search for: auth_pam_password

Displaying 19 results from an estimated 19 matches for "auth_pam_password".

2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. E.g., you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...h" +#include "packet.h" #include "xmalloc.h" #include "log.h" #include "auth-pam.h" @@ -54,6 +56,8 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; +/* which type of prompts we should handle, set in auth_pam_password */ +static int pamprompt; /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ @@ -98,6 +102,10 @@ int count; char buf[1024]; + u_int dlen; + int plen, type; + char *...
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
...xstrdup(pampasswd); - break; + } + break; case PAM_TEXT_INFO: reply[count].resp_retcode = PAM_SUCCESS; reply[count].resp = xstrdup(""); @@ -123,29 +173,34 @@ } } -/* Attempt password authentation using PAM */ -int auth_pam_password(struct passwd *pw, const char *password) +/* Attempt authentication using PAM */ +int auth_pam_password(struct passwd *pw, const char *password, int auth_type) { extern ServerOptions options; int pam_retval; + if (auth_type != current_auth_type) { + finish_pam(); +...
2000 Oct 15
1
Patch for Digital Unix SIA authentication
...nclude <siad.h> -#endif - /* import */ extern ServerOptions options; extern char *forced_command; -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif /* HAVE_OSF_SIA */ /* * convert ssh auth msg type into description @@ -310,11 +301,7 @@ authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - if (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) { - authenticated = 1; - } + authenticated = auth_sia_password...
2002 Mar 27
3
[Bug 192] monitor.c:545: undefined reference to `auth_password with USE_PAM on
http://bugzilla.mindrot.org/show_bug.cgi?id=192 ------- Additional Comments From mouring at eviladmin.org 2002-03-28 04:04 ------- If I understand the PAM code (none of the PRIVSEP code has been made to work with it right now) one should never call auth_password(); they should be calling auth_pam_password(). So in mm_answer_authpassword() function it should look something like this (untested, and unsure if any other PAM tweaks are needed), but I won't commit anything until someone says ya or na for it being correct. passwd = buffer_get_string(m, &plen); /* Only authent...
2003 May 07
1
3.6.1p2, Spurious PAM failure messages WITH "PermitEmptyPasswords no", and a (micro) fix
...uthentication failure; logname=XXX uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost user=XXX After looking at the code I noticed the following in the portability p2 patch: +++ openssh-3.6.1p2/auth-passwd.c 2003-04-29 19:12:08.000000000 +1000 ... ... + +#if defined(USE_PAM) + return auth_pam_password(authctxt, password) && ok; +#elif defined(HAVE_OSF_SIA) ... ... That should really be + return ok && auth_pam_password(authctxt, password); (Note that ok is checked first, as I said in the subject it's a trivial micro fix) I changed that and it works fine now. This should be...
2001 Dec 18
2
[PATCH]: Fix potential security hole in Cygwin version
...e cause is that the Cygwin specific function check_nt_auth() is called in auth1.c and auth2.c with implicitly dereferencing the pointer to struct passwd to get the pw_uid member as parameter. This struct passwd pointer can be NULL if the user isn't found in /etc/passwd. Other similar funcs as auth_pam_password() are called getting the struct passwd pointer itself as parameter, testing it for NULL inside of the function. Changing the check_nt_auth() to behave that way and changing auth1.c and auth2.c accordingly solves that problem. Patch follows. Thanks, Corinna Index: auth1.c ======================...
2001 Feb 12
2
OSF_SIA bug in 2.3.0p1
Is anyone maintaining the OSF_SIA support in openssh? This seems to be an obvious bug triggered if you try to connect as a non-existent user. From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /*
2001 Feb 12
1
pam protocol 1 fix
...========= RCS file: /var/cvs/openssh/auth1.c,v retrieving revision 1.30 diff -u -r1.30 auth1.c --- auth1.c 2001/02/12 07:02:24 1.30 +++ auth1.c 2001/02/12 18:58:22 @@ -97,7 +97,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif #ifdef USE_PAM - auth_pam_password(pw, password)) { + auth_pam_password(pw, "")) { #else auth_password(pw, "")) { #endif
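Review bot: nothing at the `#ifdef USE_PAM` arm in auth1.c says that this call is meant to try the empty password, so the literal `""` replacing `password` looks arbitrary to the next reader. A one-line comment above the `#ifdef` stating that both arms deliberately pass `""` would keep the PAM arm and the `auth_password(pw, "")` arm from diverging again.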
2001 Mar 01
1
Bug report against openssh-2.3.0p1
...py. It seems to fix the problem. *** auth1.c Thu Mar 1 17:33:31 2001 --- auth1.c.patched Thu Mar 1 17:33:18 2001 *************** *** 455,461 **** (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ #ifdef USE_PAM ! auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, --- 455,461 ---- (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* K...
2001 Sep 06
1
PAM overrides PermitEmptyPasswords
I noticed while investigating Debian Bug #93200 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=93200&repeatmerged=yes) that sshd refuses a login if /etc/pam.d/ssh doesn't specify "nullok" after the pam_unix.so module -- is there any way to resolve this problem? It seems that OpenSSH should override PAM in this case, someone posted a patch on 6/19 that appears to address this
2002 Jul 30
0
patch: disable credential forwarding after password auth.
...n 21 08:05:13 2002 +++ openssh-3.4p1/auth-passwd.c Mon Jul 29 16:39:48 2002 @@ -89,14 +89,19 @@ int auth_password(Authctxt *authctxt, const char *password) { + int retval = 0; #if defined(USE_PAM) - if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; - return auth_pam_password(authctxt, password); + if (*password == '\0' && options.permit_empty_passwd == 0) { + retval=0 ; goto out; + } + retval=auth_pam_password(authctxt, password); + goto out; #elif defined(HAVE_OSF_SIA) - if (*password == '\0' && options.permit_empty_passwd == 0) - re...
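Review bot: in the `USE_PAM` branch of `auth_password()`, `retval=0 ; goto out;` assigns the value `retval` already holds from `int retval = 0;`, and the spacing in `retval=0 ;` and `retval=auth_pam_password(authctxt, password);` is inconsistent. A plain `goto out;` is enough for the empty-password case, and the PAM call reads better as `retval = auth_pam_password(authctxt, password);`. The `out:` label is not in the visible part of the hunk, so what runs there on the failure path cannot be checked from these lines.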
2001 May 23
1
[PATCH]: Drop the use of `check_nt_auth'.
...h2.c --- auth2.c 2001/04/25 12:44:15 1.59 +++ auth2.c 2001/05/23 09:40:49 @@ -354,10 +354,6 @@ userauth_none(Authctxt *authctxt) if (authctxt->valid == 0) return(0); -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw->pw_uid) == 0) - return(0); -#endif #ifdef USE_PAM return auth_pam_password(authctxt->pw, ""); #elif defined(HAVE_OSF_SIA) @@ -380,9 +376,6 @@ userauth_passwd(Authctxt *authctxt) password = packet_get_string(&len); packet_done(); if (authctxt->valid && -#ifdef HAVE_CYGWIN - check_nt_auth(1, authctxt->pw->pw_uid) && -#endif...
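Review bot: the `#ifdef HAVE_CYGWIN` blocks removed from `userauth_none()` and `userauth_passwd()` were the only `check_nt_auth(1, authctxt->pw->pw_uid)` calls on these two paths, and the visible hunks put nothing in their place. The change should state where the Cygwin check is enforced now, or why it is no longer needed, since after this patch `userauth_none()` goes straight from the `authctxt->valid == 0` test to `auth_pam_password(authctxt->pw, "")`.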
2000 Feb 25
0
Letting PAM add a user
...ecked authorization and account (my pam_useradd is an account module). First, pw is sent by to start_pam(). start_pam() only uses pw->pw_name though, so I suggest sending in user instead of pw. Second, pw is used to compare uid if not running as root. This check I suppose could be done after auth_pam_password() ? If these changes aren't good for non-pam situations, maybe considering splitting it up more so that pam-users have a totally separate procedure? I haven't looked at it yet, but I guess RSA-authentication could be made a pam-module also? Regards, EOF PS: Please cc all replies to me,...
2002 Feb 14
2
[Bug 117] OpenSSH second-guesses PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 ------- > OpenSSH traditionally would not even start PAM, and > now starts it specifying 'NOUSER' as the login name. We have always used NOUSER, the recent patch just makes it consistent between protocols 1 and 2. > The second is to prevent username guessing
2000 Feb 02
1
Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
...k () from /lib/security/pam_unix.so #4 0x40017a5d in pam_sm_authenticate () from /lib/security/pam_unix.so #5 0x4004f648 in pam_fail_delay () from /lib/libpam.so.0 #6 0x4004f9ce in _pam_dispatch () from /lib/libpam.so.0 #7 0x400512cc in pam_authenticate () from /lib/libpam.so.0 #8 0x804ef47 in auth_pam_password (pw=0xbffff24c, password=0x80826c0 "asdf") at auth-pam.c:136 #9 0x804c75d in do_authloop (pw=0xbffff24c) at sshd.c:1445 #10 0x804c329 in do_authentication () at sshd.c:1248 #11 0x804bb58 in main (ac=4, av=0xbffff8a4) at sshd.c:873 I hope this report helps finding the bug. If you wo...
2002 Dec 05
1
patch to add a PAMServiceName config option
...pam.h Tue Jul 23 01:44:07 2002 +++ openssh-3.5p1/auth-pam.h Tue Dec 3 14:13:52 2002 @@ -27,10 +27,6 @@ #include "includes.h" #ifdef USE_PAM -#if !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE __progname -#endif - void start_pam(const char *user); void finish_pam(void); int auth_pam_password(Authctxt *authctxt, const char *password); diff -ru openssh-3.5p1.orig/servconf.c openssh-3.5p1/servconf.c --- openssh-3.5p1.orig/servconf.c Thu Sep 5 05:35:15 2002 +++ openssh-3.5p1/servconf.c Tue Dec 3 14:22:00 2002 @@ -48,6 +48,8 @@ /* Use of privilege separation or not */ extern int use_pri...
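Review bot: deleting the `#if !defined(SSHD_PAM_SERVICE)` fallback from auth-pam.h removes the `__progname` default for every file that includes this header, and the visible hunks do not show what supplies the default service name instead. Any remaining use of `SSHD_PAM_SERVICE` will stop compiling unless it is defined at build time, so the patch should either convert those uses in the same change or keep the fallback as the initial value of the new option.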
2001 Nov 07
2
Flaw in empty password authentication in sshd
...as follows: Using ssh the user tries to logon to the machine using an account that has empty password. If the user presses enter on the password prompt (NULL password) access is disallowed. However upon entry of any random string the user is granted successful login. In "auth_pam_password" function (auth_pam.c) the lines: if(*password == '\0' && options.permit_empty_passwd == 0) return 0; disallows a login to an empty password account by providing empty password. However if the user provides a random non-empty password the user is able to l...
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the