search for: do_pam_session

heres a fix for pam support im openssh, inline and attached.. openssh calls do_pam_session early, before a fork(). it does this on the proc still running as root, so it checks the users limits, against what root has running, and depending on limits can fail at the fork() (and almost always does). this patch moves it past the fork. ive been running it for a couple of weeks and everythi...

http://bugzilla.mindrot.org/show_bug.cgi?id=423 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |627 nThis| | Status|NEW |ASSIGNED ------- Additional

...al SIGSEGV, Segmentation fault. 0xff133a9c in strncpy () from /usr/lib/libc.so.1 (gdb) bt #0 0xff133a9c in strncpy () from /usr/lib/libc.so.1 #1 0xff0b61b0 in pam_sm_open_session () from /usr/lib/security/pam_unix.so.1 #2 0xff372b88 in pam_open_session () from /usr/lib/libpam.so.1 #3 0x2cc88 in do_pam_session (username=0x115fb0 "wyodlows", ttyname=0x0) at auth-pam.c:283 #4 0x32360 in do_exec_no_pty (s=0x1108ac, command=0x121950 "ls") at session.c:433 #5 0x32884 in do_exec (s=0x1108ac, command=0x121950 "ls") at session.c:668 #6 0x34008 in session_exec_req (s=0x110...

...irly new to the list and new to submitting patches. Can someone please verify the attached patch for running a HP-UX Trusted System with PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify the user via __pamh after the call to permanently_set_uid in session.c. So I called do_pam_session prior to the call and added a function do_pam_set_tty in order to set the tty after allocation. -- Dan Wanek -------------- next part -------------- diff -u -r openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c --- openssh-3.4p1/auth-pam.c Tue May 7 21:27:56 2002 +++ openssh-3.4p1-dw/auth-pam....

...002) setrlimit, through the pam session setup, isn't called in the appropriate place to allow specified users to have higher ulimits than the server is started with. This ought to work, as pam limits are allowed to specify arbitrarily high limits for users listed. The problem appears to be that do_pam_session is being called after we drop to the user's uid. Without privsep turned on, this all work, as we drop to the user's uid after do_pam_session. Specifically: with privsep on, do_setusercontext in privsep_postauth (sshd.c) is called before do_pam_session in do_exec_pty (session.c). Without pri...

...dentials */ diff -u -r openssh-3.5p1/auth-pam.h openssh-3.5p1a/auth-pam.h --- openssh-3.5p1/auth-pam.h Tue Jul 23 02:44:07 2002 +++ openssh-3.5p1a/auth-pam.h Wed Oct 16 10:00:40 2002 @@ -39,6 +39,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); diff -u -r openssh-3.5p1/session.c openssh-3.5p1a/session.c --- openssh-3.5p1/session.c Thu Sep 26 02:38:50 20...

...started. To fix this, I moved the pam_open_session :call into do_login: : :--- session.c Fri Oct 12 13:05:58 2001 :+++ .snapshot/nightly.3/session.c Mon Oct 8 15:52:02 2001 :@@ -541,6 +541,11 @@ : ptyfd = s->ptyfd; : ttyfd = s->ttyfd; : :+#if defined(USE_PAM) :+ do_pam_session(s->pw->pw_name, s->tty); :+ do_pam_setcred(1); :+#endif :+ : /* Fork the child. */ : if ((pid = fork()) == 0) { : :@@ -698,11 +703,6 @@ : last_login_time = get_last_login_time(pw->pw_uid, :pw->pw_name, : hostname, sizeof(hostname)...

Hi, I am running FreeBSD 4.7 and openssh 3.7.1p1. I have enabled PAM usage and indeed, I can use PAM for authentication purposes. Since configure does login_cap.h, the preprocessor is side stepping do_pam_session() altogether in session.c:do_setusercontext(). Here is my patch for session.c. My understanding about portability issues is rather limited. I would very much appreciate if you guys could check this and verify that I am not introducing more problems with this. So far this works for me. --- ses...

Hello I've got a problem with pam-script and ssh. pam-script is a module for PAM that enables execution of given script while pam session opens and/or closes. I try to use it with ssh while logging in and out: it is kind of login and logout scripts. PAM session creation is done in function do_pam_session which is invoked by do_setusercontext which is invoked by do_child. do_child function is invoked after fork. In a child process do_pam_session function sets global variable sshpam_session_open to remember that session was opened. After execution of do_setusercontext and do_pam_session function do_c...

...which does *not* interoperate with the deprecated "gssapi" method) provides proper validation of the session ID between the client and the server. Some of the highlights (more in the ChangeLog): - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, and use it for do_pam_session. Fixes problems like pam_motd not displaying anything. ok djm@ - jakob at cvs.openbsd.org 2003/11/12 16:39:58 [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] update SSHFP validation. ok markus@ - markus at cvs.openbsd.org 2003/11/17 11:06:07 [auth2-gss.c gss-genr.c gss-serv.c m...

With OpenSSH 2.9.9p2 as the server, I'm not able to do scp or "ssh machinename command" in general to any of my Suns! I tracked this down a bit; the problem occurs only when PAM support is enabled. However, if I remove line 430 of session.c, "do_pam_session(s->pw->pw_name, NULL);" inside of do_exec_no_pty, the problem goes away. It looks like the following entry in the Changelog may be responsible: 20010627 - (djm) Reintroduce pam_session call for non-pty sessions. Let me know if you need any additional info to track this down. Thank...

Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the authentication is postponed and the messages...

...sion.c =================================================================== --- session.c (revision 15) +++ session.c (working copy) @@ -394,8 +394,10 @@ session_proctitle(s); #if defined(USE_PAM) - if (options.use_pam && !use_privsep) + if (options.use_pam && !use_privsep) { + do_pam_session(); do_pam_setcred(1); + } #endif /* USE_PAM */ /* Fork the child. */ @@ -531,8 +533,10 @@ #if defined(USE_PAM) if (options.use_pam) { do_pam_set_tty(s->tty); - if (!use_privsep) + if (!use_privsep) { + do_pam_session(); do_pam_setcred(1); + } } #endif Index: auth-pam....

Hi, I didn't know if this was the correct spot to send openSSH bugs/problems so I thought I'd try... Anyway, I have encountered the following compile time problems for openssh-1.2pre15 / Solaris 2.6 / gcc 2.8.1 - * daemon code (bsd-daemon.[ch]) exists but is not linked in. Also, header is not included. Same might apply to bsd-login. * rsa.h needs __P() define to work

...mindrot.org ReportedBy: wknox at mitre.org The last login time that gets reported with a Solaris PAM enabled build of OpenSSH 3.0.2p1 is the login time of the current session. Examining the mail archive, this was reported by Benn Oshrin on 10/12/2001, and he sent in a patch that moved the do_pam_session call into the do_login function in session.c. I can't find any discussion about why that patch did not get applied, but it hasn't, so I propose, instead of moving the do_pam_session call, to move the call to get_last_login_time into do_exec_pty and pass the resultant information to do_login...

...====================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.222 diff -u -r1.222 session.c --- session.c 26 Sep 2002 00:38:50 -0000 1.222 +++ session.c 21 Dec 2002 11:39:07 -0000 @@ -454,7 +454,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -581,7 +580,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->t...

...H Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: dtucker at zip.com.au Because a failure in do_pam_session causes an immediate fatal(), the connection exits uncleanly, eg, with the following PAM config: session required pam_motd.so motd=/etc/mynologin session required pam_deny.so Attempting to log in will result in: testuser at localhost's password: Read from remote host localhost: Connection reset...

...|REOPENED Resolution|FIXED | --- Comment #9 from Yann Rouillard <yann at pleiades.fr.eu.org> 2010-12-20 01:21:01 EST --- I am reopening this bug because I am still able to reproduce it on Solaris 10 with openssh 5.6p1. It seems to be caused by the same reason: do_pam_session updates the /var/adm/lastlog before record_login / store_lastlog_message is called. I don't understand why the fix doesn't work but do_exec_pty doesn't seem to be called before do_pam_session. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are...

...do_pam_setcred(); > +#endif /* USE_PAM */ > + > /* Fork the child. */ > if ((pid = fork()) == 0) { > /* Child. Reinitialize the log since the pid has changed. */ > @@ -593,6 +597,11 @@ > ptyfd = s->ptyfd; > ttyfd = s->ttyfd; > > +#ifdef USE_PAM > + do_pam_session(pw->pw_name, s->tty); > + do_pam_setcred(); > +#endif /* USE_PAM */ > + > /* Fork the child. */ > if ((pid = fork()) == 0) { > /* Child. Reinitialize the log because the pid has changed. */ > @@ -1142,11 +1151,6 @@ > #ifdef HAVE_LOGIN_CAP > shell = login_g...

Hello all, I'd greatly appreciate a patch that will stop PAM mucking around after I log in with a Kerberos 4 ticket and forward an AFS ticket (KTH Kerberos 1.1.1 used for libkrb/libkafs). The trouble is, I need pam_krb4, so that folks, who log in with without tickets using tunnelled plaintext password, would get Kerberos 4 tickets for the box. I rebuilt sshd without PAM in order to verify