Displaying 20 results from an estimated 20 matches for "sshpam_err".
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...m_user;
- pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
+ pam_get_item(grab_pamh(0, NULL), PAM_USER, (const void **)&pam_user);
setproctitle("%s [pam]", pam_user);
#endif
@@ -224,11 +287,11 @@
sshpam_conv.appdata_ptr = ctxt;
buffer_init(&buffer);
- sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ sshpam_err = pam_set_item(grab_pamh(0, NULL), PAM_CONV,
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
- sshpam_err = pam_authenticate(sshpam_handle, 0);
+ sshpam_err = pam_authenticate(grab_pamh(0, NULL), 0);
i...
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...end();
- packet_write_wait();
-#endif
+ debug("%s: %s", __func__, **prompts);
+ buffer_append(&loginmsg, **prompts,
+ strlen(**prompts));
xfree(**prompts);
**prompts = NULL;
}
@@ -551,21 +549,6 @@ do_pam_account(void)
}
void
-do_pam_session(void)
-{
- sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
- (const void *)&null_conv);
- if (sshpam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_CONV: %s",
- pam_strerror(sshpam_handle, sshpam_err));
- sshpam_err = pam_open_session(sshpam_handle, 0);
- if (sshpam_err != PAM_SUCCESS)
-...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...7 @@ static int sshpam_authenticated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ if (compat20) {
+ if (do_pam_account() && sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto a...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
....
--- openssh.original/BUILD/openssh-3.9p1/auth-pam.c Mon Aug 16 09:12:06 2004
+++ openssh/BUILD/openssh-3.9p1/auth-pam.c Mon Sep 13 08:35:36 2004
@@ -756,27 +756,6 @@
sshpam_cleanup();
}
-u_int
-do_pam_account(void)
-{
- if (sshpam_account_status != -1)
- return (sshpam_account_status);
-
- sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
- debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
-
- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
- sshpam_account_status = 0;
- return (sshpam_account_status);
- }
-
- if (sshpam_err == PAM_NEW_AUTHTOK_R...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
..._new_authtok_reqd = buffer_get_int(b);
+
+ if (sshpam_new_authtok_reqd == 1)
+ pam_password_change_required(1);
+
/* Import environment from subprocess */
num_env = buffer_get_int(b);
sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
@@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+
+ if (compat20) {
+ if (do_pam_account()) {
+ if (sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)...
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
this is no longer the case: session modules run with a conversation
function that just returns PAM_CONV_ERR. This means that simple session
modules whose job involves printing text on the user's terminal no
longer work: pam_lastlog, pam_mail, and
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
...7 @@ static int sshpam_authenticated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+#ifndef DISABLE_KBDINT_CHAUTHTOK
+ if (compat20) {
+ if (do_pam_account() && sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshp...
2003 Aug 08
0
Problem with -current on Solaris 8 + PAM?
...for session
The code from 3.6.1p2 doesn't set PAM_TTY at all when tty is NULL.
Doing that fixes -current for me. Should it be changed to do the same
thing, ie
--- auth-pam.c 3 Jun 2003 00:25:48 -0000 1.64
+++ auth-pam.c 8 Aug 2003 02:13:34 -0000
@@ -531,11 +531,13 @@
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
- debug("PAM: setting PAM_TTY to \"%s\"", tty);
- sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
- if (sshp...
2007 May 24
2
[RFC][PATCH] Detect and handle PAM changing user name
...w(user))) {
+ free(user);
+ return PAM_AUTH_ERR;
+ }
+
+ free(authctxt->pw);
+ authctxt->pw = pw;
+ free(authctxt->user);
+ authctxt->user = user;
+ }
+ return PAM_SUCCESS;
+}
+
+/*
* Conversation function for authentication thread.
*/
static int
@@ -469,6 +502,10 @@
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ sshpam_err = sshpam_handle_user_change(sshpam_handle, sshpam_authctxt);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+
if (compat20) {
if (!do_pam_account()) {
sshpam_err = PAM_ACCT_EXPIRED;
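Review bot: The `sshpam_handle_user_change()` call added after the `pam_authenticate()` check replaces `authctxt->user` and `authctxt->pw` without writing anything to the log, so an audit trail would show only the name the client originally requested. The switch should be logged inside the helper before the old name is freed, for example `logit("PAM: user changed from \"%s\" to \"%s\"", authctxt->user, user);`. This code appears to run in the PAM authentication thread, which may be a separate process in some builds; if so, the updated authctxt would also have to be passed back to the parent, and nothing in this hunk shows that happening. The enclosing function begins and ends outside the hunk.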
@@ -1206,7 +1243,8 @@
sshpam_err = pam_authentica...
2006 Jan 19
5
Only one chance to enter a new password?
Hello there,
We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various
Solaris boxes with PAM and an LDAP server back end.
Recently we have added a requirement for users to have complex
passwords. The problem is, if a user's password has expired, when they
log in they are prompted for a new password (good) but if they enter a
non-complex new password the session is closed rather than
2004 Dec 28
2
LinuxPAM and sshd: changing conversation function doesn't work but claims to.
...is only used
for pam_chauthtok() in some cases, and always after sshd has forked to
set up for the user's shell.
The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's
do_pam_chauthtok() in auth-pam.c):
static struct pam_conv tty_conv = { pam_tty_conv, NULL };
[...]
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
debug("PAM: changing password");
sshpam_err = p...
2010 Jul 16
8
[Bug 1799] New: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
...M_TTY_KLUDGE
/*
* Some silly PAM modules (e.g. pam_time) require a TTY to operate.
* sshd doesn't set the tty until too late in the auth process and
* may not even set one (for tty-less connections)
*/
debug("PAM: setting PAM_TTY to \"ssh\"");
sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
return (-1);
}
#endif
I can tell that Sunfreeware did define PAM_TTY_KLUDGE, because I see
this in the server's d...
2020 Sep 08
26
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210
Bug ID: 3210
Summary: Confusing errors when pam_acct_mgmt() fails
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee:
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
...= sshpam_ctxt;
+ }
if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
@@ -221,6 +228,7 @@
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ sshpam_ctxt = ctxt;
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
--- contrib/solaris/buildpkg.sh 2004/02/26 19:35:55 1.1.1.1
+++ contrib/solaris/buildpkg.sh 2004/02/27 00:27:00
@@ -18,14 +18,15 @@
# with a real OpenSSH package on a system. This is not needed on
systems
# that support the -R option to pkgadd.
#...
2009 Oct 26
17
[Bug 1667] New: sshd slow connect with 'UseDNS yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=1667
Summary: sshd slow connect with 'UseDNS yes'
Product: Portable OpenSSH
Version: 5.2p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy:
2006 Apr 27
0
bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users
...);
+ }
}
#endif
Index: auth-pam.c
===================================================================
--- auth-pam.c (revision 15)
+++ auth-pam.c (working copy)
@@ -996,6 +996,8 @@
void
do_pam_session(void)
{
+ if(sshpam_session_open) return;
+
debug3("PAM: opening session");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
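Review bot: The early return added at the top of `do_pam_session()` is silent, so a skipped second call leaves nothing in the debug output to explain why no session was opened. A trace such as `debug3("PAM: session already open");` before the return would help, and the statement should follow the file's layout: `if (sshpam_session_open)` with `return;` on its own line. The guard is only correct if `sshpam_session_open` is set exactly when `pam_open_session()` succeeds and cleared again on close; that code, like the rest of the function, is outside this hunk.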
--
Nye Liu
nliu at mrv.com
(818) 772-6235x248
(818) 772-0576 fax
"Who would be stupid enough to quote a fictitious character?"
-- Don Quixote
2005 Sep 21
23
[Bug 1087] SSH fails to show PAM password expiry message from LDAP on login
http://bugzilla.mindrot.org/show_bug.cgi?id=1087
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Group|Portable OpenSSH |
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2003 Oct 28
2
Privilege separation
...if /* DISABLE_PRIVSEP */
/*
* This replaces auth-pam.c
@@ -673,8 +675,10 @@
pam_conv.conv = pam_chauthtok_conv;
pam_conv.appdata_ptr = NULL;
+#ifndef DISABLE_PRIVSEP
if (use_privsep)
fatal("Password expired (unable to change with privsep)");
+#endif /* DISABLE_PRIVSEP */
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&pam_conv);
if (sshpam_err != PAM_SUCCESS)
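Review bot: Wrapping the `use_privsep` test in `#ifndef DISABLE_PRIVSEP` here, around the `fatal()` guard before `pam_set_item()`, spreads the build option across individual call sites, where one is easily missed in later edits. If the declaration of `use_privsep` (not visible here) allows it, fixing the value to 0 in one place under `DISABLE_PRIVSEP` would let this guard compile unchanged. Whichever form is kept, a comment at this site should say what the build option implies, for example `/* built without privsep: expired-password change runs in the unseparated server process */`. The enclosing function starts and ends outside the hunk.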
diff -adurN openssh-3.7.1p2.privsep/auth-rhosts.c openssh-3.7.1p2/auth-rhosts.c
--- openssh-3.7.1p2.privsep/auth-rhosts.c Tue Jun 3 04:25:48 2003
+++ openssh-3.7.1p2/auth-rhosts.c Sat Oct...
2005 Feb 01
3
Feature request: FAIL_DELAY-support for sshd
...nSSH checks the usernames before PAM-authentication, this feature
will not help against testing usernames.
I played a bit with OpenSSH's source code to enable a FAIL_DELAY:
In auth-pam.c: sshpam_thread I inserted
pam_fail_delay(sshpam_handle, 10000000 /* micro-seconds */ );
before
sshpam_err = pam_authenticate(sshpam_handle, flags);
This results in a 10-second delay after a login attempt with an
existing user but a wrong password.
Unfortunately this introduces new problems, because an attacker can now
see whether the user exists or not:
Case 1: existing username, but wrong password...
2014 Jun 18
15
[Bug 2246] New: PAM enhancements for OpenSSH server
https://bugzilla.mindrot.org/show_bug.cgi?id=2246
Bug ID: 2246
Summary: PAM enhancements for OpenSSH server
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at