search for: sshpam_session_open

Displaying 10 results from an estimated 10 matches for "sshpam_session_open".

2006 Apr 27
0
bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users
...do_setusercontext(), so it does not open session. child calls do_setusercontext(), which opens session. on close child will not close session, because it exec'd the shell, and the sshd task is gone! parent will not close session, since session was not opened by parent, sshpam_session_open is not set. as root: parent process pid 205: do_exec_pty() uid 0 child process pid 208: do_setusercontext() uid 0 pid 208: radius pam open session (exec shell) parent process pid 208: radius pam close session (skipped!) BROKEN! but it does work for user logins because: on open...
2003 Sep 26
1
openssh-3.7.1p2: no pam_close_session() invocation
...I would like to use PAM. All PAM interaction worked well with openssh-3.5 Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session() function won't get invoked. Some debugging shows, that the call is protected by an if-statement (module auth-pam.c, function sshpam_cleanup): if (sshpam_session_open) { pam_close_session(sshpam_handle, PAM_SILENT); /* cb, 26.09.03 */ debug2("\n\nin sshpam_cleanup: mypid = %d\n\n", getpid()); sshpam_session_open = 0; } I guess that the forked child process that calls the sshpam_cleanup() function is forked before the parent calls do_pam_se...
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...31 @@ sshpam_cleanup(void) { debug("PAM: cleanup"); - if (sshpam_handle == NULL) - return; - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + if (grab_pamh(0, NULL) != NULL) { + pam_set_item(grab_pamh(0, NULL), PAM_CONV, (const void *)&am...
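Review bot: in sshpam_cleanup() the added lines call grab_pamh(0, NULL) once for the NULL test and again as the first argument of pam_set_item(). Fetch the handle once into a local pam_handle_t * and use that local for the test and the calls that follow, so the check and the use cannot refer to different handles and the cleanup sequence stays as readable as the removed version.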
2006 Jan 04
0
ssh and pam-script
...ssh while logging in and out: it is kind of login and logout scripts. PAM session creation is done in function do_pam_session which is invoked by do_setusercontext which is invoked by do_child. do_child function is invoked after fork. In a child process do_pam_session function sets global variable sshpam_session_open to remember that session was opened. After execution of do_setusercontext and do_pam_session function do_child does something and then invokes bash by execve. So in this moment child process was destroyed by bash and sshpam_session_open variable was lost but it should be remembered elsewhere:...
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
...AM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; -} - -void do_pam_set_tty(const char *tty) { if (tty != NULL) { @@ -611,7 +594,7 @@ is_pam_password_change_required(void) } static int -pam_chauthtok_conv(int n, const struct pam_message **msg, +pam_tty_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *...
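Review bot: the removed block ends with sshpam_session_open = 1, and none of the visible added lines set the flag again. Please confirm that wherever pam_open_session() is called after this change, the flag is still set on success, since sshpam_cleanup() only calls pam_close_session() when sshpam_session_open is non-zero. The rename of pam_chauthtok_conv to pam_tty_conv would also benefit from a short comment above the function saying which callers now share it.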
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function, do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2, this is no longer the case: session modules run with a conversation function that just returns PAM_CONV_ERR. This means that simple session modules whose job involves printing text on the user's terminal no longer work: pam_lastlog, pam_mail, and
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
...8 @@ RCSID("$Id: auth-pam.c,v 1.76 2003/10/09 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (compat2...
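Review bot: the added extern Buffer loginmsg and extern int compat20 declarations at the top of auth-pam.c duplicate declarations by hand instead of including the headers that own those globals. Pull them in from the owning headers so that a later type change is caught at compile time rather than silently mismatching in this file.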
2004 Sep 04
3
[Bug 926] pam_session_close called as user or not at all
...Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy: dtucker at zip.com.au Reported by Dr. Carsten Benecke: "I guess that the forked child process that calls the sshpam_cleanup() function is forked before the parent calls do_pam_session() (which sets sshpam_session_open to true)." and Chris Jensen: "But when I exit the session, pam_sm_close_session gets called, but it only runs as the user that was logged in, so it doesn't have permission to unmount the directory." The PAM session modules are called in the forked child but the cleanup should b...
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
...Dec 2003 13:23:38 -0000 @@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 extern ServerOptions options; extern Buffer loginmsg; +extern int compat20; #define __unused @@ -118,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; static char **sshpam_env = NULL; struct pam_ctxt { @@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +void +pam_password_change_required(int reqd) +{ + sshpam_new_authtok_reqd = reqd; + if (...
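Review bot: the new non-static function pam_password_change_required() takes a name in the pam_ namespace, which belongs to the PAM library, while the file's own state and helpers in these hunks use the sshpam_ prefix (sshpam_new_authtok_reqd, sshpam_account_status). Rename it to sshpam_password_change_required() to avoid a clash with a libpam symbol and to match the surrounding naming.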
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
...8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; +#ifndef DISA...
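Review bot: static int sshpam_account_status = -1 is added next to flags that all start at 0, with no comment saying what -1 stands for or which values the variable takes later. Add a one-line comment at the declaration documenting the sentinel and the meaning of the other values, so readers do not treat it as another boolean like sshpam_session_open.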