
Displaying 20 results from an estimated 25 matches for "setpcr".

2005 Jan 05
3
[Bug 969] early setpcred() stomps on PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=969 Summary: early setpcred() stomps on PAM Product: Portable OpenSSH Version: 3.9p1 Platform: All OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-bugs at mindrot.org ReportedBy: dle...
2009 Mar 02
0
About setpcred() and chroot()
Hi, I need to use sftp-only accounts, chroot()ed in their home dirs, on AIX 5.3 with OpenSSH_5.2p1. But there is a problem with the chroot() call. In the do_setusercontext() function, chroot() is called after the setpcred() (only AIX is concerned by the setpcred() call), so privileges are already dropped when chroot() is called. When not calling setpcred(), the chroot() does not fail and the privileges are dropped anyway within the permanently_set_uid() call, just after the safely_chroot() call. Is the setpcred(...
2002 Aug 13
1
Further comment on chroot patch for openssh-3.4p1
The way this was last supplied to this list (2002-07-13) has the chroot after the call to 'setpcred'. In AIX 4.3.3 the call to setpcred changes the uid and eff. uid to the user attempting to logon. Then the call to chroot( new_home ) fails because AIX requires that any user issuing the chroot subroutine be at root authority. Net result: attempting to do a chroot after the call to setpcred...
2009 Mar 06
20
[Bug 1567] New: Insufficient privileges to chroot() on AIX
...AssignedTo: unassigned-bugs at mindrot.org ReportedBy: bana at docisland.org I need to use sftp-only accounts, chroot()ed in their home dirs, on AIX 5.3 with OpenSSH_5.2p1. But there is a problem with the chroot() call. In the do_setusercontext() function, chroot() is called after the setpcred() (only AIX is concerned by the setpcred() call), so privileges are already dropped when chroot() is called. When not calling setpcred(), the chroot() does not fail and the privileges are dropped anyway within the permanently_set_uid() call, just after the safely_chroot() call. Is the setpcred(...
2006 Oct 09
3
[Bug 1249] pam_open_session called with dropped privs
...Severity: normal Priority: P2 Component: sshd AssignedTo: bitbucket at mindrot.org ReportedBy: dleonard at vintela.com pam_open_session() is being called with euid/uid set to the authenticated user (instead of root) It seems that do_setusercontext() calls setpcred() early, but setpcred() has the effect of setting uid/euid to the authenticated user. This can't be undone, and the subsequent calls to do_pam_session() are unprivileged. This is bad for our pam module that creates missing home directories. Reproduced on oslevels 4330-11, 5100-03, 5200-04...
2002 Jun 06
9
[Bug 261] AIX capabilities + port-aix.c cleanup
...ly got a chance to try this. I got compile errors with gcc on AIX 4.2.1 and 4.3.3. gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I/usr/local/include -DHAVE_CONFIG_H -c port-aix.c port-aix.c: In function `set_limits_from_userattr': port-aix.c:35: too few arguments to function `setpcred' port-aix.c:36: too few arguments to function `setpenv' The following patch works for me. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
2003 Jul 03
0
AIX cleanups: includes and arguments
...e details: attached is a patch that changes some of the #includes for AIX. It moves the AIX-specific includes to port-aix.h and adds includes that contain the prototypes for many of the authentication functions. The idea is to fix some warnings. Unfortunately this exposes a couple of problems: * setpcred call does not match prototype * loginfailed on AIX 5.2 takes an (optional?) extra argument: Reason The patch changes the setpcred call to: setpcred(pw->pw_name, (char **)NULL); It also adds configure magic to detect a 4-arg loginfailed and #defines to use the appropriate call (hidden in po...
2003 Oct 28
4
AIX patch for openssh-3.7.1p2
There are a couple of bugs in the openssh-3.7.1p2. The aix_setauthdb function does not work with other types of authentication such as AFS/DFS. The loginfailed test in configure is not correct. Also, AIX can use the wtmp logging which I added in configure. Attached is the patch. Thanks, Matt Richards -------------- next part -------------- *** openssh-3.7.1p2/openbsd-compat/port-aix.c Mon Jul 14
2002 May 31
0
[Bug 261] New: AIX capabilities + port-aix.c cleanup
...nedTo: openssh-unix-dev at mindrot.org ReportedBy: janfrode at parallab.uib.no OpenSSH isn't setting the AIX capabilities correctly, so I had a look into fixing this. It looks to me like port-aix.c could be simplified by removing all setrlimit() calls and instead use the AIX functions setpcred()/setpenv() to set up the user environment. They are documented in http://tre.ii.uib.no/doc_link/en_US/a_doc_lib/libs/basetrf2/setpcred.htm http://tre.ii.uib.no/doc_link/en_US/a_doc_lib/libs/basetrf2/setpenv.htm Please consider applying the following patches so that we can use OpenSSH to...
2002 Jun 25
3
BSD/OS with privsep
...ged child process to deal with network data */ --- session.c.orig Tue Jun 25 13:28:07 2002 +++ session.c Tue Jun 25 13:33:16 2002 @@ -1154,22 +1154,26 @@ { #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ if (getuid() == 0 || geteuid() == 0) { #endif /* HAVE_CYGWIN */ #ifdef HAVE_SETPCRED setpcred(pw->pw_name); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { + int flags = LOGIN_SETALL & ~LOGIN_SETPATH; +#ifdef __bsdi__ + if (getpid() != getpgrp()) + flags &= ~LOG...
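Review bot: In the visible part of the session.c hunk, `int flags = LOGIN_SETALL & ~LOGIN_SETPATH;` is declared after the `setpcred(pw->pw_name);` call whenever HAVE_SETPCRED and HAVE_LOGIN_CAP are both defined, which is a declaration after a statement and will not compile on C89-only compilers. Declare `flags` at the top of the enclosing block, or open a nested block under HAVE_LOGIN_CAP. The `getpid() != getpgrp()` test under `__bsdi__` also needs a comment explaining why a flag is cleared for processes that are not group leaders; the excerpt is cut off before the flag name, so which flag is masked cannot be checked here.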
2009 Dec 01
4
[Bug 1678] New: Insufficient privileges to chroot() on AIX
...Changed root directory to "/home/test" Failed to set process credentials .. then it quits. I attached the truss log from AIX 6.1 (truss_log.txt) I also attached the fix that worked for me (this code was posted already in https://bugzilla.mindrot.org/attachment.cgi?id=1669 ). I call setpcred before chroot. Already posted this on https://bugzilla.mindrot.org/show_bug.cgi?id=1567 but had no reply. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
2003 Oct 02
1
Connection drops after entering password.
Has anyone seen the error that I'm getting below? After you ssh to the box and enter the password the connection just closes. SSH Version { root at xxxxxxxx} # ssh -V OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003 OS Version { root at xxxxxxxx } # oslevel -r AIX 4330-09 SSH Connect Failure { root at xxxxxxxxx } # ssh -l xxxxxxxxx -v localhost OpenSSH_3.7p1, SSH protocols
2002 May 14
1
AIX capabilities not set
Hi, we're in the process of setting up large-page support on IBM regattas, but for large-page support the users have to have a set of extra capabilities (CAP_BYPASS_RAC_VMM,CAP_PROPAGATE). These are configured on a per-user basis by listing which capability each user has in /etc/security/user. Unfortunately they don't get set when the users log in via OpenSSH (3.1p1). Does anybody know
2008 Jun 14
0
[Bug 1249] pam_open_session called with dropped privs
...-------------------------------------------- CC| |dtucker at zip.com.au --- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2008-06-15 05:27:49 --- I think this was fixed with the change for bug #926. Can you confirm? Also, how does the setpcred change relate to this bug and is it still needed? Thanks. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
2002 Oct 25
0
NeXT Community
...md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ + mkdtemp ngetaddrinfo openpty ogetaddrinfo readpassphrase \ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ socketpair strerror strlcat strlcpy strmode sysconf tcgetpgrp \ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty) + +dnl Make sure that mmap prototype is defined before defining HAVE_MMAP +AC_CHECK_DECL(mmap, [AC_CHECK_FUNCS(mmap)]) dnl Make s...
2003 Apr 15
3
[Bug 543] sshd does not use AIX's setauthdb
http://bugzilla.mindrot.org/show_bug.cgi?id=543 Summary: sshd does not use AIX's setauthdb Product: Portable OpenSSH Version: 3.6p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cawlfiel at
2003 Feb 01
1
Build errors on AIX 4.2.1: nanosleep
...ssphrase \ + inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp \ + mmap ngetaddrinfo nsleep openpty ogetaddrinfo pstat readpassphrase \ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ Index: openbsd-compat/port-aix.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.h,v retrieving revision 1.6 diff -u -r1.6 port-aix.h --- openbsd-compat/port-a...
2008 Mar 21
1
ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)
Hi, (please CC me as I'm not subscribed to the list) If compiled with SELinux support, OpenSSH 4.8 current cvs fails for accounts where the new ChrootDirectory option is active : debug1: PAM: establishing credentials debug3: PAM: opening session debug2: User child is on pid 1695 debug3: mm_request_receive entering debug1: PAM: establishing credentials debug3: safely_chroot: checking
2004 Jan 22
1
AIX and openssh 3.7.1p2 with privsep
I am attempting to run openssh 3.7.1p2 with privsep on AIX 5.2 ML2 (with the december 2003 critical patches also). This was compiled on the host machine with the IBM Visual Age C compiler (C for AIX Compiler, Version 5). I did not have any trouble compiling. My configure was ./configure --with-tcp-wrappers, and I have the freeware tcp wrappers (freeware.tcp_wrappers.rte 7.6.1.5), and a compiled
2002 Jul 04
4
Chroot patch (v3.4p1)
The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restrict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2