search for: pam_rhost

...in the past few -stable and alpha releases, but did not get to and instead always patched myself. Now having updated to the latest snapshot (which may be released as beta1), I stumbled on it again: In src/auth/passdb-pam.c, where the client host is passed to PAM, the code looks like this: #ifdef PAM_RHOST const char *host = net_ip2addr(&request->remote_ip); if (host != NULL) pam_set_item(pamh, PAM_RHOST, host); #endif For some reason there is a preprocessor/compile-time check whethere there exists such a preprocessor symbol as the PAM item PAM_RHOST (why check that? IIRC PAM_RHOST is...

Hi and here's an feature request from a user/developer, wher I would like to hear your comments again. Thanks > The PAM_RHOST item, which tells PAM which remote host it is conversing > with, is currently set by OpenSSH _after_ authentication is made. This > is not a good thing for me, as a have written a module which needs the > IP of the peer as a part of authentication. > My module was written to eleminate...

A little problem, which is bugging me: when using PAM authentication, Dovecot (0.99.5) does not set the PAM_RHOST item, so the PAM modules cannot know who the client is. We need this for some PAM module doing access control. Changing passdb-pam.c to pam_set_item it seems trivial, but I'm bugged as to how to get the client name from there. It seems not to be available in the auth_request strut or anythin...

Hi, When running in inetd mode (-i), if stdin/stdout are not an IP socket, sshd will set PAM_RHOST to "UNKNOWN" which causes a reverse DNS lookup by pam that always fails because "UNKNOWN" cannot be resolved. I've posted a possible fix here: https://github.com/openssh/openssh-portable/pull/388 Cheers, Daan De Meyer

...21 pam_stack[23836]: passing PAM_CONV to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: NOT passing PAM_FAIL_DELAY to child: source not set May 23 12:01:56 192.168.1.21 pam_stack[23836]: NOT passing PAM_OLDAUTHTOK to child: source is NULL May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing PAM_RHOST to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: NOT passing PAM_RUSER to child: source is NULL May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing PAM_SERVICE to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing PAM_TTY to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: p...

Hi, A few things regarding logging and libwrap.. a) PAM_RHOST patch Back in July, dean gaudet helpfully posted a patch to dovecot PAM_RHOST the remote IP. Is this going to be included in the main dovecot tree? It seems like a worthwhile addition. The more informative and concise the logging the better. See http://www.dovecot.org/list/dovecot/2004-July/004...

to improve forensic log info i want to set the PAM_RHOST value to the remote ip (which pam logs as rhost=foo in failure messages). i didn't look to see if anything has been done in this way on CVS because i'm still on 0.99.10.6. below is a bit of a hack. in some sense the remote_ip might make more sense in the AUTH_LOGIN_REQUEST_NEW packet rat...

...bind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "roy" (0x1021aa8) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_AUTHTOK) = 0x1021ab8 Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_CONV) = 0x102c068 Jul 24 10:13:18 pi-dc sshd[865]: pam_...

...side pam_open_session. Truss shows that the lastlog file has just been opened for writing. Non-interactive uses of ssh work. The cause is that, on this route through the code, do_pam_account is _not_ called, but do_pam_session is. This results in pam_open_session being called with PAM_TTY set but PAM_RHOST not set. (In the non-interactive case, PAM_TTY is not set either, so the PAM module does not try to update lastlog, and so does not look at PAM_RHOST). The SIGSEGV might be regarded as a bug in Sun's code, but the failure to set PAM_RHOST in the case of a passwordless login is a bug in OpenSSH...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi OpenSSH'ers, I am emailing you to ask is it possible to record failed passwords attempts and log them to syslog? Are there patches available for this? Has anyone managed to do this before? Are there alternitive methods? Many Thanks, A - -- Alan Neville, Postgraduate Education Officer, DCU Students' Union 2009/2010, BS.c Computer

...inbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_AUTHTOK) = 0x7fc74c2caec0 sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_CONV) = 0x7fc74c2e0cf0 sshd[9569]: pam_winbind(sshd:auth): getting password (0x...

...dle_lock_count && sshpam_handle_lock_ready) { + sshpam_handle_lock_ready = 0; + pthread_mutexattr_destroy(&lock_attr); + pthread_mutex_destroy(&sshpam_handle_lock); + } +#endif } static int @@ -296,30 +370,53 @@ extern u_int utmp_len; extern char *__progname; const char *pam_rhost, *pam_user; + pam_handle_t *sshpam_handle_holder; + +#ifdef USE_POSIX_THREADS + /* (Re)initialize our pthread structures if it's safe to do so. Only + * free them if they were previously initialized and they aren't + * currently in use. + */ + if (!process_id) + process_id = getpid();...

I did re-read the whole thread again. Im running out of options.. When i look at : https://wiki.samba.org/index.php/PAM_Offline_Authentication You can do these last checks. Run the : Testing offline authentication as show on the wiki. Debian normaly does not have /etc/security/pam_winbind.conf, check if its there if so backup it remove it. Check if these packages are installed.

...rg.au -------------- next part -------------- --- auth-pam.c.orig Sat Feb 10 13:01:35 2001 +++ auth-pam.c Sat Feb 10 14:14:53 2001 @@ -191,14 +191,6 @@ { int pam_retval; - debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item(pamh, PAM_RHOST, - get_canonical_hostname()); - if (pam_retval != PAM_SUCCESS) { - fatal("PAM set rhost failed[%d]: %.200s", - pam_retval, PAM_STRERROR(pamh, pam_retval)); - } - if (remote_user != NULL) { debug("PAM setting ruser to \"%.200s\"", remote_user); pam_retval...

...; well its obviously blowing up on pam_open_session, so you need to validate > your "pamh" handle somehow. thank you, and how would one do this? considering that my 'pamh' handle is being used three times prior to that, in: pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host); pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); all in the same function, I would have thought that this would have been okay...all of the above go through successfully... my only real "refer...

(I am sorry to bother the list with something I should have verified myself right now - I simply do not have access to the source code here) Thinking of some limit I wanted to put with authentication, I am wondering - when Dovecot authenticates a user using PAM, now that (in 1.0) it passes the rhost item to PAM, it passes a hostname, not an IP address. Does it double-verify the DNS record

...t mindrot.org Reporter: seroland86 at gmail.com Since OpenSSH 7.2 it is possible to identify sessions within log files as session-related log entries include the clients port. Right now I don't see a good way to correlate output of PAM modules to the session as only the clients host (PAM_RHOST) is exported to the PAM environment. If the clients port was accessible within PAM it can be included in log messages and thus correlated to a session. Export can be e.g. done through pam_set_item() or pam_putenv(). -- You are receiving this mail because: You are watching the assignee of the bug.

...ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = "mycomputer.domain.local" (0x7f6b82684610) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_CONV) = 0x7f6b82683810 Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): user 'nathan' granted access Nov 28 17:34...

...4cb2030] STATE: ITEM(PAM_USER) = "georg" (0x7f1d54ca9f00) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_TTY) = "ssh" (0x7f1d54cb21d0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_RHOST) = "192.168.0.107" (0x7f1d54cb21b0) Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_AUTHTOK) = 0x7f1d54ca83e0 Jan 2 12:23:55 websrv sshd[3541]: pam_winbind(sshd:auth): [pamh: 0x7f1d54cb2030] STATE: ITEM(PAM_CONV) = 0x7f1d54cb2210 Jan 2 1...

...TRERROR((pam_handle_t *)pamh, pam_retval)); + pw->pw_name, PAM_STRERROR(pamh, pam_retval)); return 0; } } @@ -157,33 +190,35 @@ int pam_retval; debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + pam_retval = pam_set_item(pamh, PAM_RHOST, get_canonical_hostname()); if (pam_retval != PAM_SUCCESS) { fatal("PAM set rhost failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } if (remote_user != NULL) { debug(...