search for: pamstate

...NULL; static const char *pampasswd = NULL; static char *pam_msg = NULL; -/* PAM conversation function. This is really a kludge to get the password */ -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +/* states for pamconv() */ +typedef enum { INITIAL_LOGIN, OTHER } pamstates; +static pamstates pamstate = INITIAL_LOGIN; +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +static int password_change_required = 0; + +/* + * PAM conversation function. + * There are two states this can run in. + * + * INITIAL_LOGIN mode simply feeds the password from the c...

...Tue Nov 6 22:58:46 2001 *************** *** 203,208 **** --- 203,209 ---- { extern ServerOptions options; int pam_retval; + int flags=0; do_pam_set_conv(&conv); *************** *** 217,223 **** __pampasswd = password; pamstate = INITIAL_LOGIN; ! pam_retval = do_pam_authenticate(0); if (pam_retval == PAM_SUCCESS) { debug("PAM Password authentication accepted for " "user \"%.100s\"", pw->pw_name); --- 218,227 ---- __pampasswd = password; pamst...

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

...+26,8 @@ #ifdef USE_PAM #include "ssh.h" +#include "ssh1.h" +#include "packet.h" #include "xmalloc.h" #include "log.h" #include "auth-pam.h" @@ -54,6 +56,8 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; +/* which type of prompts we should handle, set in auth_pam_password */ +static int pamprompt; /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ @@ -98,...

Hi, I have the securID patch applied to openssh3.4p-1 and it's compiled with pam. The problem I'm getting is that SecurID auth works OK, but normal password auth doesn't. I narrowed down the failure to the following section in auth-pam.c : __pampasswd = password; pamstate = INITIAL_LOGIN; pam_retval = do_pam_authenticate( options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); but I can't see how this works. Can anyone enlighten me please? I know that the password is correct but pam_retval is still not equal to PAM_SUCCESS. Ch...

...l)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); -#if 0 /* XXX: This would need to be done in the parent process, *...

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible: http://bugzilla.mindrot.org/show_bug.cgi?id=14 On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1: http://bugzilla.mindrot.org/show_bug.cgi?id=125 In fact, both patches work together, apparently. If I have any

...================================== RCS file: /cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 20 Nov 2002 13:12:12 -0000 @@ -60,7 +60,7 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; /* remember whether pam_acct_mgmt() returned PAM_NEW_AUTHTOK_REQD */ -static int password_change_required = 0; +extern int password_change_required; /* remember whether the last pam_authenticate() succeeded or not */ static int was_authenticated = 0; @@ -256,7 +256,6 @@ cas...

...l)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); -#if 0 /* XXX: This would need to be done in the parent process, *...

...ed to openssh3.4p-1 and it's compiled with > > pam. The problem I'm getting is that SecurID auth works OK, but normal > password auth doesn't. I narrowed down the failure to the following > section > in auth-pam.c : > > __pampasswd = password; > > pamstate = INITIAL_LOGIN; > pam_retval = do_pam_authenticate( > options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK > : > 0); > > but I can't see how this works. Can anyone enlighten me please? I know > that > the password is correct but pam_retva...