search for: sshpam_thread

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I wondered what part sshpam_thread() (in auth-pam.c) is playing wrt. PAM authentication. It seems to be never called from any other ssh code (judging from CVS as of 27.6.2004). I noticed this because the current openssh package in Debian unstable (3.8.1p1) is not calling the pam_authenticate() function at all, regardless of my conf...

...patch, how do I go about submitting the patch for formal review? Third, regardless of interest by the openssh community, is there anyone willing to review this code for me? PS I've tested the code path going through sshpam_auth_passwd(), but do know how to test the code path that goes through sshpam_thread(). <patch against 4.6p1 (portable) attached> -- James R. Leu jleu at inoc.com INOC -> http://inoc.com/ DELIVERING UPTIME -------------- next part -------------- diff -uNr openssh-4.6p1/auth-pam.c openssh-4.6p1.jleu/auth-pam.c --- openssh-4.6p1/auth-pam.c 2006-09-16 20:57:47.000000000 -05...

Hi, I am using PAM authentication on 3.8p1. In my PAM auth module I can turn on debug logging that includes a timestamp in the form "mm/dd/yy hh:mm:ss". Life is good. I want to upgrade from 3.8p1 so I can use PAM for PasswordAuthentication in addition to keyboard-interactive. I have compiled both 4.1p1 and 4.3p2 and the PAM authentication for both methods works fine in both

...ne __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,15 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err !...

...-pam.c match the prototypes defined by the PAM specs for the conversation function and get_pam_item. See OSF RFC 86.0[1] (A.1 and appendix B) and and XSS0[2] (ss 5.1.2 and ch 6). It will cause warnings similar to the following on platforms that don't match the specs: auth-pam.c: In function `sshpam_thread': auth-pam.c:365: warning: passing arg 3 of `pam_get_item' from incompatible pointer type auth-pam.c:370: warning: assignment from incompatible pointer type auth-pam.c: At top level: auth-pam.c:460: warning: initialization from incompatible pointer type auth-pam.c: In function `sshpam_init&...

There is a minor problem with the PAM support in OpenSSH 3.8p1. If you use POSIX threads (as specified by defining USE_POSIX_THREADS) in auth-pam.c, PAM authentication will fail in routine import_environments(). The purpose of this routine is to import variables returned by do_pam_account() in sshpam_thread(). However, those variable are only exported if USE_POSIX_THREADS is NOT set. Consequently, import_environments() get upset when there's nothing in the buffer when that macro IS set. I have chosen to comment out the guts of routine import_environments() if USE_POSIX_PTHREADS is not defined as...

...= buffer_get_int(b); + sshpam_new_authtok_reqd = buffer_get_int(b); + + if (sshpam_new_authtok_reqd == 1) + pam_password_change_required(1); + /* Import environment from subprocess */ num_env = buffer_get_int(b); sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); @@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + + if (compat20) { + if (do_pam_account()) { + if (sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (s...

...ne __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; +#ifndef DISABLE_KBDINT_CHAUTHTOK + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPI...

...tate: Attaching to program: `/private/tmp/OpenSSH.roots/OpenSSH~obj/sshd', process 26589. Reading symbols for shared libraries ...................... done 0x9002cf88 in semaphore_wait_trap () (gdb) bt #0 0x9002cf88 in semaphore_wait_trap () #1 0x9006153c in pthread_join () #2 0x00028a50 in sshpam_thread_cleanup () at /tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:417 #3 0x00017110 in do_cleanup (authctxt=0x4034e0) at /tmp/OpenSSH.roots/OpenSSH/openssh/session.c:2273 #4 0x00007044 in cleanup_exit (i=255) at /tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:1923 #5 0x00035bb0 in fatal (fmt=0x547d0 &quo...

...: type 51 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 50 debug3: mm_answer_pam_query debug3: PAM: sshpam_query entering debug3: ssh_msg_recv entering buffer_put_cstring: s == NULL debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.

...login attempts. It may help a bit against cracking attempts, but it doesn't use delays. Because OpenSSH checks the usernames before PAM-authentication, this feature will not help against testing usernames. I played a bit with OpenSSH's source code to enable a FAIL_DELAY: In auth-pam.c: sshpam_thread I inserted pam_fail_delay(sshpam_handle, 10000000 /* micro-seconds */ ); before sshpam_err = pam_authenticate(sshpam_handle, flags); This results in a 10 seconds delay after an login attempt with an existing user, but a wrong password. Unfortunately this introduces new problems, becau...