search for: do_pam_setcr

https://bugzilla.mindrot.org/show_bug.cgi?id=2426 Bug ID: 2426 Summary: OpenSSH doesn't need the second call to do_pam_setcred() on non-Linux platforms Product: Portable OpenSSH Version: 6.9p1 Hardware: Sparc OS: Solaris Status: NEW Severity: minor Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org...

...S or to a non-root user with PrivSep NO, then no issues. This is tested on 3.7.1p2 and 3.8.1p1 and two versions behave alike. This is not the case when USE_POSIX_THREADS is disabled and it works for PrivSep yes and no for root and non-root users. Just to check the pid that call the pam_setcred in do_pam_setcred, I used the getpid() call in the do_pam_setcred function and for both THREAD enabled and disabled builds, the child pid and the pid that call this function are the same and inspite of this similarity this problem is seen. Any help will be much appreciated. Regards, Kumar.

...for what it's worth :) ]), followed by the correct password. Investigation (using copious debug() statements) has isolated the problem down to one line of code: pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); in auth-pam.c, function do_pam_setcred(). It appears that this function is being called twice: once with init set, once without (ie: once with PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call to pam_setcred(__pamh, PAM_REINITIALIZE_CRED) that the seg fault occurs. To clarify why we're using PAM: the syst...

http://bugzilla.mindrot.org/show_bug.cgi?id=423 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |627 nThis| | Status|NEW |ASSIGNED ------- Additional

...-------- next part -------------- --- sshd.c Mon Dec 27 23:09:36 1999 +++ sshd.c Tue Dec 28 10:57:00 1999 @@ -149,6 +149,7 @@ int do_pam_auth(const char *user, const char *password); void do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, char *ttyname); +void do_pam_setcred(); void pam_cleanup_proc(void *context); static struct pam_conv conv = { @@ -230,6 +231,12 @@ PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credent...

...t;PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { Only in openssh-3.4p1-dw: auth-pam.c.orig diff -u -r openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h --- openssh-3.4p1/auth-pam.h Thu Apr 4 13:02:28 2002 +++ openssh-3.4p1-dw/auth-pam.h Tue Jul 16 07:54:05 2002 @@ -12,6 +12,7 @@ int do_pam_authenticate(int flags); int do_pam_...

...nSSH-portable tree, he'll know what to do with it... -d. --- http://www.monkey.org/~dugsong/ --- old/session.c Sat Dec 1 18:37:08 2001 +++ session.c Tue Feb 12 00:03:37 2002 @@ -437,7 +437,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -494,6 +493,9 @@ #endif /* USE_PIPES */ /* Do processing for the child (exec command etc). */ +#if defined(USE_PAM) + do_pam_session(s->pw->pw_name, NULL); +#endif /* USE_...

...Tue Jul 23 02:44:07 2002 +++ openssh-3.5p1a/auth-pam.h Wed Oct 16 10:00:40 2002 @@ -39,6 +39,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); diff -u -r openssh-3.5p1/session.c openssh-3.5p1a/session.c --- openssh-3.5p1/session.c Thu Sep 26 02:38:50 2002 +++ openssh-3.5p1a/session.c Wed Oct 16 15:01:40 2002 @@ -454,7 +454,6 @@ session_proctitle(s);...

...into do_login: : :--- session.c Fri Oct 12 13:05:58 2001 :+++ .snapshot/nightly.3/session.c Mon Oct 8 15:52:02 2001 :@@ -541,6 +541,11 @@ : ptyfd = s->ptyfd; : ttyfd = s->ttyfd; : :+#if defined(USE_PAM) :+ do_pam_session(s->pw->pw_name, s->tty); :+ do_pam_setcred(1); :+#endif :+ : /* Fork the child. */ : if ((pid = fork()) == 0) { : :@@ -698,11 +703,6 @@ : last_login_time = get_last_login_time(pw->pw_uid, :pw->pw_name, : hostname, sizeof(hostname)); : } :- :-#if defined(USE_PAM) :- do_pam_...

...t;PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM...

...=================== > RCS file: /var/cvs/openssh/session.c,v > retrieving revision 1.80 > diff -u -r1.80 session.c > --- session.c 2001/02/21 05:53:33 1.80 > +++ session.c 2001/02/21 16:28:40 > @@ -481,6 +481,10 @@ > > session_proctitle(s); > > +#ifdef USE_PAM > + do_pam_setcred(); > +#endif /* USE_PAM */ > + > /* Fork the child. */ > if ((pid = fork()) == 0) { > /* Child. Reinitialize the log since the pid has changed. */ > @@ -593,6 +597,11 @@ > ptyfd = s->ptyfd; > ttyfd = s->ttyfd; > > +#ifdef USE_PAM > + do_pam_sessio...

...krb4, so that folks, who log in with without tickets using tunnelled plaintext password, would get Kerberos 4 tickets for the box. I rebuilt sshd without PAM in order to verify that PAM destroys the tokens but I've not enough time to analyse the code in more details. I guess # ifdef USE_PAM do_pam_setcred(0); # endif /* USE_PAM */ in session.c is the culprit. By the way, I've had to disable privsep because otherwise /etc/srvtab cannot be read. I hope I've provided enough information. Thanks in advance, Gintas

...e comments for details. diff -ur openssh-2.9p2.dist/session.c openssh-2.9p2/session.c Index: openssh-2.9p2/session.c --- openssh-2.9p2.dist/session.c Sat Jun 16 23:40:51 2001 +++ openssh-2.9p2/session.c Thu Sep 6 11:48:04 2001 @@ -456,10 +456,6 @@ session_proctitle(s); -#if defined(USE_PAM) - do_pam_setcred(1); -#endif /* USE_PAM */ - /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log since the pid has changed. */ @@ -509,6 +505,13 @@ perror("dup2 stderr"); #endif /* USE_PIPES */ +#if defined(USE_PAM) + /* pam_setcred might print things that belo...

http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy:

http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy:

...porter: ryan_cox at byu.edu Created attachment 2583 --> https://bugzilla.mindrot.org/attachment.cgi?id=2583&action=edit openssh_permit_gid_override.diff I would like to allow pam_setcred/pam_sm_setcred to override the gid that is normally set for a user. Currently the openssh code calls do_pam_setcred then it sets the gid to the user's gid as listed in /etc/passwd, LDAP, or whatever regardless of what the pam module set it to. I would instead like a pam module to be able to set the gid with setgid() and not have it overwritten by openssh. I wrote a patch that does just that by comparing...

Hi, I was investigating why I don't see any warnings from pam_ldap indicating the pending expiration of passwords as well as for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not have a conversation function. Also, there is a function print_pam_messages (currently empty) which look suspiciously like it is ear marked to show just those error messages: /* auth-pam.c

...t;PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM...

...===================================================== --- session.c (revision 15) +++ session.c (working copy) @@ -394,8 +394,10 @@ session_proctitle(s); #if defined(USE_PAM) - if (options.use_pam && !use_privsep) + if (options.use_pam && !use_privsep) { + do_pam_session(); do_pam_setcred(1); + } #endif /* USE_PAM */ /* Fork the child. */ @@ -531,8 +533,10 @@ #if defined(USE_PAM) if (options.use_pam) { do_pam_set_tty(s->tty); - if (!use_privsep) + if (!use_privsep) { + do_pam_session(); do_pam_setcred(1); + } } #endif Index: auth-pam.c =================...

...ssh/session.c.orig Mon Oct 22 22:42:46 2001 +++ openssh/session.c Mon Oct 22 22:43:31 2001 @@ -430,7 +430,7 @@ do_exec_no_pty(Session *s, const char *c session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); +/* do_pam_session(s->pw->pw_name, NULL); */ do_pam_setcred(1); #endif /* USE_PAM */