Displaying 20 results from an estimated 113 matches for "pam_acct_mgmt".

2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
http://bugzilla.mindrot.org/show_bug.cgi?id=1188 Summary: keyboard-interactive should not allow retry after pam_acct_mgmt fails Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: bitbucket at mindrot.org ReportedBy: dtucke...
2003 May 14
1
[Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
http://bugzilla.mindrot.org/show_bug.cgi?id=564 Summary: new PAM code only calls pam_acct_mgmt for challenge-response clients Product: Portable OpenSSH Version: -current Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix...
2002 May 22
3
Openssh still logs in while passwd is locked
...Whilst I could do other things such as >moving their .ssh directory, removing their account home directory, etc, >etc, is there some 'nicer' way to inform ssh that the account is now locked >and thus to not allow them to login? The pam_unix.so module doesn't check for *LK* in pam_acct_mgmt since it was assuming that pam_authenticate() had been called already - in those cases it would fail. If however you are using publickey authentication rather than going through PAM with a password pam_acct_mgmt is called without first going to pam_authenticate(). This has been fixed in the new p...
2020 Sep 08
23
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210 Bug ID: 3210 Summary: Confusing errors when pam_acct_mgmt() fails Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org Repo...
2004 Nov 16
1
conversation function for pam_acct_mgmt failing?
I'm trying to use PAM on Solaris 8 with sshd (openssh 3.9p1) to run the pam_acct_mgmt function and give some feedback to the user if/when their account doesn't meet the necessary local requirements. Things work fine when I use rlogin, i.e. a user gets authenticated by typing in their password, and if their account has been suspended (locally written programs maintain a database...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
...ng period for you, shouldn't you get that warning? Anyway, philosophy aside, I figgered out what happened to the missing passwd age warning. It turns out that even when you are using public key authentication, the PAM function that checks up on such things and is supposed to produce warnings (pam_acct_mgmt()) does actually get called. However, it appears that since nobody ever needed to interact with the lUser up until that point, no conversation function was ever set up for the PAM library to use. So, although pam_acct_mgmt() does actually figger out that the lUser needs a warning, it can't com...
2003 Jul 30
7
[Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
http://bugzilla.mindrot.org/show_bug.cgi?id=564 ------- Additional Comments From djm at mindrot.org 2003-07-30 11:48 ------- Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly - suggestions wanted. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2011 Mar 18
1
Problem with pam-auth and winbind
...9:43:29 pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured I'd appreciate any hints. But in /var/log/dovecot/error.log we have this information: Mar 14 09:43:29 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure This test was done with winbindd Version 3.5.3. When I test it on another machine with winbind Version 3.0.24 (the config files are the same) the authentication process is done properly. Any HINTS????
2005 Jun 08
1
Possible security flaw in OpenSSH and/or pam_krb5
...'m not very familiar with how PAM works or the OpenSSH codebase for that matter, so I'm including some of his tips in case it helps in the investigation of the problem: ------------------------------------------ - If the application is not calling, or ignoring non-success return values of pam_acct_mgmt() yet still allowing access to the account, then the application has a gaping hole and is at fault. - A PAM module may defer authentication and authorization, in password-change-required situations, to pam_sm_chauthtok(3PAM), but if so it must: a) return PAM_SUCCESS from its pam_sm_au...
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...-/* PAM conversation function. This is really a kludge to get the password */ -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +/* states for pamconv() */ +typedef enum { INITIAL_LOGIN, OTHER } pamstates; +static pamstates pamstate = INITIAL_LOGIN; +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +static int password_change_required = 0; + +/* + * PAM conversation function. + * There are two states this can run in. + * + * INITIAL_LOGIN mode simply feeds the password from the client into + * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output + * me...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know why. Works OK for me on Redhat, Solaris & HP-UX. I'm interested in reports of success or otherwise. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 8...
2002 Mar 26
2
SSH / PAM / Kerberos / password aging
...PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user can't be said to be authenticated at that point. The problem with this is that by the time pam_acct_mgmt() is called in OpenSSH userauth has been completed, so kbd-interactive is not used for the password changing and instead the work is relegated till the TTY session is setup. By then the login process has begun and the user even has a UTMP entry. To make matters worse, OpenSSH calls pam_setcred() b...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...} buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -532,11 +544,16 @@ finish_pam(void) u_int do_pam_account(void) { + if (sshpam_account_status != -1) + return (sshpam_account_status); + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - return (0); + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + r...
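Review bot: in do_pam_account(), the new early return hands back sshpam_account_status whenever it is not -1, so a cached result outlives the pam_acct_mgmt() call that produced it, and the visible lines do not show where the cache is set back to -1. Reset it wherever sshpam_handle is started or torn down, and consider logging on the cached path too, since the debug3("%s: pam_acct_mgmt = %d", ...) line is skipped when the cached value is returned.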
2005 Jan 27
1
Dovecot doesn't call pam_open_session, thus dodging pam_mkhomedir
...'t get created automatically. There's the handy pam module pam_mkhomedir.so to automagically create home directories, but unfortunately Dovecot wasn't calling pam_open_session to run the session setup pam modules. I made a small patch to passdb-pam.c to call pam_open_session between pam_acct_mgmt and pam_get_item and now my home dirs are automagically created and everyone is happy. So, I figured I'd share the little patch in case someone else finds it useful. My patch doesn't properly close the session which will probably irritate more advanced session modules that actually...
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
...| pam_start | | | fork ----- (authentication 'thread') | | | | | pam_authenticate | | | | | pam_acct_mgmt | | | | | pam_chauthtok | | | | | X | | | | X | pam_setcred | pam_open_sessi...
2005 Sep 21
23
[Bug 1087] SSH fails to show PAM password expiry message from LDAP on login
http://bugzilla.mindrot.org/show_bug.cgi?id=1087 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Group|Portable OpenSSH | ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2011 Mar 24
2
Problem with pam-auth and winbind
...o: Aborted login (auth failed, 1 attempts): user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured I'd appreciate any hints. But in the dovecot error log file /var/log/dovecot/error.log we have this information: Mar 23 10:37:50 auth-worker(default): Error: pam(tt1,10.10.10.38): pam_acct_mgmt() failed: Authentication failure This test was done with winbindd Version 3.5.3. When I test it on another machine with winbind Version 3.0.24 (the config files are the same) the authentication process is done properly. Any HINTS????
2003 Oct 09
1
[Bug 740] Sun's pam_ldap account management is not working
...ntering debug3: mm_request_send entering: type 44 debug3: mm_request_receive_expect entering: type 45 debug3: mm_request_receive entering debug2: monitor_read: 52 used once, disabling now debug3: mm_request_receive_expect entering: type 44 debug3: mm_request_receive entering debug3: do_pam_account: pam_acct_mgmt = 9 debug3: mm_request_send entering: type 45 debug3: mm_do_pam_account returning 0 === pam_acct_mgmt returns 9 (PAM_AUTH_ERR) even though the account is valid (not expired, etc). The same box works fine with the native Solaris 9 sshd, telnetd and other services, so the account management DOES wo...
2002 Mar 27
4
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188 ------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 ------- Created an attachment (id=55) Patch to do pw aging in kbd-interactive ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2002 Jun 14
0
[Bug 278] ssh allows auto login even if account is locked
...--- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From Darren.Moffat at Sun.COM 2002-06-15 04:56 ------- This happens because sshd with public-key login does not call pam_authenticate, but does call pam_acct_mgmt. In the pam_unix.so module that is shipped in Solaris 8 there is no explicit account locked check. This has been fixed in Solaris 9 and a fix for Solaris 8 is currently underway. OpenSSH is not broken in any way, this is a Solaris bug that only appears when PAM applications call pam_acct_mgmt wit...