search for: __pamh

Displaying 19 results from an estimated 19 matches for "__pamh".

2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...e preferable to skip credentials deletion on HP-UX... Cheers! Michael diff -u -r openssh-3.5p1/auth-pam.c openssh-3.5p1a/auth-pam.c --- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002 +++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002 @@ -186,12 +186,14 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (...
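Review bot: the `#ifndef __hpux` guard around the `pam_setcred(__pamh, PAM_DELETE_CRED)` block carries no comment saying why credential deletion is skipped on HP-UX, and it keys on a compiler platform macro rather than a configure-time test. Add a one-line comment above the guard describing the HP-UX behaviour it works around, and consider a configure-defined macro so another PAM implementation with the same behaviour can opt in without a further platform `#ifdef`.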
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s...
2001 Feb 26
1
2.5.1p1 on Redhat Linux 6.2 using PAM does not log closing of session
Hello all, On Redhat 6.2, the PAM_unix module logs the session opening, but not the session closing. This was logged as of 2.3.0p1. Upgrading to 2.5.1p1 marks the start of the problem. Thanks in advance, Victor -- Victor J. Orlikowski ====================== v.j.orlikowski at gte.net orlikowski at apache.org vjo at us.ibm.com
2002 Oct 09
0
Again: Cannot delete credentials
As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message on logout: Cannot delete credentials. This occurs when in auth-pam.c, function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is called under UID 0. I suggested a patch for this on Nov 22, 2001, based on openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0 by "if (!flag) setuid(0);" does not actually work but seems not to be required.] Now in 3.4p1 with privilege separati...
2002 Jul 16
2
HP-UX PAM with Trusted System patch
I'm fairly new to the list and new to submitting patches. Can someone please verify the attached patch for running a HP-UX Trusted System with PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify the user via __pamh after the call to permanently_set_uid in session.c. So I called do_pam_session prior to the call and added a function do_pam_set_tty in order to set the tty after allocation. -- Dan Wanek -------------- next part -------------- diff -u -r openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c --- o...
2001 Mar 30
1
PAM and -u0
...const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); +/* XXX: move to header file */ +const char * +get_remote_name_or_ip(void); + /* module-local variables */ static struct pam_conv conv = { do_pam_conversation, @@ -356,9 +360,9 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); debug("PAM setting rhost to \"%.200s\"", - get_canonical_hostname(options.reverse_mapping_check)); + get_remote_name_or_ip()); pam_retval = pam_set_item(__pamh, PAM_RHOST, - get_canonical_hostname(options.reverse_mapping_check)); + get_remote_nam...
2002 Jun 26
3
pam session as root
...with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } + if (session_opened) + return; /*Be idempotent so we can be called in monitor and child*/ pam_retval = pam_open_session(__pamh, 0); if (pam_retval != PAM_SUCCESS) fatal("PAM session setup failed[%d]: %.200s", @@ -304,6 +306,8 @@ do_pam_set_conv(&conv...
2001 Oct 29
2
pam_open_session w/o tty on Solaris
...2001 @@ -272,6 +272,12 @@ do_pam_set_conv(&conv); +#ifdef PAM_SUN_CODEBASE + if (ttyname == NULL) { + ttyname = ""; + } +#endif /* PAM_SUN_CODEBASE */ + if (ttyname != NULL) { debug("PAM setting tty to \"%.200s\"", ttyname); pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); Obviously that expands the meaning of PAM_SUN_CODEBASE a bit from its current definition, but it seemed a fairly reasonable thing to use, since this appears to be another misbehavior of PAM under Solaris. I don't honestly know enough about the inner workings of PAM to know...
2002 Feb 27
0
openssh & solaris
...denied" errors are still issued when exiting a session. *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM es...
2002 Feb 27
0
[Bug 127] New: PAM with ssh authentication and pam_krb5 doesn't work properly
...sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establi...
2001 Oct 25
6
Regarding PAM_TTY_KLUDGE and Solaris 8...
>Okay, this appears to be a problem with pam_unix.so - the code in >pam_sm_open_session is written with the assumption that the tty name is of >the form "/dev/" + something else on the end. I'm not sure why the pam_sm_open_session in pam_unix on Solaris now does this: /* report error if ttyn or rhost are not set */ if ((ttyn == NULL) || (rhost == NULL))
2001 Aug 28
1
OpenSSHd barfs upon reauthentication: PAM, Solaris 8
...ngth initially; subsequent tests worked for a password of just five characters ["hello", for what it's worth :) ]), followed by the correct password. Investigation (using copious debug() statements) has isolated the problem down to one line of code: pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); in auth-pam.c, function do_pam_setcred(). It appears that this function is being called twice: once with init set, once without (ie: once with PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call to pam_setcred...
2002 Nov 24
1
[PATCH] PamServiceNameAppend
...@@ -378,10 +378,13 @@ void start_pam(const char *user) extern ServerOptions options; extern u_int utmp_len; const char *rhost; + char buf[1024]; debug("Starting up PAM with username \"%.200s\"", user); - pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh); + strlcpy(buf, SSHD_PAM_SERVICE, sizeof(buf)); + strlcat(buf, options.pam_service_name_append, sizeof(buf)); + pam_retval = pam_start(buf, user, &conv, &__pamh); if (pam_retval != PAM_SUCCESS) fatal("PAM initialisation failed[%d]: %.200s", Index: servconf.c ==============...
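Review bot: in start_pam() the return values of strlcpy() and strlcat() into `buf` are not checked, so an over-long `options.pam_service_name_append` is silently truncated and pam_start() runs with a service name the administrator did not configure. Compare the strlcat() result against `sizeof(buf)` and call fatal() on truncation. Also confirm that `options.pam_service_name_append` cannot be NULL when the option is unset, since these lines pass it to strlcat() unconditionally.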
2002 Dec 05
1
patch to add a PAMServiceName config option
...extern char *__progname; - extern int use_privsep; RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); @@ -381,7 +379,7 @@ debug("Starting up PAM with username \"%.200s\"", user); - pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh); + pam_retval = pam_start(options.pam_service_name, user, &conv, &__pamh); if (pam_retval != PAM_SUCCESS) fatal("PAM initialisation failed[%d]: %.200s", diff -ru openssh-3.5p1.orig/auth-pam.h openssh-3.5p1/auth-pam.h --- openssh-3.5p1.orig/auth-pam.h Tue Jul 23 01:44:07 20...
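Review bot: the pam_start() call now takes `options.pam_service_name` with no fallback visible in this hunk, so an unset option would hand pam_start() a NULL service name. Make sure the server option defaults set it to SSHD_PAM_SERVICE before start_pam() can run, and say so in the option's documentation, since this value selects which PAM stack authenticates the user.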
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...e_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@ -352,6 +350,8 @@ if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); + else + password_change_required = 0; #if 0 /* XXX: This would need to be done in the parent process, * but there...
2003 Feb 20
0
"if 0" in auth-pam.c
...gent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); return(0); }
2003 Jul 18
0
PAM_RUSER never set under ssh2?
...M_RUSER variable is never set. The PAM_RUSER variable is set within auth-pam.c (line 239 in 3.6p1) as such: int do_pam_account(char *username, char *remote_user) { ... if (remote_user) { debug("PAM setting ruser to \"%.200s\"", remote_user); pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user); however do_pam_account() is called in only two locations (auth2.c and monitor.c) and in both cases remote_user is passed as NULL. As such the PAM_RUSER variable is never set. Although auth1.c (i.e SSH1) does indeed seem to pass something useful to do_pam_account unfor...
2003 Mar 20
4
Call for testing for 3.6: password expiry?
I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible: http://bugzilla.mindrot.org/show_bug.cgi?id=14 On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1: http://bugzilla.mindrot.org/show_bug.cgi?id=125 In fact, both patches work together, apparently. If I have any