Displaying 14 results from an estimated 14 matches for "do_pam_authenticate".
2001 Nov 07
2
Flaw in empty password authentication in sshd
...0;
disallows a login to an empty password account by providing empty
password.
However if the user provides a random non-empty password the user is able
to login to an account that has empty password. This is because the
"pam_authenticate" function which is called from "do_pam_authenticate" is
always called with "flags" set to "0".
If the system PAM authentication configuration is tightened this can be
disallowed. However, since users rely on the SSH configuration this
non-intuitive and buggy behaviour may be dangerous.
>How-To-Repeat:...
2002 Mar 27
4
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 -------
Created an attachment (id=55)
Patch to do pw aging in kbd-interactive
2004 Jul 01
4
[Bug 559] PAM fixes
...o options.max_authtries/2
failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get
logged at "verbose" level anyway.
>+ if (!options.password_authentication || !options.permit_empty_passwd)
>+ return(0);
Handled in auth-passwd.c (see above).
>- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+ retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>+ ? PAM_DISALLOW_NULL_AUTHTOK
>+ : 0) == PAM_SUCCESS);
> dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
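Review bot: the flag expression in the replacement do_pam_authenticate() call is written inline at the call site, so every caller has to repeat the options.permit_empty_passwd test to stay correct. Consider computing the flags in one small helper, or inside do_pam_authenticate() itself, so that a caller cannot pass 0 unconditionally the way the removed line did.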
This one should probably be ported to -current (will attach a patch)....
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch
in the sshd_config. You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2003 May 12
10
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559
Summary: PAM fixes
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: fcusack at fcusack.com
- start PAM
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...9;\0' && options.permit_empty_passwd == 0)
+ if (*password == '\0' && options.permit_empty_passwd == 0 &&
+ prompt_type == PAM_PROMPT_ECHO_OFF)
return 0;
__pampasswd = password;
pamstate = INITIAL_LOGIN;
+ pamprompt = prompt_type;
pam_retval = do_pam_authenticate(
options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
if (pam_retval == PAM_SUCCESS) {
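Review bot: the added prompt_type == PAM_PROMPT_ECHO_OFF condition narrows the early "return 0", so an empty response to an echo-on prompt now reaches do_pam_authenticate() even when options.permit_empty_passwd is 0. Rejection in that case rests entirely on the PAM stack honouring PAM_DISALLOW_NULL_AUTHTOK. Add a comment saying this is intended for challenge-style prompts, or keep an explicit empty-response check on the echo-on path if it is not.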
diff -uNr openssh-3.0.2p1.orig/auth-pam.h openssh-3.0.2p1/auth-pam.h
--- openssh-3.0.2p1.orig/auth-pam.h Mon Mar 26 22:12:24 2001
+++ openssh-3.0.2p1/auth-pam.h Fri Feb 15 02:15:02 2002
@@ -...
2002 Jul 24
0
pam problems with securid patch
...to openssh3.4p-1 and it's compiled with
pam. The problem I'm getting is that SecurID auth works OK, but normal
password auth doesn't. I narrowed down the failure to the following section
in auth-pam.c :
__pampasswd = password;
pamstate = INITIAL_LOGIN;
pam_retval = do_pam_authenticate(
options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK :
0);
but I can't see how this works. Can anyone enlighten me please? I know that
the password is correct but pam_retval is still not equal to PAM_SUCCESS.
Cheers,
Ed.
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...%.200s",
+ pam_retval, PAM_STRERROR(__pamh, pam_retval));
+ }
}
/* Set PAM credentials */
diff -u -r openssh-3.5p1/auth-pam.h openssh-3.5p1a/auth-pam.h
--- openssh-3.5p1/auth-pam.h Tue Jul 23 02:44:07 2002
+++ openssh-3.5p1a/auth-pam.h Wed Oct 16 10:00:40 2002
@@ -39,6 +39,7 @@
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
+void do_pam_set_tty(const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
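Review bot: the new do_pam_set_tty() prototype carries no comment on when it must be called relative to do_pam_session(), which already takes a ttyname argument. Document the intended call order in the header, or state why the tty cannot be set from do_pam_session() alone.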
diff -u -r openssh-3....
2002 Jul 16
2
HP-UX PAM with Trusted System patch
.../* Set PAM credentials */
void do_pam_setcred(int init)
{
Only in openssh-3.4p1-dw: auth-pam.c.orig
diff -u -r openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h
--- openssh-3.4p1/auth-pam.h Thu Apr 4 13:02:28 2002
+++ openssh-3.4p1-dw/auth-pam.h Tue Jul 16 07:54:05 2002
@@ -12,6 +12,7 @@
int do_pam_authenticate(int flags);
int do_pam_account(char *username, char *remote_user);
void do_pam_session(char *username, const char *ttyname);
+void do_pam_set_tty(const char *ttyname);
void do_pam_setcred(int init);
void print_pam_messages(void);
int is_pam_password_change_required(void);
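Review bot: do_pam_set_tty() is declared void, so a caller cannot tell whether setting the tty failed, while do_pam_authenticate() and do_pam_account() in the same header return int. Either return a status the caller can act on, or note in the header that failures are handled inside the function.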
Only in openssh-3.4p1...
2005 May 10
7
SSHD creates defunct process
...S 0:00 sshd: admin [priv]
25573 ? Z 0:00 [sshd <defunct>]
I have a proprietary PAM module which hooks in my authentication
mechanism to sshd. Based upon my pam module logs and sshd debug
messages I can say that authentication went on smoothly and it
returned PAM_SUCCESS to do_pam_authenticate. After this the shell just
hangs.
I can see this error in var log messages when run either by [ ./sshd
-ddd] or [./sshd]
PAM [dlerror: /lib/security/$ISA/pam_deny.so: cannot open shared
object file: No such file or directory]
My /etc/pam.d/sshd looks like this
#%PAM-1.0
auth sufficient...
2002 Apr 26
0
PAM keyboard-interactive
...r);
+ return (r);
+}
- conv2.appdata_ptr = authctxt;
- do_pam_set_conv(&conv2);
+/*
+ * Peek at first byte of next message.
+ */
+static int
+pam_peek(struct pam_ctxt *ctxt)
+{
+ char ch;
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
- &input_userauth_info_response_pam);
- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+ if (recv(ctxt->pam_sock, &ch, 1, MSG_PEEK) < 1)
+ return (-1);
+ return (ch);
+}
- return retval;
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+pam_receive(struct pam_ctxt *ctxt)
+{
+ cha...
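Review bot: pam_peek() returns the peeked byte through a plain "char ch", so on platforms where char is signed a message byte of 0xff comes back as -1 and cannot be told apart from the recv() failure return. Declare ch as unsigned char, or cast on return, so that -1 only ever means error.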
2002 Jul 25
0
openssh-unix-dev digest, Vol 1 #505 - 15 msgs
...> pam. The problem I'm getting is that SecurID auth works OK, but normal
> password auth doesn't. I narrowed down the failure to the following
> section
> in auth-pam.c :
>
> __pampasswd = password;
>
> pamstate = INITIAL_LOGIN;
> pam_retval = do_pam_authenticate(
> options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK
> :
> 0);
>
> but I can't see how this works. Can anyone enlighten me please? I know
> that
> the password is correct but pam_retval is still not equal to
> PAM_SUCCESS.
>
> Cheers,
> ...
2002 Jul 02
3
New PAM kbd-int diff
...turn (r);
+}
- conv2.appdata_ptr = authctxt;
- do_pam_set_conv(&conv2);
+/*
+ * Peek at first byte of next message.
+ */
+static int
+sshpam_peek(struct sshpam_ctxt *ctxt)
+{
+ char ch;
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
- &input_userauth_info_response_pam);
- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+ if (recv(ctxt->sock, &ch, 1, MSG_PEEK) < 1)
+ return (-1);
+ return (ch);
+}
- return retval;
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+sshpam_receive(struct sshpam_ctxt *ctxt)
+{
+...
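Review bot: in sshpam_peek(), the test "recv(...) < 1" folds end-of-file (0) and error (-1, including an interrupted call) into the same -1 result. If the caller needs to distinguish a closed socket from a transient error, retry on EINTR and report the two cases separately.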
2002 Jun 25
4
PAM kbd-int with privsep
...turn (r);
+}
- conv2.appdata_ptr = authctxt;
- do_pam_set_conv(&conv2);
+/*
+ * Peek at first byte of next message.
+ */
+static int
+sshpam_peek(struct sshpam_ctxt *ctxt)
+{
+ char ch;
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
- &input_userauth_info_response_pam);
- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+ if (recv(ctxt->sock, &ch, 1, MSG_PEEK) < 1)
+ return (-1);
+ return (ch);
+}
- return retval;
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+sshpam_receive(struct sshpam_ctxt *ctxt)
+{
+...