search for: pam_ssh

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-11:09.pam_ssh Security Advisory The FreeBSD Project Topic: pam_ssh improperly grants access when user account has unencrypted SSH private keys Category: contrib Module: pam Announ...

Hello! We experienced crashes of the dovecot-auth process during user verification with pam_ssh. After a little debugging I saw that pam_ssh and dovecot both provide a buffer_free() function. During cleanup of pam_ssh the buffer_free() from dovecot was called. The members of the buffer had all "out of bound" addresses. After rename the buffer_free() in dovecot the pam login works...

...eBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password but nullok was not specified, so I think this should be considered a bug. During diagnosis, /etc/pam.d/sshd was configured for authentication using: ------------- auth required pam_ssh.so no_warn try_first_pass ------------- I enabled _openpam_debug in pam_ssh and found this during a login via sshd to the user's account: ------------- Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to load key from /home/targetuser/.ssh/identity Nov 15 09:...

...an ssh-agent process is started and any successfully decrypted private keys are added. Hence, users only type their logins and passwords once at the beginning of a session. As a side benefit, system administrators can elect to rid the password database of authentication data. At the time I wrote pam_ssh, Theo de Raadt said he wanted to keep the OpenSSH code base tightly-controlled, so my patches were not imported. FreeBSD was interested, however, and pam_ssh has been part of the core ever since. Now that the code has been performing well for a year in FreeBSD, would you consider importing it int...

...inbind.so auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so account sufficient pam_winbind.so account required pam_unix.so # session #ses...

...ie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient pam_winbind.so try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account account required pam_winbind.so #account required pam_krb5.so account required pam_login_access.so account requ...

...sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_winbind.so mkhomedir=yes #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session #session optional pam_ssh.so session...

...no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_winbind.so try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account account required pam_nologin.so #account required pam_krb5.so account sufficient /usr/local/lib/pam_winbind.so account r...

...m.d/{imap,pop3} were untouched; both as follows # # $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $ # # PAM configuration for the "pop3" service # # auth #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_nologin.so account required pam_unix.so

...pam_nologin.so no_warn #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass #tfa auth sufficient pam_winbind.so debug try_first_pass auth sufficient pam_unix.so no_warn try_first_pass # account #account...

...pam_nologin.so no_warn #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass #tfa auth sufficient pam_winbind.so debug try_first_pass auth sufficient pam_unix.so no_warn try_first_pass # account #account...

...ib/pam_winbind.so try_first_pass auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account account required /usr/lib/pam_winbind.so #account required pam_krb5.so account required pam_login_access.so acco...

...ntly, we can only have S/KEY+password, by using PAM for authentication, and configuring PAM accordingly. But PAM of course can't handle SSH public keys. I thought for a while that ideally we could actually use PAM to tell sshd what methods of authentication to accept at each stage... require pam_ssh_skey.so sufficient pam_ssh_publickey.so sufficient pam_ssh_password.so ...etc. But PAM doesn't actually let us work like that, so it'd end up being something more like... require pam_ssh.so methods=skey require pam_ssh.so methods=publickey,password ...and I suspect it's overkill...

...am_nologin.so no_warn #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so #account required pam_login_access.so #account required pam_unix.so # session #...

...quot; service # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth sufficient /usr/local/lib/pam_winbind.so auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth sufficient /usr/local/lib/pam_winbind.so auth required pam_unix.so no_warn try_first_pass # account account sufficient /usr/local/lib/pam_winbind.so account required pam_nologin.so #account required pam_krb5.so account...

>> auth: in openpam_parse_chain(): /etc/pam.d/dovecot(1): missing or invalid facility > > I do not think that it has something to do with the dovecot settings > itself but perhaps with the pam facility settings instead? i can believe that. any clues to debug? randy

...> > # > # $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $ > # > # PAM configuration for the "pop3" service > # > > # auth > #auth sufficient pam_krb5.so no_warn try_first_pass > #auth sufficient pam_ssh.so no_warn try_first_pass > auth required pam_unix.so no_warn try_first_pass > > # account > #account required pam_nologin.so > account required pam_unix.so copy or link /etc/pam.d/imap do /etc/pam.d/dovecot -...

Hi, I'm trying to setup Dovecot with MS AD and am using this as my guide: http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm I can definitely access information on the AD server using wbinfo -g and wbinfo -u..... Currently my dovecot.conf file looks like this: # v1.1: #auth_ntlm_use_winbind = yes # v1.2+: auth_use_winbind = yes auth_winbind_helper_path = /usr/local/bin/ntlm_auth

...28 20:29:06 2005 @@ -9,5 +9,5 @@ auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass +auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass nullok +auth sufficient pam_unix.so no_warn try_first_pass nullok Thank you very much for any hints! -mi

...l package size (3 rpms -- openssh, openssh-server and openssh-clients -- was 650Kb befor and 420Kb after). While tweaking makefiles and so on, I realized one minor problem with libssl.a: it is not a complete library per se. Yes, I know that it isn't intended to be used by other programs (btw, pam_ssh uses parts of libssh), but keeping it in a good state may be helpful anyway. One issue with this library is that it refers to an external variable, IPV4or6, that itself isn't in library, but defined in several source files instead, repeating the same lines every time. So, then libssl is a sha...