Displaying 20 results from an estimated 54 matches for "pam_chauthtok".
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.
In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password
if it...
2002 Mar 26
0
[Bug 188] New: pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
Summary: pam_chauthtok() is called too late
Product: Portable OpenSSH
Version: 3.1p1
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
Reporte...
2002 Mar 27
4
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 -------
Created an attachment (id=55)
Patch to do pw aging in kbd-interactive
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
noticed that it did not honor password expiration consistently with
other Solaris login services.
The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
password changes on expiration via pam_chauthtok(). A brief summary of
changes:
auth-pam.c:
* change declaration of pamh to "static pam_handle_t *pamh", remove
unnecessary casts "(pam_handle_t *)"
* fix typo in NEW_AUTHTOK_MSG
* extend pamconv() to support real interactive prompting and display, in
addition to the kludge to...
2000 May 31
1
pam_chauthtok placement
Can I ask for some advice, as to where in the code would be the logical
place to add code to ask a user to change his password? Presumably
do_pam_account is the *wrong* place. Guess I should build a
do_pam_password function, but who should be calling it?
2002 Jun 03
0
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From stevesk at pobox.com 2002-06-04 05:46 -------
20020426
- (djm) Disable PAM password expiry until a complete fix for bug #188
exists
2002 Jul 18
0
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
stevesk at pobox.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |smueller at atsec.com
------- Additional Comments From stevesk at pobox.com 2002-07-18 15:46 -------
*** Bug 256 has been marked as a
2002 Aug 29
0
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
stevesk at pobox.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dirk.bockmann at customs.gov.au
------- Additional Comments From stevesk at pobox.com 2002-08-30 07:08 -------
*** Bug 362 has been
2003 May 14
2
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
------- Additional Comments From djm at mindrot.org 2003-05-14 22:32
2004 Dec 28
2
LinuxPAM and sshd: changing conversation function doesn't work but claims to.
...onversation
functions (5, in the current development versions).
One of these is a fairly generic "tty_conv" that interacts with the
user directly on stdin/stdout and /dev/tty. Since the user doesn't get
a pty until quite late in the login process, this function is only used
for pam_chauthtok() in some cases, and always after sshd has forked to
set up for the user's shell.
The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's
do_pam_chauthtok() in auth-pam.c):
static struct pam_conv tty_conv = { pam_tty_conv, NULL };
[...]
sshpam_err = pam_set_item(sshpa...
2001 Oct 25
3
PAM conversation stuff
Okay, I'm confused again. The way you guys are talking about the
conversation routine, it would seem that you think it is a way to fetch
something from the user - like a new password. Is this possible? Does
calling pam_chauthtok() cause the underlying pam_sm_chauthtok()
eventually print something on stdout and read a new password from stdin
(the socket to the client) using the conversation routine? If this is
what is happening, then logically the bug is in the part of the
conversation routine that isn't checking to se...
2005 Dec 06
4
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065
------- Comment #11 from joss at debian.org 2005-12-06 22:31 -------
Created an attachment (id=1036)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1036&action=view)
Debugging output of the issue
Finally, here is the output of sshd -ddd. First, in normal operation. Second,
when the problem occurs. Third, with an expired password,
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All.
Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive. It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired. To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.
This doesn...
2004 Jul 28
3
Solaris password requirements not enforced
Hi,
The Solaris password requirements like
a. no empty password
b. minimum 6 chars
etc for a regular user are not enforced when a password expired user is
changing password at the SSH login prompt.
The version of openSSH I am using is 3.8.1 and Solaris 8 is where the
sshd is running.
Is anybody aware of this problem?
Is there some configuration option I can use to enforce these password
2002 Mar 26
2
SSH / PAM / Kerberos / password aging
...called in
OpenSSH userauth has been completed, so kbd-interactive is not used for
the password changing and instead the work is relegated till the TTY
session is setup. By then the login process has begun and the user even
has a UTMP entry.
To make matters worse, OpenSSH calls pam_setcred() before
pam_chauthtok(). Clearly that is wrong.
Our PAM_KRB5 module has a module option "pw_exp_in_auth" which causes it
to do the password aging prompting in pam_krb5:pam_sm_authenticate().
Using this option with the "sshd" PAM service causes password aging to
be performed over the kbd-interactive...
2023 Dec 22
0
sshd and password expiration
...f my pam module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd.
In the source code I then saw that the passwd binary is called directly, which explains the behavior. Furthermore I saw in the source that in special cases pam_chauthtok is called.
As an experiment I made the nns redirection to the root user and set PermitRootLogin to yes in the sshd_config. Then the pam module which was configured in /etc/pam.d/sshd is called to change the password, as I would have expected in the case of the non-root user.
So I wonder why pam_ch...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
Hi All.
Attached is another patch that attempts to do pam_chauthtok() via SSH2
keyboard-interactive authentication. It now passes the results from the
authentication thread back to the monitor (based on a suggestion from
djm).
Because of this, it doesn't call do_pam_account twice and consequently
now works on AIX 5.2, which the previous version didn't....
2005 Mar 22
3
PAM fails to change user password
Hi, freebsd-security.
I have FreeBSD 5.3-STABLE.
When I try to change user's password (via passwd) I receive the
following:
passwd: entry inconsistent
passwd: pam_chauthtok(): error in service module
passwd: in pam_sm_chauthtok(): pw_copy() failed
and password stays unchanged.
There are no other errors in the authorization system at all.
Contents of /etc/pam.d stayed unchanged (compared to /usr/src/pam.d)
Permissions:
/etc/group 644 root:wheel
/etc/passwd 644 root:w...
2001 Nov 08
5
OpenSSH3.0p1/PAM/Sol8
...change it now, enter your
login password and after doing so you are instantly disconnected. I think
this is a problem with PAM and not SSH, but how can I get a solution on this?
sshd is running without problems, no core dump. In /var/adm/messages there
is the following output:
auth.crit fatal: PAM pam_chauthtok failed[-1]: Unknown error
that's all. Is there a workaround (like using a different PAM library and
not pam_unix.so) ?
Alex
2015 Jan 23
4
Usability issue when forced to change password when logging in to a system
Hi,
What I am about to describe is something that has existed for a very
long time, but it is still a usability issue. :)
When logging in to a system and the system detects that the password has
expired and needs to change this happens
Login As: Foobar
Password:
Your password has expired. Choose a new password.
Old Pasword:
Now the user has just read the text
"Your password has