search for: input_userauth_info_response_pam

...n, and is already present in the latest version of the Mickey Mouse Hacking Squadron award winning network vulnerability assessment tool. After the previous command was executed, the freshly spawned sshd process has to be examined with a debugger, in order to set the correct breakpoints within the input_userauth_info_response_pam() function of OpenSSH, as demonstrated in the Global InterSec LLC advisory: # gdb sshd 6552 (gdb) disassemble input_userauth_info_response_pam [...] 0x80531bc <input_userauth_info_response_pam+192>: push %esi 0x80531bd <input_userauth_info_response_pam+193>: call 0x807306...

...it is the correct password or not. Also it is disconnecting becuase of too many requests not too many failures which doesn't seem right does it? Looking at the source it seems authctxt->attempt++ is being incrimented twice, once in auth2.c:input_userauth_request() and again in auth2-pam.c:input_userauth_info_response_pam(). Attached is a patch that fixed these symptoms for me. Attempt/failure are incimented one at a time, the last password prompt is no longer ignored, and the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6 attempts. I am not completly certain this behaviour matches the o...

...will allow PAM authentication when using sun's pam_krb5 before pam_unix in the PAM stack. without this patch a pam.conf entry like: sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass would fail with the error "input_userauth_info_response_pam: no authentication context". NOTE: when authenticating against pam_krb5 a user with an expired passwd cannot login. when authenticating against pam_unix a user with an expired passwd can login and is not prompted to change their password. NOTE: "pam_setcred: error Permission denied&q...

...Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: b_smith44 at hotmail.com when authenticating against pam_krb5 before pam_unix the user can not login, sshd logs the error "input_userauth_info_response_pam: no authentication context". i don't know why this is failing, this patch fixes the problem by removing the check for an authentication context. users can now login with the pam.conf entry: sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 sshd auth required /usr/lib/security/...

...quot;packet.h" #include "xmalloc.h" -#include "dispatch.h" #include "log.h" +#include "monitor_wrap.h" -static int do_pam_conversation_kbd_int(int num_msg, - const struct pam_message **msg, struct pam_response **resp, - void *appdata_ptr); -void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); - -struct { - int finished, num_received, num_expected; - int *prompts; - struct pam_response *responses; -} context_pam2 = {0, 0, 0, NULL}; - -static struct pam_conv conv2 = { - do_pam_conversation_kbd_int, - NULL, +struct pam_ctxt { + char *pam_user; + pid...

...quot;xmalloc.h" -#include "dispatch.h" #include "log.h" +#include "monitor_wrap.h" + +extern char *__progname; -static int do_pam_conversation_kbd_int(int num_msg, - const struct pam_message **msg, struct pam_response **resp, - void *appdata_ptr); -void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); - -struct { - int finished, num_received, num_expected; - int *prompts; - struct pam_response *responses; -} context_pam2 = {0, 0, 0, NULL}; - -static struct pam_conv conv2 = { - do_pam_conversation_kbd_int, - NULL, +struct sshpam_ctxt { + char *user; + pid_...

...quot;xmalloc.h" -#include "dispatch.h" #include "log.h" +#include "monitor_wrap.h" + +extern char *__progname; -static int do_pam_conversation_kbd_int(int num_msg, - const struct pam_message **msg, struct pam_response **resp, - void *appdata_ptr); -void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); - -struct { - int finished, num_received, num_expected; - int *prompts; - struct pam_response *responses; -} context_pam2 = {0, 0, 0, NULL}; - -static struct pam_conv conv2 = { - do_pam_conversation_kbd_int, - NULL, +struct sshpam_ctxt { + char *user; + pid_...

with the following pam.conf entries, after being prompted for a login password the connection is closed: other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass the system logs the error: sshd[4215]: fatal: input_userauth_info_response_pam: no authentication context if the pam.conf entry is changed to the following less than desirable entry: other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass and 'UseLogin' is set to 'yes' then...

If the info_response code is going to test that the # of responses is < 100, then the info_request code should check that < 100 prompts are sent. It would be rude to send 101 prompts and then fail when the responses come back. I actually think the test should be removed altogether, the limit seems quite arbitrary, but here is a patch to not send > 100 prompts. With this patch, the test