search for: pam_user

Displaying 20 results from an estimated 35 matches for "pam_user".

2002 Aug 30
4
Patch so that sshd makes use of PAM_USER
<<pam_user.patch>> Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions,...
2009 Jul 22
2
PAM_USER falsely assumed immutable
In 1.2.1 there's: passdb-pam.c:230 status = pam_get_item(pamh, PAM_USER, &item); passdb-pam.c:237 auth_request_set_field(request, "user", item, NULL); so "item" is PAM_USER, which is then checked by auth_request_set_field: 1022 if (strcmp(request->user, value) != 0) { 1023 auth_request_log_deb...
2001 Sep 05
2
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
...for example a kerberos ticket. >My guess, given what OpenSSH does with PAM: PAM_CRED_ESTABLISH means >"make it so we can use your module's credentials as root" whereas >PAM_REINITIALIZE_CREDS means "make it so we can use your module's >credentials as pam_get_item(PAM_USER)." That is wrong and is one thing the XSSO doc is clear on: "The pam_setcred() function is used to establish, modify, or delete the credentials of the current user associated with the authentication handle, pamh. " The Solaris pam_setcred(3pam) man page is less clear - I'll f...
2002 Aug 29
0
Using PAM_USER for user mappings
Hello all. It is my understanding that a PAM-aware application should check the value of the PAM_USER attribute after every PAM call.
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
...mbiquous. I think it is quite easy to make the assumption that ESTABLISH and REINITIALIZE are synonymous but both are different from REFRESH. >And, IMO, as I think about it, the OpenSSH interpretation makes plenty >of sense. Consider an app that will not fork() a child that runs as the >PAM_USER (e.g., a web server) but which nonetheless needs the user's >Kerberos creds -- why bother creating a user-owned ccache then? I can see that from a PAM view point but it won't really work from a Kerberos view point (it isn't how kerberos was designed to work). >> "The pam...
2006 Sep 12
3
Weird TZ Behavior in 4.1p1 and 4.3p2 on AIX
Hi, I am using PAM authentication on 3.8p1. In my PAM auth module I can turn on debug logging that includes a timestamp in the form "mm/dd/yy hh:mm:ss". Life is good. I want to upgrade from 3.8p1 so I can use PAM for PasswordAuthentication in addition to keyboard-interactive. I have compiled both 4.1p1 and 4.3p2 and the PAM authentication for both methods works fine in both
2007 May 24
2
[RFC][PATCH] Detect and handle PAM changing user name
...57:47.000000000 -0500 +++ openssh-4.6p1.jleu/auth-pam.c 2007-05-24 13:16:56.000000000 -0500 @@ -335,6 +335,39 @@ } /* + * Detect and deal with the PAM stack changing the user name on us + */ +static int +sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt) +{ + const char *pam_user; + const char **ptr_pam_user = &pam_user; + + if (pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS) + return PAM_AUTH_ERR; + + if (strcmp(authctxt->user, pam_user)) { + char *user = strdup(pam_user); + struct passwd *pw; + + if (!user) + re...
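Review bot: in sshpam_handle_user_change, pam_user goes straight into strcmp(authctxt->user, pam_user) once pam_get_item returns PAM_SUCCESS, but a successful call can still leave the item NULL when PAM_USER has not been set. Add a NULL check before the comparison and return PAM_AUTH_ERR there, as the failure path above it already does. Writing the test as strcmp(...) != 0 would also make the "name changed" intent explicit.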
2008 May 23
1
how to debug ssh slow connection issues.
...ld May 23 12:01:56 192.168.1.21 pam_stack[23836]: NOT passing PAM_RUSER to child: source is NULL May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing PAM_SERVICE to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing PAM_TTY to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing PAM_USER to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: NOT passing PAM_USER_PROMPT to child: source is NULL May 23 12:01:56 192.168.1.21 pam_stack[23836]: passing data to child May 23 12:01:56 192.168.1.21 pam_stack[23836]: calling substack May 23 12:01:56 192.168.1.21 pam_stack[23836]: substack r...
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...*/ + +static pam_handle_t *grab_pamh(int set, pam_handle_t *value) +{ + if (set) + sshpam_handle = value; + return sshpam_handle; +} + +#endif /* #ifdef USE_POSIX_THREADS */ + /* * Conversation function for authentication thread. */ @@ -216,7 +279,7 @@ #ifndef USE_POSIX_THREADS const char *pam_user; - pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user); + pam_get_item(grab_pamh(0, NULL), PAM_USER, (const void **)&pam_user); setproctitle("%s [pam]", pam_user); #endif @@ -224,11 +287,11 @@ sshpam_conv.appdata_ptr = ctxt; buffer_init(&buffer); - sshpam...
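Review bot: in the @@ -216,7 +279,7 @@ hunk the return value of pam_get_item(grab_pamh(0, NULL), PAM_USER, ...) is still ignored, so pam_user reaches setproctitle("%s [pam]", pam_user) uninitialized if the call fails; initialize pam_user to NULL and set the title only on PAM_SUCCESS. Separately, grab_pamh(int set, pam_handle_t *value) doubles as getter and setter behind a flag argument, which makes call sites such as grab_pamh(0, NULL) hard to read. The visible body reads and writes sshpam_handle without any locking, so either split it into two small functions or add a comment stating what synchronization the accessor is meant to provide.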
2002 Feb 14
2
[Bug 117] OpenSSH second-guesses PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 ------- > OpenSSH traditionally would not even start PAM, and > now starts it specifying 'NOUSER' as the login name. We have always used NOUSER, the recent patch just makes it consistent between protocols 1 and 2. > The second is to prevent username guessing
2020 Jul 29
1
kerberos ticket on login problem
...(flags: 0x0000) > Jul 29 09:33:53 brayden xrdp-sesman[1652]: > pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: > ITEM(PAM_SERVICE) = "xrdp-sesman" (0xb471c0) > Jul 29 09:33:53 brayden xrdp-sesman[1652]: > pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_USER) > = "jas" (0xb4fd60) > Jul 29 09:33:53 brayden xrdp-sesman[1652]: > pam_winbind(xrdp-sesman:auth): [pamh: 0xb4cac0] STATE: ITEM(PAM_TTY) = > "xrdp-sesman" (0xb4d6a0) > Jul 29 09:33:53 brayden xrdp-sesman[1652]: > pam_winbind(xrdp-sesman:auth): [pamh: 0xb4c...
2018 Jul 24
0
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
..._winbind(sshd:auth): [pamh: 0x1022c38] ENTER: pam_sm_authenticate (flags: 0x0001) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_SERVICE) = "sshd" (0x10226f8) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_USER) = "roy" (0x1021aa8) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_TTY) = "ssh" (0x102c040) Jul 24 10:13:18 pi-dc sshd[865]: pam_winbind(sshd:auth): [pamh: 0x1022c38] STATE: ITEM(PAM_RHOST) = "192.168.2.240" (0x102c028) Jul...
2007 Jun 27
1
User mapping via pam
Hi, I'm trying to change the PAM_USER within a pam module, and observed that dovecot 0.99 does not support this. I then looked at 1.x and found: src/auth/passdb-pam.c:232: /* FIXME: this doesn't actually work since we're in the child process.. */ status = pam_get_item(pamh, PAM_USER, (linux...
2010 Jul 20
5
Record Failed Passwords
Hi OpenSSH'ers, I am emailing you to ask is it possible to record failed password attempts and log them to syslog? Are there patches available for this? Has anyone managed to do this before? Are there alternative methods? Many Thanks, A -- Alan Neville, Postgraduate Education Officer, DCU Students' Union 2009/2010, BS.c Computer
2017 Mar 13
1
pam_winbind with trusted domain
...8.1.1 sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] ENTER: pam_sm_authenticate (flags: 0x0001) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7fc74c2c9380) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_USER) = "DOMREMOTE\testuser" (0x7fc74c2c9fe0) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_TTY) = "ssh" (0x7fc74c2e15f0) sshd[9569]: pam_winbind(sshd:auth): [pamh: 0x7fc74c2cad40] STATE: ITEM(PAM_RHOST) = "192.168.1.1" (0x7fc74c2e15d0) sshd[956...
2020 Jul 28
2
kerberos ticket on login problem
I'm experimenting with smb + winbind. My host is joined to AD and I can login to my host fine using my AD credentials via SSH. The only issue is that I don't get a Kerberos ticket generated. In /etc/security/pam_winbind.conf I have: krb5_auth = yes krb5_ccache_type = KEYRING In /etc/krb5.conf, I also have: default_ccache_name = KEYRING:persistent:%{uid} Using wbinfo -K jas, then
2018 Jul 24
2
Failed to establish your Kerberos Ticket cache due time differences with the domain controller
I did re-read the whole thread again. I'm running out of options. When I look at: https://wiki.samba.org/index.php/PAM_Offline_Authentication You can do these last checks. Run the "Testing offline authentication" steps as shown on the wiki. Debian normally does not have /etc/security/pam_winbind.conf; check if it's there, and if so, back it up and remove it. Check if these packages are installed.
2011 Aug 08
0
[PATCH] check admin password for upgrade verification
...taller.py index 637c64c..7c66676 100644 --- a/scripts/ovirt-config-installer.py +++ b/scripts/ovirt-config-installer.py @@ -177,7 +177,7 @@ class NodeInstallScreen: def current_password_callback(self): auth = PAM.pam() auth.start("passwd") - auth.set_item(PAM.PAM_USER, "root") + auth.set_item(PAM.PAM_USER, "admin") global current_password current_password = self.current_password.value() auth.set_item(PAM.PAM_CONV, pam_conv) @@ -590,7 +590,7 @@ class NodeInstallScreen: self.root_password_1 = Entry(15,...
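Review bot: in current_password_callback the account being checked is the string literal "admin" in auth.set_item(PAM.PAM_USER, "admin"); put the account name in one named constant so every place that verifies or sets this password refers to the same account, and state in the commit message why upgrade verification should authenticate admin instead of root. The callback also keeps the entered password in the module-level global current_password, which is worth clearing once the check has completed.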
2013 Nov 28
4
SSH - Winbind and Keybased Auth
...2683650] ENTER: pam_sm_acct_mgmt (flags: 0x0000) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_SERVICE) = "sshd" (0x7f6b826837d0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_USER) = "nathan" (0x7f6b826837f0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_TTY) = "ssh" (0x7f6b8268dbd0) Nov 28 17:34:58 testbox01 sshd[26078]: pam_winbind(sshd:account): [pamh: 0x7f6b82683650] STATE: ITEM(PAM_RHOST) = &...
2001 Oct 31
3
2.9.9p2 and Solaris-2.8 PAM: Cannot delete credentials[7]: Permission denied
The 2 errors: pam_setcred: error Permission denied Cannot delete credentials[7]: Permission denied Looks to be a major bug in the PAM module for Solaris-2.8/2.7/2.6. Has anyone from the list (developers of OpenSSH, endusers, hackers, etc.) come up w/ a solution? Even a temporary one? When authenticating yourself on the same system that worked, but when authenticating to another system failed. I