search for: pam_success

...switch (msg[count]->msg_style) { + for (count = 0; count < num_msg; count++) { + switch ((*msg)[count].msg_style) { + case PAM_PROMPT_ECHO_ON: + fputs((*msg)[count].msg, stderr); + fgets(buf, sizeof(buf), stdin); + reply[count].resp = xstrdup(buf); + reply[count].resp_retcode = PAM_SUCCESS; + break; case PAM_PROMPT_ECHO_OFF: - if (pampasswd == NULL) { - free(reply); - return PAM_CONV_ERR; - } + if (pamstate == INITIAL_LOGIN) { + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp = xstrdup(pampasswd); +...

...le("%s [pam]", pam_user); #endif @@ -224,11 +287,11 @@ sshpam_conv.appdata_ptr = ctxt; buffer_init(&buffer); - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) goto auth_fail; - sshpam_err = pam_authenticate(sshpam_handle, 0); + sshpam_err = pam_authenticate(grab_pamh(0, NULL), 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; buffer_put_cstring(&buffer, "OK"); @@ -238,7 +301,7 @@ auth_fail: buffer_put_cstring(&buffer, -...

...fore '*' token pam_ldap.c: In function `_cleanup_authtok_data': pam_ldap.c:602: error: `data' undeclared (first use in this function) pam_ldap.c: In function `_alloc_config': pam_ldap.c:617: error: `PAM_BUF_ERR' undeclared (first use in this function) pam_ldap.c:666: error: `PAM_SUCCESS' undeclared (first use in this function) pam_ldap.c: In function `_read_config': pam_ldap.c:771: error: `PAM_SUCCESS' undeclared (first use in this function) pam_ldap.c:773: error: `PAM_BUF_ERR' undeclared (first use in this function) pam_ldap.c:800: error: `PAM_SERVICE_ERR' und...

Trying 2.1.1p2 on HP-UX 11 (trusted system) I get: Jul 3 14:24:53 robinson sshd[1236]: debug: Encryption type: 3des Jul 3 14:24:53 robinson sshd[1236]: debug: Received session key; encryption turned on. Jul 3 14:24:53 robinson sshd[1236]: debug: Installing crc compensation attack detector. Jul 3 14:24:53 robinson sshd[1236]: debug: Starting up PAM with username "stevesk" Jul 3

-----BEGIN PGP SIGNED MESSAGE----- Hi, I''ve got several replies, thank you for them. Let me summarize: o Many people say there is a PAMified version of ssh available at ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source) ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries) (there are analogous paths for the other architectures). The packages are made by Jan

In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function, do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2, this is no longer the case: session modules run with a conversation function that just returns PAM_CONV_ERR. This means that simple session modules whose job involves printing text on the user's terminal no longer work: pam_lastlog, pam_mail, and

...the PAM stack changing the user name on us + */ +static int +sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt) +{ + const char *pam_user; + const char **ptr_pam_user = &pam_user; + + if (pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS) + return PAM_AUTH_ERR; + + if (strcmp(authctxt->user, pam_user)) { + char *user = strdup(pam_user); + struct passwd *pw; + + if (!user) + return PAM_AUTH_ERR; + + if (!(pw = getpwnamallow(user))) { + free(user); + return PAM_AUTH_ERR; + } + + free(authctxt->pw); + authctxt-&g...

...okup service=imap Feb 11 09:20:40 mail auth: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/pam_krb5.so.6 Feb 11 09:20:40 mail auth: in pam_get_user(): entering Feb 11 09:20:40 mail auth: in pam_get_item(): entering: PAM_USER Feb 11 09:20:40 mail auth: in pam_get_item(): returning PAM_SUCCESS Feb 11 09:20:40 mail auth: in pam_get_user(): returning PAM_SUCCESS Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Got user: woodsb02 Feb 11 09:20:40 mail auth: in pam_get_item(): entering: PAM_RUSER Feb 11 09:20:40 mail auth: in pam_get_item(): returning PAM_SUCCESS Feb 11 09:20:40 mail auth...

...tok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */...

...b 11 09:20:40 mail auth: in openpam_dispatch(): calling > pam_sm_authenticate() in /usr/lib/pam_krb5.so.6 > Feb 11 09:20:40 mail auth: in pam_get_user(): entering > Feb 11 09:20:40 mail auth: in pam_get_item(): entering: PAM_USER > Feb 11 09:20:40 mail auth: in pam_get_item(): returning PAM_SUCCESS > Feb 11 09:20:40 mail auth: in pam_get_user(): returning PAM_SUCCESS > Feb 11 09:20:40 mail auth: in pam_sm_authenticate(): Got user: > woodsb02 > Feb 11 09:20:40 mail auth: in pam_get_item(): entering: PAM_RUSER > Feb 11 09:20:40 mail auth: in pam_get_item(): returning > PAM_SUC...

...end(&loginmsg, **prompts, + strlen(**prompts)); xfree(**prompts); **prompts = NULL; } @@ -551,21 +549,6 @@ do_pam_account(void) } void -do_pam_session(void) -{ - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_ses...

...up(ctx->request->user); + string = strdup(str_c(username)); if (string == NULL) i_fatal_status(FATAL_OUTOFMEM, "Out of memory"); break; @@ -108,12 +116,14 @@ } free(resp); + str_free(&username); return PAM_CONV_ERR; } resp[i].resp_retcode = PAM_SUCCESS; resp[i].resp = string; } + str_free(&username); *resp_r = resp; return PAM_SUCCESS; @@ -231,7 +241,10 @@ pam_strerror(pamh, status)); return status; } - auth_request_set_field(request, "user", item, NULL); + if (module->pam_allow_transform) + { + auth_...

...`pamh' undeclared (first use in this function) nsswitch/pam_winbind.c:72: (Each undeclared identifier is reported only once nsswitch/pam_winbind.c:72: for each function it appears in.) nsswitch/pam_winbind.c:72: `PAM_CONV' undeclared (first use in this function) nsswitch/pam_winbind.c:73: `PAM_SUCCESS' undeclared (first use in this function) nsswitch/pam_winbind.c:74: dereferencing pointer to incomplete type nsswitch/pam_winbind.c:74: `nargs' undeclared (first use in this function) nsswitch/pam_winbind.c:74: `message' undeclared (first use in this function) nsswitch/pam_winbind.c:75:...

Hi, The main (and probably the only) use case of this PAM module is to let sudo authenticate users via their ssh-agent, therefore without having to type any password and without being tempted to use the NOPASSWD sudo option for such convenience. The principle is originally implemented by an existing module [0][1] and many pages that explain how to use it for such purpose can be found online.

...story-20 sshd[4656]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1245880658, the policy says it should expire here 1245880657 (now it's: 1245882598)) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jun 24 15:29:58 history-20 sshd[4656]: pam_...

...`pamh' undeclared (first use in this function) nsswitch/pam_winbind.c:67: (Each undeclared identifier is reported only once nsswitch/pam_winbind.c:67: for each function it appears in.) nsswitch/pam_winbind.c:67: `PAM_CONV' undeclared (first use in this function) nsswitch/pam_winbind.c:68: `PAM_SUCCESS' undeclared (first use in this function) nsswitch/pam_winbind.c:69: dereferencing pointer to incomplete type nsswitch/pam_winbind.c:69: `nargs' undeclared (first use in this function) nsswitch/pam_winbind.c:69: `message' undeclared (first use in this function) nsswitch/pam_winbind.c:70:...

...story-20 sshd[4656]: pam_winbind(sshd:auth): Password has expired (Password was last set: 1245880658, the policy says it should expire here 1245880657 (now it's: 1245882598)) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:auth): [pamh: 0x1f06f48] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): [pamh: 0x1f06f48] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Jun 24 15:29:58 history-20 sshd[4656]: pam_winbind(sshd:account): pam_sm_acct_mgmt success but PAM_WINBIND_NEW_AUTHTOK_REQD is set Jun 24 15:29:58 history-20 sshd[4656]: pam_...

...-with-winbind \ --with-pam make 2>errors errors: nsswitch/pam_winbind.c:97: dereferencing pointer to incomplete type nsswitch/pam_winbind.c: In function `winbind_request': nsswitch/pam_winbind.c:111: `PAM_SERVICE_ERR' undeclared (first use in this function) nsswitch/pam_winbind.c:122: `PAM_SUCCESS' undeclared (first use in this function) nsswitch/pam_winbind.c: In function `winbind_auth_request': nsswitch/pam_winbind.c:154: `PAM_AUTH_ERR' undeclared (first use in this function) nsswitch/pam_winbind.c:158: `PAM_USER_UNKNOWN' undeclared (first use in this function) nsswitch/pam...

...The code from 3.6.1p2 is doesn't set PAM_TTY at all when tty is NULL. Doing that fixes -current for me. Should it be changed to do the same thing, ie --- auth-pam.c 3 Jun 2003 00:25:48 -0000 1.64 +++ auth-pam.c 8 Aug 2003 02:13:34 -0000 @@ -531,11 +531,13 @@ if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); - debug("PAM: setting PAM_TTY to \"%s\"", tty); - sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty); - if (sshpam_err != PAM_S...

...d == 1) + pam_password_change_required(1); + /* Import environment from subprocess */ num_env = buffer_get_int(b); sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); @@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + + if (compat20) { + if (do_pam_account()) { + if (sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + pam_password_change_required(0); + } + }...