Displaying 14 results from an estimated 14 matches for "pam_change_expired_authtok".
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.
In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password
if it's expired, right? From the Solaris pam_chauthtok man page:
[quote]
PAM_CHANGE_EXPIRED_AUTHTOK
The password service should only update those passwords
that have aged. If this flag is not passed, all
pa...
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> -----
Date: Fri, 2 May 2003 14:01:33 +0200
From: Andrea Barisani <lcars at infis.univ.trieste.it>
To: openssh at openssh.com
Subject: openssh 3.6.1_p2 problem with pam
Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
# ssh -l lcars mybox
[2 seconds delay]
lcars at mybox's
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
...v));
@@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+
+ if (compat20) {
+ if (do_pam_account()) {
+ if (sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ pam_password_change_required(0);
+ }
+ } else {
+ goto auth_fail;
+ }
+ }
+
buffer_put_cstring(&buffer, "OK");
#ifndef USE_POSIX_THREADS
+ /* Export variables set by do_pam_account */
+ buffer_put_int(&buf...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
...@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+#ifndef DISABLE_KBDINT_CHAUTHTOK
+ if (compat20) {
+ if (do_pam_account() && sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */
+ }
+ }
+#endif
buffer_put_cstring(&buffer, "OK");
ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
buffer_free(&buffer);
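Review bot: In the combined condition `if (do_pam_account() && sshpam_new_authtok_reqd)`, a false return from do_pam_account() short-circuits the whole block and execution falls through to `buffer_put_cstring(&buffer, "OK")`, so within this hunk a rejected account check is not treated as a failure. Suggest splitting the condition so that a failed do_pam_account() does `goto auth_fail`, or adding a comment stating where the account result is enforced if that happens outside this hunk. The `XXX: reset fwd flags` comment should also be resolved or expanded to say what is left to do.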
@@ -532,11 +546,16 @@ fi...
2004 Dec 28
2
LinuxPAM and sshd: changing conversation function doesn't work but claims to.
...e, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
debug("PAM: changing password");
sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
The conversation functions also have a debug() at the start announcing
that they've been called and the number of messages passed.
If I run the server[1] in debug mode with PAM enabled and privilege
separation off, and connect with SSHv1 with an account that has an
expired password, t...
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...s expired. This needs to be called after an interactive
+ * session is established and the user's pty is connected to
+ * stdin/stout/stderr.
+ */
+void do_pam_chauthtok()
+{
+ int pam_retval;
+
+ if (password_change_required) {
+ pamstate = OTHER;
+ do {
+ pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ } while (pam_retval != PAM_SUCCESS);
}
}
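Review bot: The `do { ... } while (pam_retval != PAM_SUCCESS);` loop in do_pam_chauthtok() has no retry limit and does not look at which error was returned, so any persistent failure from pam_chauthtok() (for example PAM_PERM_DENIED or PAM_AUTHTOK_LOCK_BUSY) keeps the session spinning in this loop. Suggest bounding the number of attempts and breaking out, with the error logged via pam_strerror(), on return codes that a retry cannot fix. The comment above the function also has a typo, "stout" for "stdout".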
@@ -238,12 +291,11 @@
debug("Starting up PAM with username \"%.200s\"", pw->pw_name);
- pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv,
- (pam_handle_t**)&pamh);
+ pam_retval = pam_start(SSHD_P...
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...id *)&pam_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
- pam_strerror(sshpam_handle, sshpam_err));
+ pam_strerror(grab_pamh(0, NULL), sshpam_err));
debug("PAM: changing password");
- sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+ sshpam_err = pam_chauthtok(grab_pamh(0, NULL), PAM_CHANGE_EXPIRED_AUTHTOK);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: pam_chauthtok(): %s",
- pam_strerror(sshpam_handle, sshpam_err));
+ pam_strerror(grab_pamh(0, NULL), sshpam_err));
}
/*
@@ -706,7 +803,7 @@
compou...
2006 Jan 19
5
Only one chance to enter a new password?
Hello there,
We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various
Solaris boxes with PAM and an LDAP server back end.
Recently we have added a requirement for users to have complex
passwords. The problem is, if a user's password has expired, when they
log in they are prompted for a new password (good) but if they enter a
non-complex new password the session is closed rather than
2018 Sep 28
2
Support for RFC4252 in sshd with PAM
...ug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]
However all I can see from the "password_change_required" is code in
auth-pam.c to set the auth token to PAM_CHANGE_EXPIRED_AUTHTOK, but no
RFC4252 style communication.
Then later.
debug2: ## DH: userauth_finish [preauth]
debug3: auth2_update_methods_lists: updating methods list after "password"
[preauth]
debug2: authentication methods list 0 complete [preauth]
debug2: ## DH: about to do_pam_account [preaut...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...tcred(int init)
{
@@ -344,17 +354,15 @@
do_pam_set_conv(&conv);
if (password_change_required) {
- if (use_privsep)
- fatal("Password changing is currently unsupported"
- " with privilege separation");
pamstate = OTHER;
pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
if (pam_retval != PAM_SUCCESS)
fatal("PAM pam_chauthtok failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
-#if 0
/* XXX: This would need to be done in the parent process,
* but there's currently no way to pass such request. */
+ password_chan...
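Review bot: The retained context comment `/* XXX: This would need to be done in the parent process, but there's currently no way to pass such request. */` becomes stale once the `#if 0` guard below it and the use_privsep `fatal()` above it are removed. Please update the comment to describe how the password-change state now reaches the parent under privilege separation, so the next reader does not assume the limitation still applies.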
2003 Mar 20
4
Call for testing for 3.6: password expiry?
I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
http://bugzilla.mindrot.org/show_bug.cgi?id=14
On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
http://bugzilla.mindrot.org/show_bug.cgi?id=125
In fact, both patches work together, apparently.
If I have any
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...tcred(int init)
{
@@ -344,17 +354,15 @@
do_pam_set_conv(&conv);
if (password_change_required) {
- if (use_privsep)
- fatal("Password changing is currently unsupported"
- " with privilege separation");
pamstate = OTHER;
pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
if (pam_retval != PAM_SUCCESS)
fatal("PAM pam_chauthtok failed[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
-#if 0
/* XXX: This would need to be done in the parent process,
* but there's currently no way to pass such request. */
+ password_chan...
2002 Jul 02
3
New PAM kbd-int diff
...a packet during conversation");
- }
-
- if (context_pam2.num_received == context_pam2.num_expected) {
- *resp = context_pam2.responses;
- return PAM_SUCCESS;
- } else
- return PAM_CONV_ERR;
+ err = pam_acct_mgmt(sshpamh, 0);
+ if (err == PAM_NEW_AUTHTOK_REQD)
+ err = pam_chauthtok(sshpamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (err != PAM_SUCCESS)
+ goto auth_fail;
+#endif
+ sshpam_send(ctxt, "=OK");
+ pam_end(sshpamh, err);
+ exit(0);
+
+ auth_fail:
+ sshpam_send(ctxt, "!%s", pam_strerror(sshpamh, err));
+ pam_end(sshpamh, err);
+ exit(0);
}
-void
-input_userauth_info_response_pam(int type...
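Review bot: The `auth_fail:` path ends with `exit(0)`, the same status as the success path, so the exit status carries no information and the only failure signal is the `"!%s"` message sent just before it. Suggest a non-zero exit status on the failure path so the two outcomes stay distinguishable even if the message is not delivered, and a short comment on what the `=` and `!` prefixes mean to the receiving side.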
2002 Jun 25
4
PAM kbd-int with privsep
...le(context_pam2.finished == 0) {
- done = 1;
- dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr);
- if(context_pam2.finished == 0)
- debug("extra packet during conversation");
- }
+ err = pam_acct_mgmt(sshpamh, 0);
+ if (err == PAM_NEW_AUTHTOK_REQD)
+ err = pam_chauthtok(sshpamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (err != PAM_SUCCESS)
+ goto auth_fail;
+#endif
+ sshpam_send(ctxt, "=OK");
+ pam_end(sshpamh, err);
+ exit(0);
+
+ auth_fail:
+ sshpam_send(ctxt, "!%s", pam_strerror(sshpamh, err));
+ pam_end(sshpamh, err);
+ exit(0);
+}
- if(context_pam2.num_received == context_pam2.n...