Displaying 16 results from an estimated 16 matches for "start_pam".

2003 May 12
10
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559 Summary: PAM fixes Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at fcusack.com - start PAM
2000 Feb 25
0
Letting PAM add a user
...rns false. However, I would rather use a real version of sshd, so I suggest there be some changes made to allow for better PAM-usage. For that, the (or a) call to getpwnam() must be run AFTER pam has checked authorization and account (my pam_useradd is an account module). First, pw is sent by to start_pam(). start_pam() only uses pw->pw_name though, so I suggest sending in user instead of pw. Second, pw is used to compare uid if not running as root. This check I suppose could be done after auth_pam_password() ? If these changes aren't good for non-pam situations, maybe considering splitti...
2001 Feb 10
1
[PATCH] Tell PAM about remote host earlier
I was browsing the OpenSSH sources (which are very readable, thank you very much) and noticed that PAM was only being told what host the user is logging in from for account processing - not for password processing. As I can see no reason not to put this in start_pam this is exactly what I have done - and attached a patch to this effect. This allows PAM to fill in rhost= in its audit messages (pam_unix), and may in fact be used in some module, somewhere. (The patch is against RedHat's patched 2.3.0p1, and looks very slightly odd because the last 2 lines...
2001 May 01
0
problem with PAM coding, openssh-2.5.2p2
Howdy coders, in openssh-2.5.2p2, auth1.c, do_authentication() you folks do a call to getpwnam(user) If this fails, you NULL out 'pw' Unfortunately, this stops start_pam() from being called at all. I'm not a PAM API expert, but I was under the impression that there are pam API calls you should be making for account verification, in PARALLEL to getpwnam(), rather than being gated by getpwnam() Or instead, maybe you should have start_pam fill out a limited set...
2002 Mar 27
2
[Bug 191] compilation faills in auth1.c:392 `pw' undeclared when USE_PAM is on
http://bugzilla.mindrot.org/show_bug.cgi?id=191 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From mouring at eviladmin.org
2004 Jul 01
4
[Bug 559] PAM fixes
...m update of attachment 292) OK, except for the last bit, I think this is all done. >+#ifdef USE_PAM >+ options.permit_empty_passwd && >+#endif This is done in auth-passwd.c: if (*password == '\0' && options.permit_empty_passwd == 0) return 0; >- PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); >+ PRIVSEP(start_pam(user)); Fixed a while back. >- if (pam_retval == PAM_SUCCESS && pw) { >+ if (pam_retval == PAM_SUCCESS) { > debug("PAM password authentication accepted for " >- "%.100s",...
2004 Jan 25
1
Puzzled about PAM support in OpenSSH-3.7.1p2
...se which all seems to make sense: authctxt->pw = PRIVSEP(getpwnamallow(user)); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; #ifdef USE_PAM if (options.use_pam) PRIVSEP(start_pam(authctxt->pw->pw_name)); #endif } else { authctxt->pw = fakepw(); #ifdef USE_PAM if (options.use_pam) PRIVSEP(start_pam(user)); #endif } However, in auth2-chall.c the code that actually verifies the passwd returned by th...
2001 Mar 30
1
PAM and -u0
is this change ok? goal is that PAM with -u0 does not use DNS (like without PAM). Index: auth-pam.c =================================================================== RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.34 diff -u -r1.34 auth-pam.c --- auth-pam.c 2001/03/27 06:12:24 1.34 +++ auth-pam.c 2001/03/30 16:46:12 @@ -41,6 +41,10 @@ static int do_pam_conversation(int num_msg,
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
...t;ssh.h" #include "xmalloc.h" #include "servconf.h" +#include "packet.h" RCSID("$Id: auth-pam.c,v 1.11 2000/07/09 12:42:33 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: You password has expired, please change it now" +static void start_pam2(struct passwd *pw, int auth_type); + /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -53,6 +56,7 @@ static struct pam_handle_t *pamh = NULL; static const char *pampasswd = NULL; static char *pam_msg = NULL;...
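Review bot: the new forward declaration `static void start_pam2(struct passwd *pw, int auth_type);` near the top of auth-pam.c does not say which values auth_type accepts or how start_pam2 differs from start_pam. A short comment above the declaration, named constants for auth_type, and a more descriptive function name would make the call sites easier to audit.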
2002 Apr 16
5
[Bug 117] OpenSSH second-guesses PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From fcusack at fcusack.com 2002-04-16 23:27 ------- sshd should definitely not be using 'NOUSER'. The correct thing is to use the username, regardless of whether (pw) exists. I can't understand why you would substitute the value 'NOUSER'. ------- You are receiving this mail because: -------
2002 Nov 24
1
[PATCH] PamServiceNameAppend
...x: auth-pam.c =================================================================== RCS file: /cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -w -u -w -b -p -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 24 Nov 2002 18:43:41 -0000 @@ -378,10 +378,13 @@ void start_pam(const char *user) extern ServerOptions options; extern u_int utmp_len; const char *rhost; + char buf[1024]; debug("Starting up PAM with username \"%.200s\"", user); - pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &__pamh); + strlcpy(buf, SSHD_PAM_SERV...
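Review bot: the new `char buf[1024];` in start_pam() is filled with strlcpy starting from SSHD_PAM_SERVICE, and the excerpt is cut off before any length check is visible. Compare the return value of the strlcpy (and of any later append) against sizeof(buf) and fail instead of continuing, so that a truncated service name is never handed to pam_start, where it would select a different PAM service configuration.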
2002 Dec 05
1
patch to add a PAMServiceName config option
...am.h openssh-3.5p1/auth-pam.h --- openssh-3.5p1.orig/auth-pam.h Tue Jul 23 01:44:07 2002 +++ openssh-3.5p1/auth-pam.h Tue Dec 3 14:13:52 2002 @@ -27,10 +27,6 @@ #include "includes.h" #ifdef USE_PAM -#if !defined(SSHD_PAM_SERVICE) -# define SSHD_PAM_SERVICE __progname -#endif - void start_pam(const char *user); void finish_pam(void); int auth_pam_password(Authctxt *authctxt, const char *password); diff -ru openssh-3.5p1.orig/servconf.c openssh-3.5p1/servconf.c --- openssh-3.5p1.orig/servconf.c Thu Sep 5 05:35:15 2002 +++ openssh-3.5p1/servconf.c Tue Dec 3 14:22:00 2002 @@ -48,6 +48,...
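Review bot: removing the `#if !defined(SSHD_PAM_SERVICE)` fallback from auth-pam.h drops the compile-time default of __progname, and the servconf.c hunk is cut off before the new option's default is visible. Confirm that an unset option still resolves to __progname and that a build-time SSHD_PAM_SERVICE is still honoured, otherwise existing installations change PAM service name on upgrade; the new option also needs an entry in the sshd_config documentation.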
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
...it_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); if (pam_retval == PAM_SUCCESS) { diff -uNr openssh-3.0.2p1.orig/auth-pam.h openssh-3.0.2p1/auth-pam.h --- openssh-3.0.2p1.orig/auth-pam.h Mon Mar 26 22:12:24 2001 +++ openssh-3.0.2p1/auth-pam.h Fri Feb 15 02:15:02 2002 @@ -7,7 +7,7 @@ void start_pam(const char *user); void finish_pam(void); -int auth_pam_password(struct passwd *pw, const char *password); +int auth_pam_password(struct passwd *pw, const char *password, int prompt_type); char **fetch_pam_environment(void); int do_pam_authenticate(int flags); int do_pam_account(char *username,...
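Review bot: the changed prototype `int auth_pam_password(struct passwd *pw, const char *password, int prompt_type);` in auth-pam.h adds a bare int whose accepted values are not documented in the header. Add a comment naming the valid prompt types (or use an enum or named constants) so that callers cannot pass an arbitrary value, and check that every existing caller of the two-argument form is updated in the same patch.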
2003 Oct 28
2
Privilege separation
...No authentication or GSSAPI context"); gssctxt = authctxt->methoddata; diff -adurN openssh-3.7.1p2.privsep/auth2.c openssh-3.7.1p2/auth2.c --- openssh-3.7.1p2.privsep/auth2.c Wed Sep 3 01:32:46 2003 +++ openssh-3.7.1p2/auth2.c Sat Oct 4 23:21:44 2003 @@ -174,13 +174,19 @@ PRIVSEP(start_pam(user)); #endif } +#ifndef DISABLE_PRIVSEP setproctitle("%s%s", authctxt->pw ? user : "unknown", use_privsep ? " [net]" : ""); +#else + setproctitle("%s", authctxt->pw ? user : "unknown"); +#endif /* DISABLE_PRIVSEP */...
2001 Nov 20
3
problem with AFS token forwarding
Hello, I came across an interoperability problem in OpenSSH 3.0p1 and 3.0.1p1 concerning the AFS token forwarding. That means that the new versions are not able to exchange AFS tokens (and Kerberos TGTs) with older OpenSSH releases (including 2.9p2) and with the old SSH 1.2.2x. In my opinion this problem already existed in Openssh 2.9.9p1, but I have never used this version (I only looked at the