similar to: [Bug 1308] pam handling change breaks pam_abl module

http://bugzilla.mindrot.org/show_bug.cgi?id=1308 --- Comment #6 from Tom Cox <tomc at hot.rr.com> 2007-06-24 03:12:38 --- Created an attachment (id=1312) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1312) Change prevents pam_end from being called with current status. File shows problem introduced in session.c, version 1.346. -- Configure bugmail:

http://bugzilla.mindrot.org/show_bug.cgi?id=1308 Summary: pam handling change breaks pam_abl module Product: Portable OpenSSH Version: 4.6p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: bitbucket at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=1322 Summary: pam_end() is not called if authentication fails, which breaks pam-abl Product: Portable OpenSSH Version: 4.6p1 Platform: Other URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405041 OS/Version: Linux Status: NEW Severity:

I want to use sshd together with pam_abl to reduce that logfile spamming with ssh attacks. So the problem is as follows: Setting maxAuthTries to 0 or any other values smaller than the default of 6 changes the behaviour of pam_abl. First, but this also happens with not using maxAuthTries option, is: if the clientside closes connection after for example one failed authentication try then the

bugzilla-daemon at mindrot.org wrote: >Summary: segfault if not using pam/keyboard-interactive mech and > password's expired I'm sorry to report that there is a bug in the PAM code in OpenSSH 3.8p1, and sorrier to say that I put it there. This is a NULL pointer dereference and is *not* considered to be a security vulnerability. When sshd is configured --with-pam, run with

https://bugzilla.mindrot.org/show_bug.cgi?id=1602 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #9 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Marc

I'm looking for an RPM (SRPM is OK) for pam_abl, suitable for installation on a CentOS 3.5 system. I've googled without identifying one I'm confident of. Would the one for Fedora 3 be expected to work? If not, what?

Hi All. Damien merged a bunch of changes today which caused compile errors on a few platforms (which you can see live and in colour at [0]). a) Solaris, early AIX: ../crc32.c:100: `u_int32_t? undeclared (first use in this function) On these platforms u_int32_t is defined in defines.h which is not included by crc32.c. Fixed by attached patch. b) PAM platforms (Redhat, Solaris once a) is

Hi Darren, As you suggested, I've incorporated pty and enabled raw mode in my client program. VIM runs fine ;-P Now I only need to pass in the terminal window size and handle several signals Thanks for the heads up! On Mon, Feb 10, 2014 at 4:59 PM, Darren Tucker <dtucker at zip.com.au> wrote: > On Mon, Feb 10, 2014 at 7:39 PM, Aaron Lewis <the.warl0ck.1989 at gmail.com>

OK, with this additional information I can now reproduce it. Based on some quick experiments it seems to be triggered when sshd is built --with-ssh1 and the config does not *load* a Protocol 1 host key. Works: Protocol=1,2 + Hostkey not specified Protocol=1,2 + Hostkeys for both protocols specified. Doesn't work: Protocol=2 + Hostkey not specified. Protocol=1,2 + Hostkeys specified only for

Hi All. OpenSSH 4.7 is preparing for release so we are asking for any interested folks to please test a snapshot. The main changes are: * sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged. * The SSH channel window size has been increased, which improves performance on high-BDP networks. * ssh(1) and sshd(8) now preserve MAC

Hi All. Has anyone else tried the current tree on Solaris 8? I installed a recommended patch cluster and now I get PAM errors, but only on a non-interactive (ie no TTY) login. I think this behaviour was introduced with the patch cluster. First thing is that in debug mode, the debug at auth-pam.c:534 derefs tty which is null, and segfaults. This occurs in debug mode only and is easy to fix.

Hi All. I (actually the tinderbox[1]) found a problem with the fix for bug #422: when PAM is enabled on a platform that uses /etc/shadow, the variable "passwd" in auth.c is used uninitialized. There's a simple patch attached to fix this. The question is: should the locked account test be done when PAM is enabled or should we rely on PAM to do the right thing? In theory they

Hi All. Today a patch was commited to OpenSSH that performs PAM password changes via SSH2 keyboard-interactive authentication. I should work fine with privsep, which some of the other solutions have problems with. While the patch itself is relatively small, it's bigger than it should have been due to differences in PAM implementations. I encourage anyone with a interest in this to try

Hi. If sshd is configured to use PAM and UsePrivilegeSeparation=no or you are logging is as root, any messages returned by PAM session modules are not displayed to the user. (Even when the config file has privsep=yes, logging in as root disables privsep anyway since there's no point, so it behaves the same way as privsep=no). I think I've figured out why: when privsep=no,

On Wed, Feb 01, 2006 at 05:28:40PM -0800, Peter Michalek wrote: > The patch you suggested works OK, I tried it on the snapshot of 1/28/06 > using a user authenticated via GSSAPI/Kerberos, with this result, which > I think is acceptable: [...] It's not clear to me from the output, but does the connection close after the PAM account check failed? > Could we make this part of the

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the

https://bugzilla.mindrot.org/show_bug.cgi?id=1654 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #5 from Darren Tucker <dtucker at dtucker.net> --- Created attachment

On Tue, 25 Apr 2023 at 03:36, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote: > > On Apr 10, 2023, at 7:24 AM, Darren Tucker <dtucker at dtucker.net> wrote: [...] > > Since you're using 9.1, the message could be an "Invalid free", since > > there was a double-free bug in that release :-( > > Forgot to ask: does this bug manifest