Displaying 20 results from an estimated 27 matches for "pam_conv_err".
2005 Jun 21
1
problem with pam_converse with openssh protocol version 1
...RR;
pin=strdup(resp->resp);
free (resp);
It works. For example rlogin shows string "Enter PIN:" and returns
answer in resp->resp. Openssh works exactly the same, right way, if
'ChallengeResponseAuthentication yes' is set and v2 protocol is used.
With v1 PAM_CONV_ERR is always returned, which means that error occurred
during conversation with user. However no conversation takes place -
"Enter PIN:" is not shown, user is asked for nothing. Logging in with v1
looks this way:
# ssh -1 -p machine
Password:
Response:
user at machine's password:
(......
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
this is no longer the case: session modules run with a conversation
function that just returns PAM_CONV_ERR. This means that simple session
modules whose job involves printing text on the user's terminal no
longer work: pam_lastlog, pam_mail, and pam_motd.
Can somebody explain to me why this change was made (as part of the
FreeBSD PAM merge, apparently), or if it was a mistake? I realize that
sessio...
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch
in the sshd_config. You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2006 May 04
2
xmalloc(foo*bar) -> xcalloc(foo, bar) for Portable
Hi All.
While wandering in auth-pam.c I noticed that there's a few Portable-specific
escapees from the xmalloc(foo * bar) cleanup.
There's also a "probably can't happen" integer overflow in
ssh-rand-helper.c with the memset:
num_cmds = 64;
- entcmd = xmalloc(num_cmds * sizeof(entropy_cmd_t));
+ entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));
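Review bot: xcalloc returns zero-filled memory, so after the `+ entcmd = xcalloc(num_cmds, sizeof(entropy_cmd_t));` line the memset mentioned in the message does redundant work. If it only clears entcmd, drop it in the same change so that no unchecked size product remains for this buffer.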
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...1024];
+ u_int dlen;
+ int plen, type;
+ char *response;
+
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
if (reply == NULL)
@@ -111,10 +119,40 @@
*/
switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
case PAM_PROMPT_ECHO_ON:
- free(reply);
- return PAM_CONV_ERR;
+ if (pamprompt != PAM_PROMPT_ECHO_ON ||
+ (*msg)[count].msg == NULL) {
+ free(reply);
+ return PAM_CONV_ERR;
+ }
+
+ /* handle challenge/response (ssh1 TIS) */
+ /* Send the challenge */
+ strlcpy(buf, PAM_MSG_MEMBER(msg, count, msg),
+ sizeof(buf));
+ debug(&...
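Review bot: the new NULL check reads the message as `(*msg)[count].msg`, while the switch above it and the strlcpy below it go through PAM_MSG_MEMBER(msg, count, ...); use the macro in the check too so all three accesses agree on the layout of msg. The strlcpy into buf also truncates a long challenge silently, so compare its return value against sizeof(buf) and take the free(reply) / PAM_CONV_ERR path instead of sending a cut-off challenge.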
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...words.
+ */
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
struct pam_response *reply;
int count;
+ char buf[1024];
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
if (reply == NULL)
return PAM_CONV_ERR;
- for(count = 0; count < num_msg; count++) {
- switch (msg[count]->msg_style) {
+ for (count = 0; count < num_msg; count++) {
+ switch ((*msg)[count].msg_style) {
+ case PAM_PROMPT_ECHO_ON:
+ fputs((*msg)[count].msg, stderr);
+ fgets(buf, sizeof(buf), stdin);
+ reply[count...
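Review bot: in the added PAM_PROMPT_ECHO_ON case the return value of `fgets(buf, sizeof(buf), stdin)` is ignored, so on EOF or a read error buf holds indeterminate data for whatever is built from it next. Check for NULL, free reply and return PAM_CONV_ERR. `(*msg)[count].msg` is also handed to fputs without a NULL check.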
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...m_message **msg,
struct pam_response **resp, void *data)
{
char input[PAM_MAX_MSG_SIZE];
@@ -620,7 +603,7 @@ pam_chauthtok_conv(int n, const struct p
*resp = NULL;
- if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
return (PAM_CONV_ERR);
if ((reply = malloc(n * sizeof(*reply))) == NULL)
@@ -662,6 +645,8 @@ pam_chauthtok_conv(int n, const struct p
return (PAM_CONV_ERR);
}
+static struct pam_conv tty_conv = { pam_tty_conv, NULL };
+
/*
* XXX this should be done in the authentication phase, but ssh1 doesn't
* suppo...
2003 Sep 01
2
[Bug 632] PAM conversation function does not return when connection is aborted
...signedTo: openssh-bugs at mindrot.org
ReportedBy: Markus.Kuhn at cl.cam.ac.uk
When a user presses Ctrl-C in ssh while being prompted by the PAM conversation
function during a keyboard-interactive authentication, then sshd's conversation
function does not return to the PAM library with PAM_CONV_ERR. Instead sshd
calls pam_end() directly from inside the conversation function.
This is in violation of "The Linux-PAM application developers' guide" (draft
0.73, 2000-12-02), which states in section 3.2.1, page 14 that "should an error
occur the application should [...] simply re...
2002 Jan 07
3
keyboard-interactive
Is there a way for a PAM module to force a client (and the server) to
use kbd-interactive? As far as I can tell, when in the INITIAL_LOGIN
phase, all communication with the client returns a PAM_CONV_ERR. I am
trying to write a PAM module that will prompt a user for a second
username and a second password in order for the module to succeed so
that proper authentication relies on the ability to authenticate against
n machines, where n < 1.
I looked at the pam_authsrv module, but that appear...
2007 Apr 10
6
[PATCH 0/6] openssh V_4_6: minor fixes/cleanups
This patch series consists of minor fixes and cleanups I made during
update to openssh V_4_6 branch.
openssh/auth-pam.c | 9 ++++-----
openssh/auth2.c | 2 --
openssh/readconf.c | 7 ++++---
openssh/servconf.c | 14 ++++++++------
openssh/sftp-server.c | 9 ++++++---
openssh/sshd.c | 2 +-
6 files changed, 23 insertions(+), 20 deletions(-)
--
ldv
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
...int dlen, plen, type;
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
@@ -70,13 +75,58 @@
for(count = 0; count < num_msg; count++) {
switch (msg[count]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
- if (pampasswd == NULL) {
- free(reply);
- return PAM_CONV_ERR;
+ if (current_auth_type==SSH_CMSG_AUTH_TIS && pampasswd==NULL) {
+ /* TIS */
+ int prompt_len;
+ char *prompt;
+ debug("send SSH_SMSG_...
2002 Apr 26
0
PAM keyboard-interactive
...ses, 0, sizeof(struct pam_response) * num_msg);
-
- text = NULL;
- for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) {
- int style = PAM_MSG_MEMBER(msg, i, msg_style);
- switch (style) {
- case PAM_PROMPT_ECHO_ON:
+ ctxt = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ if ((*resp = calloc(n, sizeof **resp)) == NULL)
+ return (PAM_BUF_ERR);
+ for (i = 0; i < n; ++i) {
+ resp[i]->resp_retcode = 0;
+ resp[i]->resp = NULL;
+ switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
- context_pam2.num_expected++;
+ pam_send(ctxt, "p%s"...
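Review bot: in the new loop, `resp[i]->resp_retcode = 0;` and `resp[i]->resp = NULL;` index the wrong object. The array was stored in `*resp` by the calloc two lines earlier, so for i > 0 `resp[i]` reads past the caller's single pointer. Write `(*resp)[i].resp_retcode` and `(*resp)[i].resp`, or drop both assignments, since calloc has already zeroed the entries.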
1998 Oct 07
1
Re: sshd and PAM [summary]
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
I've got several replies, thank you for them. Let me summarize:
o Many people say there is a PAMified version of ssh available at
ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source)
ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries)
(there are analogous paths for the other architectures). The packages
are made by Jan
2002 Jun 25
4
PAM kbd-int with privsep
...ses, 0, sizeof(struct pam_response) * num_msg);
-
- text = NULL;
- for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) {
- int style = PAM_MSG_MEMBER(msg, i, msg_style);
- switch (style) {
- case PAM_PROMPT_ECHO_ON:
+ ctxt = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ if ((*resp = calloc(n, sizeof **resp)) == NULL)
+ return (PAM_BUF_ERR);
+ for (i = 0; i < n; ++i) {
+ resp[i]->resp_retcode = 0;
+ resp[i]->resp = NULL;
+ switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
- context_pam2.num_expected++;
+ sshpam_send(ctxt, "p%s&q...
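Review bot: the removed loop read the style with `PAM_MSG_MEMBER(msg, i, msg_style)`, and the replacement switches on `msg[i]->msg_style` directly, which fixes one layout for msg. Keep the macro in the new switch so the accessor stays in one place.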
2016 Mar 07
2
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
...PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: tomas.kuthan at oracle.com
Currently OpenSSH runs pam_setcred with 'fake' conversation function
sshpam_store_conv. If some PAM module actually tries to converse for
pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.
But there are/will be real world PAM modules, that actually need to
converse for pam_setcred. This bug asks for making that possible for
keyboard-interactive authentication.
Allowing pam_setcred conversation for other user auths (pubkey,
password, hostbased, gssapi-with-mic, ...) would be signi...
2002 Jun 27
1
[PATCH] kbdintctxt->nreq test
If the info_response code is going to test that the # of responses is < 100,
then the info_request code should check that < 100 prompts are sent. It
would be rude to send 101 prompts and then fail when the responses come
back.
I actually think the test should be removed altogether, the limit seems
quite arbitrary, but here is a patch to not send > 100 prompts. With
this patch, the test
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
...ctxt */
+
static void sshpam_free_ctx(void *);
/*
@@ -142,6 +145,10 @@
*resp = NULL;
ctxt = data;
+ if ( ctxt == NULL )
+ {
+ ctxt = sshpam_ctxt;
+ }
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
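Review bot: the added fallback `ctxt = sshpam_ctxt;` can still leave ctxt NULL if the conversation function runs before the `sshpam_ctxt = ctxt;` assignment in the next hunk has executed, and nothing after it checks. Return PAM_CONV_ERR when ctxt is still NULL after the fallback. The `if ( ctxt == NULL )` spacing and the braces on their own lines also differ from the `if (n <= 0 || n > PAM_MAX_NUM_MSG)` line that follows.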
@@ -221,6 +228,7 @@
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ sshpam_ctxt = ctxt;
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
--- contrib/solaris/buildpkg.sh 2004/02/26 19:35:55 1.1....
2009 Jul 13
0
openssh conversation failure issue on HPUX
...10798]: pam_setcred: error Permission
denied
See
http://www.docs.hp.com/en/T1471-90033/ch01s06.html
We track the issue to sshpam_cleanup() which resets the conversation
function pointer to sshpam_null_conv() before calling pam_setcred with
PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR.
It seems HPUX PAM module then decided to call the conversation function
(not sure why), and gets this error.
Is it possible/advisable to (maybe use #ifdef) move the pam_set_item
call to after the pam_setcred block?
Thanks
Leo Liou
2003 Feb 26
0
PAM merge from FreeBSD
...re)
tried by the client and completed successfully. (NOTE: there's no tty
at that point, nor any way to know if the client will want a tty
session)
- userauth methods other than kbd-int should have a null conversation
function (either NULL, literally, or a function that returns
PAM_CONV_ERR if any echo on/off prompts are issued)
- all of those PAM calls have to be done in a process which is an
ancestor to the user's actual session processes and those user
processes should not be created before calling PAM either
- preferably the process that calls pam_open_session() shou...
2002 Jul 02
3
New PAM kbd-int diff
...ses, 0, sizeof(struct pam_response) * num_msg);
-
- text = NULL;
- for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) {
- int style = PAM_MSG_MEMBER(msg, i, msg_style);
- switch (style) {
- case PAM_PROMPT_ECHO_ON:
+ ctxt = data;
+ if (n <= 0 || n > PAM_MAX_NUM_MSG)
+ return (PAM_CONV_ERR);
+ if ((*resp = calloc(n, sizeof(struct pam_response))) == NULL)
+ return (PAM_BUF_ERR);
+ for (i = 0; i < n; ++i) {
+ resp[i]->resp_retcode = 0;
+ resp[i]->resp = NULL;
+ switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
- context_pam2.num_expected++;
+ sshpam_send(ctx...