similar to: [Bug 1534] New: openssh calls pam functions in the wrong order on logout

Displaying 20 results from an estimated 3000 matches similar to: "[Bug 1534] New: openssh calls pam functions in the wrong order on logout"

2001 Sep 05
2
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of
2002 Oct 21
0
[Bug 419] New: HP-UX PAM problems with 3.5p1
http://bugzilla.mindrot.org/show_bug.cgi?id=419 Summary: HP-UX PAM problems with 3.5p1 Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:
2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM: 1) pam_close_session() - do lastlog stuff 2) pam_setcred(PAM_DELETE_CRED) - delete credentials 3) pam_end() - close PAM It appears that pam_setcred() always fails with the error PAM_PERM_DENIED. This is due to a check done pam_unix.so to not allow a caller with euid 0 to even try to delete their SECURE_RPC credentials. When sshd calls
2013 Jan 19
1
PAM function ordering
Dear all, I've been looking into hacking with some PAM modules, and thought I could learn from the OpenSSH source (it's probably the closest thing to a canonical cross-platform consumer of the API). One thing I've noticed I don't understand though is how OpenSSH's invocation of do_pam_session/setcred can work (in main of the process forked in sshd.c). Ignoring privsep for the
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant
2002 May 29
0
pam_limits module bug and its effects on pam applications
On 2001-10-26 at 13:35:50 Nicolas Williams <Nicolas.Williams at ubsw.com> wrote: > On Fri, Oct 26, 2001 at 02:11:13PM +0200, Markus Friedl wrote: > > On Fri, Oct 26, 2001 at 10:14:21AM +1000, Damien Miller wrote: > > > On Thu, 25 Oct 2001, Ed Phillips wrote: > > > > > > > What is the reasoning behind this? Do we want to see a lastlog entry for >
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The
2003 Feb 26
0
PAM merge from FreeBSD
A few things to keep in mind: - kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during kbd-int so that modules in each of those PAM stacks can prompt the user (pam_open_session(), for example, may prompt a user with an informational message akin to the last login message) - all userauth methods should
2005 May 22
3
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO|994 | nThis| | ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------
2004 Mar 24
1
Trying to compile Samba 3.0.2a
Hi, I'm using SuSE 8.2 and I got the source for samba 3.0.2a and I tried to install it. ./configure (w/o any arguments) went ok so I type make and it gives me the following errors: Linking bin/smbd auth/pampass.o(.text+0x59): In function `smb_pam_error_handler': : undefined reference to `pam_strerror' auth/pampass.o(.text+0xcb6): In function `smb_pam_end': : undefined reference
2007 Oct 31
3
MANAGESIEVE patch v8 for dovecot 1.0.7
Hello dovecot users, I have updated the MANAGESIEVE patch to the latest stable version of dovecot (1.0.7). This new version also adds extra configuration settings to explicitly specify the location of the sieve storage and the active sieve script. Additionally, the README now more clearly explains the configuration of the daemon. It currently won't compile with 1.1 due to significant changes
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee:
2005 Jun 29
3
sshd deletes the GSSAPI ticket on exit
Hello All, I have run into a situation where a user exiting from a PAM_KERBEROS-authenticated session runs the risk of deleting a kinit-generated credentials file that was already sitting on the server. I will explain the problem in detail, but let me begin with my question. It has a specific reference to PAM_KERBEROS, but it can also be a general question. If a user (ssh) session was
2016 Mar 07
2
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549 Bug ID: 2549 Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication Product: Portable OpenSSH Version: 7.1p2 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5
2007 Aug 27
1
MANAGESIEVE patch v7 for dovecot 1.0.3 and TLS
Hi, I allow only TLS/SSL connection to dovecot. The managesieve doesn't work with TLS but it works without it. gladiac at magrathea:~> gnutls-cli -p 2000 -s --insecure -V milliways.cynapses.org Resolving 'milliways.cynapses.org'... Connecting to '213.239.217.124:2000'... - Simple Client Mode: - Received[194]: "IMPLEMENTATION" "dovecot"
2002 Feb 27
0
[Bug 127] New: PAM with ssh authentication and pam_krb5 doesn't work properly
http://bugzilla.mindrot.org/show_bug.cgi?id=127 Summary: PAM with ssh authentication and pam_krb5 doesn't work properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:
2001 Sep 06
1
lastlog on Solaris with PAM (patch included)
On Solaris, the pam_unix module includes a pam_session which updates the lastlog file. Since OpenSSH calls pam_session before reading the lastlog file, SSH logins to systems with this configuration (as well as similar ones, I'd imagine) report the last login time and remote host as the values from the current session. My solution to this problem is to call pam_open_session in the child,
2015 May 12
0
ldap host attribute is ignored
> > After that you'll probably have to turn up logging in sssd and check its > logs to see what it's doing. i have set logging in sssd to 9: cache_credentials = true debug_level = 9 I first tried a user with the correct host attribute, then a user without the host attribute. The output in the logfiles are the same. Note: USER ist not a local user. Without correct ldap password
2002 Jun 26
3
pam session as root
Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@