2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
....c src/auth-pam.c
--- src.old/auth-pam.c Wed Oct 29 12:37:08 2003
+++ src/auth-pam.c Wed Oct 29 12:37:07 2003
@@ -128,6 +128,69 @@
static void sshpam_free_ctx(void *);
static struct pam_ctxt *cleanup_ctxt;
+#ifdef USE_POSIX_THREADS
+
+static pthread_mutexattr_t lock_attr;
+static pthread_mutex_t sshpam_handle_lock;
+static int sshpam_handle_lock_ready = 0;
+static int sshpam_handle_lock_count = 0;
+static pid_t process_id = 0;
+
+/* On Solaris, Linux and Darwin, PAM routines are said to only be
+ * thread-safe if each thread has a different PAM handle (which really
+ * means they're NOT thread-safe,...
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...ait();
-#endif
+ debug("%s: %s", __func__, **prompts);
+ buffer_append(&loginmsg, **prompts,
+ strlen(**prompts));
xfree(**prompts);
**prompts = NULL;
}
@@ -551,21 +549,6 @@ do_pam_account(void)
}
void
-do_pam_session(void)
-{
- sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
- (const void *)&null_conv);
- if (sshpam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_CONV: %s",
- pam_strerror(sshpam_handle, sshpam_err));
- sshpam_err = pam_open_session(sshpam_handle, 0);
- if (sshpam_err != PAM_SUCCESS)
- fatal("PAM: pam_open_s...
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
this is no longer the case: session modules run with a conversation
function that just returns PAM_CONV_ERR. This means that simple session
modules whose job involves printing text on the user's terminal no
longer work: pam_lastlog, pam_mail, and
2003 Aug 08
0
Problem with -current on Solaris 8 + PAM?
...uld it be changed to do the same
thing, ie
--- auth-pam.c 3 Jun 2003 00:25:48 -0000 1.64
+++ auth-pam.c 8 Aug 2003 02:13:34 -0000
@@ -531,11 +531,13 @@
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
- debug("PAM: setting PAM_TTY to \"%s\"", tty);
- sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
- if (sshpam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_TTY: %s",
- pam_strerror(sshpam_h...
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
...LD/openssh-3.9p1/auth-pam.c Mon Aug 16 09:12:06 2004
+++ openssh/BUILD/openssh-3.9p1/auth-pam.c Mon Sep 13 08:35:36 2004
@@ -756,27 +756,6 @@
sshpam_cleanup();
}
-u_int
-do_pam_account(void)
-{
- if (sshpam_account_status != -1)
- return (sshpam_account_status);
-
- sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
- debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
-
- if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
- sshpam_account_status = 0;
- return (sshpam_account_status);
- }
-
- if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
- sshpam_password_change...
2007 May 24
2
[RFC][PATCH] Detect and handle PAM changing user name
...h-4.6p1/auth-pam.c openssh-4.6p1.jleu/auth-pam.c
--- openssh-4.6p1/auth-pam.c 2006-09-16 20:57:47.000000000 -0500
+++ openssh-4.6p1.jleu/auth-pam.c 2007-05-24 13:16:56.000000000 -0500
@@ -335,6 +335,39 @@
}
/*
+ * Detect and deal with the PAM stack changing the user name on us
+ */
+static int
+sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt)
+{
+ const char *pam_user;
+ const char **ptr_pam_user = &pam_user;
+
+ if (pam_get_item(sshpam_handle, PAM_USER,
+ (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS)
+ return PAM_AUTH_ERR;
+
+ if (strcmp(authctxt->user, pam_...
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...icated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+ if (compat20) {
+ if (do_pam_account() && sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ sshpam_new_authtok_...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
..._int(b);
+
+ if (sshpam_new_authtok_reqd == 1)
+ pam_password_change_required(1);
+
/* Import environment from subprocess */
num_env = buffer_get_int(b);
sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
@@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+
+ if (compat20) {
+ if (do_pam_account()) {
+ if (sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto auth_fail;
+ pam_pa...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
...icated = 0;
static int sshpam_new_authtok_reqd = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
+static int sshpam_account_status = -1;
struct pam_ctxt {
sp_pthread_t pam_thread;
@@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp)
sshpam_err = pam_authenticate(sshpam_handle, 0);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
+#ifndef DISABLE_KBDINT_CHAUTHTOK
+ if (compat20) {
+ if (do_pam_account() && sshpam_new_authtok_reqd) {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (sshpam_err != PAM_SUCCESS)
+ goto...
2011 Oct 20
2
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
...npriv
process is not removed.
$ ll /tmp/krb5cc*
-rw------- 1 test users 416 Oct 20 14:03
/tmp/krb5cc_243_245
I have tested this on HP-UX but believe the behaviour is the same on other
operating systems as well.
A probable fix is to change the condition in
sshpam_cleanup(void) in auth-pam.c:
< if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
---
> if (sshpam_handle == NULL && (use_privsep && !mm_is_monitor()))
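Review bot: The proposed `&&` on the `>` line weakens the guard so that it returns early only when the handle is NULL and the caller is the unprivileged privsep process; with a NULL `sshpam_handle` in the monitor, or with privilege separation off, sshpam_cleanup() would now continue past the check. The rest of sshpam_cleanup() is not shown in this report, but any PAM call it makes after this point would then be handed a NULL handle. The change also lets the unprivileged process run every teardown step that follows, not only the credential-cache removal the report is about. Keeping the NULL test as its own guard, `if (sshpam_handle == NULL) return;`, and handling the privsep case as a separate, narrower condition would avoid both effects.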
2006 Jan 19
5
Only one chance to enter a new password?
Hello there,
We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various
Solaris boxes with PAM and an LDAP server back end.
Recently we have added a requirement for users to have complex
passwords. The problem is, if a user's password has expired, when they
log in they are prompted for a new password (good) but if they enter a
non-complex new password the session is closed rather than
2004 Dec 28
2
LinuxPAM and sshd: changing conversation function doesn't work but claims to.
...thtok() in some cases, and always after sshd has forked to
set up for the user's shell.
The code for the chauthtok looks like this (from OpenSSH 3.8.1p1's
do_pam_chauthtok() in auth-pam.c):
static struct pam_conv tty_conv = { pam_tty_conv, NULL };
[...]
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&tty_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
debug("PAM: changing password");
sshpam_err = pam_chauthtok(sshpam_handle, P...
2010 Jul 16
8
[Bug 1799] New: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
...Some silly PAM modules (e.g. pam_time) require a TTY to operate.
* sshd doesn't set the tty until too late in the auth process and
* may not even set one (for tty-less connections)
*/
debug("PAM: setting PAM_TTY to \"ssh\"");
sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
return (-1);
}
#endif
I can tell that Sunfreeware did define PAM_TTY_KLUDGE, because I see
this in the server's debug output:
debug1: PAM: set...
2005 Feb 01
3
Feature request: FAIL_DELAY-support for sshd
...acking attempts, but it doesn't use delays. Because
OpenSSH checks the usernames before PAM-authentication, this feature
will not help against testing usernames.
I played a bit with OpenSSH's source code to enable a FAIL_DELAY:
In auth-pam.c: sshpam_thread I inserted
pam_fail_delay(sshpam_handle, 10000000 /* micro-seconds */ );
before
sshpam_err = pam_authenticate(sshpam_handle, flags);
This results in a 10-second delay after a login attempt with an
existing user but a wrong password.
Unfortunately this introduces new problems, because an attacker can now
see, if the user exis...
2006 Sep 12
3
Weird TZ Behavior in 4.1p1 and 4.3p2 on AIX
Hi,
I am using PAM authentication on 3.8p1. In my PAM auth module I can
turn on debug logging that includes a timestamp in the form "mm/dd/yy
hh:mm:ss". Life is good.
I want to upgrade from 3.8p1 so I can use PAM for PasswordAuthentication
in addition to keyboard-interactive. I have compiled both 4.1p1 and
4.3p2 and the PAM authentication for both methods works fine in both
2003 Sep 26
1
openssh-3.7.1p2: no pam_close_session() invocation
...on worked well with openssh-3.5
Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session()
function won't get invoked. Some debugging shows, that the call is
protected by an if-statement (module auth-pam.c, function sshpam_cleanup):
if (sshpam_session_open) {
pam_close_session(sshpam_handle, PAM_SILENT);
/* cb, 26.09.03 */
debug2("\n\nin sshpam_cleanup: mypid = %d\n\n", getpid());
sshpam_session_open = 0;
}
I guess that the forked child process that calls the sshpam_cleanup()
function is forked before the parent calls do_pam_session() (which sets
sshpam_session_o...
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
...if (n <= 0 || n > PAM_MAX_NUM_MSG)
return (PAM_CONV_ERR);
@@ -221,6 +228,7 @@
sshpam_conv.conv = sshpam_thread_conv;
sshpam_conv.appdata_ptr = ctxt;
+ sshpam_ctxt = ctxt;
buffer_init(&buffer);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
--- contrib/solaris/buildpkg.sh 2004/02/26 19:35:55 1.1.1.1
+++ contrib/solaris/buildpkg.sh 2004/02/27 00:27:00
@@ -18,14 +18,15 @@
# with a real OpenSSH package on a system. This is not needed on
systems
# that support the -R option to pkgadd.
#TEST_DIR=/var/tmp # leave...
2006 Apr 27
0
bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users
...x: auth-pam.c
===================================================================
--- auth-pam.c (revision 15)
+++ auth-pam.c (working copy)
@@ -996,6 +996,8 @@
void
do_pam_session(void)
{
+ if(sshpam_session_open) return;
+
debug3("PAM: opening session");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
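Review bot: The added guard `if(sshpam_session_open) return;` at the top of do_pam_session() returns silently, so a repeated call leaves no trace in the debug log and the reason the function is entered twice stays hidden. It is also written against the style of the surrounding lines (no space after `if`, body on the same line). I would write it as `if (sshpam_session_open) { debug3("PAM: session already open"); return; }` laid out over separate lines, with a comment above it saying which caller can reach do_pam_session() a second time. The function body continues outside the hunk, so whether `sshpam_session_open` is set in the same process that later runs the cleanup cannot be confirmed from here and should be checked before relying on this guard to fix the missing pam_close_session().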
--
Nye Liu
nliu at mrv.com
(818) 772-6235x248
(818) 772-0576 fax
"Who would be stupid enough to quote a fictitious character?"
-- Don Quixote
2009 Oct 26
17
[Bug 1667] New: sshd slow connect with 'UseDNS yes'
https://bugzilla.mindrot.org/show_bug.cgi?id=1667
Summary: sshd slow connect with 'UseDNS yes'
Product: Portable OpenSSH
Version: 5.2p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy:
2009 Dec 03
9
[Bug 1681] New: conversation function for passwd auth method assumes instead of fail
...conv() "Assumes that echo-off prompts are for the
password" and passes the password as the reply, so any echo-off prompt,
whatever it asks for, is answered with the password. This could expose the
password to the wrong consumer.
The correct solution is to set AUTHTOK before pam_authenticate is called in the
sshpam_auth_passwd() function.
Something like this:
pam_set_item(sshpam_handle, PAM_AUTHTOK, password);