Displaying 14 results from an estimated 14 matches for "do_pam_authenticate".
2001 Nov 07
2
Flaw in empty password authentication in sshd
...0; 
   disallows a login to an empty password account by providing empty 
password. 
   However if the user provides a random non-empty password the user is able 
to  login to an account that has empty password. This is because the  
"pam_authenticate" function which is called from "do_pam_authenticate" is 
always  called with "flags" set to "0". 
   If the system PAM authentication configuration is tightened this can be 
   disallowed.  However, since users rely on the SSH configuration this 
   non-intuitive and buggy behaviour may be dangerous. 
   >How-To-Repeat:...
2002 Mar 27
4
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From Nicolas.Williams at ubsw.com  2002-03-28 02:43 -------
Created an attachment (id=55)
Patch to do pw aging in kbd-interactive
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2004 Jul 01
4
[Bug 559] PAM fixes
...o options.max_authtries/2
failures (which used to be hard-coded to AUTH_FAIL_MAX/2 = 3) it will only get
logged at "verbose" level anyway.
>+	if (!options.password_authentication || !options.permit_empty_passwd)
>+		return(0);
Handled in auth-passwd.c (see above).
>-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
>+	retval = (do_pam_authenticate(options.permit_empty_passwd == 0
>+				      ? PAM_DISALLOW_NULL_AUTHTOK
>+				      : 0) == PAM_SUCCESS);
> 	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
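Review bot: the flag selection in the new `do_pam_authenticate(...)` call is a ternary nested inside the comparison with `PAM_SUCCESS`, which is easy to misread on the one line that decides whether empty passwords are accepted. Compute the flags into a local first, e.g. `int flags = options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK;`, then compare the call's result.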
This one should probably be ported to -current (will attach a patch)....
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM.  It's controlled by a switch
in the sshd_config.  You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON.  eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2003 May 12
10
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559
           Summary: PAM fixes
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: fcusack at fcusack.com
- start PAM
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...9;\0' && options.permit_empty_passwd == 0)
+ 	if (*password == '\0' && options.permit_empty_passwd == 0 &&
+ 	    prompt_type == PAM_PROMPT_ECHO_OFF)
 		return 0;
 
 	__pampasswd = password;
 
 	pamstate = INITIAL_LOGIN;
+ 	pamprompt = prompt_type;
 	pam_retval = do_pam_authenticate(
 	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
 	if (pam_retval == PAM_SUCCESS) {
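Review bot: with the added `prompt_type == PAM_PROMPT_ECHO_OFF` condition, the early `return 0` no longer fires for an empty response when `permit_empty_passwd == 0` and the prompt is not echo-off, so that case now depends entirely on `PAM_DISALLOW_NULL_AUTHTOK` being honoured by the module stack behind `do_pam_authenticate()`. If that is intended for the echo-on (TIS) case, a comment above the `if` should say so; otherwise keep the unconditional empty-response check.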
diff -uNr openssh-3.0.2p1.orig/auth-pam.h openssh-3.0.2p1/auth-pam.h
--- openssh-3.0.2p1.orig/auth-pam.h	Mon Mar 26 22:12:24 2001
+++ openssh-3.0.2p1/auth-pam.h	Fri Feb 15 02:15:02 2002
@@ -...
2002 Jul 24
0
pam problems with securid patch
...to openssh3.4p-1 and it's compiled with 
pam. The problem I'm getting is that SecurID auth works OK, but normal 
password auth doesn't. I narrowed down the failure to the following section 
in auth-pam.c :
        __pampasswd = password;
        pamstate = INITIAL_LOGIN;
        pam_retval = do_pam_authenticate(
            options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
but I can't see how this works.  Can anyone enlighten me please? I know that 
the password is correct but pam_retval is still not equal to PAM_SUCCESS.
Cheers,
Ed.
______________________________________________...
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...%.200s",
+			    pam_retval, PAM_STRERROR(__pamh, pam_retval));
+	}
 }
 
 /* Set PAM credentials */
diff -u -r openssh-3.5p1/auth-pam.h openssh-3.5p1a/auth-pam.h
--- openssh-3.5p1/auth-pam.h	Tue Jul 23 02:44:07 2002
+++ openssh-3.5p1a/auth-pam.h	Wed Oct 16 10:00:40 2002
@@ -39,6 +39,7 @@
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
+void do_pam_set_tty(const char *ttyname);
 void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
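Review bot: the new `do_pam_set_tty(const char *ttyname)` prototype has no comment saying when it must be called relative to `do_pam_authenticate()` and `do_pam_session()`, or whether a NULL `ttyname` is allowed. A one-line comment above the declaration stating the required call order and the NULL behaviour would keep callers from setting the tty too late for modules that read it.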
diff -u -r openssh-3....
2002 Jul 16
2
HP-UX PAM with Trusted System patch
.../* Set PAM credentials */
 void do_pam_setcred(int init)
 {
Only in openssh-3.4p1-dw: auth-pam.c.orig
diff -u -r openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h
--- openssh-3.4p1/auth-pam.h	Thu Apr  4 13:02:28 2002
+++ openssh-3.4p1-dw/auth-pam.h	Tue Jul 16 07:54:05 2002
@@ -12,6 +12,7 @@
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);
 void do_pam_session(char *username, const char *ttyname);
+void do_pam_set_tty(const char *ttyname);
 void do_pam_setcred(int init);
 void print_pam_messages(void);
 int is_pam_password_change_required(void);
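Review bot: after this hunk there are two entry points that take a tty name, the existing `do_pam_session(char *username, const char *ttyname)` and the added `do_pam_set_tty(const char *ttyname)`, and the header does not say which value is used if they differ. Either document that `do_pam_set_tty()` is the single place the tty is set, or drop the `ttyname` parameter from `do_pam_session()` so the two cannot disagree.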
Only in openssh-3.4p1...
2005 May 10
7
SSHD creates defunct process
...S      0:00 sshd: admin [priv]
25573 ?        Z      0:00 [sshd <defunct>]
I have a proprietary PAM module which hooks my authentication
mechanism into sshd. Based upon my PAM module logs and sshd debug
messages I can say that authentication went on smoothly and it
returned PAM_SUCCESS to do_pam_authenticate. After this the shell just
hangs.
I can see this error in /var/log/messages when run either by [ ./sshd
-ddd] or [./sshd]
PAM [dlerror: /lib/security/$ISA/pam_deny.so: cannot open shared
object file: No such file or directory]
My /etc/pam.d/sshd looks like this
#%PAM-1.0
 auth       sufficient...
2002 Apr 26
0
PAM keyboard-interactive
...r);
+	return (r);
+}
-	conv2.appdata_ptr = authctxt;
-	do_pam_set_conv(&conv2);
+/*
+ * Peek at first byte of next message.
+ */
+static int
+pam_peek(struct pam_ctxt *ctxt)
+{
+	char ch;
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
-	    &input_userauth_info_response_pam);
-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+	if (recv(ctxt->pam_sock, &ch, 1, MSG_PEEK) < 1)
+		return (-1);
+	return (ch);
+}
-	return retval;
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+pam_receive(struct pam_ctxt *ctxt)
+{
+	cha...
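Review bot: in `pam_peek()`, `ch` is a plain `char` returned through an `int`, and -1 is also the failure value. Where `char` is signed, a peeked byte of 0xff comes back as -1 and is indistinguishable from the `recv()` failure path; declare it `unsigned char ch;` or cast on return so message bytes and errors cannot collide.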
2002 Jul 25
0
openssh-unix-dev digest, Vol 1 #505 - 15 msgs
...> pam. The problem I'm getting is that SecurID auth works OK, but normal 
> password auth doesn't. I narrowed down the failure to the following
> section 
> in auth-pam.c :
> 
> __pampasswd = password;
> 
>         pamstate = INITIAL_LOGIN;
>         pam_retval = do_pam_authenticate(
>             options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK
> : 
> 0);
> 
> but I can't see how this works.  Can anyone enlighten me please? I know
> that 
> the password is correct but pam_retval is still not equal to
> PAM_SUCCESS.
> 
> Cheers,
>...
2002 Jul 02
3
New PAM kbd-int diff
...turn (r);
+}
 
-	conv2.appdata_ptr = authctxt;
-	do_pam_set_conv(&conv2);
+/*
+ * Peek at first byte of next message.
+ */
+static int
+sshpam_peek(struct sshpam_ctxt *ctxt)
+{
+	char ch;
 
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
-	    &input_userauth_info_response_pam);
-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+	if (recv(ctxt->sock, &ch, 1, MSG_PEEK) < 1)
+		return (-1);
+	return (ch);
+}
 
-	return retval;
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+sshpam_receive(struct sshpam_ctxt *ctxt)
+{
+...
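Review bot: `sshpam_peek()` folds every `recv(ctxt->sock, &ch, 1, MSG_PEEK)` result below 1 into -1, so an orderly close (0), a hard error and an interrupted call all look the same to the caller. Retry when `errno` is `EINTR` and return a distinct value for end-of-file, so that a signal arriving during authentication is not treated as the peer going away.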
2002 Jun 25
4
PAM kbd-int with privsep
...turn (r);
+}
 
-	conv2.appdata_ptr = authctxt;
-	do_pam_set_conv(&conv2);
+/*
+ * Peek at first byte of next message.
+ */
+static int
+sshpam_peek(struct sshpam_ctxt *ctxt)
+{
+	char ch;
 
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
-	    &input_userauth_info_response_pam);
-	retval = (do_pam_authenticate(0) == PAM_SUCCESS);
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
+	if (recv(ctxt->sock, &ch, 1, MSG_PEEK) < 1)
+		return (-1);
+	return (ch);
+}
 
-	return retval;
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+sshpam_receive(struct sshpam_ctxt *ctxt)
+{
+...