Displaying 13 results from an estimated 13 matches for "password_change_required".
2002 Nov 20
0
[PATCH #9] Password expiration via /bin/passwd.
...ore generic. (There's actually a net reduction in #ifdefs).
Patch against CVS:
1) configure finds passwd.
2) sshd uses passwd during session if required.
3) sshd uses passwd for PAM change if privsep disabled.
4) sshd uses Buffers for expire and post-login messages (no longer AIX
specific).
5) password_change_required generalized (no longer PAM specific).
Tested on the following configurations:
Redhat 8 (without PAM)
AIX 4.3.3
Solaris 8 (without PAM)
HP-UX 11.0 (trusted configuration, with PAM)
I'm confused about this from auth-pam.c:
/* XXX: This would need to be done in the parent process,
* but there&...
2003 Jul 09
0
[PATCH] Add expired password handling for AIX.
...nclude "xmalloc.h"
#include "canohost.h"
+#include "misc.h"
+#include "auth-options.h"
#if !defined(HAVE_OSF_SIA)
/* Don't need any of these headers for the SIA cases */
@@ -82,6 +84,7 @@
extern ServerOptions options;
extern Buffer loginmsg;
+int password_change_required = 0;
/*
* Tries to authenticate the user using password. Returns true if
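Review bot: `int password_change_required = 0;` is added at file scope with external linkage and no comment saying who sets it or who reads it. Add a one-line comment on its meaning and lifetime, and if other files need it, declare it once in a shared header rather than repeating `extern` in each user.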
@@ -248,4 +251,81 @@
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
#endif /* !HAVE_OSF_SIA */
+}
+
+/*
+ * Perform generic password...
2003 Jul 30
1
[PATCH] Password expiry merge (AIX parts)
...t;
+#include "misc.h"
+#include "buffer.h"
#include "openbsd-compat/xcrypt.h"
#ifdef WITH_AIXAUTHENTICATE
# include "buffer.h"
# include "canohost.h"
-extern Buffer loginmsg;
#endif
extern ServerOptions options;
+extern Buffer loginmsg;
+int password_change_required = 0;
/*
* Tries to authenticate the user using password. Returns true if
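Review bot: `#include "buffer.h"` is now added unconditionally at the top, but the `# include "buffer.h"` inside the `#ifdef WITH_AIXAUTHENTICATE` block is left in place as a context line, so the conditional include is redundant. Since `extern Buffer loginmsg;` has moved out of that block, drop the conditional include as well.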
@@ -168,4 +172,81 @@
}
# endif
#endif /* !HAVE_OSF_SIA */
+}
+
+/*
+ * Perform generic password change via tty. Like do_pam_chauthtok(),
+ * it throws a fatal error if the password can't be changed.
+ */
+int
+d...
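Review bot: the new function is declared `int`, but its comment only says it throws a fatal error if the password can't be changed, so the meaning of the return value is undocumented. State in the comment what is returned on success and whether any non-fatal failure return exists, so callers know whether they must check it.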
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...et the password */
-/* into PAM and to pick up any messages generated by PAM into pamconv_msg */
+/* states for pamconv() */
+typedef enum { INITIAL_LOGIN, OTHER } pamstates;
+static pamstates pamstate = INITIAL_LOGIN;
+/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
+static int password_change_required = 0;
+
+/*
+ * PAM conversation function.
+ * There are two states this can run in.
+ *
+ * INITIAL_LOGIN mode simply feeds the password from the client into
+ * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
+ * messages with pam_msg_cat(). This is used during initial
+ * authenticat...
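Review bot: the comment above `static int password_change_required = 0;` names the return code as `PAM_NEWAUTHTOK_REQD`; the PAM constant is `PAM_NEW_AUTHTOK_REQD`. Correct the spelling so a search for the constant finds this flag.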
2003 Feb 20
0
"if 0" in auth-pam.c
Hi,
I was doing some research on why new openssh-versions (3.4 and 3.5p1)
doesn't ask you to change expired passwords (it just disconnects you) and
found something curious.
Line 259 of auth-pam.c has "#if 0" and then the code to set some vars
(eg. password_change_required to true) followed by an "endif". Why is
that? I'm not a C expert, but I think "if 0" is a non-possible
situation, right?
I then removed these conditions, and it worked just fine, changed my
password as it should..
btw, yes, I removed "Privilege Separation" to...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...case PAM_SUCCESS:
/* This is what we want */
break;
-#if 0
case PAM_NEW_AUTHTOK_REQD:
- message_cat(&__pam_msg, use_privsep ?
- NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
+ message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
/* disallow other functionality for now */
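Review bot: with the `#if 0` removed, `case PAM_NEW_AUTHTOK_REQD:` is live again and ends in a plain `break` just as `PAM_SUCCESS` does, and the only state it leaves behind in the visible lines is `password_change_required = 1` plus the forwarding flags. Confirm that every session path checks that flag and forces the change before running a shell or command, including when privilege separation is on, since the privsep-specific message is dropped here.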
@@ -267,7 +266,6 @@
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
-#endif
default:
log("PAM rejected by account configuration[%d]: "
"%.200s", pam_retval, PAM_STRERROR(__pamh,
@@...
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...case PAM_SUCCESS:
/* This is what we want */
break;
-#if 0
case PAM_NEW_AUTHTOK_REQD:
- message_cat(&__pam_msg, use_privsep ?
- NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
+ message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
/* disallow other functionality for now */
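Review bot: replacing the `use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG` argument with plain `NEW_AUTHTOK_MSG` removes the only use of `NEW_AUTHTOK_MSG_PRIVSEP` shown in this hunk. If nothing else references that macro, remove its definition in the same patch so no dead message text is left behind.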
@@ -267,7 +266,6 @@
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
-#endif
default:
log("PAM rejected by account configuration[%d]: "
"%.200s", pam_retval, PAM_STRERROR(__pamh,
@@...
2002 Aug 07
0
[Bug 381] New: unable to access expired accounts using PAM with openssh-3.4P1
...ed by account configuration" error
message.
I noticed that this functionality has been disabled in auth-pam.c
#if 0
case PAM_NEW_AUTHTOK_REQD:
message_cat(&__pam_msg, use_privsep ?
NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
/* disallow other functionality for now */
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
#endif
2002 Dec 08
1
Password expiry related clarification in OpenSSH3.5p1
...Why this part of the code is not used in 3.5p1? Is there any specific
reasons for not using this part of the code?
#if 0
case PAM_NEW_AUTHTOK_REQD:
message_cat(&__pam_msg, use_privsep ?
NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
/* disallow other functionality for now */
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
#endif
Please reply.
Thanks
Logsnaath.
----- End forwarded message -----
2018 Sep 28
2
Support for RFC4252 in sshd with PAM
...m_request_receive entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required)
debug3: sshpam_password_change_required 1
debug3: mm_request_send entering: type 103
Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2
debug1: monitor_child_preauth: dhubbard2 has been authenticated by
privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26...
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch
in the sshd_config. You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
..."
@@ -54,6 +56,8 @@
/* states for do_pam_conversation() */
enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
+/* which type of prompts we should handle, set in auth_pam_password */
+static int pamprompt;
/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
static int password_change_required = 0;
/* remember whether the last pam_authenticate() succeeded or not */
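Review bot: `static int pamprompt;` is described only as "which type of prompts we should handle", with no indication of the values it can hold. Say in the comment which values it takes (or give it an enum type, as `pamstate` has just above), and initialise it explicitly as `password_change_required` is.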
@@ -98,6 +102,10 @@
int count;
char buf[1024];
+ u_int dlen;
+ int plen, type;
+ char *response;
+
/* PAM will free this later */
reply = malloc(num_msg * sizeof(*reply));
if (reply == NULL)
@@ -111,10 +119,40 @@...
2003 Mar 20
4
Call for testing for 3.6: password expiry?
I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
http://bugzilla.mindrot.org/show_bug.cgi?id=14
On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
http://bugzilla.mindrot.org/show_bug.cgi?id=125
In fact, both patches work together, apparently.
If I have any