Displaying 20 results from an estimated 1200 matches similar to: "[Bug 559] PAM fixes"
2001 Nov 07
2
Flaw in empty password authentication in sshd
The auth-pam.c of sshd server contains a small flaw that allows empty
password logins even if "PermitEmptyPasswords" option in the sshd config
file is set to "no". The scenario is as follows:
Using ssh the user tries to logon to the machine using an account that has
empty password. If the user presses enter on the password prompt (NULL
password) access is
2002 Feb 15
0
[Bug 118] New: Implement TIS (protocol 1) via PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=118
Summary: Implement TIS (protocol 1) via PAM
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: fcusack at
2002 Jul 24
0
pam problems with securid patch
Hi,
I have the securID patch applied to openssh3.4p-1 and it's compiled with
pam. The problem I'm getting is that SecurID auth works OK, but normal
password auth doesn't. I narrowed down the failure to the following section
in auth-pam.c :
__pampasswd = password;
pamstate = INITIAL_LOGIN;
pam_retval = do_pam_authenticate(
options.permit_empty_passwd ==
2000 Aug 27
0
patch for TIS (skey/opie) *and* passwd auth via PAM
Hello,
appended is a patch that makes it possible to use PAM both for
password authentication and TIS (i.e. s/key or opie or any other
interactive challenge/response scheme). I have developed this starting
from the patch at http://www.debian.org/Bugs/db/61/61906.html on
Debian with openssh-2.1.1p4-3. After configuring ssh with
--with-pam-tis, there are two PAM services, "sshd" and
2001 Feb 10
1
[PATCH] Tell PAM about remote host earlier
I was browsing the OpenSSH sources (which are very readable, thankyou
very much) and noticed that PAM was only being told what host the user
is logging in from for account processing - not for password
processing. As I can see no reason not to put this in start_pam this is
exactly what I have done - and attached a patch to this effect.
This allows PAM to fill in rhost= in its audit messages
2003 May 12
10
[Bug 559] PAM fixes
http://bugzilla.mindrot.org/show_bug.cgi?id=559
Summary: PAM fixes
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: fcusack at fcusack.com
- start PAM
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
http://bugzilla.mindrot.org/show_bug.cgi?id=419
Summary: HP-UX PAM problems with 3.5p1
Product: Portable OpenSSH
Version: -current
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy:
2002 Dec 05
1
patch to add a PAMServiceName config option
I append a patch against openssh-3.5p1.tar.gz which adds a config option
PAMServiceName. The option allows one to specify the PAM service at
runtime in the config file rather than using __progname or having it
hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful
if one wants to run multiple instances of sshd using different PAM
configurations.
With this patch
2002 Apr 26
0
PAM keyboard-interactive
The following patch (relative to -current) makes PAM a proper
kbd-interactive citizen. There are a few limitations (grep for todo), but
the code seems to work OK for protocols 1 & 2 with and without privsep.
Please have a play!
auth2-pam.c is based on code from FreeBSD.
Index: auth2-chall.c
===================================================================
RCS file:
2002 Jul 02
3
New PAM kbd-int diff
Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes
PAM kbd-int work with privilege separation.
Contrary to what I have previously stated - it *does* handle multiple
prompts. What it does not handle is multiple passes through the PAM
conversation function, which would be required for expired password
changing.
I would really appreciate some additional eyes over the
2002 Jun 25
4
PAM kbd-int with privsep
The following is a patch (based on FreeBSD code) which gets kbd-int
working with privsep. It moves the kbd-int PAM conversation to a child
process and communicates with it over a socket.
The patch has a limitation: it does not handle multiple prompts - I have
no idea how common these are in real-life. Furthermore it is not well
tested at all (despite my many requests on openssh-unix-dev@).
-d
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
noticed that it did not honor password expiration consistently with
other Solaris login services.
The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
password changes on expiration via pam_chauthtok(). A brief summary of
changes:
auth-pam.c:
* change declaration of pamh to "static pam_handle_t *pamh",
2002 Jul 16
2
HP-UX PAM with Trusted System patch
I'm fairly new to the list and new to submitting patches. Can someone
please verify the attached patch for running a HP-UX Trusted System with
PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify
the user via __pamh after the call to permanently_set_uid in session.c.
So I called do_pam_session prior to the call and added a function
do_pam_set_tty in order to set the
2002 Nov 24
1
[PATCH] PamServiceNameAppend
Hello,
Here's the situation I'm facing : I'm running OpenSSH on a server. On
a gateway, I forward TCP:22 to the server TCP:22. So far, so good. I can
log in from inside the lan by connecting using standard SSH port, or
from the other network through the gateway.
Now, I'd like a different configuration for connections from the
outside. I start another SSHd on the
2002 Jul 25
0
openssh-unix-dev digest, Vol 1 #505 - 15 msgs
subscribe openssh-unix-dev at mindrot.org
> Send openssh-unix-dev mailing list submissions to
> openssh-unix-dev at mindrot.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> or, via email, send a message with subject or body 'help' to
> openssh-unix-dev-request at mindrot.org
>
2001 Mar 30
1
PAM and -u0
is this change ok? goal is that PAM with -u0 does not use DNS (like
without PAM).
Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.34
diff -u -r1.34 auth-pam.c
--- auth-pam.c 2001/03/27 06:12:24 1.34
+++ auth-pam.c 2001/03/30 16:46:12
@@ -41,6 +41,10 @@
static int do_pam_conversation(int num_msg,
1999 Dec 28
0
Patches to report rsaref build and to call pam_setcred
I've attached two patches. The first just changes the output of "ssh -V"
to print that it was built against rsaref if libRSAglue (which is built
as part of openssl only when it is built against rsaref) is present at
build-time. The second adds appropriate calls to pam_setcred() in sshd.
Without them, our systems can't access AFS because the PAM modules only
get tokens at a
2002 Jun 26
3
pam session as root
Beyond any more general questions of whether pam sessions *should* be
run as root, is there an immediate security concern with moving the
pam_open_session (and pam_setcred) stuff to the parent (root) process?
(E.g., via the patch below.)
--
Mike Stone
diff -u -r1.4 auth-pam.c
--- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4
+++ auth-pam.c 25 Jun 2002 20:33:41 -0000
@@ -286,6 +286,8 @@
2001 Oct 09
1
TISviaPAM patch
Here is a patch that does TIS auth via PAM. It's controlled by a switch
in the sshd_config. You'd use it by having a PAM module that sets
PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs.
The patch is against the 2.9.9p2 distribution.
I'm not on the list, a reply if this patch is accepted would be great.
(But not required, I know some folks have a distaste for
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
Hi All.
Attached is a patch that implements password expiry with PAM and
privsep. It works by passing a descriptor to the tty to the monitor,
which sets up a child with that tty as stdin/stdout/stderr, then runs
chauthtok(). No setuid helpers.
I used some parts of Michael Steffens' patch (bugid #423) to make it
work on HP-UX.
It's still rough but it works. Tested on Solaris 8 and