Displaying 20 results from an estimated 21 matches for "do_pam_chauthtok".
2003 Jan 24
0
[Bug 473] New: cannot update password using PAM on HP-UX system that has been tsconverted
...lways has UID == EUID == 0, so the password
change fails and the user is logged out, effectively locking the user out of the
system (unless they use some other method of logging in, such as rlogin or telnet).
A possible fix for this involves passing the user's password entry from
session.c to do_pam_chauthtok(). do_pam_chauthtok() then changes the RUID to the
user's uid, calls pam_chauthtok(), and changes it back after the call.
I am including some diffs of the fix as I made it - the official version may
wish to have it enclosed in #ifdef's.
diff auth-pam.h /extra/openssh-3.1p1/auth-pam.h | mor...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All.
Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive. It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired. To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.
This doesn't seem to work on AIX 5.2, I don't know
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...to "static pam_handle_t *pamh", remove
unnecessary casts "(pam_handle_t *)"
* fix typo in NEW_AUTHTOK_MSG
* extend pamconv() to support real interactive prompting and display, in
addition to the kludge to feed the user's password into PAM during
initial login
* add function do_pam_chauthtok() to call pam_chauthtok() if needed,
once interactive session has been established
auth-pam.h:
* add prototype for do_pam_chauthtok()
session.c:
* add call to do_pam_chauthtok() after print_pam_messages()
I am subscribed to openssh-unix-dev, so you do not have to copy any list
discussion to me p...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
Hello All.
Attached is an update to my previous patch to make do_pam_chauthtok and
privsep play nicely together.
First, a question: does anybody care about these or the password
expiration patches?
Anyway, the "PRIVSEP(do_pam_chauthtok())" has been moved to just after
the pty has been allocated but before it's made the controlling tty.
This allows the child...
2003 Mar 10
10
[Bug 423] Workaround for pw change in privsep mode (3.5.p1)
http://bugzilla.mindrot.org/show_bug.cgi?id=423
------- Additional Comments From djm at mindrot.org 2003-03-10 12:06 -------
The patch looks good, but the only thing that makes me wary is the use of
signals for IPC. Would it not be possible to do the chauthtok call earlier? E.g.
after the call to do_pam_session() in do_exec_pty()?
------- You are receiving this mail because: -------
You
2004 Feb 07
14
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What                    |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|        |793
2003 Mar 20
4
Call for testing for 3.6: password expiry?
...and a couple of cases of pilot error).
If they are likely to go in, please let me know what you'd like done
with them (eg, merge them into a single patch or make 2 "stacked"
patches to be applied sequentially, and particularly what if anything
should be done with the interaction with do_pam_chauthtok).
--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
2003 Jan 02
4
[Bug 423] Workaround for pw change in privsep mode (3.5.p1)
http://bugzilla.mindrot.org/show_bug.cgi?id=423
------- Additional Comments From stevesk at pobox.com 2003-01-02 11:52 -------
regarding log() clash, shouldn't the HP libsec log() be
static or renamed or ?
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...("dup2 stdin: %s", strerror(errno));
+ if (dup2(ttyfd, 1) < 0)
+ error("dup2 stdout: %s", strerror(errno));
+ if (dup2(ttyfd, 2) < 0)
+ error("dup2 stderr: %s", strerror(errno));
+ close(ttyfd);
+ /* execl("/bin/sh", "sh", NULL); */
+ do_pam_chauthtok();
+ if(is_pam_password_change_required())
+ exit(1); /* failed */
+ else
+ exit(0); /* success */
+ }
+ close(ttyfd);
+
+ if (waitpid(pid, &status, 0) == -1)
+ fatal("Couldn't wait for child: %s", strerror(errno));
+
+ if (WEXITSTATUS(status))
+ fatal("do_pam_chau...
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...am_chauthtok_conv(int n, const struct p
return (PAM_CONV_ERR);
}
+static struct pam_conv tty_conv = { pam_tty_conv, NULL };
+
/*
* XXX this should be done in the authentication phase, but ssh1 doesn't
* support that
@@ -669,15 +654,10 @@ pam_chauthtok_conv(int n, const struct p
void
do_pam_chauthtok(void)
{
- struct pam_conv pam_conv;
-
- pam_conv.conv = pam_chauthtok_conv;
- pam_conv.appdata_ptr = NULL;
-
if (use_privsep)
fatal("Password expired (unable to change with privsep)");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
- (const void *)&pam_conv);
+ (co...
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...;
return(authsuccess);
#endif
@@ -232,4 +246,43 @@
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
#endif /* !USE_PAM && !HAVE_OSF_SIA */
+}
+
+/*
+ * Perform generic password change via tty
+ * Like do_pam_chauthtok(), it throws a fatal error if the password can't be changed.
+ */
+void
+do_tty_change_password(struct passwd *pw)
+{
+ pid_t pid;
+ int status;
+ mysig_t old_signal;
+
+ old_signal = mysignal(SIGCHLD, SIG_DFL);
+
+ if ((pid = fork()) == -1)
+ fatal("Couldn't fork: %s", strerror(...
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
this is no longer the case: session modules run with a conversation
function that just returns PAM_CONV_ERR. This means that simple session
modules whose job involves printing text on the user's terminal no
longer work: pam_lastlog, pam_mail, and
2003 Jul 09
0
[PATCH] Add expired password handling for AIX.
...o authenticate the user using password. Returns true if
@@ -248,4 +251,81 @@
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
#endif /* !HAVE_OSF_SIA */
+}
+
+/*
+ * Perform generic password change via tty. Like do_pam_chauthtok(),
+ * it throws a fatal error if the password can't be changed.
+ */
+int
+do_tty_change_password(struct passwd *pw)
+{
+ pid_t pid;
+ int status;
+ mysig_t old_signal;
+
+ old_signal = mysignal(SIGCHLD, SIG_DFL);
+
+ if ((pid = fork()) == -1)
+ fatal("Couldn't fork: %s", strerr...
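Review bot: the comment above do_tty_change_password() says it throws a fatal error if the password can't be changed, but the function is declared int and the comment does not say what the return value means. Please document the return convention so callers know whether a non-fatal failure is possible and how to handle it, or keep the function void if every failure path ends in fatal().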
2003 Jul 30
1
[PATCH] Password expiry merge (AIX parts)
...g;
#endif
extern ServerOptions options;
+extern Buffer loginmsg;
+int password_change_required = 0;
/*
* Tries to authenticate the user using password. Returns true if
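Review bot: password_change_required is added as a global with external linkage and no comment saying who sets it, who clears it, or at what point in the login sequence it is valid to read. Since it gates whether a user with an expired password is forced through a change, please add a short comment on its lifecycle, and make it static if nothing outside this file needs it (otherwise declare it in a header rather than relying on ad hoc extern declarations).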
@@ -168,4 +172,81 @@
}
# endif
#endif /* !HAVE_OSF_SIA */
+}
+
+/*
+ * Perform generic password change via tty. Like do_pam_chauthtok(),
+ * it throws a fatal error if the password can't be changed.
+ */
+int
+do_tty_change_password(struct passwd *pw)
+{
+ pid_t pid;
+ int status;
+ mysig_t old_signal;
+
+ old_signal = mysignal(SIGCHLD, SIG_DFL);
+
+ if ((pid = fork()) == -1)
+ fatal("Couldn't fork: %s", strerr...
2002 Oct 13
1
[PATCH] AIX password expiration
Hi All.
With one eye on the do_pam_chauthtok() stuff I've merged contributions
by Pablo Sor and Mark Pitt into a patch against -current. I'm
interested in testers and suggestions for improvements.
The patch extends the loginrestrictions test to include expired
accounts (but unlike Mark's patch, doesn't log accounts with exp...
2003 Jul 30
7
[Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
http://bugzilla.mindrot.org/show_bug.cgi?id=564
------- Additional Comments From djm at mindrot.org 2003-07-30 11:48 -------
Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly -
suggestions wanted.
2004 Dec 28
2
LinuxPAM and sshd: changing conversation function doesn't work but claims to.
...and /dev/tty. Since the user doesn't get
a pty until quite late in the login process, this function is only used
for pam_chauthtok() in some cases, and always after sshd has forked to
set up for the user's shell.
The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's
do_pam_chauthtok() in auth-pam.c):
static struct pam_conv tty_conv = { pam_tty_conv, NULL };
[...]
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_...
2006 Jan 19
5
Only one chance to enter a new password?
Hello there,
We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various
Solaris boxes with PAM and an LDAP server back end.
Recently we have added a requirement for users to have complex
passwords. The problem is, if a user's password has expired, when they
log in they are prompted for a new password (good) but if they enter a
non-complex new password the session is closed rather than
2002 Nov 01
3
[Bug 423] Workaround for pw change in privsep mode (3.5.p1)
http://bugzilla.mindrot.org/show_bug.cgi?id=423
------- Additional Comments From michael_steffens at hp.com 2002-11-02 02:40 -------
Created an attachment (id=162)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=162&action=view)
Patch: Workaround for pw change in privsep mode (3.5.p1)
2003 Mar 07
6
Call for testing for 3.6
We are heading into a lock here. So we need to get people to test their
respective platforms if they wish them to be supported out of the tar file.
So if you have any patches you need to ensure your platform works speak
up. We are looking at a lock on the 17th.
I believe I have an AIX/Cray patch and a Tru64 patch sitting in my mailbox
that I'll be looking at soon and more than likely