search for: auth_failed

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

...en(state->filename, "rb"); + FILE *passwdfile = NULL; char line[MAX_LINE_LEN]; char *sep; thread_rwlock_rlock(&state->file_rwlock); + if (!state->allow_duplicate_users) { + if (auth_is_listener_connected(source, username)) { + return AUTH_FAILED; + } + } + passwdfile = fopen(state->filename, "rb"); if(passwdfile == NULL) { WARN2("Failed to open authentication database \"%s\": %s", state->filename, strerror(errno)); @@ -208,9 +239,12 @@ state = calloc(...

...es of > icecast. > > thoughts ? comments ? This is good, but I have one comment... > > thread_rwlock_rlock(&state->file_rwlock); > + if (!state->allow_duplicate_users) { > + if (auth_is_listener_connected(source, username)) { > + return AUTH_FAILED; Currently, we only have a generic 'AUTH_FAILED' here. I'd like to see an AUTH_FORBIDDEN (or some other name) added, which would be handled in the connection logic by returning a 403 (not a 401). What do you think of that? Mike --- >8 ---- List archives: http://www.xiph.org/ar...

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

From: Marco Trevisan (Trevi?o) <mail at 3v1n0.net> PAM modules can change the user during their execution, in such case ssh would still use the user that has been provided giving potentially access to another user with the credentials of another one. So prevent this to happen, by ensuring that the final PAM user is matching the one that initiated the transaction. See also:

I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch,

Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes PAM kbd-int work with privilege separation. Contrary to what I have previously stated - it *does* handle multiple prompts. What it does not handle is multiple passes through the PAM conversation function, which would be required for expired password changing. I would really appreciate some additional eyes over the

The following is a patch (based on FreeBSD code) which gets kbd-int working with privsep. It moves the kbd-int PAM conversation to a child process and communicates with it over a socket. The patch has a limitation: it does not handle multiple prompts - I have no idea how common these are in real-life. Furthermore it is not well tested at all (despite my many requests on openssh-unix-dev@). -d

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file:

http://bugzilla.mindrot.org/show_bug.cgi?id=125 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #619 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2004-05-31 23:25 -------

...get 'process-uuid' from reply dict [2013-05-11 06:38:59.077571] E [client-handshake.c:1397:client_setvolume_cbk] 0-dpkvol-client-0: SETVOLUME on remote-host failed: Authentication failed [2013-05-11 06:38:59.077606] I [client-handshake.c:1482:client_setvolume_cbk] 0-dpkvol-client-0: sending AUTH_FAILED event [2013-05-11 06:38:59.077647] E [fuse-bridge.c:4788:notify] 0-fuse: Server authenication failed. Shutting down. [2013-05-11 06:38:59.077680] I [fuse-bridge.c:5212:fini] 0-fuse: Unmounting '/mnt'. [2013-05-11 06:38:59.082462] W [glusterfsd.c:970:cleanup_and_exit] (-->/usr/lib64/libc....