search for: pam_password_change_required

Hi I just "stumbled" over the flags settings in pam_password_change_required(). As far as I looked over the OpenSSH code, setting/resetting the 2nd bit in those flags from auth-options.c whould only make sense if the flags are checked to be 0/1 in the remaining OpenSSH code. Frank

...ated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; static char **sshpam_env = NULL; struct pam_ctxt { @@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +void +pam_password_change_required(int reqd) +{ + sshpam_new_authtok_reqd = reqd; + if (reqd) { + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } else { + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + + } +} /* I...

auth-pam.c declares some new functions in the pam_ namespace that are not part of PAM. pam_password_change_required() pam_msg_cat() pam_cleanup_proc() Purely to avoid any possible future problems I would suggest changing these so they do not being with pam_, suggestions include: __ssh_pam_msg_cat() ssh_pam_msg_cat() do_pam_msg_cat() cat_pam_msg() Please don't take this as a hint that any of these func...

...Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: buckh at pobox.com if you don't authenticate via pam/keyboard-interactive, then when do_pam_account figures out your password is expired and calls pam_password_change_required, the latter will probably segfault when it dereferences the uninitialized int *force_pwchange. this is b/c, if you don't authenticate using the PRIVSEP(sshpam_device), sshpam_init_ctx is never called, so force_pwchange isn't properly initialized i'll attach a workaround patch, but not...

...ommendation in the list, we enabled USE_POSIX_THREADS and we got the following buffer error on the server side when ssh connection is attempted. This is not the case with OpenSSH-3.7.1p2. It works when USE_POSIX_THREADS is enabled.But, 3.8p1 closed with this error in the server side. ------ debug3: pam_password_change_required 0 debug3: PAM: num env strings 0 buffer_get: trying to get more bytes 4 than in buffer 0 debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering ------- To fix this, we have done some changes in auth-pam.c and session.c [1]. We are not sure that this is the exact fix f...

...ue Feb 17 05:20:08 2004 --- new/auth-pam.c Thu Feb 26 23:18:05 2004 *************** *** 201,206 **** --- 201,207 ---- debug3("PAM: %s entering", __func__); + #ifndef USE_POSIX_THREADS /* Import variables set by do_pam_account */ sshpam_account_status = buffer_get_int(b); pam_password_change_required(buffer_get_int(b)); *************** *** 228,233 **** --- 229,235 ---- } #endif } + #endif } /* ----------------------------------------------------------------------- Antoine Verheijen Email: antoine.verheijen at ualberta.ca CNS Network Services Phone...

...expiry and I need public key authentication this is a problem. I know it looks like an odd combination, but regardless of how I choose to authenticate, my account is still accessible via a password in so many ways, and so that password must be changed regularly. sshd appears to be crashing in pam_password_change_required(). I can only assume that force_pwchange is not initialised. I'll know soon after I get a version of openssh built with debugging symbols, but that'll have to wait until Monday. Lloyd