search for: print_pam_messag

Hi, I was investigating why I don't see any warnings from pam_ldap indicating the pending expiration of passwords as well as for PAM_NEW_AUTHTOK_REQD. Eventually, I found that do_pam_account() does not have a conversation function. Also, there is a function print_pam_messages (currently empty) which look suspiciously like it is ear marked to show just those error messages: /* auth-pam.c */ void print_pam_messages(void) { /* XXX */ } By any chance, is someone working on a patch to show these warning messages ? Thanks. Ralf.

...ition to the kludge to feed the user's password into PAM during initial login * add function do_pam_chauthtok() to call pam_chauthtok() if needed, once interactive session has been established auth-pam.h: * add prototype for do_pam_chauthtok() session.c: * add call to do_pam_chauthtok() after print_pam_messages() I am subscribed to openssh-unix-dev, so you do not have to copy any list discussion to me personally. =================================================================== RCS file: RCS/auth-pam.c,v retrieving revision 1.1 diff -u -r1.1 auth-pam.c --- auth-pam.c 2000/09/06 22:29:58 1.1 +++ auth...

...ot;dup2 stdin: %s", strerror(errno)); @@ -608,6 +604,24 @@ /* Close the extra descriptor for the pseudo tty. */ close(ttyfd); +#ifdef USE_PAM + /* + * If password change is needed, do it now. + * For privsep, this needs to occur before we acquire a + * controlling tty. + */ + print_pam_messages(); + if (use_privsep && is_pam_password_change_required()) + PRIVSEP(do_pam_chauthtok()); +#endif + /* Make the pseudo tty our controlling tty. */ + pty_make_controlling_tty(&ttyfd, s->tty); + + /* without privsep, chauthtok requires a controlling tty */ + if (!use_privsep)...

...quired but no " + "TTY available"); /* Fork the child. */ if ((pid = fork()) == 0) { @@ -726,6 +731,7 @@ socklen_t fromlen; struct sockaddr_storage from; struct passwd * pw = s->pw; + int password_changed = 0; pid_t pid = getpid(); /* @@ -758,6 +764,13 @@ print_pam_messages(); do_pam_chauthtok(); } +#else + buffer_append(&expiremsg, "\0", 1); + if (password_change_required) { + printf("%s\n", (char *)buffer_ptr(&expiremsg)); + fflush(stdout); + password_changed = do_tty_change_password(pw); + } #endif if (check_quietlogin(s,...

...quired but no " + "TTY available"); /* Fork the child. */ if ((pid = fork()) == 0) { @@ -726,6 +731,7 @@ socklen_t fromlen; struct sockaddr_storage from; struct passwd * pw = s->pw; + int password_changed = 0; pid_t pid = getpid(); /* @@ -758,6 +764,13 @@ print_pam_messages(); do_pam_chauthtok(); } +#else + buffer_append(&expiremsg, "\0", 1); + if (password_change_required) { + printf("%s\n", (char *)buffer_ptr(&expiremsg)); + fflush(stdout); + password_changed = do_tty_change_password(pw); + } #endif if (check_quietlogin(s,...

...-746,16 +749,23 @@ options.verify_reverse_mapping), (struct sockaddr *)&from, fromlen); -#ifdef USE_PAM /* * If password change is needed, do it now. * This needs to occur before the ~/.hushlogin check. */ +#ifdef USE_PAM if (is_pam_password_change_required()) { print_pam_messages(); - do_pam_chauthtok(); + if (!use_privsep) + do_pam_chauthtok(); } #endif + buffer_append(&expire_message, "\0", 1); + if (password_change_required) { + printf("%s", (char *)buffer_ptr(&expire_message)); + do_tty_change_password(pw); + password_changed = 1;...

...+766,13 @@ } #endif +#ifdef WITH_AIXAUTHENTICATE + if (is_aix_password_change_required()) { + printf("%s\n", aixexpiremsg); + do_aix_change_password(pw); + } +#endif + if (check_quietlogin(s, command)) return; @@ -764,7 +780,10 @@ if (!is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ + #ifdef WITH_AIXAUTHENTICATE + if (!is_aix_password_change_required() && aixexpiremsg && *aixexpiremsg) + printf("%s\n", aixexpiremsg); if (aixloginmsg && *aixloginmsg) printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUT...

...;t think its exploitable. But the format string processing isn't needed here, so it should be painless to remove. Here's the patch. -- Aaron - --- auth-pam.c~ Thu Jun 22 04:44:54 2000 +++ auth-pam.c Fri Jul 7 14:57:16 2000 @@ -277,7 +277,7 @@ void print_pam_messages(void) { if (pam_msg != NULL) - - fprintf(stderr, pam_msg); + fputs(pam_msg, stderr); } /* Append a message to the PAM message buffer */ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iQCVAwUBOWZU...

...rm/test if aixloginmsg should be freed ? If so this little patch might work (I didn't test this !!!!!): ^^^^^^^^^^^^^^^^^^^^^^^^^ --- session.c-orig Wed Jan 3 10:19:31 2001 +++ session.c Wed Jan 3 10:20:48 2001 @@ -750,8 +750,10 @@ print_pam_messages(); #endif /* USE_PAM */ #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + free(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */...

http://bugzilla.mindrot.org/show_bug.cgi?id=564 ------- Additional Comments From djm at mindrot.org 2003-07-30 11:48 ------- Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly - suggestions wanted. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...enssh-3.5p1a/auth-pam.h Wed Oct 16 10:00:40 2002 @@ -39,6 +39,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); diff -u -r openssh-3.5p1/session.c openssh-3.5p1a/session.c --- openssh-3.5p1/session.c Thu Sep 26 02:38:50 2002 +++ openssh-3.5p1a/session.c Wed Oct 16 15:01:40 2002 @@ -454,7 +454,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_se...

...ssh-3.4p1-dw/auth-pam.h Tue Jul 16 07:54:05 2002 @@ -12,6 +12,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); Only in openssh-3.4p1-dw: auth-pam.h.orig diff -u -r openssh-3.4p1/session.c openssh-3.4p1-dw/session.c --- openssh-3.4p1/session.c Wed Jun 26 08:51:06 2002 +++ openssh-3.4p1-dw/session.c Tue Jul 16 07:54:06 2002 @@ -461,7 +461,6 @@ session_pro...

...+104,6 @@ #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; -#ifdef WITH_AIXAUTHENTICATE -char *aixloginmsg; -#endif /* WITH_AIXAUTHENTICATE */ - #ifdef HAVE_LOGIN_CAP login_cap_t *lc; #endif @@ -770,10 +767,13 @@ if (options.use_pam && !is_pam_password_change_required()) print_pam_messages(); #endif /* USE_PAM */ -#ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) - printf("%s\n", aixloginmsg); -#endif /* WITH_AIXAUTHENTICATE */ + + /* display post-login message */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0&quo...

Hello all, The long-mooted PAM merge from FreeBSD is starting _now_. This replaces the PAM password auth kludge that we have used until now with a discrete challenge-response module. This module is invoked via keyboard-interactive for protocol 2 or TIS auth for protocol 1. Warning: this is a large change and will probably break things. It has only been tested with basic password auth modules and

...nect("Password change required but no " @@ -581,7 +580,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->tty); do_pam_setcred(1); #endif @@ -753,7 +752,7 @@ */ if (is_pam_password_change_required()) { print_pam_messages(); - do_pam_chauthtok(); + PRIVSEP(do_pam_chauthtok()); } #endif @@ -1238,6 +1237,12 @@ * Reestablish them here. */ do_pam_setcred(0); + + /* + * We need to open the session here because PAM on HP-UX does not + * work after the call to permanently_set_uid. + */ + do_pam_...