search for: pam_retval

...", stderr); + } + } reply[count].resp = xstrdup(""); - - if (msg[count]->msg != NULL) - pam_msg_cat(msg[count]->msg); - + reply[count].resp_retcode = PAM_SUCCESS; break; default: free(reply); @@ -103,22 +135,22 @@ if (pamh != NULL) { - pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + pam_retval = pam_close_session(pamh, 0); if (pam_retval != PAM_SUCCESS) { log("Cannot close PAM session: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam...

Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on. Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector. Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk" Jul 3

...ery slightly odd because the last 2 lines it adds are the the same as the 2 lines before the patch.) -- Andrew Bartlett abartlet at pcug.org.au -------------- next part -------------- --- auth-pam.c.orig Sat Feb 10 13:01:35 2001 +++ auth-pam.c Sat Feb 10 14:14:53 2001 @@ -191,14 +191,6 @@ { int pam_retval; - debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item(pamh, PAM_RHOST, - get_canonical_hostname()); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam...

...r *user, const char *password); void do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, char *ttyname); +void do_pam_setcred(); void pam_cleanup_proc(void *context); static struct pam_conv conv = { @@ -230,6 +231,12 @@ PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credentials: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); if (pam...

...Success So it seems to be preferrable to skip credentials deletion on HP-UX... Cheers! Michael diff -u -r openssh-3.5p1/auth-pam.c openssh-3.5p1a/auth-pam.c --- openssh-3.5p1/auth-pam.c Sun Jul 28 22:24:08 2002 +++ openssh-3.5p1a/auth-pam.c Wed Oct 16 15:00:01 2002 @@ -186,12 +186,14 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval));...

...expired, please change it now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete cr...

...expired, please change it now." -#define NEW_AUTHTOK_MSG_PRIVSEP \ - "Your password has expired, the session cannot proceed." static int do_pam_conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -186,12 +184,15 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } +/* HP-UX doesn't like credentials to be deleted. Skip and rely on pam_end() */ +#ifndef __hpux if (__pamh && creds_set) { pam_retval = pam_setcred(__pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete cr...

On Mon, 22 Nov 1999, Philip Brown wrote: > [ Marc G. Fournier writes ] > > debug("PAM_retval(open_session) about to run"); > > pam_retval = pam_open_session((pam_handle_t *)pamh, 0); > > > > > =========================================== > > > > so, its looking like I'm authenticated properly, but when trying to set up > > the whole envir...

...empty passwords are not permitted. A possible patch for the problem is given below: *** auth-pam.c Tue Apr 24 00:08:37 2001 --- auth-amrita.c Tue Nov 6 22:58:46 2001 *************** *** 203,208 **** --- 203,209 ---- { extern ServerOptions options; int pam_retval; + int flags=0; do_pam_set_conv(&conv); *************** *** 217,223 **** __pampasswd = password; pamstate = INITIAL_LOGIN; ! pam_retval = do_pam_authenticate(0); if (pam_retval == PAM_SUCCESS) { debug("PAM Password authenticatio...

...e know more about PAM under Solaris 7/x86 then I do, that can maybe tackle this, and/or suggestion a route to take to fix? After doing some debugging, it looks like the problem is a seg fault at: sshd.c:void pam_cleanup_proc(void *context) =========================================== debug("PAM_retval(open_session) about to run"); pam_retval = pam_open_session((pam_handle_t *)pamh, 0); debug("PAM_retval(open_session) successful"); if (pam_retval != PAM_SUCCESS) { log("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval));...

...conversation(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); +/* XXX: move to header file */ +const char * +get_remote_name_or_ip(void); + /* module-local variables */ static struct pam_conv conv = { do_pam_conversation, @@ -356,9 +360,9 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); debug("PAM setting rhost to \"%.200s\"", - get_canonical_hostname(options.reverse_mapping_check)); + get_remote_name_or_ip()); pam_retval = pam_set_item(__pamh, PAM_RHOST, - get_canonical_hostname(options.reverse_mapping_check));...

...mmediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } + if (session_opened) + return; /*Be idempotent so we can be called in monitor and child*/ pam_retval = pam_open_session(__pamh, 0); if (pam_retval != PAM_SUCCESS) fatal("PAM session setup failed[%d]: %.200s", @@ -304,6 +306,8 @@ do_p...

...50 djm Exp $"); -#define NEW_AUTHTOK_MSG \ - "Warning: You password has expired, please change it now" - /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -175,11 +172,17 @@ pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); switch (pam_retval) { - case PAM_SUCCESS: + case PAM_SUCCESS: /* This is what we want */ break; - case PAM_NEW_AUTHTOK_REQD: - pam_msg_ca...

Hello all, On Redhat 6.2, the PAM_unix module logs the session opening, but not the session closing. This was logged as of 2.3.0p1. Upgrading to 2.5.1p1 makrs the start of the problem. Thanks in advance, Victor -- Victor J. Orlikowski ====================== v.j.orlikowski at gte.net orlikowski at apache.org vjo at us.ibm.com

...etcred: error Permission denied" errors are still issued when exiting a session. *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv);...

.../pam_unix.so.1 sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass *** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); de...

...nssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c --- openssh-3.4p1/auth-pam.c Tue May 7 21:27:56 2002 +++ openssh-3.4p1-dw/auth-pam.c Tue Jul 16 07:54:05 2002 @@ -294,6 +294,18 @@ session_opened = 1; } +/* Set the TTY after session is open */ +void do_pam_set_tty(const char *ttyname) { + int pam_retval; + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); +...

...-123,29 +173,34 @@ } } -/* Attempt password authentation using PAM */ -int auth_pam_password(struct passwd *pw, const char *password) +/* Attempt authentication using PAM */ +int auth_pam_password(struct passwd *pw, const char *password, int auth_type) { extern ServerOptions options; int pam_retval; + if (auth_type != current_auth_type) { + finish_pam(); + start_pam2(pw, auth_type); + } + /* deny if no user. */ if (pw == NULL) return 0; if (pw->pw_uid == 0 && options.permit_root_login == 2) return 0; - if (*password == '...

>Okay, this appears to be a problem with pam_unix.so - the code in >pam_sm_open_session is written with the assumption that the tty name is of >the form "/dev/" + something else on the end. I'm not sure why the pam_sm_open_session in pam_unix on Solaris now does this: /* report error if ttyn or rhost are not set */ if ((ttyn == NULL) || (rhost == NULL))

...t I think "if 0" is a non-possible situation, right? I then removed these conditions, and it worked just fine, changed my password as it should.. btw, yes, I removed "Privilege Separation" to do these tests. Here is the piece of code I'm talking about: switch (pam_retval) { case PAM_SUCCESS: /* This is what we want */ break; #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK...