search for: pam_establish_cred

http://bugzilla.mindrot.org/show_bug.cgi?id=1339 Summary: pam_dhkeys doesn't work (PAM_REINITIALIZE_CRED without PAM_ESTABLISH_CRED) Product: Portable OpenSSH Version: 4.6p1 Platform: Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: bitbucket at mindrot.org ReportedBy: David.Leon...

...otmail.com when using authenticating against pam_krb5 a user can only login when sshd is configured to use the system's login routine. the byproduct of this problem is that the user can not use X forwarding. this patch fixes the problem by modifying the call to pam_setcred to only use the PAM_ESTABLISH_CRED flag. users can now login (at least with solaris 8) with the pam.conf entry: sshd auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 ***...

...TOK_REQD) Jun 24 15:29:58 history-20 sshd[4656]: Accepted password for cmthielen from 127.0.0.1 port 36881 ssh2 Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:session): session opened for user cmthielen by (uid=0) Jun 24 15:29:58 history-20 sshd[4660]: pam_...

...TOK_REQD) Jun 24 15:29:58 history-20 sshd[4656]: Accepted password for cmthielen from 127.0.0.1 port 36881 ssh2 Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] ENTER: pam_sm_setcred (flags: 0x0002) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:setcred): [pamh: 0x1f06f48] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_unix(sshd:session): session opened for user cmthielen by (uid=0) Jun 24 15:29:58 history-20 sshd[4660]: pam_...

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant PAM_REFRESH_CRED >PAM_RENEW_CREDS is there for credential renewal (i.e., ticket renewal, >in the Kerberos case). That's clear from its...

...ll issued when exiting a session. *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_re...

...ail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? My interpretation is: You call PAM_ESTABLISH_CRED to create them You call PAM_REINITIALIZE_CRED to update creds that can expire over time, for example a kerberos ticket. >My guess, given what OpenSSH does with PAM: PAM_CRED_ESTABLISH means >"make it so we can use your module's credentials as root" whereas >PAM_REINITIALIZE_...

...ests worked for a password of just five characters ["hello", for what it's worth :) ]), followed by the correct password. Investigation (using copious debug() statements) has isolated the problem down to one line of code: pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); in auth-pam.c, function do_pam_setcred(). It appears that this function is being called twice: once with init set, once without (ie: once with PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call to pam_setcred(__pamh, PAM_REINITIALIZE_CRED) that the...

A few things to keep in mind: - kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during kbd-int so that modules in each of those PAM stacks can prompt the user (pam_open_session(), for example, may prompt a user with an informational message akin to the last login message) - all userauth methods should call pam_acct_mgmt() and force kbd-int,...

http://bugzilla.mindrot.org/show_bug.cgi?id=926 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO|994 | nThis| | ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------

...CESS) { fatal("PAM session setup failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } } @@ -217,10 +252,28 @@ int pam_retval; debug("PAM establishing creds"); - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { fatal("PAM setcred failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); + } +} + +/* + * Have user change authentication token if pam_acct_...

...winbind(gdm:auth): [pamh: 0x88bcf70] LEAVE: pam_sm_authenticate returning 0 pam_winbind(gdm:account): user 'sachs' OK pam_winbind(gdm:account): user 'sachs' granted access pam_winbind(gdm:setcred): [pamh: 0x88bcf70] ENTER: pam_sm_setcred (flags: 0x0002) pam_winbind(gdm:setcred): PAM_ESTABLISH_CRED not implemented pam_winbind(gdm:setcred): [pamh: 0x88bcf70] LEAVE: pam_sm_setcred returning 0 Some configurations: 1 - Nsswitch configure with LDAP, its work fine. 2 - smb.conf [global] workgroup = _LOCAL_ netbios name = debian-x11 realm = LOCAL.INT.BR s...

...[12345]: pam_winbind(sshd:account): [pamh: 0x12345678] LEAVE: pam_sm_acct_mgmt returning 12 sshd[12345]: Accepted password for user2 from 127.0.0.1 port 4711 ssh2 sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0002) sshd[12345]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented sshd[12345]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0) sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008) sshd[12346]: pa...

...: 0x1022c38] STATE: DATA(PAM_WINBIND_HOMEDIR) = "\\lion-x99\users\roy" (0x102e340) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: DATA(PAM_WINBIND_LOGONSERVER) = "PI-DC" (0x102e3a8) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): PAM_ESTABLISH_CRED not implemented Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:setcred): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8) Jul 24 10:13:18 pi-dc s...

On Tue, 2002-10-29 at 05:01, Hielke Christian Braun wrote: > i am trying to use dovecot with pam and radius. My users have names > in the format joe at somedomain.com. When i have pam configured to use > the normal passwd/shadow files it works fine. With radius it does not. > I see at the radius server that the domain part of my usernames > is always replaced with the same domain

http://bugzilla.mindrot.org/show_bug.cgi?id=1305 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1343 -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this

...shd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Nicolas.Williams at ubsw.com When pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD pam_chauthtok() must be the next PAM function called. That is, pam_chauthtok() MUST be called before pam_open_session() and before pam_setcred(PAM_ESTABLISH_CRED). The point is: if the user's password is expired then the login process cannot proceed too far before password changing is attempted. This bug applies, or should apply, to any implementation of PAM. Thus I selected "All" for the OS to which this bug applies. Cheers, Nico -----...

...AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Nicolas.Williams at ubsw.com pam_setcred() failures should not be treated as fatal; at least there should be an option so pam_setcred() failures are not treated as fatal(). But users should be warned loudly when pam_setcred(PAM_ESTABLISH_CRED) fails and sshd proceeds. Cheers, Nico ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

..."PAM session setup failed[%d]: %.200s", @@ -304,6 +306,8 @@ do_pam_set_conv(&conv); + if (init&&creds_set) + return; /*be idempotent so we can be called in monitor and child*/ debug("PAM establishing creds"); pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); diff -u -r1.1.1.1 monitor.c --- monitor.c 24 Jun 2002 23:29:52 -0000 1.1.1.1 +++ monitor.c 25 Jun 2002 20:33:41 -0000 @@ -278,6 +278,8 @@ #ifdef USE_PAM if (!do_pam_account(authctxt->pw->pw_name, NULL)) authenticated = 0; + do_pam_session(authctxt->pw-...

http://bugzilla.mindrot.org/show_bug.cgi?id=1289 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1339 -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this