search for: pam_putenv

I'm getting these over and over again in my dovecot [CVS] logs. I'm using PAM for authentication- something that worked a few weeks ago. Apr 6 15:22:11 [PAM-env] Unknown PAM_ITEM: <XAUTHORITY> Apr 6 15:22:11 [dovecot-auth] PAM pam_putenv: delete non-existent entry; XAUTHORITY dovecot: Apr 06 15:22:16 Warning: Killed with signal 2 dovecot: Apr 06 15:22:16 Error: child 25731 (imap) killed with signal 2 dovecot: Apr 06 15:22:16 Error: child 27545 (login) killed with signal 2 dovecot: Apr 06 15:22:16 Error: child 20320 (login) killed...

We're using an internal PAM module (Linux) that sets a few environment variables using pam_putenv (on pam_sm_authenticate). In version 3.6.1p1i such variables are visible to the user (as expected), but since 3.7p1 they are not... Is this the expected behaviour? Thanks in advance, Jose ____________________________________________________________________________ Jose A. Rodriguez...

I've been looking for a while and can't figure out for sure if variables allowed by AcceptEnv are readable by a PAM module. I looked through the openssh source code and found a few calls to pam_putenv(), which looks like the relevant call, but I don't see anything that would copy over AcceptEnv variables. Am I correct that the variables are not available to PAM? I'm guessing there are security implications to passing arbitrary variables through to PAM but is there some other way I...

https://bugzilla.mindrot.org/show_bug.cgi?id=2043 Priority: P5 Bug ID: 2043 Assignee: unassigned-bugs at mindrot.org Summary: memleak in import_environments Severity: trivial Classification: Unclassified OS: All Reporter: arthurmesh at gmail.com Hardware: All Status: NEW Version:

Hi All. Markus has commited the long-awaited GSSAPI patch to OpenBSD's ssh. There are patches. The first [1] is a straightforward port of the OpenBSD code to Portable. The second [2] contains the parts I've stolen from Simon Wilkinson's portable GSSAPI patch in an attempt to make it build. It is incomplete and doesn't currently work. The PAM support is not there and

...now I don't have any possibility to figure out which actual user has now logged in on behalf of user x. A solution to this problem is that OpenSSH makes the fingerprint of the key that has been (succesfully) used during public key authentication available within the PAM space (pam_set_data() / pam_putenv()). In this case one could hook in another PAM module e.g. for session management that obtains the fingerprint and work with it (e.g. mapping to user and making it available in user environment). -- You are receiving this mail because: You are watching the assignee of the bug.

...e process credentials (eg a PAG for AFS or the stored DH keys, however they are stored), that private data is not available to module, so the credentials are not established. The data stored by pam_set_data is completely inacessible to the application (ie sshd). If is was stored via pam_set_item, pam_putenv or the normal environment space, it can be copied to the main sshd process (and in 3.8 and up, it is). Currently, the only known workaround is to enable the use of POSIX threads, as Paul discovered. This is because the module-private data is stored in the same address space as the main sshd, and...

Hello list, Bug 688 is causing me a massive headache on OS X. The fact that each PAM authentication takes place in a separate process means the PAM context data isn't shared and therefore prevents the passing of data between modules. (pam_set_data, and pam_get_data) Compiling with pthreads isn't really an option because of the added security risk and the fact that some of the PAM

...a good way to correlate output of PAM modules to the session as only the clients host (PAM_RHOST) is exported to the PAM environment. If the clients port was accessible within PAM it can be included in log messages and thus correlated to a session. Export can be e.g. done through pam_set_item() or pam_putenv(). -- You are receiving this mail because: You are watching the assignee of the bug.

...AME. * Remove a few unnecessary checks from the streams xattr module. * Remove a few unnecessary checks from the streams xattr module. o Andreas Schneider <anschneider@suse.de> * Fix a segfault if ? is there but the options are NULL. * Avoid flooding of syslog with failing pam_putenv messages. * Document default of the printing config variable. * Use talloc_tos() instead of the talloc NULL context. o Karolin Seeger <kseeger@samba.org> * BUG 6058: Use ''make distclean'' instead of ''make clean'' in build_docs. * BUG 6000:...

...AME. * Remove a few unnecessary checks from the streams xattr module. * Remove a few unnecessary checks from the streams xattr module. o Andreas Schneider <anschneider@suse.de> * Fix a segfault if ? is there but the options are NULL. * Avoid flooding of syslog with failing pam_putenv messages. * Document default of the printing config variable. * Use talloc_tos() instead of the talloc NULL context. o Karolin Seeger <kseeger@samba.org> * BUG 6058: Use ''make distclean'' instead of ''make clean'' in build_docs. * BUG 6000:...

...sshpam_err != PAM_SUCCESS) fatal("PAM: pam_chauthtok(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); } /* @@ -706,7 +803,7 @@ compound = xmalloc(len); snprintf(compound, len, "%s=%s", name, value); - ret = pam_putenv(sshpam_handle, compound); + ret = pam_putenv(grab_pamh(0, NULL), compound); xfree(compound); #endif @@ -724,7 +821,7 @@ { #ifdef HAVE_PAM_GETENVLIST debug("PAM: retrieving environment"); - return (pam_getenvlist(sshpam_handle)); + return (pam_getenvlist(grab_pamh(0, NULL))); #els...

...1) and when listing public keys available in a token using ssh-keygen(1). bz#3006 Portability ----------- * ssh(1): fix SIGWINCH delivery of Solaris for multiplexed sessions bz#3030 * ssh(1), sshd(8): fix typo that prevented detection of Linux VRF * sshd(8): add no-op implementation of pam_putenv to avoid build breakage on platforms where the PAM implementation lacks this function (e.g. HP-UX). bz#3008 * sftp-server(8): fix Solaris privilege sandbox from preventing the legacy sftp rename operation from working (was refusing to allow hard links to files owned by other users). b...

...checks from the streams xattr module. * Remove a few unnecessary checks from the streams depot module and fix to work with NTRENAME. o Andreas Schneider <anschneider@suse.de> * Fix a segfault if ? is there but the options are NULL. * Avoid flooding of syslog with failing pam_putenv messages. o Karolin Seeger <kseeger@samba.org> * BUG 6000: Avoid bashism in perfcount.init. * Change default value of "ldap ssl" to "start tls". * Update version number in the manpages. * Fix several small issues and typos in the manpages. * Check i...

...checks from the streams xattr module. * Remove a few unnecessary checks from the streams depot module and fix to work with NTRENAME. o Andreas Schneider <anschneider@suse.de> * Fix a segfault if ? is there but the options are NULL. * Avoid flooding of syslog with failing pam_putenv messages. o Karolin Seeger <kseeger@samba.org> * BUG 6000: Avoid bashism in perfcount.init. * Change default value of "ldap ssl" to "start tls". * Update version number in the manpages. * Fix several small issues and typos in the manpages. * Check i...

...1) and when listing public keys available in a token using ssh-keygen(1). bz#3006 Portability ----------- * ssh(1): fix SIGWINCH delivery of Solaris for multiplexed sessions bz#3030 * ssh(1), sshd(8): fix typo that prevented detection of Linux VRF * sshd(8): add no-op implementation of pam_putenv to avoid build breakage on platforms where the PAM implementation lacks this function (e.g. HP-UX). bz#3008 * sftp-server(8): fix Solaris privilege sandbox from preventing the legacy sftp rename operation from working (was refusing to allow hard links to files owned by other users). b...

Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |