Displaying 17 results from an estimated 17 matches for "pam_delete_cred".
2002 Oct 09
0
Again: Cannot delete credentials
As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message
on logout: Cannot delete credentials. This occurs when in auth-pam.c,
function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is
called under UID 0. I suggested a patch for this on Nov 22, 2001, based on
openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0
by "if (!flag) setuid(0);" does not actually work but seems not to be
required.]
Now in 3.4p1 with privilege separation, I found this...
2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM:
1) pam_close_session() - do lastlog stuff
2) pam_setcred(PAM_DELETE_CRED) - delete credentials
3) pam_end() - close PAM
It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
This is due to a check done in pam_unix.so to not allow a caller with euid 0
to even try to delete their SECURE_RPC credentials. When sshd calls
pam_setcred() to delete the cred...
2001 Oct 31
3
2.9.9p2 and Solaris-2.8 PAM: Cannot delete credentials[7]: Permission denied
The 2 errors:
pam_setcred: error Permission denied
Cannot delete credentials[7]: Permission denied
Looks to be a major bug in the PAM module for Solaris-2.8/2.7/2.6.
Has anyone from the list (developers of OpenSSH, endusers, hackers, etc.)
come up w/ a solution? Even a temporary one?
When authenticating yourself on the same system that worked, but when
authenticating to another system failed. I
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...e_t *)pamh, 0);
+ pam_retval = pam_close_session(pamh, 0);
if (pam_retval != PAM_SUCCESS) {
log("Cannot close PAM session: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ PAM_STRERROR(pamh, pam_retval));
}
- pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
+ pam_retval = pam_setcred(pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS) {
debug("Cannot delete credentials: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ PAM_STRERROR(pamh, pam_retval));
}
- pam_retval = pam_end((pam_handle_t *)pamh, pam_re...
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
...reate a user-owned ccache *before* the account
>management part of PAM has been called and succeeded??
Because you are supposed to call pam functions in this order:
pam_start(pamh,...);
pam_authenticate(pamh, ...);
pam_acct_mgmt(pamh, ...);
pam_setcred(pamh, PAM_ESTABLISH_CRED);
...
pam_setcred(pamh, PAM_DELETE_CRED);
pam_end(pamh);
This is quite clear from the Solaris man page for pam_setcred(3pam)
" The pam_setcred() function is used to establish, modify, or
delete user credentials. It is typically called after the
user has been authenticated and after a session has been
ope...
2000 May 23
0
HP-UX 11.0 scp -t hangs and PAM
...ain (argc=1, argv=0x7bff0164) at scp.c:328
So we're blocked in read() on fd 0 for some reason. The file transfer
does complete.
Another issue is we get this message from sshd when logging out:
May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission denied
So pam_setcred(PAM_DELETE_CRED) isn't working.
2009 Jul 13
0
openssh conversation failure issue on HPUX
....23.
Here is the message:
Jun 15 13:21:28 a300sua0 sshd[10798]: pam_setcred: error Permission
denied
See
http://www.docs.hp.com/en/T1471-90033/ch01s06.html
We track the issue to sshpam_cleanup() which resets the conversation
function pointer to sshpam_null_conv() before calling pam_setcred with
PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR.
It seems HPUX PAM module then decided to call the conversation function
(not sure why), and gets this error.
Is it possible/advisable to (maybe use #ifdef) move the pam_set_item
call to after the pam_setcred block?
Thanks
Leo Liou
Not a shred...
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...ct pam_response **resp, void *appdata_ptr);
@@ -186,12 +184,15 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */
+#ifndef __hpux
if (__pamh && creds_set) {
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#endif
if (__pamh) {
pam_retval = pam_end(__pamh, pam_retval);
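Review bot: The new comment above `#ifndef __hpux` says only that HP-UX "doesn't like" the delete; it should name the failure being avoided and say why `pam_end()` alone is enough cleanup, since with this guard nothing on HP-UX calls `pam_setcred(__pamh, PAM_DELETE_CRED)` even when `creds_set` is true. If some credential has to be released there, this is the place where it is now skipped.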
@@ -256,10 +257,8 @@
case PAM_SUCCESS:
/* This is what we want *...
2001 Jan 22
0
Patches for failing build & bus error on SPARC/Linux
...38,349 ----
/* Function replacement / compatibility hacks */
/* In older versions of libpam, pam_strerror takes a single argument */
+ /* Older versions of PAM (1.10) don't define some symbols the same way */
#ifdef HAVE_OLD_PAM
# define PAM_STRERROR(a,b) pam_strerror((b))
+ # define PAM_DELETE_CRED PAM_CRED_DELETE
+ # define PAM_ESTABLISH_CRED PAM_CRED_ESTABLISH
+ # define PAM_NEW_AUTHTOK_REQD PAM_AUTHTOKEN_REQD
#else
# define PAM_STRERROR(a,b) pam_strerror((a),(b))
#endif
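Review bot: The three added defines sit under `HAVE_OLD_PAM`, which the existing comment ties to the one-argument `pam_strerror`, not to these symbol names. A libpam that has the old `pam_strerror` but already provides `PAM_DELETE_CRED` would have it remapped to `PAM_CRED_DELETE`, which may not exist there; guarding each define with `#ifndef PAM_DELETE_CRED` (and likewise for the other two), or using a separate configure test, would avoid that.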
*** fake-getnameinfo.c.orig Fri Sep 29 00:59:14 2000
--- fake-getnameinfo.c Mon Jan 22 16:19:39 2001
**************...
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...er_free(&buffer);
pthread_exit(NULL);
@@ -274,20 +337,31 @@
sshpam_cleanup(void)
{
debug("PAM: cleanup");
- if (sshpam_handle == NULL)
- return;
- pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
- if (sshpam_cred_established) {
- pam_setcred(sshpam_handle, PAM_DELETE_CRED);
- sshpam_cred_established = 0;
- }
- if (sshpam_session_open) {
- pam_close_session(sshpam_handle, PAM_SILENT);
- sshpam_session_open = 0;
- }
- sshpam_authenticated = sshpam_new_authtok_reqd = 0;
- pam_end(sshpam_handle, sshpam_err);
- sshpam_handle = NULL;
+ if (grab_pamh(0, NULL) != NULL) {...
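Review bot: The removed body reset `sshpam_cred_established`, `sshpam_session_open`, `sshpam_authenticated` and `sshpam_new_authtok_reqd` and set `sshpam_handle` to NULL; the replacement starting at `if (grab_pamh(0, NULL) != NULL) {` needs to keep every one of those resets, or a second cleanup call could act on stale state. The literal arguments `0, NULL` to `grab_pamh` also want a comment saying what they select.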
1999 Dec 28
0
Patches to report rsaref build and to call pam_setcred
...ar *remote_user);
void do_pam_session(char *username, char *ttyname);
+void do_pam_setcred();
void pam_cleanup_proc(void *context);
static struct pam_conv conv = {
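Review bot: `void do_pam_setcred();` is declared with empty parentheses while the neighbouring declarations are full prototypes; write `void do_pam_setcred(void);` so the compiler checks calls against it.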
@@ -230,6 +231,12 @@
PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
}
+ pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
+ if (pam_retval != PAM_SUCCESS) {
+ log("Cannot delete credentials: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
+ }
+
pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
if (pam_retval != PAM_SUCCESS) {
log("Cannot release PAM authentication: %...
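Review bot: The added `pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED)` runs unconditionally in the cleanup path, with nothing in the hunk checking that credentials were ever established. If cleanup fires before credentials are set, this reports "Cannot delete credentials" through `log()` for a condition that is not an error; a flag set on successful establish and tested here would avoid that.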
2000 Jul 03
1
Antwort: Re: sshd does not exit after scp (hpux 11.00 / ssh 2.1 .1p1)
...ain (argc=1, argv=0x7bff0164) at scp.c:328
So we're blocked in read() on fd 0 for some reason. The file transfer
does complete.
Another issue is we get this message from sshd when logging out:
May 23 13:22:16 robinson sshd[14075]: Cannot delete credentials: Permission
denied
So pam_setcred(PAM_DELETE_CRED) isn't working.
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
...-3.5p1a/auth-pam.c
--- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002
+++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002
@@ -186,12 +186,14 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#ifndef __hpux
if (__pamh && creds_set) {
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#endif
if (__pamh) {
pam_retval = pam_end(__pamh, pam_retval);
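Review bot: The `#ifndef __hpux` / `#endif` pair around the `if (__pamh && creds_set)` block has no comment, and it keys on a compiler-defined platform macro, so the delete is dropped for every HP-UX build regardless of release or PAM configuration. A one-line comment stating the observed error, and a configure-time define in place of `__hpux`, would make the exception easier to audit and to remove later.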
@@ -299,6 +301,18 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval...
2002 May 29
0
pam_limits module bug and its effects on pam applications
...ials
| |
v v
pam_close_session setuid/gid to authenticated user
| |
v v
pam_setcred call to cleanup credentials exec shell/command
|
v
pam_end
But this requires that pam_setcred( pamh, PAM_ESTABLISH_CRED)
and pam_setcred( pamh, PAM_DELETE_CRED ) can be called in different
processes. If this is not the case I don't know of a way to ever
implement resource limit settings in a reliable way.
--
2000 Jul 03
2
2.1.1p2 HP-UX 11 PAM General Commercial Security error
Trying 2.1.1p2 on HP-UX 11 (trusted system) I get:
Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des
Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on.
Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector.
Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk"
Jul 3
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...ct pam_response **resp, void *appdata_ptr);
@@ -186,12 +184,15 @@
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */
+#ifndef __hpux
if (__pamh && creds_set) {
pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(__pamh, pam_retval));
}
+#endif
if (__pamh) {
pam_retval = pam_end(__pamh, pam_retval);
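Review bot: With the whole `if (__pamh && creds_set)` block inside `#ifndef __hpux`, an HP-UX build leaves no trace in the debug log that credential deletion was skipped. An `#else` branch with a `debug()` line saying so would keep cleanup traces comparable across platforms.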
@@ -256,10 +257,8 @@
case PAM_SUCCESS:
/* This is what we want *...
2001 Sep 05
2
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>Neither the Sun PAM documentation nor the Linux-PAM documentation
>describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail.
I would agree it is vague, but then that is also a problem with the XSSO
document (http://www.opengroup.org/onlinepubs/008329799/)
>Could we please have a clarification on the semantics of
>PAM_CRED_ESTABLISH vs. the semantics of