search for: auth_failed

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

...en(state->filename, "rb"); + FILE *passwdfile = NULL; char line[MAX_LINE_LEN]; char *sep; thread_rwlock_rlock(&state->file_rwlock); + if (!state->allow_duplicate_users) { + if (auth_is_listener_connected(source, username)) { + return AUTH_FAILED; + } + } + passwdfile = fopen(state->filename, "rb"); if(passwdfile == NULL) { WARN2("Failed to open authentication database \"%s\": %s", state->filename, strerror(errno)); @@ -208,9 +239,12 @@ state = calloc(...

...es of > icecast. > > thoughts ? comments ? This is good, but I have one comment... > > thread_rwlock_rlock(&state->file_rwlock); > + if (!state->allow_duplicate_users) { > + if (auth_is_listener_connected(source, username)) { > + return AUTH_FAILED; Currently, we only have a generic 'AUTH_FAILED' here. I'd like to see an AUTH_FORBIDDEN (or some other name) added, which would be handled in the connection logic by returning a 403 (not a 401). What do you think of that? Mike --- >8 ---- List archives: http://www.xiph.org/ar...

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch,

Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes PAM kbd-int work with privilege separation. Contrary to what I have previously stated - it *does* handle multiple prompts. What it does not handle is multiple passes through the PAM conversation function, which would be required for expired password changing. I would really appreciate some additional eyes over the

The following is a patch (based on FreeBSD code) which gets kbd-int working with privsep. It moves the kbd-int PAM conversation to a child process and communicates with it over a socket. The patch has a limitation: it does not handle multiple prompts - I have no idea how common these are in real-life. Furthermore it is not well tested at all (despite my many requests on openssh-unix-dev@). -d

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file:

http://bugzilla.mindrot.org/show_bug.cgi?id=125 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #619 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2004-05-31 23:25 -------

...get 'process-uuid' from reply dict [2013-05-11 06:38:59.077571] E [client-handshake.c:1397:client_setvolume_cbk] 0-dpkvol-client-0: SETVOLUME on remote-host failed: Authentication failed [2013-05-11 06:38:59.077606] I [client-handshake.c:1482:client_setvolume_cbk] 0-dpkvol-client-0: sending AUTH_FAILED event [2013-05-11 06:38:59.077647] E [fuse-bridge.c:4788:notify] 0-fuse: Server authenication failed. Shutting down. [2013-05-11 06:38:59.077680] I [fuse-bridge.c:5212:fini] 0-fuse: Unmounting '/mnt'. [2013-05-11 06:38:59.082462] W [glusterfsd.c:970:cleanup_and_exit] (-->/usr/lib64/libc....