search for: pam_end

https://bugzilla.mindrot.org/show_bug.cgi?id=1396 Summary: When pam-authentication thread ends, it doesn't call the function pam_end Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: All OS/Version: Linux Status: NEW Keywords: patch Severity: normal Priority: P2 Component: PAM support AssignedTo: b...

....org ReportedBy: Markus.Kuhn at cl.cam.ac.uk When a user presses Ctrl-C in ssh while being prompted by the PAM conversation function during a keyboard-interactive authentication, then sshd's conversation function does not return to the PAM library with PAM_CONV_ERR. Instead sshd calls pam_end() directly from inside the conversation function. This is in violation of "The Linux-PAM application developers' guide" (draft 0.73, 2000-12-02), which states in section 3.2.1, page 14 that "should an error occur the application should [...] simply return PAM_CONV_ERR". Wh...

...ithout the reason given is "Permission denied".) When turning on debug logging in syslog, the messages corresponding to session termination are PAM: pam_close_session() PAM: load_function: successful load of pam_sm_close_session PAM: pam_setcred: error Authentication failed PAM: pam_end(): status = Authentication failed Strange enough that pam_end() is reported to have failed too, despite the sshd apparently got PAM_SUCCESS returned! I tried the system native login program to see how it is scheduling PAM session cleanup. Not at all, neither pam_close_session() nor pam_setcred()...

...Benutzer die Sitzung beendet. Hierzu wird zuerst pam_start aufgerufen. Dies authentisiert basierend auf der pam.conf den Benutzer. Danach wird Accountmanagement durchgef?hrt. Zum Schlu? folgt session. Diese Stufen werden pam - Konform durchlaufen. Jedoch wird nachdem session durchgef?hrt wird nicht pam_end aufgerufen. pam_end ruft die cleanup - Callbacks der einzelnen Module auf. Da dies nicht aufgerufen wird, werden offene Filehandles gehalten und sockets nicht geschlossen. pam_end wird erst aufgerufen, wenn der Benutzer die Verbindung beendet. Ich hoffe, es ist nicht allzu konfus. Gru? Cengiz...

...(samba) workgroup users and it works fine (pam_smbpass). But after joining a domain and start using pam_winbind too, pwauth (2.3.10) get a segmentation fault when trying to authenticate any workgroup or domain user. What happens is that it does authenticate the user successfully, but when it calls pam_end() to release its resources, it crashes. Maybe pam_winbind is freeing something that will be freed by pam_end or something like that - I don't really know about PAM and their modules (smbpass/winbind), but it seems that pam_winbind might be misusing libtalloc somehow. Any ideas ? I believe this...

http://bugzilla.mindrot.org/show_bug.cgi?id=1322 Summary: pam_end() is not called if authentication fails, which breaks pam-abl Product: Portable OpenSSH Version: 4.6p1 Platform: Other URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041 OS/Version: Linux Status: NEW...

...&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + if (grab_pamh(0, NULL) != NULL) { + pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&null_conv); + if (sshpam_cred_established) { + pam_setcred(grab_pamh(0, NULL), PAM_DELETE_CRED); + sshpam_cred_established = 0; + } + if (s...

In do_pam_cleanup_proc(), there are 3 calls to PAM: 1) pam_close_session() - do lastlog stuff 2) pam_setcred(PAM_DELETE_CRED) - delete credentials 3) pam_end() - close PAM It appears that pam_setcred() always fails with the error PAM_PERM_DENIED. This is due to a check done pam_unix.so to not allow a caller with euid 0 to even try to delete their SECURE_RPC credentials. When sshd calls pam_setcred() to delete the credentials, evidentally, it is runnin...

...e), &conv, &pamh); if (status != PAM_SUCCESS) { auth_request_log_error(request, "pam", "pam_start() failed: %s", pam_strerror(pamh, status)); + str_free(&username); return PASSDB_RESULT_INTERNAL_FAILURE; } @@ -277,6 +300,7 @@ if ((status2 = pam_end(pamh, status)) != PAM_SUCCESS) { auth_request_log_error(request, "pam", "pam_end() failed: %s", pam_strerror(pamh, status2)); + str_free(&username); return PASSDB_RESULT_INTERNAL_FAILURE; } @@ -300,6 +324,7 @@ auth_request_set_field(request, "r...

...ord check succeeded smb_pam_start: PAM: Init user: root smb_pam_start: PAM: setting rhost to: mads smb_pam_start: PAM: setting tty smb_pam_start: PAM: Init passed for user: root smb_pam_account: PAM: Account Management for User: root smb_pam_account: PAM: Account OK for User: root smb_pam_end: PAM: PAM_END OK. user token sid S-1-5-11 Clearing default real name User name: root Real name: root smb_pam_start: PAM: Init user: root smb_pam_start: PAM: setting tty smb_pam_start: PAM: Init passed for user: root smb_pam_end: PAM: PAM_END OK. Chained message size=184 sm...

...ord check succeeded smb_pam_start: PAM: Init user: root smb_pam_start: PAM: setting rhost to: mads smb_pam_start: PAM: setting tty smb_pam_start: PAM: Init passed for user: root smb_pam_account: PAM: Account Management for User: root smb_pam_account: PAM: Account OK for User: root smb_pam_end: PAM: PAM_END OK. user token sid S-1-5-11 Clearing default real name User name: root Real name: root smb_pam_start: PAM: Init user: root smb_pam_start: PAM: setting tty smb_pam_start: PAM: Init passed for user: root smb_pam_end: PAM: PAM_END OK. Chained message size=184 sm...

...pam_handle_t *)pamh, PAM_DELETE_CRED); + pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) { debug("Cannot delete credentials: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + pam_retval = pam_end(pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { log("Cannot release PAM authentication: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } } } @@ -139,14 +171,1...

...t proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam...

...14:07:02.439128, 4] auth/pampass.c:564(smb_pam_account) smb_pam_account: PAM: Account Management for User: testuser [2012/06/23 14:07:02.439189, 4] auth/pampass.c:583(smb_pam_account) smb_pam_account: PAM: Account OK for User: testuser [2012/06/23 14:07:02.439242, 4] auth/pampass.c:450(smb_pam_end) smb_pam_end: PAM: PAM_END OK. [2012/06/23 14:07:02.439255, 3] smbd/sec_ctx.c:418(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2012/06/23 14:07:02.439262, 2] auth/auth.c:304(check_ntlm_password) check_ntlm_password: authentication for user [testuser] -> [testuser] ->...

...nit passed for user: root [2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_account(551) smb_pam_account: PAM: Account Management for User: root [2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_account(570) smb_pam_account: PAM: Account OK for User: root [2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_end(440) smb_pam_end: PAM: PAM_END OK. [2007/03/26 15:30:46, 5] auth/auth.c:check_ntlm_password(296) check_ntlm_password: PAM Account for user [root] succeeded [2007/03/26 15:30:46, 2] auth/auth.c:check_ntlm_password(309) check_ntlm_password: authentication for user [root] -> [root] -> [r...

...t proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#endif if (__pamh) { pam...

...at cvs.openbsd.org 2003/11/17 11:06:07 [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h] [monitor_wrap.c monitor_wrap.h sshconnect2.c ssh-gss.h] replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob. - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int conversation function - (djm) Export environment variables from authentication subprocess to parent. Part of Bug #717 -d

...fork ------- (future shell) | | | | | exec(bash) | | | | | X | | | X | pam_close_session | pam_setcred | pam_end | X The problem is, that pam_authenticate and pam_acct_mgmt is called in a separate auxiliary process. Any data stored using pam_set_data and any other state information stored by those two functions are lost when the auxiliary process exits (with exceptions like environment variables, whic...

...ccache *before* the account >management part of PAM has been called and suceeded?? Because you are supposed to call pam functions in this order: pam_start(pamh,...); pam_authenticate(pamh, ...); pam_acct_mgmt(pamh, pam_setcred(pamh, PAM_ESTABLISH_CRED) ... pam_setcred(pamh, PAM_DELETE_CRED); pam_end(pamh); This is quite clear from the Solaris man page for pam_setcred(3pam) " The pam_setcred() function is used to establish, modify, or delete user credentials. It is typically called after the user has been authenticated and after a session has been opened. See...

-----BEGIN PGP SIGNED MESSAGE----- Hi, I''ve got several replies, thank you for them. Let me summarize: o Many people say there is a PAMified version of ssh available at ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source) ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries) (there are analogous paths for the other architectures). The packages are made by Jan