search for: pam_chauthtok

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it...

http://bugzilla.mindrot.org/show_bug.cgi?id=188 Summary: pam_chauthtok() is called too late Product: Portable OpenSSH Version: 3.1p1 Platform: Other OS/Version: All Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org Reporte...

http://bugzilla.mindrot.org/show_bug.cgi?id=188 ------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 ------- Created an attachment (id=55) Patch to do pw aging in kbd-interactive ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh", remove unnecessary casts "(pam_handle_t *)" * fix typo in NEW_AUTHTOK_MSG * extend pamconv() to support real interactive prompting and display, in addition to the kludge to...

Can I ask for some advice, as to where in the code would be the logical place to add code to ask a user to change his password? Presumably do_pam_account is the *wrong* place. Guess I should build a do_pam_password function, but who should be calling it?

http://bugzilla.mindrot.org/show_bug.cgi?id=188 ------- Additional Comments From stevesk at pobox.com 2002-06-04 05:46 ------- 20020426 - (djm) Disable PAM password expiry until a complete fix for bug #188 exists ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=188 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |smueller at atsec.com ------- Additional Comments From stevesk at pobox.com 2002-07-18 15:46 ------- *** Bug 256 has been marked as a

http://bugzilla.mindrot.org/show_bug.cgi?id=188 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dirk.bockmann at customs.gov.au ------- Additional Comments From stevesk at pobox.com 2002-08-30 07:08 ------- *** Bug 362 has been

http://bugzilla.mindrot.org/show_bug.cgi?id=188 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From djm at mindrot.org 2003-05-14 22:32

...onversation functions (5, in the current development versions). One of these is a fairly generic "tty_conv" that interacts with the user directly on stdin/stdout and /dev/tty. Since the user doesn't get a pty until quite late in the login process, this function is only used for pam_chauthtok() in some cases, and always after sshd has forked to set up for the user's shell. The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's do_pam_chauthtok() in auth-pam.c): static struct pam_conv tty_conv = { pam_tty_conv, NULL }; [...] sshpam_err = pam_set_item(sshpa...

Okay, I'm confused again. They way you guys are talking about the conversation routine, it would seem that you think it is a way to fetch something from the user - like a new password. Is this possible? Does calling pam_chauthtok() cause the underlying pam_sm_chauthtok() eventually print something on stdout and read a new password from stdin (the socket to the client) using the conversation routine? If this is what is happening, then logically the bug is in the part of the conversation routine that isn't checking to se...

http://bugzilla.mindrot.org/show_bug.cgi?id=1065 ------- Comment #11 from joss at debian.org 2005-12-06 22:31 ------- Created an attachment (id=1036) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1036&action=view) Debugging output of the issue Finally, here is the output of sshd -ddd. First, in normal operation. Second, when the problem occurs. Third, with an expired password,

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn...

Hi, The Solaris password requirements like a. no empty password b. minimum 6 chars etc for a regualr user are not enforced when a password expired user is changing password at the SSH login prompt. The version of openSSH I am using is 3.8.1 and Solaris 8 is where the sshd is running. Is anybody aware of this problem? Is there some configuration option I can use to enforce these password

...called in OpenSSH userauth has been completed, so kbd-interactive is not used for the password changing and instead the work is relegated till the TTY session is setup. By then the login process has begun and the user even has a UTMP entry. To make matters worse, OpenSSH calls pam_setcred() before pam_chauthtok(). Clearly that is wrong. Our PAM_KRB5 module has a module option "pw_exp_in_auth" which causes it to do the password aging prompting in pam_krb5:pam_sm_authenticate(). Using this option with the "sshd" PAM service causes password aging to be performed over the kbd-interactive...

...f my pam module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd. In the source code I then saw that the passwd binary is called directly, which explains the behavior. Furthermore I saw in the source that in special cases pam_chauthtok is called. As an experiment I made the nns redirection to the root user and set PermitRootLogin to yes in the sshd_config. Then the pam module which was configured in /etc/pam.d/sshd is called to change the password, as I would have expected in the case of the non-root user. So I wonder why pam_ch...

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't....

Hi, freebsd-security. I have FreeBSD 5.3-STABLE. When I try to change user's password (via passwd) I recieve the following: passwd: entry inconsistent passwd: pam_chauthtok(): error in service module passwd: in pam_sm_chauthtok(): pw_copy() failed and password stays unchanged. There are no other errors in the authorization system at all. Contents of /etc/pam.d stayed unchanged (compared to /usr/src/pam.d) Permissions: /etc/group 644 root:wheel /etc/passwd 644 root:w...

...change it now, enter your login password and after doing so you are instantly disconnected. I think this is a problem with PAM and not SSH, but how can I get a solution on this ? sshd is running without problems, no core dump. In /var/adm/messages there is the following output: auth.crit fatal: PAM pam_chauthtok failed[-1]: Unknown error that's all. Is there a workaround (like using a different PAM library and not pam_unix.so) ? Alex

Hi, What I am about to describe is something that has existed for a very long time, but it is still a usability issue. :) When logging in to a system and the system detects that the password has expired and needs to change this happens Login As: Foobar Password: Your password has expired. Choose a new password. Old Pasword: Now the user has just read the text "Your password has