search for: echo_on

...= xmalloc(sizeof(struct pam_response) * num_msg); - memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof **resp)) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case PAM_...

...= xmalloc(sizeof(struct pam_response) * num_msg); - memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof(struct pam_response))) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style)...

...= xmalloc(sizeof(struct pam_response) * num_msg); - memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof **resp)) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case PAM_...

nuqneH, I've tried using TIS authsrv authentication via bsd auth and found it quite limited. The most important restriction it does not log ip and fqdn of the remote peer, nor the application name, to the authentication server. It does not matter much for TIS authsrv, but since other applications do provide such information, our authsrv version uses it for extra authentication restrictions.

...12:13:02 -0000 1.59 +++ monitor_wrap.c 4 May 2006 01:57:46 -0000 @@ -776,8 +776,8 @@ mm_sshpam_query(void *ctx, char **name, *name = buffer_get_string(&m, NULL); *info = buffer_get_string(&m, NULL); *num = buffer_get_int(&m); - *prompts = xmalloc((*num + 1) * sizeof(char *)); - *echo_on = xmalloc((*num + 1) * sizeof(u_int)); + *prompts = xcalloc((*num + 1), sizeof(char *)); + *echo_on = xcalloc((*num + 1), sizeof(u_int)); for (i = 0; i < *num; ++i) { (*prompts)[i] = buffer_get_string(&m, NULL); (*echo_on)[i] = buffer_get_int(&m); Index: scard-opensc.c ==========...

...include "xmalloc.h" +#include "auth.h" + +static void * +opie_init_ctx(Authctxt *authctxt) +{ + return authctxt; +} + +#define PROMPT "\nOPIE Password: " + +static int +opie_query(void *ctx, char **name, char **infotxt, + u_int* numprompts, char ***prompts, u_int **echo_on) +{ + Authctxt *authctxt = ctx; + char challenge[OPIE_CHALLENGE_MAX+64], *p; + int len; + struct opie opie; + + if (opiechallenge(&opie, authctxt->user, challenge) != 0) + return -1; + + opieverify(&opie, ""); /* Zap lock again */ + + *name = xstrdup(""); + *in...

...uot; in mm_answer_pam_query() is not initialized before used if pam module has errors. This happens on HP-UX where the gcc compiler doesn't do default initialization. ------ code ------ int mm_answer_pam_query(int sock, Buffer *m) { char *name, *info, **prompts; u_int i, num, *echo_on; <== num is not initialized and could be a random large number int ret; debug3("%s", __func__); sshpam_authok = NULL; ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on); <== num may not be altered...

Hi. One thing that people seem to want to do with PAM is to deny a login immediately without interacting but return a message to the user. (Some platforms implement, eg, /etc/nologin via PAM this way.) Currently, sshd will just deny the login and the user will not be told why. Attached it a patch that return a keyboard-interactive packet with the message in the "instruction"

...t in the info_response code could actually be removed. --- auth2-chall.c.orig Wed Jun 26 18:40:14 2002 +++ auth2-chall.c Wed Jun 26 18:42:54 2002 @@ -217,6 +217,8 @@ if (kbdintctxt->device->query(kbdintctxt->ctxt, &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on)) return 0; + if (kbdintctxt->nreq > 100) + fatal("send_userauth_info_request: too many prompts"); packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); packet_put_cstring(name); /fc

...stuck in the conv. > function until the info response comes back, anyway. How do (will) > you handle restarting the authentication (client sends USERAUTH_REQUEST > instead of USERAUTH_INFO_RESPONSE)? > > In auth-pam.c:sshpam_thread_conv(), line 148, the two cases ECHO_OFF and > ECHO_ON should be combined into a single case, as should the ERROR_MSG > and TEXT_INFO cases; just as you do in sshpam_query(). > > The code as a whole /is/ far cleaner than what exists currently, so that > is a big plus. > > I dislike that kbdint is run via auth2_challenge() and all th...

...from /usr/lib/libc.so.1 #1 0x410a4 in atomicio (f=0x74198 <read>, fd=11, _s=0xefffeda8, n=4) at atomicio.c:45 #2 0x45970 in ssh_msg_recv (fd=11, m=0xefffee58) at msg.c:58 #3 0x31e64 in sshpam_query (ctx=0x88850, name=0xefffef1c, info=0xefffef18, num=0xefffef14, prompts=0xefffef10, echo_on=0xefffef0c) at auth-pam.c:433 #4 0x2bd84 in mm_answer_pam_query (socket=8, m=0xefffef90) at monitor.c:847 #5 0x2b494 in monitor_read (pmonitor=0x7c7c8, ent=0x75320, pent=0xeffff044) at monitor.c:413 #6 0x2b12c in monitor_child_preauth (pmonitor=0x7c7c8) at monitor.c:299 #7 0x1b40c in privse...