search for: pam_set_item

...in that particular group, whilst not affecting the users who browse the box via network neighborhood. But this seemed to work fine for a few hrs and now no one in the Winbind group can login to ssh. Looking thru the /var/log/secure, Iam getting the error: Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed Feb 15 10:21:27 yoda sshd[28182]: PAM pam_set_item: NULL pam handle passed Feb 15 10:21:27 yoda sshd[28182]: Failed password for illegal user MMEBS+mark from 192.168.*.* port 2166 Feb 15 10:21:29 yoda sshd[28182]: Connection closed by 192.168.*.* If comment out the Allowgr...

...s", - pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + pw->pw_name, PAM_STRERROR(pamh, pam_retval)); return 0; } } @@ -157,33 +190,35 @@ int pam_retval; debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + pam_retval = pam_set_item(pamh, PAM_RHOST, get_canonical_hostname()); if (pam_retval != PAM_SUCCESS) { fatal("PAM set rhost failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } if (...

...m_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user); + pam_get_item(grab_pamh(0, NULL), PAM_USER, (const void **)&pam_user); setproctitle("%s [pam]", pam_user); #endif @@ -224,11 +287,11 @@ sshpam_conv.appdata_ptr = ctxt; buffer_init(&buffer); - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) goto auth_fail; - sshpam_err = pam_authenticate(sshpam_handle, 0); + sshpam_err = pam_authenticate(grab_pamh(0, NULL), 0); if (sshpam_err !...

Hi. I'm one of the OpenSSH developers, and I've done some of the work on sshd's PAM interface recently. I've discovered some behaviour peculiar to LinuxPAM that I can't explain: changing the conversation function does not appear to work, even though the pam_set_item() call claims to succeed. The previous conversation function is still called. Background: the PAM API is a poor fit for the SSH protocol, so the conversation function needs to do vastly different things at different points in the protocol. Instead of one enormous multi-mode function, sshd...

...lookup(ctx->request)); if (string == NULL) i_fatal_status(FATAL_OUTOFMEM, "Out of memory"); break; @@ -240,7 +253,7 @@ static void set_pam_items(struct auth_request *request, pam_handle_t *pamh) host = net_ip2addr(&request->remote_ip); if (host != NULL) (void)pam_set_item(pamh, PAM_RHOST, host); - (void)pam_set_item(pamh, PAM_RUSER, request->user); + (void)pam_set_item(pamh, PAM_RUSER, pam_username_lookup(request)); /* TTY is needed by eg. pam_access module */ (void)pam_set_item(pamh, PAM_TTY, "dovecot"); } @@ -262,7 +275,7 @@ pam_verify_plain_call...

<<pam_user.patch>> Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions, let me know. Thanks, Jeremy -------------- next part -------------- A non-text attachment was scrubbed... Name: pam_user.patch Type: application/octet-stream Size: 8581 bytes Desc: pam_user.patch Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/a...

...> > debugging this? > > well its obviously blowing up on pam_open_session, so you need to validate > your "pamh" handle somehow. thank you, and how would one do this? considering that my 'pamh' handle is being used three times prior to that, in: pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); all in the same function, I would have thought that this would have been okay...all of the above go through successfu...

http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 ------- > OpenSSH traditionally would not even start PAM, and > now starts it specifying 'NOUSER' as the login name. We have always used NOUSER, the recent patch just makes it consistent between protocols 1 and 2. > The second is to prevent username guessing

...tch calls 'chown root.root', is good to have the certs owned by root? patch: dovecot-1.0.beta2-pam-setcred.patch is dissables the call to pam_setcred() because there is no other call to pam_setcred() in order to release the resources patch: dovecot-1.0.beta2-pam-tty.patch it add a call to pam_set_item() I don't to attach the patches to the list, but I can if anyone could not extract them from the .src.rpm Many thanks Oliver -- Oliver Schulze L. <oliver at samera.com.py>

...abartlet at pcug.org.au -------------- next part -------------- --- auth-pam.c.orig Sat Feb 10 13:01:35 2001 +++ auth-pam.c Sat Feb 10 14:14:53 2001 @@ -191,14 +191,6 @@ { int pam_retval; - debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item(pamh, PAM_RHOST, - get_canonical_hostname()); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } - if (remote_user != NULL) { debug("PAM setting ruser to \"%.200s\"", remote_user)...

...rror' auth/pampass.o(.text+0xcb6): In function `smb_pam_end': : undefined reference to `pam_end' auth/pampass.o(.text+0xde1): In function `smb_pam_start': : undefined reference to `pam_start' auth/pampass.o(.text+0xe7c): In function `smb_pam_start': : undefined reference to `pam_set_item' auth/pampass.o(.text+0xeec): In function `smb_pam_start': : undefined reference to `pam_set_item' auth/pampass.o(.text+0xfea): In function `smb_pam_auth': : undefined reference to `pam_authenticate' auth/pampass.o(.text+0x1317): In function `smb_pam_account': : undefined re...

Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on. Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector. Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk" Jul 3

A little problem, which is bugging me: when using PAM authentication, Dovecot (0.99.5) does not set the PAM_RHOST item, so the PAM modules cannot know who the client is. We need this for some PAM module doing access control. Changing passdb-pam.c to pam_set_item it seems trivial, but I'm bugged as to how to get the client name from there. It seems not to be available in the auth_request strut or anything from there. I tried even adding an upwards reference from there to the struct client *, but then I see that there are three structs named client and...

...acket_write_wait(); -#endif + debug("%s: %s", __func__, **prompts); + buffer_append(&loginmsg, **prompts, + strlen(**prompts)); xfree(**prompts); **prompts = NULL; } @@ -551,21 +549,6 @@ do_pam_account(void) } void -do_pam_session(void) -{ - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("P...

Hello, I use cvs to download samba with pserver.samba.org i get the 2.0.4b version ! where can i get the last stable release (2.0.7) and alpha versions with cvs and anonymous ? Thanks Guy Roussin

...p1.udel.edu sshd[21223]: [ID 800047 local4.debug] debug1: PAM: initializing for "ed" Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 800047 local4.debug] debug1: PAM: setting PAM_RHOST to "polycut.nss.udel.edu" Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 859314 local4.debug] pam_set_item(4) Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 800047 local4.debug] debug1: PAM: setting PAM_TTY to "ssh" Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 859314 local4.debug] pam_set_item(3) Sep 22 13:12:41 ldap1.udel.edu sshd[21223]: [ID 800047 local4.info] Failed none for ed from 12...

...logically the bug is in the part of the conversation routine that isn't checking to see if stdin/stdout is a TTY before trying to prompt the user for info. Conversely, the conversation routine is just a glorified "printf", then where in the heck is the password read in, and where is pam_set_item() being called to fill in the details before the call to pam_chauthtok() can actually update the password? Thanks, Ed Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public...

...29 15:32:08 2001 @@ -272,6 +272,12 @@ do_pam_set_conv(&conv); +#ifdef PAM_SUN_CODEBASE + if (ttyname == NULL) { + ttyname = ""; + } +#endif /* PAM_SUN_CODEBASE */ + if (ttyname != NULL) { debug("PAM setting tty to \"%.200s\"", ttyname); pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); Obviously that expands the meaning of PAM_SUN_CODEBASE a bit from its current definition, but it seemed a fairly reasonable thing to use, since this appears to be another misbehavior of PAM under Solaris. I don't honestly know enough about the inner workings of PAM...

In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function, do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2, this is no longer the case: session modules run with a conversation function that just returns PAM_CONV_ERR. This means that simple session modules whose job involves printing text on the user's terminal no longer work: pam_lastlog, pam_mail, and

...f. Now having updated to the latest snapshot (which may be released as beta1), I stumbled on it again: In src/auth/passdb-pam.c, where the client host is passed to PAM, the code looks like this: #ifdef PAM_RHOST const char *host = net_ip2addr(&request->remote_ip); if (host != NULL) pam_set_item(pamh, PAM_RHOST, host); #endif For some reason there is a preprocessor/compile-time check whethere there exists such a preprocessor symbol as the PAM item PAM_RHOST (why check that? IIRC PAM_RHOST is standard and in all PAM implementations). However, PAM_RHOST (or other PAM items, for that matte...