Displaying 20 results from an estimated 32 matches for "pam_close_sess".
2004 Sep 01
2
openssh-3.9p1: no pam_close_session() invocation
Hello,
I would like to point to this problem again as I have not seen a reply to
my original posting:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106458208520320&w=2
and the problem still exists in version 3.9p1.
After closing a ssh-session the pam_close_session() function is not
invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does not
help.
Could someone acknowledge the problem, or even better, could some openssh
developer fix it?
With kind regards
CB
--
Dr. Carsten Benecke, Regionales Rechenzentrum, Universität Hamburg,
Schlüt...
2003 Sep 26
1
openssh-3.7.1p2: no pam_close_session() invocation
Hello,
I would like to use PAM. All PAM interaction worked well with openssh-3.5
Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session()
function won't get invoked. Some debugging shows, that the call is
protected by an if-statement (module auth-pam.c, function sshpam_cleanup):
if (sshpam_session_open) {
pam_close_session(sshpam_handle, PAM_SILENT);
/* cb, 26.09.03 */
debug2("\n\nin sshpam_cleanup: mypid = %d\...
2007 Oct 31
1
pam_close_session for ssh as root
Hello,
I have a question.
Why do I have pam_close_session with every user but not with root?
Can I configure this in sshd_conf?
Best regards
Karl-Heinz Delzeit
2005 May 22
3
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926
dtucker at zip.com.au changed:
What                     |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis |994     |
------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...ebug1: Cannot delete credentials[9]: Authentication failed
in debug mode. ("Authentication failed" is reported with privsep.
Without the reason given is "Permission denied".)
When turning on debug logging in syslog, the messages corresponding
to session termination are
PAM: pam_close_session()
PAM: load_function: successful load of pam_sm_close_session
PAM: pam_setcred: error Authentication failed
PAM: pam_end(): status = Authentication failed
Strange enough that pam_end() is reported to have failed too, despite
the sshd apparently got PAM_SUCCESS returned! I tried the syste...
2005 Feb 02
0
Dovecot doesn't call pam_open_session, thus dodging pam_mkhomedir (fwd)
...+ if ((status = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
+ *error = t_strdup_printf("pam_open_session(%s) failed: %s",
+ user, pam_strerror(pamh, status));
+ return status;
+ }
+
+ if ((status = pam_close_session(pamh, 0)) != PAM_SUCCESS) {
+ *error = t_strdup_printf("pam_close_session(%s) failed: %s",
+ user, pam_strerror(pamh, status));
+ return status;
+ }
+
status = pam_get_item(pamh, PAM_USER, (linux_const...
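Review bot: the back-to-back pam_open_session / pam_close_session pair needs a comment stating that the session is opened only for the side effects of session modules and is closed again at once, because without it the pair reads like a mistake. Also decide whether a pam_close_session failure should fail the whole call: both branches `return status`, so a module that cannot close cleanly rejects the user even though the open succeeded. Logging the close failure and continuing may be the better behaviour.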
2008 Oct 27
3
[Bug 1534] New: openssh calls pam functions in the wrong order on logout
...ugzilla.mindrot.org/attachment.cgi?id=1577)
openssh pam fix for calling functions in the right order on logout
Copied from original bugreport by Andreas Schwab in Novell bugzilla:
openssh calls the pam functions on logout in the wrong order.
pam_setcred with the DELETE_CRED flag is called before
pam_close_session is called.
This means that e.g. a kerberos aware module can't use the kerberos
credentials cache to close its session, cause the tickets are already
gone.
pam_setcred with DELETE_CRED should be called after pam_close_session.
See attached patch.
--
Configure bugmail: https://bugzil...
2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM:
1) pam_close_session() - do lastlog stuff
2) pam_setcred(PAM_DELETE_CRED) - delete credentials
3) pam_end() - close PAM
It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
This is due to a check done in pam_unix.so to not allow a caller with euid 0
to even try to delete their SECURE_RPC creden...
2013 Jan 19
1
PAM function ordering
...isn't going to stop
connections. I remain confused though how the krb5 module in BSD could ever
have its setcred function called successfully by OpenSSH. Perhaps it's an
eccentric Kerberos implementation?
Similarly, I wonder if there are any known guidelines on how
pam_setcred(DESTROY) and pam_close_session are meant to be called, and if
there are any constraints in the order between to be portable?
Thanks ever so much for any clues you could give me. Hopefully I'm simply
missing something.
Nicholas
----------
Nicholas Wilson: nicholas at nicholaswilson.uk
2005 Jan 27
1
Dovecot doesn't call pam_open_session, thus dodging pam_mkhomedir
I hit a small snag using Dovecot-imapd smoothly in my environment
with maildir and most of my accounts in LDAP. Since the accounts are
created through a web interface on another server home directories on
the mail server don't get created automatically. There's the handy pam
module pam_mkhomedir.so to automagically create home directories, but
unfortunately Dovecot wasn't calling
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...r);
+ }
+ }
reply[count].resp = xstrdup("");
-
- if (msg[count]->msg != NULL)
- pam_msg_cat(msg[count]->msg);
-
+ reply[count].resp_retcode = PAM_SUCCESS;
break;
default:
free(reply);
@@ -103,22 +135,22 @@
if (pamh != NULL)
{
- pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
+ pam_retval = pam_close_session(pamh, 0);
if (pam_retval != PAM_SUCCESS) {
log("Cannot close PAM session: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ PAM_STRERROR(pamh, pam_retval));
}
- pam_retval = pam_setcred((pam_han...
2006 May 22
9
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926
------- Comment #8 from djm at mindrot.org 2006-05-22 15:12 -------
I don't understand - surely the limits should be applied in the *child*
process and not the parent process?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
...100)
| |
| fork ------- (future shell)
| | |
| | exec(bash)
| | |
| | X
| |
| X
|
pam_close_session
|
pam_setcred
|
pam_end
|
X
The problem is, that pam_authenticate and pam_acct_mgmt is called in a
separate auxiliary process. Any data stored using pam_set_data and any
other state information stored by those two functions are lost when the
auxiliary process exits (with exceptions...
1998 Oct 07
1
Re: sshd and PAM [summary]
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
I've got several replies, thank you for them. Let me summarize:
o Many people say there is a PAMified version of ssh available at
ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source)
ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries)
(there are analogous paths for the other architectures). The packages
are made by Jan
2001 Feb 26
1
2.5.1p1 on Redhat Linux 6.2 using PAM does not log closing of session
Hello all,
On Redhat 6.2, the PAM_unix module logs the session opening, but not
the session closing. This was logged as of 2.3.0p1. Upgrading to
2.5.1p1 marks the start of the problem.
Thanks in advance,
Victor
--
Victor J. Orlikowski
======================
v.j.orlikowski at gte.net
orlikowski at apache.org
vjo at us.ibm.com
2004 Mar 24
1
Trying to compile Samba 3.0.2a
...on `smb_internal_pam_session':
: undefined reference to `pam_open_session'
auth/pampass.o(.text+0x18b0): In function `smb_internal_pam_session':
: undefined reference to `pam_setcred'
auth/pampass.o(.text+0x18be): In function `smb_internal_pam_session':
: undefined reference to `pam_close_session'
auth/pampass.o(.text+0x194d): In function `smb_pam_chauthtok':
: undefined reference to `pam_chauthtok'
collect2: ld returned 1 exit status
make: *** [bin/smbd] Error 1
Any help would be very much appreciated.
Thanks,
John Seo
1998 Dec 04
1
Red Hat 5.2's login doesn't do PAM session management correctly
...ed Hat 5.2's util-linux package was modified so that it no
longer forks a separate process for the user's shell; instead, it
immediately closes the session and execs the user's shell. This means that
a PAM module which expects to be able to do post-session cleanup in its
pam_close_session hook will do the cleanup *before* the user's shell is
invoked. This breaks the pam_linux_afs module (which invokes AFS's unlog)
and KTH Kerberos's pam_krb4 module (which destroys the ticket cache), among
others, so the session is effectively unauthenticated (contrary...
2006 Aug 04
2
[Bug 926] pam_session_close called as user or not at all
...solution which would
solve all cases (privsep yes/no, root/regular user) would be to add
another fork before the setuid calls and shell process exec.
login does this:
1. call pam_open_session
2. fork
3. parent waits for child, child impersonates user, execs shell
4. when child exits, parent calls pam_close_session
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...)
{
debug("PAM: cleanup");
- if (sshpam_handle == NULL)
- return;
- pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
- if (sshpam_cred_established) {
- pam_setcred(sshpam_handle, PAM_DELETE_CRED);
- sshpam_cred_established = 0;
- }
- if (sshpam_session_open) {
- pam_close_session(sshpam_handle, PAM_SILENT);
- sshpam_session_open = 0;
- }
- sshpam_authenticated = sshpam_new_authtok_reqd = 0;
- pam_end(sshpam_handle, sshpam_err);
- sshpam_handle = NULL;
+ if (grab_pamh(0, NULL) != NULL) {
+ pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&null_conv);
+ if (...
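Review bot: grab_pamh(0, NULL) is evaluated once in the new `if` condition and again as the first argument to pam_set_item on the next line. Fetch it once into a local handle at the top of the cleanup function and use that local for the NULL check and for every PAM call that follows, so the check and the use cannot see different handles and the guard stays as easy to read as the removed `if (sshpam_handle == NULL) return;`.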
2003 Feb 26
0
PAM merge from FreeBSD
...ts are issued)
- all of those PAM calls have to be done in a process which is an
ancestor to the user's actual session processes and those user
processes should not be created before calling PAM either
- preferably the process that calls pam_open_session() should be the
one to call pam_close_session(), on the same PAM handle on which
pam_open_session() was called
- no concurrence (threads) is needed for any of this, but because of
the way PAM conversations work
- the event loop must be nested (yes, this is workable, and 3.5p1
does nest the event loop in kbd-int userauth w...