Displaying 5 results from an estimated 5 matches for "pam_perm_deni".

2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM: 1) pam_close_session() - do lastlog stuff 2) pam_setcred(PAM_DELETE_CRED) - delete credentials 3) pam_end() - close PAM It appears that pam_setcred() always fails with the error PAM_PERM_DENIED. This is due to a check done in pam_unix.so to not allow a caller with euid 0 to even try to delete their SECURE_RPC credentials. When sshd calls pam_setcred() to delete the credentials, evidently, it is running with euid 0, so the checks in pam_unix.so guarantee failure - which means the user...
2007 Jun 05
2
pam_ldap-184 compile error
...error: `PAM_SUCCESS' undeclared (first use in this function) pam_ldap.c: At top level: pam_ldap.c:2347: error: syntax error before '*' token pam_ldap.c: In function `_service_ok': pam_ldap.c:2353: error: `session' undeclared (first use in this function) pam_ldap.c:2355: error: `PAM_PERM_DENIED' undeclared (first use in this function) pam_ldap.c:2358: warning: implicit declaration of function `pam_get_item' pam_ldap.c:2358: error: `pamh' undeclared (first use in this function) pam_ldap.c:2358: error: `PAM_SERVICE' undeclared (first use in this function) pam_ldap.c:2358:...
2020 Sep 08
23
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
...bug #1188 introduced an unconditional override of return value from pam_acct_mgmt(), setting PAM_ACCT_EXPIRED on any error from account step. It could have been 15 years ago, when there were not any other reasons why this function could fail, but these days, there are at least PAM_USER_UNKNOWN and PAM_PERM_DENIED (from Fedora 32 man pages). In these cases, openssh goes into unexpected code paths giving confusing error messages, such as: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client user=useruser debug1: do_pam_account: called pam_sss(sshd:account): Access d...
2004 Jan 21
2
PAM auth stage rejection not working
Hi, I have an auth module for PAM that I wrote a few years ago called pam_vsd.so. The idea is that a user must have a certain privilege before they can successfully authenticate. Without the privilege the PAM module will return PAM_PERM_DENIED. However I find that in OpenSSH 3.7.1p2, I can easily subvert this check simply by hitting return 3 times on connection i.e. [nick at localhost pam.d]$ ssh nick at host.dsvr.net Server host.dsvr.net Password: <hit return> Password: <hit return> Password: <hit return> nick...
2011 Aug 19
1
Password sync in 3.6.0 on OS X 10.7, Lion
My company, which is a Mac-heavy shop in the printing industry, needed to migrate to a faster file server. As our directory trees are very large, both Samba and Netatalk were bogging down badly on our Linux server (Samba, due to heavy CPU usage during directory listings - the case-sensitive file system issue, and Netatalk because the cnid db was getting too big). Our solution was to switch to a