search for: use_pam

...e <bsd_auth.h> + static char *bsduser=NULL; /* XXX -- ugly, but we need the original */ + #endif + /* import */ extern ServerOptions options; extern char *forced_command; *************** *** 315,321 **** NULL, password) == SIASUCCESS) { authenticated = 1; } ! #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ --- 321,330 ---- NULL, password) == SIASUCCESS) { authenticated = 1; } ! #elif defined(HAVE_BSD_AUTH) ! authenticated = auth_user...

...in_cap.h> +# include <bsd_auth.h> +static char *bsduser=NULL; /* XXX -- ugly, but we need the original */ +#endif + /* import */ extern ServerOptions options; extern char *forced_command; @@ -258,7 +264,10 @@ NULL, password) == SIASUCCESS) { authenticated = 1; } -#else /* !USE_PAM && !HAVE_OSF_SIA */ +#elif defined(HAVE_BSD_AUTH_H) + authenticated = auth_userokay(bsduser, NULL, + "auth-ssh", password); +#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH_H */ /* Try authentication with the password. */ authenticated = auth_...

..._SIA) /* Do SIA auth with password */ - if (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) { - authenticated = 1; - } + authenticated = auth_sia_password(pw->pw_name, password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); @@ -508,9 +495,7 @@ #ifdef USE_PAM auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) - (sia_validate_user(NULL, saved_argc, saved_argv, - ge...

...-unix-dev at mindrot.org Damien Miller maintains the OpenSSH-portable tree, he'll know what to do with it... -d. --- http://www.monkey.org/~dugsong/ --- old/session.c Sat Dec 1 18:37:08 2001 +++ session.c Tue Feb 12 00:03:37 2002 @@ -437,7 +437,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -494,6 +493,9 @@ #endif /* USE_PIPES */ /* Do processing for the child (exec command etc). */ +#if defined(USE_PAM)...

...sed authentication. The affected accounts were those with "*LK*" in the shadow file's password field (and my actual problem was that I had "*LK*" where I should have had "NP"). I believe the reason for the behaviour change is the change of the default for options.use_pam. The reason I find this particularly strange is that USE_PAM is not even #defined (e.g., UsePam cannot be specified in sshd_config). The code which is being affected by the change is in auth.c: | /* check for locked account */ | if (!options.use_pam && passwd && *...

...e: /cvs/openssh/auth-pam.h,v retrieving revision 1.16 diff -u -r1.16 auth-pam.h --- auth-pam.h 23 Jul 2002 00:44:07 -0000 1.16 +++ auth-pam.h 21 Dec 2002 11:39:05 -0000 @@ -25,6 +25,8 @@ */ #include "includes.h" +#include "channels.h" +#include "session.h" #ifdef USE_PAM #if !defined(SSHD_PAM_SERVICE) Index: monitor.c =================================================================== RCS file: /cvs/openssh/monitor.c,v retrieving revision 1.33 diff -u -r1.33 monitor.c --- monitor.c 9 Nov 2002 15:47:49 -0000 1.33 +++ monitor.c 21 Dec 2002 11:39:06 -0000 @@ -118,6...

http://bugzilla.mindrot.org/show_bug.cgi?id=192 Summary: monitor.c:545: undefined reference to `auth_password with USE_PAM on Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: kent at l...

http://bugzilla.mindrot.org/show_bug.cgi?id=423 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |627 nThis| | Status|NEW |ASSIGNED ------- Additional

...ect as a non-existant user. >From auth1.c line 459 #elif defined(HAVE_OSF_SIA) (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { #else /* !HAVE_OSF_SIA && !USE_PAM */ At this stage pw could be NULL so obviously pw->pw_name isn't a valid thing to do. Should this just be 'user'? I'm not even 100% sure of the validity of passing NULL as collect function (acceptable in 4.0g manpage, not mentioned in 4.0d manpage). - Mike --------------...

...================================== > RCS file: /var/cvs/openssh/session.c,v > retrieving revision 1.80 > diff -u -r1.80 session.c > --- session.c 2001/02/21 05:53:33 1.80 > +++ session.c 2001/02/21 16:28:40 > @@ -481,6 +481,10 @@ > > session_proctitle(s); > > +#ifdef USE_PAM > + do_pam_setcred(); > +#endif /* USE_PAM */ > + > /* Fork the child. */ > if ((pid = fork()) == 0) { > /* Child. Reinitialize the log since the pid has changed. */ > @@ -593,6 +597,11 @@ > ptyfd = s->ptyfd; > ttyfd = s->ttyfd; > > +#ifdef USE_PAM...

http://bugzilla.mindrot.org/show_bug.cgi?id=191 Summary: compilation faills in auth1.c:392 `pw' undeclared when USE_PAM is on Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: critical Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org Report...

http://bugzilla.mindrot.org/show_bug.cgi?id=191 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From mouring at eviladmin.org

...tion it should look something like this (untested, and unsure if any other PAM tweaks are needed), but I won't commit anything until someone says ya or na for it being correct. passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ +#ifdef USE_PAM + /* Do PAM auth with password */ + authenticated = authctxt->valid && auth_pam_password + (authctxt>pw,passwd); +#else authenticated = authctxt->valid && auth_password(authctxt, passwd); +#endif memset(passwd, 0, strlen(passwd));...

...gss-serv-krb5.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 795992d9..a12bb244 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) } else retval = 0; +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value); +#endif + krb5_free_principal(krb_context, princ); return retval; } -- 2.11.0

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

...-r1.48 auth-passwd.c --- auth-passwd.c 25 Sep 2002 23:14:16 -0000 1.48 +++ auth-passwd.c 20 Nov 2002 13:12:13 -0000 @@ -42,6 +42,8 @@ #include "log.h" #include "servconf.h" #include "auth.h" +#include "buffer.h" +#include "misc.h" #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the PAM or SIA cases */ @@ -81,8 +83,10 @@ #endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; +extern Buffer login_message; +extern int password_change_required; #ifdef WITH_AIXAUTHENTICATE...

...This also fixes a bug in the current TIS handling, it turns echo on when doing TIS. diff -uNr openssh-3.0.2p1.orig/auth-pam.c openssh-3.0.2p1/auth-pam.c --- openssh-3.0.2p1.orig/auth-pam.c Fri Nov 9 12:22:17 2001 +++ openssh-3.0.2p1/auth-pam.c Fri Feb 15 02:17:19 2002 @@ -26,6 +26,8 @@ #ifdef USE_PAM #include "ssh.h" +#include "ssh1.h" +#include "packet.h" #include "xmalloc.h" #include "log.h" #include "auth-pam.h" @@ -54,6 +56,8 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; +...

...ng SunOS 5.7, and while I was testing it to make sure everything was working properly, I noticed that when I used PAM to authenticate, rather than /bin/login, sshd was not honoring /etc/nologin. I took a real quick look through the source code and found this at line 1022 of session.c: #ifndef USE_PAM /* pam_nologin handles this */ if (!options.use_login) { Now that seems like it's probably the right way to handle /etc/nologin under PAM authenticated linux systems, however there's one problem: Sun doesn't ship SunOS with a pam_nologin.so module. pam_unix.so authenticates...

...and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=150968 possible patch for first solution: Index: session.c =================================================================== --- session.c (revision 15) +++ session.c (working copy) @@ -394,8 +394,10 @@ session_proctitle(s); #if defined(USE_PAM) - if (options.use_pam && !use_privsep) + if (options.use_pam && !use_privsep) { + do_pam_session(); do_pam_setcred(1); + } #endif /* USE_PAM */ /* Fork the child. */ @@ -531,8 +533,10 @@ #if defined(USE_PAM) if (options.use_pam) { do_pam_set_tty(s->tty); - if (!u...

...th PAM. See comments for details. diff -ur openssh-2.9p2.dist/session.c openssh-2.9p2/session.c Index: openssh-2.9p2/session.c --- openssh-2.9p2.dist/session.c Sat Jun 16 23:40:51 2001 +++ openssh-2.9p2/session.c Thu Sep 6 11:48:04 2001 @@ -456,10 +456,6 @@ session_proctitle(s); -#if defined(USE_PAM) - do_pam_setcred(1); -#endif /* USE_PAM */ - /* Fork the child. */ if ((pid = fork()) == 0) { /* Child. Reinitialize the log since the pid has changed. */ @@ -509,6 +505,13 @@ perror("dup2 stderr"); #endif /* USE_PIPES */ +#if defined(USE_PAM) + /* pam_setcred might print...