similar to: [Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

All, I tried to sign up for this list a few weeks ago, but I don't think it worked. After I confirmed my intention to be on the list, I only got one single message from someone on the list, and that was it. So, either this is a particularly quiet list, or my subscription was dropped somehow just after it was made. So, if you could kindly CC me directly on any responses to this, I sure would

Hello, I would like to use PAM. All PAM interaction worked well with openssh-3.5 Now that I have tried to upgrade to 3.7.1p1/p2 the pam_close_session() function won't get invoked. Some debugging shows, that the call is protected by an if-statement (module auth-pam.c, function sshpam_cleanup): if (sshpam_session_open) { pam_close_session(sshpam_handle, PAM_SILENT); /* cb, 26.09.03 */

Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the

Hi All. Has anyone else tried the current tree on Solaris 8? I installed a recommended patch cluster and now I get PAM errors, but only on a non-interactive (ie no TTY) login. I think this behaviour was introduced with the patch cluster. First thing is that in debug mode, the debug at auth-pam.c:534 derefs tty which is null, and segfaults. This occurs in debug mode only and is easy to fix.

I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch,

Hello, The banner message displayed on the screen contain octal values instead of korean chars. Prior to ssh 5.1 the banner message would display the charaters properly. I understand that starting from 5.1 the message is passed through strnvis() function. I looked into documentation on strnvis and found that it does not support multibyte chars and doesnt work well with international chars.

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

I have 4 systems and each one of them has a partition I'd like to be remotely accessible on the other 3 systems. In other words System1 has Partition1. Systems 2,3,4 should be able to remotely mount Partition1 from System1. Also System2 has Partition2. Then systems 1,3,4 should be able to remotely mount Partition2 from System2 and so on. I tried NFS and it works but only in the ideal

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

Hi, I installed openssh3.1p1 on two IRIX test systems which have both ipv6/v4 stack. When tried to execute ssh, it says permission denied and it fails. I did add --with-pam when i did configure, installed pam libraries also on the test systems. user1 at system1~ 59 % /usr/freeware/bin/ssh user1 at system1 /usr/bin/true user1 at system1's password: Permission denied, please try again. user1

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

Hi all. As Corinna pointed out, there are some cases where sshd will log some authentications twice when privsep=yes. This can happen on any platform although it seems most obvious on the ones that don't do post-auth privsep. It also occurs when sshd logs to stderr (eg running under daemontools) or when you have a /dev/log in the privsep chroot. The patch below attempts to solve this for

https://bugzilla.mindrot.org/show_bug.cgi?id=2167 Bug ID: 2167 Summary: Connection remains when fork() fails. Product: Portable OpenSSH Version: 5.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

Hi. I'm one of the OpenSSH developers, and I've done some of the work on sshd's PAM interface recently. I've discovered some behaviour peculiar to LinuxPAM that I can't explain: changing the conversation function does not appear to work, even though the pam_set_item() call claims to succeed. The previous conversation function is still called. Background: the PAM API

Yes this scenario works on my 2 systems which are at LAN. I made one system as server (192.168.0.20) and registered from other system... it is fine but now there is a different scene. actually there is a registered user named abc at system1 (192.168.0.20) having context [payasyougo] which is used to do outbound calls. we want to use this user's context and account so that when we register

Greetings! I am working with Lustre-2.1.2 on RHEL 6.2. First I configured it using the standard defaults over TCP/IP. Everything worked very nicely usnig a real, static --mgsnode=a.b.c.x value which was the actual IP of the MGS/MDS system1 node. I am now trying to integrate it with Pacemaker-1.1.7. I believe I have most of the set-up completed with a particular exception. The "lctl

I'm rsyncing files on system1 to its external HD. system2 is remote and pulls those files from the external HD. system2 does not have root privileges on system1 so I chown the files to pull. Can I somehow use --fake-super or something similar to save the original ownership info to ACLs? - Grant

https://bugzilla.mindrot.org/show_bug.cgi?id=1799 Summary: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY Product: Portable OpenSSH Version: 5.5p1 Platform: ix86 OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: PAM support AssignedTo:

Hi, sifting through my system's logs, I noticed many break-in attempts by rogue ssh clients trying long lists of common passwords. For some time now I pondered different approaches to counter these, but could not come up with a solution that really satisfied me. I finally reached the conclusion that any countermeasures required support in sshd itself, and created the attached patch. If