search for: pam_reinitialize_cred

>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? My interpreta...

http://bugzilla.mindrot.org/show_bug.cgi?id=1339 Summary: pam_dhkeys doesn't work (PAM_REINITIALIZE_CRED without PAM_ESTABLISH_CRED) Product: Portable OpenSSH Version: 4.6p1 Platform: Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: bitbucke...

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant PAM_REFRESH_CRED >PAM_RENEW_CREDS is there for cred...

...sword of just five characters ["hello", for what it's worth :) ]), followed by the correct password. Investigation (using copious debug() statements) has isolated the problem down to one line of code: pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); in auth-pam.c, function do_pam_setcred(). It appears that this function is being called twice: once with init set, once without (ie: once with PAM_ESTABLISH_CRED, once with PAM_REINITIALIZE_CRED). It's on the call to pam_setcred(__pamh, PAM_REINITIALIZE_CRED) that the seg fault occurs. To c...

...45]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 sshd[12345]: pam_unix(sshd:session): session opened for user user2 by (uid=0) sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] ENTER: pam_sm_setcred (flags: 0x0008) sshd[12346]: pam_winbind(sshd:setcred): PAM_REINITIALIZE_CRED not implemented sshd[12346]: pam_winbind(sshd:setcred): [pamh: 0x12345678] LEAVE: pam_sm_setcred returning 0 When interactive, I'll get: sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=user2 sshd[12345]: pam_winb...

...d(gnome-screensaver:account): user 'rking' granted access Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] ENTER: pam_sm_setcred (flags: 0x0008) Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): PAM_REINITIALIZE_CRED not implemented Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] LEAVE: pam_sm_setcred returning 0 Aug 9 19:21:37 pc15 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=10001 euid=10001 tty...

http://bugzilla.mindrot.org/show_bug.cgi?id=1305 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1343 -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this

...ng a session. *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pam...

...try_first_pass *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, PA...

...up failed[%d]: %.200s", @@ -304,6 +306,8 @@ do_pam_set_conv(&conv); + if (init&&creds_set) + return; /*be idempotent so we can be called in monitor and child*/ debug("PAM establishing creds"); pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); diff -u -r1.1.1.1 monitor.c --- monitor.c 24 Jun 2002 23:29:52 -0000 1.1.1.1 +++ monitor.c 25 Jun 2002 20:33:41 -0000 @@ -278,6 +278,8 @@ #ifdef USE_PAM if (!do_pam_account(authctxt->pw->pw_name, NULL)) authenticated = 0; + do_pam_session(authctxt->pw->pw_name, NULL); +...

http://bugzilla.mindrot.org/show_bug.cgi?id=1289 Darren Tucker <dtucker at zip.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |1339 -- Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this

Hello, We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a non-root user with PAM [pam-kerberos] then I get the following error. debug3: PAM: opening session debug1: PAM: reinitializing credentials PAM: pam_setcred(): Failure setting user credentials This is particularly for non-root users with PrivSep YES. When I connect to a root user with PrivSep YES or to a non-root

http://bugzilla.mindrot.org/show_bug.cgi?id=926 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO|994 | nThis| | ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------

...am_end() was not being called if authentication failed (bz #1322) - Fix SELinux support when SELinux is in permissive mode. Previously sshd(8) was treating SELinux errors as always fatal. (bz #1325) - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys. (bz #1339) - Fix privilege separation on QNX - pre-auth only, this platform does not support file descriptior passing needed for post-auth privilege separation. (bz #1343) Thanks to everyone who has contributed patches, reported bugs and tested releases. Che...

...am_end() was not being called if authentication failed (bz #1322) - Fix SELinux support when SELinux is in permissive mode. Previously sshd(8) was treating SELinux errors as always fatal. (bz #1325) - Ensure that pam_setcred(..., PAM_ESTABLISH_CRED) is called before pam_setcred(..., PAM_REINITIALIZE_CRED), fixing pam_dhkeys. (bz #1339) - Fix privilege separation on QNX - pre-auth only, this platform does not support file descriptior passing needed for post-auth privilege separation. (bz #1343) Thanks to everyone who has contributed patches, reported bugs and tested releases. Che...

...t) { debug("PAM: establishing credentials"); - sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); + sshpam_err = pam_setcred(grab_pamh(0, NULL), PAM_ESTABLISH_CRED); } else { debug("PAM: reinitializing credentials"); - sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED); + sshpam_err = pam_setcred(grab_pamh(0, NULL), PAM_REINITIALIZE_CRED); } if (sshpam_err == PAM_SUCCESS) { sshpam_cred_established = 1; @@ -598,10 +695,10 @@ } if (sshpam_authenticated) fatal("PAM: pam_setcred(): %s", - pam_strerror(sshpam_handle, sshpam_err)); +...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |