search for: pam_sm_authenticate

...:parse_cfg(778)] yubi_attr_prefix=(null) [../pam_yubico.c:parse_cfg(779)] url=(null) [../pam_yubico.c:parse_cfg(780)] capath=(null) [../pam_yubico.c:parse_cfg(781)] token_id_length=12 [../pam_yubico.c:parse_cfg(782)] mode=client [../pam_yubico.c:parse_cfg(783)] chalresp_path=(null) [../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack [../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes [../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32. [../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdueencldivbcjvghv...

...am_krb5 this was OK. I didn't need to have AD users in my local /etc/passwd for authentication to be successful. This is not possible using FreeBSD's pam_krb5.so because of the getpwnam in the authentication function of pam_krb5.c. I'm not trying to build a bikeshed but shouldn't pam_sm_authenticate verify the password and pam_sm_acct_mgmt verify that the user has a local account? If this were the case then you could setup other services like ftp and such to use pam_krb5 for AD authentication. -Corey Smith

https://bugzilla.mindrot.org/show_bug.cgi?id=2475 Bug ID: 2475 Summary: Login failure when PasswordAuthentication, ChallengeResponseAuthentication, and PermitEmptyPasswords are all enabled Product: Portable OpenSSH Version: 7.1p1 Hardware: ix86 OS: Linux Status: NEW

...utput below, my explanation of the backtrace is below (cronological order / newest item last): - Dovecot had successfully performed pam_start(), the necessary pam_set_item(), and called pam_authenticate(pamh, 0) https://github.com/dovecot/core/blob/2.2.33.2/src/auth/passdb-pam.c#L158 - PAM called pam_sm_authenticate() in /usr/lib/libpam/modules/pam_krb5/pam_krb5.c which successfully got the user, ruser, service, principal, password, checked local user, and then ran krb5_get_init_creds_opt_set_default_flags https://github.com/freebsd/freebsd/blob/master/lib/libpam/modules/pam_krb5/pam_krb5.c#L242 - Heimdal krb...

...backtrace is below > (cronological order / newest item last): > > - Dovecot had successfully performed pam_start(), the necessary > pam_set_item(), and called pam_authenticate(pamh, 0) > https://github.com/dovecot/core/blob/2.2.33.2/src/auth/passdb-pam.c#L158 > > - PAM called pam_sm_authenticate() in > /usr/lib/libpam/modules/pam_krb5/pam_krb5.c which successfully got the > user, ruser, service, principal, password, checked local user, and then ran > krb5_get_init_creds_opt_set_default_flags > https://github.com/freebsd/freebsd/blob/master/lib/libpam/modules/pam_krb5/pam_krb5.c...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi OpenSSH'ers, I am emailing you to ask is it possible to record failed passwords attempts and log them to syslog? Are there patches available for this? Has anyone managed to do this before? Are there alternitive methods? Many Thanks, A - -- Alan Neville, Postgraduate Education Officer, DCU Students' Union 2009/2010, BS.c Computer

...ering Nov 9 10:00:07 sshserver sshd[27977]: [ID 384020 auth.debug] PAM[27977]: pam_set_item(7f6e8:conv) Nov 9 10:00:07 sshserver sshd[27977]: [ID 225850 auth.debug] PAM[27977]: pam_authenticate(7f6e8, 1) Nov 9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]: load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/security/pam_authtok_get.so.1 Nov 9 10:00:07 sshserver sshd[27977]: [ID 258498 auth.debug] PAM[27977]: load_function: successful load of pam_sm_authenticate Nov 9 10:00:07 sshserver sshd[27977]: [ID 348363 auth.debug] PAM[27977]: load_modules(7f6e8, pam_sm_authenticate)=/usr/lib/securit...

...Password Password: Wrong Password Password: Wrong Password Permission denied (publickey,keyboard-interactive). [testme at hp1 ~]$ And from the logs on the system dt0 [root at dt0 /var/log]# tail debug.log Apr 16 12:17:08 dt0 sshd[80774]: pam_winbind(sshd): [pamh: 0x80300b840] LEAVE: pam_sm_authenticate returning 9 (PAM_AUTH_ERR) Apr 16 12:42:39 dt0 sshd[81031]: pam_winbind(sshd): [pamh: 0x80300b840] ENTER: pam_sm_authenticate (flags: 0x0001) Apr 16 12:42:39 dt0 sshd[81031]: pam_winbind(sshd): getting password (0x00004001) Apr 16 12:42:42 dt0 sshd[81031]: pam_winbind(sshd): [pamh: 0x80300b840]...

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user can't be said to be authenticated at that point. The problem with this is that by the time pam_acct_mgmt() is called in OpenSSH userauth has been completed, so kbd-interactive...

...* : backend = tdb valid users = %U /var/log/auth.log: login[739]: pam_unix(login:auth): check pass; user unknown login[739]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost= login[739]: pam_winbind(login:auth): [pamh: 0x190d460] ENTER: pam_sm_authenticate (flags: 0x0000) login[739]: pam_winbind(login:auth): getting password (0x00004389) login[739]: pam_winbind(login:auth): pam_get_item returned a password login[739]: pam_winbind(login:auth): Verify user 'USER' login[739]: pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE' l...

...5:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): pam_winbind_request: read from socket failed! Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module error (retval = 3, user = 'NA\nda') Apr 24 10:55:15 LINUX-1 httpd2-prefork: pam_winbind(httpd): [pamh: 0xa0c91c0] LEAVE: pam_sm_authenticate returning 3 Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): pam_winbind_request: read from socket failed! Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): internal module error (retval = 3, user = 'na\sja') Apr 24 10:55:17 LINUX-1 httpd2-prefork: pam_winbind(httpd): [...

...ve the patch installed. I can't > > think what else the problem could be. > > > > I can't see what happens after I type in my password. Pamlog looks > > like this - > > > > Jan 29 11:28:27 sun001 login: [ID 634615 auth.debug] > > pam_authtok_get:pam_sm_authenticate: flags = 0 > > Jan 29 11:28:31 sun001 login: [ID 378613 auth.debug] pam_dhkeys: > > user ganguly not found Jan 29 11:28:31 sun001 login: [ID 896952 > > auth.debug] > > pam_unix_auth: entering > > pam_sm_authenticate() > > Jan 29 11:28:31 sun001 login: [ID 21934...

...il_sid.c:string_to_sid(242) string_to_sid: Sid S-0-0 is not in a valid format. [2008/01/14 16:22:12, 0] nsswitch/winbindd_util.c:trustdom_recv(268) Got invalid trustdom response Which results in a bad authentication: /var/log/pam.log Jan 14 16:29:03 sandbox pam_winbind[2632]: pam_winbind: pam_sm_authenticate (flags: 0x0000) Jan 14 16:29:07 sandbox pam_winbind[2632]: Verify user `testuser' Jan 14 16:29:17 sandbox pam_winbind[2632]: request failed: NT_STATUS_IO_TIMEOUT, PAM error was System error (4), NT error was NT_STATUS_IO_TIMEOUT Jan 14 16:29:17 sandbox pam_winbind[2632]: internal module err...

...sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE debug session required pam_unix.so /var/log/secure: [The ticket expired during the night between these log events] ug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] ENTER: pam_sm_authenticate (flags: 0x0000) Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x00000191) Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password Aug 9 16:39:44 pc15 gnome-screensaver-dialog: pa...

...util_sid.c:string_to_sid(242) string_to_sid: Sid S-0-0 is not in a valid format. [2008/01/14 16:22:12, 0] nsswitch/winbindd_util.c:trustdom_recv(268) Got invalid trustdom response Which results in a bad authentication: /var/log/pam.log Jan 14 16:29:03 sandbox pam_winbind[2632]: pam_winbind: pam_sm_authenticate (flags: 0x0000) Jan 14 16:29:07 sandbox pam_winbind[2632]: Verify user `testuser' Jan 14 16:29:17 sandbox pam_winbind[2632]: request failed: NT_STATUS_IO_TIMEOUT, PAM error was System error (4), NT error was NT_STATUS_IO_TIMEOUT Jan 14 16:29:17 sandbox pam_winbind[2632]: internal module err...

...the patch installed. I can't > > think what else the problem could be. > > > > I can't see what happens after I type in my password. Pamlog looks > > like this - > > > > Jan 29 11:28:27 sun001 login: [ID 634615 auth.debug] > > pam_authtok_get:pam_sm_authenticate: flags = 0 > > Jan 29 11:28:31 sun001 login: [ID 378613 auth.debug] pam_dhkeys: > > user ganguly not found Jan 29 11:28:31 sun001 login: [ID 896952 > > auth.debug] > > pam_unix_auth: entering > > pam_sm_authenticate() > > Jan 29 11:28:31 sun001 login: [ID 219349...

...nt pam_unix.so nullok obscure md5 password required pam_winbind.so session optional pam_unix.so session optional pam_winbind.so session optional pam_mkhomedir.so skel=/etc/skel/ umask=077 Debug PAM: pam_winbind(gdm:auth): [pamh: 0x88bcf70] ENTER: pam_sm_authenticate (flags: 0x0000) pam_winbind(gdm:auth): getting password (0x00000181) pam_winbind(gdm:auth): Verify user 'sachs' pam_winbind(gdm:auth): CONFIG file: krb5_ccache_type 'FILE' pam_winbind(gdm:auth): enabling krb5 login flag pam_winbind(gdm:auth): enabling request for a FILE krb5 cc...

...;ve also tried running pam_winbind with debugging. When logging in non-interactively, I'll get: sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain user=user2 sshd[12345]: pam_winbind(sshd:auth): [pamh: 0x12345678] ENTER: pam_sm_authenticate (flags: 0x0001) sshd[12345]: pam_winbind(sshd:auth): getting password (0x00000011) sshd[12345]: pam_winbind(sshd:auth): pam_get_item returned a password sshd[12345]: pam_winbind(sshd:auth): Verify user 'user2' sshd[12345]: pam_winbind(sshd:auth): request failed: Must change password, PAM er...

...ctions = yes | idmap uid = 10000-20000 | idmap gid = 10000-20000 | template shell = /bin/bash | winbind enum groups = yes | winbind enum users = yes | winbind use default domain = yes and if someone tries to login, I get: | [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] ENTER: pam_sm_authenticate (flags: 0x0001) | [...] sshd[19524]: pam_winbind(sshd:auth): getting password (0x00000011) | [...] sshd[19524]: pam_winbind(sshd:auth): pam_get_item returned a password | [...] sshd[19524]: pam_winbind(sshd:auth): Verify user 'sfroehli' | [...] sshd[19524]: pam_winbind(sshd:auth): request f...

...MREMOTE\\\\testuser from 192.168.1.1 port 44848 ssh2 [preauth] sshd[9569]: pam_unix(sshd:auth): check pass; user unknown sshd[9569]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0) sshd[9569]: pam_winbind(sshd:aut...