search for: 3pam

...s not calling, or ignoring non-success return values of pam_acct_mgmt() yet still allowing access to the account, then the application has a gaping hole and is at fault. - A PAM module may defer authentication and authorization, in password-change-required situations, to pam_sm_chauthtok(3PAM), but if so it must: a) return PAM_SUCCESS from its pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from its pam_sm_acct_mgmt(3PAM). Kerberos V and LDAP BIND type modules typically do this. If it does otherwise then it will either not support password aging or spo...

Hello, We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a non-root user with PAM [pam-kerberos] then I get the following error. debug3: PAM: opening session debug1: PAM: reinitializing credentials PAM: pam_setcred(): Failure setting user credentials This is particularly for non-root users with PrivSep YES. When I connect to a root user with PrivSep YES or to a non-root

http://bugzilla.mindrot.org/show_bug.cgi?id=926 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO|994 | nThis| | ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------

...eeded?? Because you are supposed to call pam functions in this order: pam_start(pamh,...); pam_authenticate(pamh, ...); pam_acct_mgmt(pamh, pam_setcred(pamh, PAM_ESTABLISH_CRED) ... pam_setcred(pamh, PAM_DELETE_CRED); pam_end(pamh); This is quite clear from the Solaris man page for pam_setcred(3pam) " The pam_setcred() function is used to establish, modify, or delete user credentials. It is typically called after the user has been authenticated and after a session has been opened. See pam_authenticate(3PAM), pam_acct_mgmt(3PAM), and pam_open_session(3P...

...>credentials as pam_get_item(PAM_USER)." That is wrong and is one thing the XSSO doc is clear on: "The pam_setcred() function is used to establish, modify, or delete the credentials of the current user associated with the authentication handle, pamh. " The Solaris pam_setcred(3pam) man page is less clear - I'll file a man page bug for Solaris to get it clarified better. >And, given what OpenSSH does, it seems that >pam_setcred(PAM_REINITIALIZE_CREDS) should be called with >(euid==0 || uid==0) and gid/egid/groups setup to be the PAM_USER's. That depends and...

maybe this is a silly question ;-) But why is it possible to login on a machine with a locked account (passwd -l ) via pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not happen. If this is the normal behaviour and built in intentionally what would be the easiest way to lock an account without deleting the users authorized_keys ?

http://bugzilla.mindrot.org/show_bug.cgi?id=559 Summary: PAM fixes Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at fcusack.com - start PAM