Displaying 20 results from an estimated 113 matches for "pam_acct_mgmt".
2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
http://bugzilla.mindrot.org/show_bug.cgi?id=1188
Summary: keyboard-interactive should not allow retry after
pam_acct_mgmt fails
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: bitbucket at mindrot.org
ReportedBy: dtucke...
2003 May 14
1
[Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
http://bugzilla.mindrot.org/show_bug.cgi?id=564
Summary: new PAM code only calls pam_acct_mgmt for challenge-
response clients
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix...
2002 May 22
3
Openssh still logs in while passwd is locked
...Whilst I could do other things such as
>moving their .ssh directory, removing their account home directory, etc,
>etc, is there some 'nicer' way to inform ssh that the account is now locked
>and thus to not allow them to login?
The pam_unix.so module doesn't check for *LK* in pam_acct_mgmt since it
was assuming that pam_authenticate() had been called already - in those
cases it would fail. If however you are using publickey authentication
rather than going through PAM with a password pam_acct_mgmt is called
without first going to pam_authenticate().
This has been fixed in the new p...
2020 Sep 08
23
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Bug ID: 3210
Summary: Confusing errors when pam_acct_mgmt() fails
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Repo...
2004 Nov 16
1
conversation function for pam_acct_mgmt failing?
I'm trying to use PAM on Solaris 8 with sshd (openssh 3.9p1) to run
the pam_acct_mgmt function and give some feedback to the user
if/when their account doesn't meet the necessary local requirements.
Things work fine when I use rlogin, i.e. a user gets authenticated
by typing in their password, and if their account has been suspended
(locally written programs maintain a database...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
...ng period for you, shouldn't you get that warning?
Anyway, philosophy aside, I figgered out what happened to the
missing passwd age warning. It turns out that even when you are
using public key authentication, the PAM function that checks up on
such things and is supposed to produce warnings (pam_acct_mgmt())
does actually get called. However, it appears that since nobody
ever needed to interact with the lUser up until that point, no
conversation function was ever set up for the PAM library to use.
So, although pam_acct_mgmt() does actually figger out that the
lUser needs a warning, it can't com...
2003 Jul 30
7
[Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
http://bugzilla.mindrot.org/show_bug.cgi?id=564
------- Additional Comments From djm at mindrot.org 2003-07-30 11:48 -------
Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly -
suggestions wanted.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2011 Mar 18
1
Problem with pam-auth and winbind
...9:43:29 pop3-login: Info: Aborted login (auth failed, 1 attempts):
user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured
I'd appreciate any hints.
but in /var/log/dovecot/error.log we have information:
Mar 14 09:43:29 auth-worker(default): Error: pam(tt1,10.10.10.38):
pam_acct_mgmt() failed: Authentication failure
This test was done with winbindd Version 3.5.3.
When I test it on another machine with winbind Version 3.0.24 (config
files are the same) the authentication process is done properly.
Any HINTS????
2005 Jun 08
1
Possible security flaw in OpenSSH and/or pam_krb5
...'m not very
familiar with how PAM works or the OpenSSH codebase for that matter,
so I'm including some of his tips in case it helps in the
investigation of the problem:
------------------------------------------
- If the application is not calling, or ignoring non-success return
values of pam_acct_mgmt() yet still allowing access to the account,
then the application has a gaping hole and is at fault.
- A PAM module may defer authentication and authorization, in
password-change-required situations, to pam_sm_chauthtok(3PAM), but
if so it must: a) return PAM_SUCCESS from its
pam_sm_au...
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...-/* PAM conversation function. This is really a kludge to get the password */
-/* into PAM and to pick up any messages generated by PAM into pamconv_msg */
+/* states for pamconv() */
+typedef enum { INITIAL_LOGIN, OTHER } pamstates;
+static pamstates pamstate = INITIAL_LOGIN;
+/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+static int password_change_required = 0;
+
+/*
+ * PAM conversation function.
+ * There are two states this can run in.
+ *
+ * INITIAL_LOGIN mode simply feeds the password from the client into
+ * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
+ * me...
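Review bot: pamstate and password_change_required are file-scope statics that pamconv() depends on, and the visible lines only give them initial values. Document (or show in code) where each is reset, because the comment says INITIAL_LOGIN answers PAM_PROMPT_ECHO_OFF with the client's password, so a conversation that is still in that state on a later PAM call would hand the login password to an unrelated prompt. OTHER would also be clearer as a name that says what the state is used for.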
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All.
Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive. It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired. To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.
This doesn't seem to work on AIX 5.2, I don't know why. Works OK for me
on Redhat, Solaris & HP-UX. I'm interested in reports of success or
otherwise.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 8...
2002 Mar 26
2
SSH / PAM / Kerberos / password aging
...PAM_KRB5 implementations tend to return PAM_SUCCESS from
pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt()
to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user
can't be said to be authenticated at that point.
The problem with this is that by the time pam_acct_mgmt() is called in
OpenSSH userauth has been completed, so kbd-interactive is not used for
the password changing and instead the work is relegated till the TTY
session is setup. By then the login process has begun and the user even
has a UTMP entry.
To make matters worse, OpenSSH calls pam_setcred() b...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...}
buffer_put_cstring(&buffer, "OK");
ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
buffer_free(&buffer);
@@ -532,11 +544,16 @@ finish_pam(void)
u_int
do_pam_account(void)
{
+ if (sshpam_account_status != -1)
+ return (sshpam_account_status);
+
sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD)
- return (0);
+ if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
+ sshpam_account_status = 0;
+ r...
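Review bot: in do_pam_account() the cached sshpam_account_status is returned ahead of the pam_acct_mgmt() call and its debug3 line, and it is compared with -1 although the function returns u_int; nothing in the visible lines sets it back to -1. Reset it wherever sshpam_handle is started or freed so a verdict cached for one handle cannot be returned for another, keep the variable a signed int with a comment that -1 means "not yet checked", and emit a debug line on the cached path so the account result still appears in the log.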
2005 Jan 27
1
Dovecot doesn't call pam_open_session, thus dodging pam_mkhomedir
...'t get created automatically. There's the handy pam
module pam_mkhomedir.so to automagically create home directories, but
unfortunately Dovecot wasn't calling pam_open_session to run the session
setup pam modules. I made a small patch to passdb-pam.c to call
pam_open_session between pam_acct_mgmt and pam_get_item and now my
home dirs are automagically created and everyone is happy.
So, I figured I'd share the little patch in case someone else finds it
useful. My patch doesn't properly close the session which will probably
irritate more advanced session modules that actually...
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
...|
pam_start |
| |
fork ----- (authentication 'thread') |
| | |
| pam_authenticate |
| | |
| pam_acct_mgmt |
| | |
| pam_chauthtok |
| | |
| X |
| |
| X
|
pam_setcred
|
pam_open_sessi...
2005 Sep 21
23
[Bug 1087] SSH fails to show PAM password expiry message from LDAP on login
http://bugzilla.mindrot.org/show_bug.cgi?id=1087
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Group|Portable OpenSSH |
2011 Mar 24
2
Problem with pam-auth and winbind
...o: Aborted login (auth failed, 1 attempts):
user=<tt1>, method=PLAIN, rip=10.10.10.38, lip=10.10.10.38, secured
I'd appreciate any hints.
but in dovecot error log file /var/log/dovecot/error.log we have information:
Mar 23 10:37:50 auth-worker(default): Error: pam(tt1,10.10.10.38):
pam_acct_mgmt() failed: Authentication failure
This test was done with winbindd Version 3.5.3.
When I test it on another machine with winbind Version 3.0.24 (config
files are the same) the authentication process is done properly.
Any HINTS????
2003 Oct 09
1
[Bug 740] Sun's pam_ldap account management is not working
...ntering
debug3: mm_request_send entering: type 44
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug2: monitor_read: 52 used once, disabling now
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: do_pam_account: pam_acct_mgmt = 9
debug3: mm_request_send entering: type 45
debug3: mm_do_pam_account returning 0
===
pam_acct_mgmt returns 9 (PAM_AUTH_ERR) even though the account is valid (not
expired, etc).
The same box works fine with the native Solaris 9 sshd, telnetd and other
services, so the account management DOES wo...
2002 Mar 27
4
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 -------
Created an attachment (id=55)
Patch to do pw aging in kbd-interactive
2002 Jun 14
0
[Bug 278] ssh allows auto login even if account is locked
...---
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From Darren.Moffat at Sun.COM 2002-06-15 04:56 -------
This happens because sshd with public-key login does not call pam_authenticate,
but does call pam_acct_mgmt. In the pam_unix.so module that is shipped in
Solaris 8 there is no explicit account locked check.
This has been fixed in Solaris 9 and a fix for Solaris 8 is currently underway.
OpenSSH is not broken in any way, this is a Solaris bug that only appears
when PAM applications call pam_acct_mgmt wit...