prompts don't have newlines where they should, and although the password is updated successfully, the last-changed time isn't, so you'll have to change it at each login. Anno...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know why. Works OK for me on Redhat, Solaris & HP-UX. I'm interested in reports of success or...
2018 Sep 28
2
Support for RFC4252 in sshd with PAM
...tos 7 (using PAM) and got into debug mode In sshd_config I have UsePAM yes PasswordAuthentication yes ChallengeResponseAuthentication no AuthenticationMethods password I can see two phases where authentication is applied - the first. debug3: mm_request_receive entering debug1: do_pam_account: called debug2: do_pam_account: auth information in SSH_AUTH_INFO_0 debug3: PAM: sshpam_passwd_conv called with 1 messages debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required) debug3: sshpam_password_change_required 1 debug3: mm_request_sen...
1999 Dec 07
1
Serious Bug Report: OpenSSH
...================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.33 diff -u -r1.33 sshd.c --- sshd.c 1999/12/04 09:24:48 1.33 +++ sshd.c 1999/12/07 03:55:18 @@ -1551,24 +1551,41 @@ get_remote_port(), user); -#ifdef HAVE_LIBPAM - do_pam_account_and_session(pw->pw_name, client_user); +#ifndef HAVE_LIBPAM + if (authenticated) + return; - /* Clean up */ - if (client_user != NULL) - xfree(client_user); + if (attempt > AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); +#else /* HAVE_LIBPAM */ + if (authentic...
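Review bot: the new `#ifndef HAVE_LIBPAM` branch returns early on `if (authenticated) return;`, while the same hunk deletes the `xfree(client_user)` cleanup and the visible lines show no replacement free. Unless client_user is released earlier in the function or in the part of the hunk cut off here, that early return leaks it; consider freeing it before the `#ifndef` block or keeping the cleanup on each exit path.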
2003 Jul 18
0
PAM_RUSER never set under ssh2?
...o it in the archives. I have a pam module that requires PAM_RUSER to be set however I've found that if I connect to the remote server (where the pam module is installed) via ssh the PAM_RUSER variable is never set. The PAM_RUSER variable is set within auth-pam.c (line 239 in 3.6p1) as such: int do_pam_account(char *username, char *remote_user) { ... if (remote_user) { debug("PAM setting ruser to \"%.200s\"", remote_user); pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user); however do_pam_account() is called in only two locations (auth2.c and monitor.c) and in both...
2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
...To: bitbucket at mindrot.org ReportedBy: dtucker at zip.com.au OtherBugsDependingOnThis: 1155 Because each keyboard-interactive attempt is effectively self-contained, when the PAM account check fails, the user is reprompted, even though they can never possibly succeed (since do_pam_account() caches the result). Eg: $ ssh localhost Password: Your account has expired; please contact your system administrator Password: sshd should prevent further keyboard-interactive attempts if the PAM account check fails. ------- You are receiving this mail because: ------- You are the assigne...
2012 Nov 01
5
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED Assignee|pgsery at swcp.com |djm at mindrot.org --- Comment #58 from Damien Miller
2005 Sep 21
23
[Bug 1087] SSH fails to show PAM password expiry message from LDAP on login
http://bugzilla.mindrot.org/show_bug.cgi?id=1087 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Group|Portable OpenSSH | ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2003 Nov 20
2
[Bug 740] Sun's pam_ldap account management is not working
http://bugzilla.mindrot.org/show_bug.cgi?id=740 ------- Additional Comments From dtucker at zip.com.au 2003-11-19 23:20 ------- According to the man page, pam_ldap doesn't support account management. $ man pam_ldap [snip] The pam_ldap.so.1 module supports two components: the Authentication component and the Password management component. ------- You are
2000 May 31
1
pam_chauthtok placement
Can I ask for some advice, as to where in the code would be the logical place to add code to ask a user to change his password? Presumably do_pam_account is the *wrong* place. Guess I should build a do_pam_password function, but who should be calling it?
2001 Mar 01
1
Bug report against openssh-2.3.0p1
...process takes a SIGSEGV just after the debugging message 'PAM setting tty to ...'. I think that the SIGSEGV is inside pam_open_session. Truss shows that the lastlog file has just been opened for writing. Non-interactive uses of ssh work. The cause is that, on this route through the code, do_pam_account is _not_ called, but do_pam_session is. This results in pam_open_session being called with PAM_TTY set but PAM_RHOST not set. (In the non-interactive case, PAM_TTY is not set either, so the PAM module does not try to update lastlog, and so does not look at PAM_RHOST). The SIGSEGV might be regarded...
2001 Nov 13
1
Kerberos / PAM bug in OpenSSH CVS
In do_authloop() in auth1.c(), the Kerberos 4 and 5 code both allocate, then xfree() the client_user string. The call to do_pam_account() later in the function then tries to use this string, resulting in a corrupt remote user. Finally, before exiting, the function frees client_user again, resulting in a double free and much mess. Patch attached. Cheers, Simon. -- Simon Wilkinson <simon at sxw.org.uk>...
2002 Jun 24
1
Expired PAM accounts
Hi there, is there any reason why the code for supporting expired PAM accounts in auth-pam.c:do_pam_account is commented out? Ie. it is not possible to log in to an expired account. When you enable this, the login procedure asks for a new password - all of this seems to work fine. This was enabled in version 3.1 or so, but now? Thanks Stephan -- Stephan Müller Stephan.Mueller at at...
2004 Feb 27
1
Minor Thread Bug In OpenSSH 3.8p1
There is a minor problem with the PAM support in OpenSSH 3.8p1. If you use POSIX threads (as specified by defining USE_POSIX_THREADS) in auth-pam.c, PAM authentication will fail in routine import_environments(). The purpose of this routine is to import variables returned by do_pam_account() in sshpam_thread(). However, those variables are only exported if USE_POSIX_THREADS is NOT set. Consequently, import_environments() gets upset when there's nothing in the buffer when that macro IS set. I have chosen to comment out the guts of routine import_environments() if USE_POSIX_PTHREAD...
2020 Sep 08
23
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
...there are at least PAM_USER_UNKNOWN and PAM_PERM_DENIED (from Fedora 32 man pages). In these cases, openssh goes into unexpected code paths giving confusing error messages, such as: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client user=useruser debug1: do_pam_account: called pam_sss(sshd:account): Access denied for user useruser: 6 (Permission denied) debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied) debug3: ssh_msg_send: type 13 debug3: PAM: User account has expired error: PAM: User account has expired for useruser from client As far as I read...
2004 Jan 15
2
What is print_pam_messages() used for ?
Hi, I was investigating why I don't see any warnings from pam_ldap indicating the pending expiration of passwords as well as for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not have a conversation function. Also, there is a function print_pam_messages (currently empty) which looks suspiciously like it is earmarked to show just those error messages: /* auth-pam.c */ void print_pam_messages(void) { /* XXX */ } By any chance, is someone working on a patch t...
2004 Mar 04
3
[Bug 808] segfault if not using pam/keyboard-interactive mech and password's expired
...Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: buckh at pobox.com if you don't authenticate via pam/keyboard-interactive, then when do_pam_account figures out your password is expired and calls pam_password_change_required, the latter will probably segfault when it dereferences the uninitialized int *force_pwchange. this is b/c, if you don't authenticate using the PRIVSEP(sshpam_device), sshpam_init_ctx is never called, so force_pwchange...