search for: initial_login

I have been unable to use any challenge/response based pam module (eg. pam_opie.so) for ssh authentication, because the challenge (needed to compute an appropriate response) is never shown during login. do_pam_conversation() in auth-pam.c will not print any prompts while in the INITIAL_LOGIN state, queueing them for later printing. Should users be able to override this (usually correct) default behaviour, perhaps by means of a sshd configuration variable ?

...ic pam_handle_t *pamh = NULL; static const char *pampasswd = NULL; static char *pam_msg = NULL; -/* PAM conversation function. This is really a kludge to get the password */ -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +/* states for pamconv() */ +typedef enum { INITIAL_LOGIN, OTHER } pamstates; +static pamstates pamstate = INITIAL_LOGIN; +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +static int password_change_required = 0; + +/* + * PAM conversation function. + * There are two states this can run in. + * + * INITIAL_LOGIN mode simply feeds the p...

...22:58:46 2001 *************** *** 203,208 **** --- 203,209 ---- { extern ServerOptions options; int pam_retval; + int flags=0; do_pam_set_conv(&conv); *************** *** 217,223 **** __pampasswd = password; pamstate = INITIAL_LOGIN; ! pam_retval = do_pam_authenticate(0); if (pam_retval == PAM_SUCCESS) { debug("PAM Password authentication accepted for " "user \"%.100s\"", pw->pw_name); --- 218,227 ---- __pampasswd = password; pamstate = INITIAL_LO...

Is there a way for a PAM module to force a client (and the server) to use kbd-interactive? As far as I can tell, when in the INITIAL_LOGIN phase, all communication with the client returns a PAM_CONV_ERR. I am trying to write a PAM module that will prompt a user for a second username and a second password in order for the module to succeed so that proper authentication relies on the ability to authenticate against n machines, whe...

Hi all, I need a help. I have got a user registration form, where the user signs up and then an activation link is sent to the user email id for activating his/her account. Now I need to send an another email to the user, only after he logs in for the first time in my site, then the second email should be sent. Can anybody give me some suggestion on how to do it ?? NB: When the user clicks on

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

...02:17:19 2002 @@ -26,6 +26,8 @@ #ifdef USE_PAM #include "ssh.h" +#include "ssh1.h" +#include "packet.h" #include "xmalloc.h" #include "log.h" #include "auth-pam.h" @@ -54,6 +56,8 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; +/* which type of prompts we should handle, set in auth_pam_password */ +static int pamprompt; /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded...

...========================================================= RCS file: /cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 20 Nov 2002 13:12:12 -0000 @@ -60,7 +60,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; @@ -256,...

...i, I have the securID patch applied to openssh3.4p-1 and it's compiled with pam. The problem I'm getting is that SecurID auth works OK, but normal password auth doesn't. I narrowed down the failure to the following section in auth-pam.c : __pampasswd = password; pamstate = INITIAL_LOGIN; pam_retval = do_pam_authenticate( options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); but I can't see how this works. Can anyone enlighten me please? I know that the password is correct but pam_retval is still not equal to PAM_SUCCESS. Cheers, Ed. ____...

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

...sh3.4p-1 and it's compiled with > > pam. The problem I'm getting is that SecurID auth works OK, but normal > password auth doesn't. I narrowed down the failure to the following > section > in auth-pam.c : > > __pampasswd = password; > > pamstate = INITIAL_LOGIN; > pam_retval = do_pam_authenticate( > options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK > : > 0); > > but I can't see how this works. Can anyone enlighten me please? I know > that > the password is correct but pam_retval is still not e...