Displaying 20 results from an estimated 48 matches for "pam_new_authtok_reqd".
2012 Jun 12
1
[Bug 2018] New: sshd not handling PAM_NEW_AUTHTOK_REQD properly
https://bugzilla.mindrot.org/show_bug.cgi?id=2018
Bug #: 2018
Summary: sshd not handling PAM_NEW_AUTHTOK_REQD properly
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at m...
2002 Feb 27
0
[Bug 129] New: PAM with ssh authentication fails treat PAM_NEW_AUTHTOK_REQD properly
http://bugzilla.mindrot.org/show_bug.cgi?id=129
Summary: PAM with ssh authentication fails treat
PAM_NEW_AUTHTOK_REQD properly
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
Reporte...
2015 Aug 11
0
[Bug 2018] sshd not handling PAM_NEW_AUTHTOK_REQD properly
https://bugzilla.mindrot.org/show_bug.cgi?id=2018
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release
2002 Mar 30
0
[Bug 129] PAM with ssh authentication fails treat PAM_NEW_AUTHTOK_REQD properly
http://bugzilla.mindrot.org/show_bug.cgi?id=129
stevesk at pobox.com changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|openssh-unix-dev at mindrot.org|stevesk at pobox.com
------- Additional Comments From stevesk at pobox.com 2002-03-31 05:44 -------
i will look at this.
-------
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
...12:56:47 -0000 1.84
+++ auth-pam.c 7 Dec 2003 13:23:38 -0000
@@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.84 2003/11/21
extern ServerOptions options;
extern Buffer loginmsg;
+extern int compat20;
#define __unused
@@ -118,6 +119,7 @@ static int sshpam_authenticated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
struct pam_ctxt {
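Review bot: `sshpam_account_status` is initialised to -1 while the three flags above it in this hunk start at 0, and nothing on the declaration says what -1 means. Add a short comment giving the meaning of each value the variable can hold, so later readers do not treat it as a plain boolean.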
@@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh)
}
#endif
+void
+pam_password_change_required(int reqd)
+{
+ s...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...Oct 2003 14:01:45 -0000
@@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.76 2003/10/09
#include "auth-options.h"
extern ServerOptions options;
+extern Buffer loginmsg;
+extern int compat20;
#define __unused
@@ -117,6 +119,7 @@ static int sshpam_authenticated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCC...
2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
http://bugzilla.mindrot.org/show_bug.cgi?id=1188
Summary: keyboard-interactive should not allow retry after
pam_acct_mgmt fails
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
2002 Oct 16
2
SSH Bug 3.5p1 Expired Passwords
Hello
in the new OpenSSH 3.5p1 is the same bug as in 3.4p1 :-(
When a user tries to log in with an expired password, SSH denies access to the system
fbeckman at zvadmxz:/home/fbeckman # ssh -v fbeckman at xy
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
2000 May 25
2
grace logins on solaris
We just started using NDS for Solaris to authenticate users on our Solaris
2.6 boxes. Works great with OpenSSH except for one thing. When a user's
password is expired, sshd won't allow them access, while telnetd reports
the number of grace logins left, and asks to change the user's password.
Seems to be an interaction with the PAM account module, but I'm not
familiar enough
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
...Nov 2003 09:02:24 -0000
@@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13
#include "auth-options.h"
extern ServerOptions options;
+extern Buffer loginmsg;
+extern int compat20;
#define __unused
@@ -117,6 +119,7 @@ static int sshpam_authenticated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCC...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
...cleanup();
}
-u_int
-do_pam_account(void)
-{
- if (sshpam_account_status != -1)
- return (sshpam_account_status);
-
- sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
- debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
-
- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
- sshpam_account_status = 0;
- return (sshpam_account_status);
- }
-
- if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
- sshpam_password_change_required(1);
-
- sshpam_account_status = 1;
- return (sshpam_account_status);
-}
-
void
do_pam_set_tty(const char *tty)
{
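Review bot: do_pam_account() is deleted whole here (21 lines), and the next hunk header, `@@ -939,6 +918,45 @@`, adds 39 lines further down the file, which reads like a move combined with changes. If that is the case, state in the patch description what changed inside the function body, because a move hides those edits from the diff; in particular the reviewer needs to see that the `PAM_NEW_AUTHTOK_REQD` branch calling `sshpam_password_change_required(1)` survives.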
@@ -939,6 +918,45 @@
static s...
2005 Jun 08
1
Possible security flaw in OpenSSH and/or pam_krb5
...he account,
then the application has a gaping hole and is at fault.
- A PAM module may defer authentication and authorization, in
password-change-required situations, to pam_sm_chauthtok(3PAM), but
if so it must: a) return PAM_SUCCESS from its
pam_sm_authenticate(3PAM) _AND_ b) return PAM_NEW_AUTHTOK_REQD from
its pam_sm_acct_mgmt(3PAM).
Kerberos V and LDAP BIND type modules typically do this.
If it does otherwise then it will either not support password aging
or sport a gaping security hole.
- Such modules' account modules must be configured as required or
requisite or...
2009 May 01
2
pam_winbind: user needs new password
Hi,
I just upgraded from Mandriva 2009.0 (Samba 3.2.3) to Mandriva 2009.1
(Samba 3.3.2), keeping all the same config files I had before. I use
pam_winbind to authenticate users against MS Active Directory.
Everything was working perfectly prior to the upgrade, and now
everything seems to be fine except for one thing: no user can have
access due to the following errors (taken from auth.log):
May
2002 Mar 26
2
SSH / PAM / Kerberos / password aging
...d aging being done after account
authorization, which comes after user authentication. Kerberos can't
authenticate users whose passwords are expired.
So PAM_KRB5 implementations tend to return PAM_SUCCESS from
pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt()
to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user
can't be said to be authenticated at that point.
The problem with this is that by the time pam_acct_mgmt() is called in
OpenSSH userauth has been completed, so kbd-interactive is not used for
the password changing and instead the work is relegated till...
2000 Nov 05
1
HP-UX 11.0 libpam patch
...xpired password:
(SR: 8606160402 CR: JAGad29724)
HP-UX is inconsistent with the PAM standard with respect
to the return value for an expired password. libpam_unix.1
returns PAM_AUTHTOK_EXPIRED when it detects an expired
password; the PAM standard expects PAM_NEW_AUTHTOK_REQD to
be returned. This inconsistency causes a problem for
programs written to run on multiple platforms.
Resolution:
When an expired password is detected, libpam_unix.1 now
returns standard PAM_NEW_AUTHTOK_REQD instead of
PAM_AUTHTOK_...
2000 Oct 11
1
Expired passwords & PAM
...appdata_ptr);
@@ -175,11 +172,17 @@
pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
switch (pam_retval) {
- case PAM_SUCCESS:
+ case PAM_SUCCESS:
/* This is what we want */
break;
- case PAM_NEW_AUTHTOK_REQD:
- pam_msg_cat(NEW_AUTHTOK_MSG);
+ case PAM_AUTHTOK_EXPIRED:
+ case PAM_NEW_AUTHTOK_REQD:
+ pam_retval = pam_chauthtok((pam_handle_t *)pamh,
PAM_CHANGE_EXPIRED_
AUTHTOK);
+ if (pam_retval != PAM_SUCCESS) {...
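Review bot: the new `case PAM_AUTHTOK_EXPIRED:` label falls through to the `PAM_NEW_AUTHTOK_REQD` handling with no comment saying why pam_acct_mgmt() would return that code; add a one-line comment naming the reason so the extra case is not removed later as dead code. The `case PAM_SUCCESS:` removal and re-addition looks whitespace-only and should be dropped from the patch, and the `PAM_CHANGE_EXPIRED_` / `AUTHTOK` argument is split across two lines, so the patch as posted will not apply cleanly.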
2004 Jan 15
2
What is print_pam_messages() used for ?
Hi,
I was investigating why I don't see any warnings from
pam_ldap indicating the pending expiration of passwords as well as
for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account()
does not have a conversation function. Also, there is a function
print_pam_messages (currently empty) which looks suspiciously like it
is earmarked to show just those error messages:
/* auth-pam.c */
void print_pam_messages(void)
{
/* XXX */
}
By an...
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...etrieving revision 1.54
diff -u -r1.54 auth-pam.c
--- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54
+++ auth-pam.c 20 Nov 2002 13:12:12 -0000
@@ -60,7 +60,7 @@
/* states for do_pam_conversation() */
enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
/* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */
-static int password_change_required = 0;
+extern int password_change_required;
/* remember whether the last pam_authenticate() succeeded or not */
static int was_authenticated = 0;
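Review bot: replacing `static int password_change_required = 0;` with a bare `extern int password_change_required;` in auth-pam.c turns this flag into shared mutable state, and the hunk no longer shows where it is defined or that it still starts at 0. Put the declaration in a header that both files include instead of repeating `extern` in the .c file, and extend the comment above it to say which file owns the variable.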
@@ -256,7 +256,6 @@
case PAM_SUCCESS:
/* This is what we want */
break;
-#if 0
case PAM_NEW_AUTH...
2023 Dec 22
0
sshd and password expiration
...to log on to the device via ssh (pam is in use)
- these users are redirected (via nss module) to a linux user who cannot log in directly to the system
so far this is working fine.
But now I also want the user to change the password if it has expired. Therefore my PAM module returns the error code PAM_NEW_AUTHTOK_REQD in the pam_sm_acct_mgmt function. The user is then prompted to change the password. Unfortunately, the function of my pam module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd.
In the source code I then saw that the pas...
2002 Mar 26
0
[Bug 188] New: pam_chauthtok() is called too late
...Version: 3.1p1
Platform: Other
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: Nicolas.Williams at ubsw.com
When pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD pam_chauthtok()
must be the next PAM function called. That is, pam_chauthtok() MUST
be called before pam_open_session() and before
pam_setcred(PAM_ESTABLISH_CRED).
The point is: if the user's password is expired then the login process cannot
proceed too far before password changing is attempte...