Displaying 19 results from an estimated 19 matches for "__pamh".
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...e preferable to skip credentials deletion on HP-UX...
Cheers!
Michael
diff -u -r openssh-3.5p1/auth-pam.c openssh-3.5p1a/auth-pam.c
--- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002
+++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002
@@ -186,12 +186,14 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#ifndef __hpux
if (__pamh && creds_set) {
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#endif
if (...
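Review bot: The #ifndef __hpux guard around the pam_setcred(__pamh, PAM_DELETE_CRED) block carries no comment saying why credential deletion is skipped on HP-UX, so a later reader cannot tell a workaround from an oversight. Add a one-line comment above the guard naming the HP-UX behaviour being avoided and what is expected to release the credentials instead, and consider a configure-detected macro rather than the bare compiler define so the platform exception is recorded in one place.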
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...now."
-#define NEW_AUTHTOK_MSG_PRIVSEP \
- "Your password has expired, the session cannot proceed."
static int do_pam_conversation(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
@@ -186,12 +184,15 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */
+#ifndef __hpux
if (__pamh && creds_set) {
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...now."
-#define NEW_AUTHTOK_MSG_PRIVSEP \
- "Your password has expired, the session cannot proceed."
static int do_pam_conversation(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
@@ -186,12 +184,15 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */
+#ifndef __hpux
if (__pamh && creds_set) {
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s...
2001 Feb 26
1
2.5.1p1 on Redhat Linux 6.2 using PAM does not log closing of session
Hello all,
On Redhat 6.2, the PAM_unix module logs the session opening, but not
the session closing. This was logged as of 2.3.0p1. Upgrading to
2.5.1p1 marks the start of the problem.
Thanks in advance,
Victor
--
Victor J. Orlikowski
======================
v.j.orlikowski at gte.net
orlikowski at apache.org
vjo at us.ibm.com
2002 Oct 09
0
Again: Cannot delete credentials
As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message
on logout: Cannot delete credentials. This occurs when in auth-pam.c,
function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is
called under UID 0. I suggested a patch for this on Nov 22, 2001, based on
openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0
by "if (!flag) setuid(0);" does not actually work but seems not to be
required.]
Now in 3.4p1 with privilege separati...
2002 Jul 16
2
HP-UX PAM with Trusted System patch
I'm fairly new to the list and new to submitting patches. Can someone
please verify the attached patch for running a HP-UX Trusted System with
PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify
the user via __pamh after the call to permanently_set_uid in session.c.
So I called do_pam_session prior to the call and added a function
do_pam_set_tty in order to set the tty after allocation.
--
Dan Wanek
-------------- next part --------------
diff -u -r openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c
--- o...
2001 Mar 30
1
PAM and -u0
...const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
+/* XXX: move to header file */
+const char *
+get_remote_name_or_ip(void);
+
/* module-local variables */
static struct pam_conv conv = {
do_pam_conversation,
@@ -356,9 +360,9 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
debug("PAM setting rhost to \"%.200s\"",
- get_canonical_hostname(options.reverse_mapping_check));
+ get_remote_name_or_ip());
pam_retval = pam_set_item(__pamh, PAM_RHOST,
- get_canonical_hostname(options.reverse_mapping_check));
+ get_remote_nam...
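Review bot: In the second hunk PAM_RHOST is now set from get_remote_name_or_ip() instead of get_canonical_hostname(options.reverse_mapping_check), so, as the new function's name indicates, PAM modules that decide on the remote host may be handed an address where they previously saw a name. Say in the commit message which form PAM_RHOST takes under each setting, and move the prototype marked "XXX: move to header file" into the header before this lands rather than declaring it in auth-pam.c.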
2002 Jun 26
3
pam session as root
...with moving the
pam_open_session (and pam_setcred) stuff to the parent (root) process?
(E.g., via the patch below.)
--
Mike Stone
diff -u -r1.4 auth-pam.c
--- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4
+++ auth-pam.c 25 Jun 2002 20:33:41 -0000
@@ -286,6 +286,8 @@
pam_retval, PAM_STRERROR(__pamh,
pam_retval));
}
+ if (session_opened)
+ return; /*Be idempotent so we can be called in monitor and
child*/
pam_retval = pam_open_session(__pamh, 0);
if (pam_retval != PAM_SUCCESS)
fatal("PAM session setup failed[%d]: %.200s",
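Review bot: The "if (session_opened) return;" guard sits after the preceding block whose failure is reported through PAM_STRERROR, so a second call still repeats that earlier work before returning; if the function is meant to be idempotent, put the check at the top. The comment says the function is called in both monitor and child, so please also state where session_opened is set relative to the fork, since a flag set in one process after the fork is not seen by the other and pam_open_session() would then run twice.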
@@ -304,6 +306,8 @@
do_pam_set_conv(&conv...
2001 Oct 29
2
pam_open_session w/o tty on Solaris
...2001
@@ -272,6 +272,12 @@
do_pam_set_conv(&conv);
+#ifdef PAM_SUN_CODEBASE
+ if (ttyname == NULL) {
+ ttyname = "";
+ }
+#endif /* PAM_SUN_CODEBASE */
+
if (ttyname != NULL) {
debug("PAM setting tty to \"%.200s\"", ttyname);
pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname);
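Review bot: With ttyname forced to "" under PAM_SUN_CODEBASE, the following "if (ttyname != NULL)" test is always true on that platform, so PAM_TTY is set to an empty string and the debug line logs a tty of "". Add a comment above the #ifdef saying which Solaris PAM behaviour needs a non-NULL PAM_TTY, and consider a dedicated macro for this case rather than widening what PAM_SUN_CODEBASE covers.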
Obviously that expands the meaning of PAM_SUN_CODEBASE a bit from its
current definition, but it seemed a fairly reasonable thing to use,
since this appears to be another misbehavior of PAM under Solaris.
I don't honestly know enough about the inner workings of PAM to know...
2002 Feb 27
0
openssh & solaris
...denied" errors are still issued when
exiting a session.
*** auth-pam.c- Mon Feb 25 18:36:04 2002
--- auth-pam.c Tue Feb 26 10:05:31 2002
***************
*** 297,304 ****
do_pam_set_conv(&conv);
debug("PAM establishing creds");
! pam_retval = pam_setcred(__pamh,
! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
if (pam_retval != PAM_SUCCESS) {
if (was_authenticated)
fatal("PAM setcred failed[%d]: %.200s",
--- 297,303 ----
do_pam_set_conv(&conv);
debug("PAM es...
2002 Feb 27
0
[Bug 127] New: PAM with ssh authentication and pam_krb5 doesn't work properly
...sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
*** auth-pam.c- Mon Feb 25 18:36:04 2002
--- auth-pam.c Tue Feb 26 10:05:31 2002
***************
*** 297,304 ****
do_pam_set_conv(&conv);
debug("PAM establishing creds");
! pam_retval = pam_setcred(__pamh,
! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
if (pam_retval != PAM_SUCCESS) {
if (was_authenticated)
fatal("PAM setcred failed[%d]: %.200s",
--- 297,303 ----
do_pam_set_conv(&conv);
debug("PAM establi...
2001 Oct 25
6
Regarding PAM_TTY_KLUDGE and Solaris 8...
>Okay, this appears to be a problem with pam_unix.so - the code in
>pam_sm_open_session is written with the assumption that the tty name is of
>the form "/dev/" + something else on the end. I'm not sure why the
pam_sm_open_session in pam_unix on Solaris now does this:
/* report error if ttyn or rhost are not set */
if ((ttyn == NULL) || (rhost == NULL))
2001 Aug 28
1
OpenSSHd barfs upon reauthentication: PAM, Solaris 8
...ngth initially; subsequent tests worked for a
password of just five characters ["hello", for what it's worth :) ]),
followed by the correct password.
Investigation (using copious debug() statements) has isolated the problem
down to one line of code:
pam_retval = pam_setcred(__pamh,
init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED);
in auth-pam.c, function do_pam_setcred(). It appears that this function
is being called twice: once with init set, once without (ie: once with
PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call
to pam_setcred...
2002 Nov 24
1
[PATCH] PamServiceNameAppend
...@@ -378,10 +378,13 @@ void start_pam(const char *user)
extern ServerOptions options;
extern u_int utmp_len;
const char *rhost;
+ char buf[1024];
debug("Starting up PAM with username \"%.200s\"", user);
- pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh);
+ strlcpy(buf, SSHD_PAM_SERVICE, sizeof(buf));
+ strlcat(buf, options.pam_service_name_append, sizeof(buf));
+ pam_retval = pam_start(buf, user, &conv, &__pamh);
if (pam_retval != PAM_SUCCESS)
fatal("PAM initialisation failed[%d]: %.200s",
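Review bot: The return values of strlcpy() and strlcat() into buf[1024] are not checked, so an over-long options.pam_service_name_append is silently truncated and pam_start() is called with a service name the administrator did not configure. Compare each return value against sizeof(buf) and call fatal() on truncation, and confirm that options.pam_service_name_append has a non-NULL default before it reaches strlcat(), since the resulting name selects which PAM configuration is applied.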
Index: servconf.c
==============...
2002 Dec 05
1
patch to add a PAMServiceName config option
...extern char *__progname;
-
extern int use_privsep;
RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
@@ -381,7 +379,7 @@
debug("Starting up PAM with username \"%.200s\"", user);
- pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh);
+ pam_retval = pam_start(options.pam_service_name, user, &conv, &__pamh);
if (pam_retval != PAM_SUCCESS)
fatal("PAM initialisation failed[%d]: %.200s",
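Review bot: pam_start() now takes options.pam_service_name directly, and nothing in this hunk shows it falling back to SSHD_PAM_SERVICE when the option is unset, so a NULL or empty value could reach pam_start(). Confirm the default is assigned in servconf.c, and include the service name in the "Starting up PAM" debug line so the PAM stack in use is visible when troubleshooting.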
diff -ru openssh-3.5p1.orig/auth-pam.h openssh-3.5p1/auth-pam.h
--- openssh-3.5p1.orig/auth-pam.h Tue Jul 23 01:44:07 20...
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...e_privsep ?
NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
@@ -267,7 +266,6 @@
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
-#endif
default:
log("PAM rejected by account configuration[%d]: "
"%.200s", pam_retval, PAM_STRERROR(__pamh,
@@ -352,6 +350,8 @@
if (pam_retval != PAM_SUCCESS)
fatal("PAM pam_chauthtok failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ else
+ password_change_required = 0;
#if 0
/* XXX: This would need to be done in the parent process,
* but there...
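Review bot: In the second hunk the new "else" after the fatal() call is redundant, because fatal() does not return; an unconditional "password_change_required = 0;" after the check reads more clearly. The adjacent "#if 0" comment says related work would need to be done in the parent process, so please state whether clearing the flag here is sufficient under privilege separation or whether the monitor keeps its own copy that also has to be reset.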
2003 Feb 20
0
"if 0" in auth-pam.c
...gent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
#endif
default:
log("PAM rejected by account configuration[%d]: "
"%.200s", pam_retval, PAM_STRERROR(__pamh,
pam_retval));
return(0);
}
2003 Jul 18
0
PAM_RUSER never set under ssh2?
...M_RUSER variable is never set.
The PAM_RUSER variable is set within auth-pam.c (line 239 in 3.6p1) as such:
int do_pam_account(char *username, char *remote_user)
{
...
if (remote_user) {
debug("PAM setting ruser to \"%.200s\"", remote_user);
pam_retval = pam_set_item(__pamh, PAM_RUSER, remote_user);
however do_pam_account() is called in only two locations (auth2.c and monitor.c) and in both cases remote_user is passed as NULL. As such the PAM_RUSER variable is never set.
Although auth1.c (i.e. SSH1) does indeed seem to pass something useful to do_pam_account
unfor...
2003 Mar 20
4
Call for testing for 3.6: password expiry?
I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
http://bugzilla.mindrot.org/show_bug.cgi?id=14
On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
http://bugzilla.mindrot.org/show_bug.cgi?id=125
In fact, both patches work together, apparently.
If I have any