search for: pam_setcr

...gin with my question. It has a specific reference to PAM_KERBEROS, but it can also be a general question. If a user (ssh) session was such that it skipped pam_authenticate() during login (probably because it used a Key-based auth method), then is it all right for sshd to correspondingly skip pam_setcred() during session exit? What will happen if we take that approach? As I understand it, pam_setcred() is called as part of the authentication phase as well as part of the session exit phase. When called during authentication, pam_setcred() sets the KRB5CCNAME environment variable to the cre...

https://bugzilla.mindrot.org/show_bug.cgi?id=2549 Bug ID: 2549 Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication Product: Portable OpenSSH Version: 7.1p2 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5 Component: PAM support...

Should pam_setcred() be called if pam_authenticate() wasn't called? I would say not; both of these functions are in the authenticate part of pam. It seems the the 'auth' part of pam config controls which modules get called, so if you didn't to _authenticate() you shouldn't do _setcred(). thx /...

Hello, We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a non-root user with PAM [pam-kerberos] then I get the following error. debug3: PAM: opening session debug1: PAM: reinitializing credentials PAM: pam_setcred(): Failure setting user credentials This is particularly for non-root users with PrivSep YES. When I connect to a root user with PrivSep YES or to a non-root user with PrivSep NO, then no issues. This is tested on 3.7.1p2 and 3.8.1p1 and two versions behave alike. This is not the case when USE_...

Hello. I'm wondering how one would go about configuring dovecot to invoke pam_setcred() from the same process as (or a parent process of) the process which eventually reads the user's mail off the disk. This is required for pam modules that set kernel-level credentials which are later used to access the user's mail files. In particular, I'm trying to use dovecot with...

https://bugzilla.mindrot.org/show_bug.cgi?id=2399 Bug ID: 2399 Summary: openssh server should fatal out when pam_setcred and pam_open_session fail Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5 Component: PAM support Assignee: unassign...

http://bugzilla.mindrot.org/show_bug.cgi?id=189 Summary: pam_setcred() failures should not be treated as fatal Product: Portable OpenSSH Version: 3.1p1 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at min...

I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a pam_setcred() or pam_open_session() call. Cheers, Nalin -------------- next part -------------- diff -uNr acconfig.h acconfig.h --- acconfig.h Sat Dec 25 18:21:48 1999 +++ acconfig.h Mon Dec 2...

...ED_ESTABLISH means >"make it so we can use your module's credentials as root" whereas >PAM_REINITIALIZE_CREDS means "make it so we can use your module's >credentials as pam_get_item(PAM_USER)." That is wrong and is one thing the XSSO doc is clear on: "The pam_setcred() function is used to establish, modify, or delete the credentials of the current user associated with the authentication handle, pamh. " The Solaris pam_setcred(3pam) man page is less clear - I'll file a man page bug for Solaris to get it clarified better. >And, given what OpenSSH...

...SER (e.g., a web server) but which nonetheless needs the user's >Kerberos creds -- why bother creating a user-owned ccache then? I can see that from a PAM view point but it won't really work from a Kerberos view point (it isn't how kerberos was designed to work). >> "The pam_setcred() function is used to establish, modify, or delete the >> credentials of the current user associated with the authentication handle, >> pamh. " > >Why does that description not jive with my interpretation of the OpenSSH >interpretation of the pam_setcred() flags' se...

http://bugzilla.mindrot.org/show_bug.cgi?id=189 ------- Additional Comments From stevesk at pobox.com 2002-04-01 17:49 ------- why should pam_setcred() failures not be treated as fatal? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

In do_pam_cleanup_proc(), there are 3 calls to PAM: 1) pam_close_session() - do lastlog stuff 2) pam_setcred(PAM_DELETE_CRED) - delete credentials 3) pam_end() - close PAM It appears that pam_setcred() always fails with the error PAM_PERM_DENIED. This is due to a check done pam_unix.so to not allow a caller with euid 0 to even try to delete their SECURE_RPC credentials. When sshd calls pam_setcred()...

https://bugzilla.mindrot.org/show_bug.cgi?id=2380 Bug ID: 2380 Summary: [PATCH] Optionally allow pam_setcred to override gid Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org...

...et the following error message: ============ snip =================== auth(default): client in: AUTH 8 PLAIN service=IMAP secured lip=10.24.1.6 rip=10.211.11.1 auth(default): client out: CONT 8 auth(default): client in: CONT<hidden> auth(default): pam(pgerlesb,10.211.11.1): pam_setcred() failed: Error in service module auth(default): client out: FAIL 8 user=pgerlesb auth(default): client in: AUTH 9 PLAIN service=IMAP secured lip=10.24.1.6 rip=10.211.11.1 resp=<hidden> auth(default): pam(pgerlesb,10.211.11.1): pam_setcred() failed: Error in service module...

http://bugzilla.mindrot.org/show_bug.cgi?id=698 Summary: fixed bug in calling pam_setcred Product: Portable OpenSSH Version: 3.7.1p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: postadal...

...d I don't understand though is how OpenSSH's invocation of do_pam_session/setcred can work (in main of the process forked in sshd.c). Ignoring privsep for the moment, if we're doing challenge-response then pam_authenticate is happening in the PAM "thread", so the pam_h we call pam_setcred with isn't the one that we called pam_authenticate with. The pam_h the main process is using at this stage seems to be the one created in sshpam_init_authctx (or mm_init_auth_ctx with privsep) and hasn't had pam_authenticate called on it, has it? I've checked FreeBSD's pam_krb5 s...

http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org...

http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org...

http://bugzilla.mindrot.org/show_bug.cgi?id=189 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-01-07 17:40

...ependingO|994 | nThis| | ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 ------- I've been thinking about this. It's too late for 4.1p1, but I think the right way to fix this is to split up the do_pam_setcred() and do_pam_session() calls, and hook the do_pam_session calls into the login/logout recording in loginrec.c (to be called from the monitor). The existing loginmsg handling would allow any messages returned by PAM to be sent to the user. This would allow per-session login recording and would a...