search for: pam_conv_err

Displaying 20 results from an estimated 27 matches for "pam_conv_err".

2005 Jun 21
1
problem with pam_converse with openssh protocol version 1
...RR; pin=strdup(resp->resp); free (resp); It works. For example rlogin shows string "Enter PIN:" and returns answer in resp->resp. Openssh works exactly the same, right way, if 'ChallengeResponseAuthentication yes' is set and v2 protocol is used. With v1 PAM_CONV_ERR is always returned, which means that error occurred during conversation with user. However no conversation takes place - "Enter PIN:" is not shown, user is asked for nothing. Logging in with v1 looks this way: # ssh -1 -p machine Password: Response: user at machine's password: (......
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function, do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2, this is no longer the case: session modules run with a conversation function that just returns PAM_CONV_ERR. This means that simple session modules whose job involves printing text on the user's terminal no longer work: pam_lastlog, pam_mail, and pam_motd. Can somebody explain to me why this change was made (as part of the FreeBSD PAM merge, apparently), or if it was a mistake? I realize that sessio...
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All. While wandering in auth-pam.c I noticed that there's a few Portable-specific escapees from the xmalloc(foo * bar) cleanup. There's also a "probably can't happen" integer overflow in ssh-rand-helper.c with the memset: num_cmds = 64; - entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t)); + entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...1024]; + u_int dlen; + int plen, type; + char *response; + /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) @@ -111,10 +119,40 @@ */ switch(PAM_MSG_MEMBER(msg, count, msg_style)) { case PAM_PROMPT_ECHO_ON: - free(reply); - return PAM_CONV_ERR; + if (pamprompt != PAM_PROMPT_ECHO_ON || + (*msg)[count].msg == NULL) { + free(reply); + return PAM_CONV_ERR; + } + + /* handle challenge/response (ssh1 TIS) */ + /* Send the challenge */ + strlcpy(buf, PAM_MSG_MEMBER(msg, count, msg), + sizeof(buf)); + debug(&...
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...words. + */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) { struct pam_response *reply; int count; + char buf[1024]; /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) return PAM_CONV_ERR; - for(count = 0; count < num_msg; count++) { - switch (msg[count]->msg_style) { + for (count = 0; count < num_msg; count++) { + switch ((*msg)[count].msg_style) { + case PAM_PROMPT_ECHO_ON: + fputs((*msg)[count].msg, stderr); + fgets(buf, sizeof(buf), stdin); + reply[count...
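Review bot: in the new PAM_PROMPT_ECHO_ON case the return value of fgets(buf, sizeof(buf), stdin) is not checked, so on EOF or a read error the uninitialised contents of buf would go into the reply for this message. Test for NULL there, free reply and return PAM_CONV_ERR, as the malloc failure path just above already does.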
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...m_message **msg, struct pam_response **resp, void *data) { char input[PAM_MAX_MSG_SIZE]; @@ -620,7 +603,7 @@ pam_chauthtok_conv(int n, const struct p *resp = NULL; - if (n <= 0 || n > PAM_MAX_NUM_MSG) + if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) return (PAM_CONV_ERR); if ((reply = malloc(n * sizeof(*reply))) == NULL) @@ -662,6 +645,8 @@ pam_chauthtok_conv(int n, const struct p return (PAM_CONV_ERR); } +static struct pam_conv tty_conv = { pam_tty_conv, NULL }; + /* * XXX this should be done in the authentication phase, but ssh1 doesn't * suppo...
2003 Sep 01
2
[Bug 632] PAM conversation function does not return when connection is aborted
...signedTo: openssh-bugs at mindrot.org ReportedBy: Markus.Kuhn at cl.cam.ac.uk When a user presses Ctrl-C in ssh while being prompted by the PAM conversation function during a keyboard-interactive authentication, then sshd's conversation function does not return to the PAM library with PAM_CONV_ERR. Instead sshd calls pam_end() directly from inside the conversation function. This is in violation of "The Linux-PAM application developers' guide" (draft 0.73, 2000-12-02), which states in section 3.2.1, page 14 that "should an error occur the application should [...] simply re...
2002 Jan 07
3
keyboard-interactive
Is there a way for a PAM module to force a client (and the server) to use kbd-interactive? As far as I can tell, when in the INITIAL_LOGIN phase, all communication with the client returns a PAM_CONV_ERR. I am trying to write a PAM module that will prompt a user for a second username and a second password in order for the module to succeed so that proper authentication relies on the ability to authenticate against n machines, where n < 1. I looked at the pam_authsrv module, but that appear...
2007 Apr 10
6
[PATCH 0/6] openssh V_4_6: minor fixes/cleanups
This patch series consists of minor fixes and cleanups I made during update to openssh V_4_6 branch. openssh/auth-pam.c | 9 ++++----- openssh/auth2.c | 2 -- openssh/readconf.c | 7 ++++--- openssh/servconf.c | 14 ++++++++------ openssh/sftp-server.c | 9 ++++++--- openssh/sshd.c | 2 +- 6 files changed, 23 insertions(+), 20 deletions(-) -- ldv
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
...int dlen, plen, type; /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); @@ -70,13 +75,58 @@ for(count = 0; count < num_msg; count++) { switch (msg[count]->msg_style) { case PAM_PROMPT_ECHO_OFF: - if (pampasswd == NULL) { - free(reply); - return PAM_CONV_ERR; + if (current_auth_type==SSH_CMSG_AUTH_TIS && pampasswd==NULL) { + /* TIS */ + int prompt_len; + char *prompt; + debug("send SSH_SMSG_...
2002 Apr 26
0
PAM keyboard-interactive
...ses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof **resp)) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case PAM_PROMPT_ECHO_OFF: - context_pam2.num_expected++; + pam_send(ctxt, "p%s&quot...
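Review bot: in the added loop, resp[i]->resp_retcode and resp[i]->resp treat resp as an array of n pointers, but the calloc just above stores a single array of n structures in *resp, so for i > 0 the code dereferences whatever follows that one pointer. Index the allocated array instead, as (*resp)[i].resp_retcode and (*resp)[i].resp; since calloc already zeroes the block, the two assignments could also be dropped. The same loop reads msg[i]->msg_style where the removed code went through PAM_MSG_MEMBER(msg, i, msg_style), which is worth keeping if the macro exists to cover differing msg layouts.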
1998 Oct 07
1
Re: sshd and PAM [summary]
-----BEGIN PGP SIGNED MESSAGE----- Hi, I've got several replies, thank you for them. Let me summarize: o Many people say there is a PAMified version of ssh available at ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source) ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries) (there are analogous paths for the other architectures). The packages are made by Jan
2002 Jun 25
4
PAM kbd-int with privsep
...ses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof **resp)) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case PAM_PROMPT_ECHO_OFF: - context_pam2.num_expected++; + sshpam_send(ctxt, "p%s&q...
2016 Mar 07
2
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
...PAM support Assignee: unassigned-bugs at mindrot.org Reporter: tomas.kuthan at oracle.com Currently OpenSSH runs pam_setcred with 'fake' conversation function sshpam_store_conv. If some PAM module actually tries to converse for pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR. But there are/will be real world PAM modules, that actually need to converse for pam_setcred. This bug asks for making that possible for keyboard-interactive authentication. Allowing pam_setcred conversation for other user auths (pubkey, password, hostbased, gssapi-with-mic, ...) would be signi...
2002 Jun 27
1
[PATCH] kbdintctxt->nreq test
If the info_response code is going to test that the # of responses is < 100, then the info_request code should check that < 100 prompts are sent. It would be rude to send 101 prompts and then fail when the responses come back. I actually think the test should be removed altogether, the limit seems quite arbitrary, but here is a patch to not send > 100 prompts. With this patch, the test
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
...ctxt */ + static void sshpam_free_ctx(void *); /* @@ -142,6 +145,10 @@ *resp = NULL; ctxt = data; + if ( ctxt == NULL ) + { + ctxt = sshpam_ctxt; + } if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); @@ -221,6 +228,7 @@ sshpam_conv.conv = sshpam_thread_conv; sshpam_conv.appdata_ptr = ctxt; + sshpam_ctxt = ctxt; buffer_init(&buffer); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, --- contrib/solaris/buildpkg.sh 2004/02/26 19:35:55 1.1....
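Review bot: the fallback added before the n range check, where a NULL data is replaced by the file-scope sshpam_ctxt, hides a caller that registered the conversation without an appdata_ptr, and none of the visible hunks clears sshpam_ctxt when the context is freed, so a later call could pick up a stale pointer. Returning PAM_CONV_ERR on ctxt == NULL, or resetting sshpam_ctxt to NULL in sshpam_free_ctx, would keep that failure explicit. The added block's spacing and brace placement, if ( ctxt == NULL ) with the brace on its own line, also differ from the if (n <= 0 || n > PAM_MAX_NUM_MSG) line directly below it.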
2009 Jul 13
0
openssh conversation failure issue on HPUX
...10798]: pam_setcred: error Permission denied See http://www.docs.hp.com/en/T1471-90033/ch01s06.html We track the issue to sshpam_cleanup() which resets the conversation function pointer to sshpam_null_conv() before calling pam_setcred with PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR. It seems HPUX PAM module then decided to call the conversation function (not sure why), and gets this error. Is it possible/advisable to (maybe use #ifdef) move the pam_set_item call to after the pam_setcred block? Thanks Leo Liou Not a shred of evidence exists in favor of the notion that life i...
2003 Feb 26
0
PAM merge from FreeBSD
...re) tried by the client and completed successfully. (NOTE: there's no tty at that point, nor any way to know if the client will want a tty session) - userauth methods other than kbd-int should have a null conversation function (either NULL, literally, or a function that returns PAM_CONV_ERR if any echo on/off prompts are issued) - all of those PAM calls have to be done in a process which is an ancestor to the user's actual session processes and those user processes should not be created before calling PAM either - preferably the process that calls pam_open_session() shou...
2002 Jul 02
3
New PAM kbd-int diff
...ses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof(struct pam_response))) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case PAM_PROMPT_ECHO_OFF: - context_pam2.num_expected++; + sshpam_send(ctx...