search for: spwd

...? S 8:53PM 0:00.92 imap-login This has me deeply confused. I'm not running IMAP, I'm not interested in running IMAP, I don't want anything to do with IMAP. However, there's five processes for imap-login. What gives? On to your second question: Are /etc/pwd.db and /etc/spwd.db available? Yes, both are listed in the directory of /etc as follows. -rw-r--r-- 1 root wheel 40960 Jul 9 09:56 /etc/pwd.db -rw------- 1 root wheel 40960 Jul 9 09:56 /etc/spwd.db featherweb: {41} How "available" this makes them (I don't know what context you were asking i...

Hi, I installed Dovecot on FreeBSD 4-STABLE machine and have a problem. MTA is postfix delivering to ~/Maildir, runs perfectly. Dovecot is configured to use plaintext auth, config file is at the end of this mail. When trying to get mail via IMAP, I'm getting the following errors: /var/log/dovecot.log > Aug 24 12:00:35 Info: Dovecot starting up > Aug 24 12:00:51 Info: Login: goshik

Has anyone got the pam_chroot module to successfully work in FreeBSD? I have FreeBSD 5.2-RELEASE installed. I copied the appropriate binaries and libraries into my chroot, I can chroot -u test -g test /home/test /usr/local/bin/bash and it works perfectly. So now I am trying to get the pam module to work. I added session required pam_chroot.so debug into the

QNX Neutrino does not support the shadow password database properly. Apart from misdocumenting /etc/shadow as having 4 fields when in fact it has 5 (including the "last changed" field), its getspnam() fills in the sp_expire field of the spwd structure with 0. And since by default, shadow support is enabled and the configure script turns on HAS_SHADOW_EXPIRE when it finds that field, the built sshd ends up refusing all connections on the grounds of an expired account. I have dealt with this temporarily by hacking as follows: ========...

...age Dovecot's var_expand() call, which, looking at the code, appears to be the function responsible for %variable expansion and formatting. The relevant piece of code seems to be this excerpt in auth/passdb-shadow.c: static enum passdb_result shadow_lookup(struct auth_request *request, struct spwd **spw_r) { auth_request_log_debug(request, AUTH_SUBSYS_DB, "lookup"); *spw_r = getspnam(request->user); if (*spw_r == NULL) { auth_request_log_unknown_user(request, AUTH_SUBSYS_DB); return PASSDB_RESULT_USER_UNKNOWN; } w...

...es and getpwnam(3) for non-shadowed users' entries. Otherwise, the function "allowed_user" in auth.c of openssh-2.1.1p2 has the following lines: 59 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ 60 defined(HAS_SHADOW_EXPIRE) 61 struct spwd *spw; 62 63 /* Shouldn't be called if pw is NULL, but better safe than sorry */ 64 if (!pw) 65 return 0; 66 67 spw = getspnam(pw->pw_name); 68 if (spw == NULL) 69 return 0; . So, getspnam will returns NULL for our...

maybe this is a silly question ;-) But why is it possible to login on a machine with a locked account (passwd -l ) via pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not happen. If this is the normal behaviour and built in intentionally what would be the easiest way to lock an account without deleting the users authorized_keys ?

...vered after the releases. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Unprivileged local users may be able to gain unauthorised access to parts of the /etc/spwd.db file, allowing them to mount guessing attacks against user passwords. If you have not chosen to install the xlockmore port/package, then your system is not vulnerable to this problem. IV. Workaround One of the following: Deinstall the xlockmore port/package, if you have installed it. V....

Hi Damien, I noticed you merged a couple of ifdefs in the fix for bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd =

...t; +# include <sys/audit.h> +# include <pwdadj.h> +#endif #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) # include "md5crypt.h" #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ @@ -46,6 +51,9 @@ #ifdef HAVE_SHADOW_H struct spwd *spw; #endif +#ifdef HAVE_GETPWANAM + struct passwd_adjunct *spw; +#endif #ifdef WITH_AIXAUTHENTICATE char *authmsg; char *loginmsg; @@ -99,6 +107,16 @@ pw_password = spw->sp_pwdp; } #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#if defined(HAVE_GETPWANAM)...

...-09-04 07:46:57 UTC (RELENG_4_3) FreeBSD only: Yes I. Background rmuser is a perl script used to completely remove users from a system. II. Problem Description When removing a user from the system with the rmuser utility, the /etc/master.passwd file and it's corresponding database /etc/spwd.db must be updated. The rmuser script was incorrectly doing this by creating a new master.passwd file with an unsafe umask and then using chmod to set its permissions to 0600. Between the time that the file was created and the time that its permissions were changed the file is world-readable. Th...

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

I encountered a couple of strange events with respect to password authentication this morning. Two of our staff were unable to login onto several systems using their usual passwords. Both users had last logged in on these hosts using their accounts and passwords on Friday past. The two accounts could not log on to any of the servers for which they had access and the message log on each showed

http://bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From dtucker at zip.com.au 2003-01-09 23:17 ------- Created an attachment (id=199) --> (http://bugzilla.mindrot.org/attachment.cgi?id=199&action=view) Implement password change via /bin/passwd in session. openssh-passexpire10.patch: * Implementes shadow and AIX password expiry. * Adds general expire_message

...clude "includes.h" + +#ifdef HAVE_LIBIAF +char * get_iaf_password(struct passwd *pw); +#endif /* HAVE_LIBIAF */ + --- openssh/openbsd-compat/xcrypt.c.old 2005-04-23 17:58:46.364982000 -0700 +++ openssh/openbsd-compat/xcrypt.c 2005-08-25 21:14:50.830527003 -0700 @@ -91,7 +91,11 @@ struct spwd *spw = getspnam(pw->pw_name); if (spw != NULL) +#ifdef HAVE_LIBIAF + pw_password = get_iaf_password(pw); +#else pw_password = spw->sp_pwdp; +#endif /* HAVE_LIBIAF */ # endif # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; --- openssh/se...

-----BEGIN PGP SIGNED MESSAGE----- Hi, I''ve got several replies, thank you for them. Let me summarize: o Many people say there is a PAMified version of ssh available at ftp://ftp.replay.com/pub/crypto/redhat/SRPMS (the source) ftp://ftp.replay.com/pub/crypto/redhat/i386 (Intel binaries) (there are analogous paths for the other architectures). The packages are made by Jan

...@@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; + buffer_init(&expire_message); +#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ + !defined(DISABLE_SHADOW) && defined(HAS_SHADO...

Hi All. With one eye on the do_pam_chauthtok() stuff I've merged contributions by Pablo Sor and Mark Pitt into a patch against -current. I'm interested in testers and suggestions for improvements. The patch extends the loginrestrictions test to include expired accounts (but unlike Mark's patch, doesn't log accounts with expired passwords unless they're locked) and adds

...1.jpmg/auth.c 2005-01-20 10:11:24.689070494 +0000 @@ -69,17 +69,17 @@ * Otherwise true is returned. */ int allowed_user(struct passwd * pw) { struct stat st; const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; char *shell; - int i; + int i, allowed; #ifdef USE_SHADOW struct spwd *spw = NULL; #endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; @@ -138,44 +138,85 @@ } if (S_ISREG(st.st_mode) == 0 || (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { logit("User %.100s not allo...

Hi all, I have two prodction servers with FreeBSD 5.4 (all security patches are applied). They running some services like dns, ssh, http, ftp, etc. But I woukd like to encrypt some services for some hosts with ipsec when it is accessed. For example: - DNS resolution: not encrypted. - DNS replication master-slave: encrypted by ipsec. - Telnet: encrypted by ipsec for some hosts. Deny