similar to: PAM and -u0

Hi All. Attached is a patch that implements password expiry with PAM and privsep. It works by passing a descriptor to the tty to the monitor, which sets up a child with that tty as stdin/stdout/stderr, then runs chauthtok(). No setuid helpers. I used some parts of Michael Steffens' patch (bugid #423) to make it work on HP-UX. It's still rough but it works. Tested on Solaris 8 and

Hello All. Attached is an update to my previous patch to make do_pam_chauthtok and privsep play nicely together. First, a question: does anybody care about these or the password expiration patches? Anyway, the "PRIVSEP(do_pam_hauthtok())" has been moved to just after the pty has been allocated but before it's made the controlling tty. This allows the child running chauthtok to

I was browsing the OpenSSH sources (which are very readable, thankyou very much) and noticed that PAM was only being told what host the user is logging in from for account processing - not for password processing. As I can see no reason not to put this in start_pam this is exactly what I have done - and attached a patch to this effect. This allows PAM to fill in rhost= in its audit messages

do_pre_login() in session.c is used (in do_exec_pty()) before it's declared, which is causing some problems for me. please move it up a couple hundred lines in the file. patch included for 0807 snapshot. thanks, wendy % diff -u session.c.orig session.c.mod --- session.c.orig Tue Aug 7 13:11:51 2001 +++ session.c.mod Tue Aug 7 16:21:07 2001 @@ -397,6 +397,34 @@ } }

http://bugzilla.mindrot.org/show_bug.cgi?id=419 Summary: HP-UX PAM problems with 3.5p1 Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:

This is an attempt to simplify the AIX expiry-via-passwd stuff and make it more generic. (There's actually a net reduction in #ifdefs). Patch against CVS: 1) configure finds passwd. 2) sshd uses passwd during session if required. 3) sshd uses passwd for PAM change if privsep disabled. 4) sshd uses Buffers for expire and post-login messages (no longer AIX specific). 5) password_change_required

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",

http://bugzilla.mindrot.org/show_bug.cgi?id=118 Summary: Implement TIS (protocol 1) via PAM Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at

Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@

I'm fairly new to the list and new to submitting patches. Can someone please verify the attached patch for running a HP-UX Trusted System with PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify the user via __pamh after the call to permanently_set_uid in session.c. So I called do_pam_session prior to the call and added a function do_pam_set_tty in order to set the

Hello, appended is a patch that makes it possible to use PAM both for password authentication and TIS (i.e. s/key or opie or any other interactive challenge/response scheme). I have developed this starting from the patch at http://www.debian.org/Bugs/db/61/61906.html on Debian with openssh-2.1.1p4-3. After configuring ssh with --with-pam-tis, there are two PAM services, "sshd" and

Hello, Here's the situation I'm facing : I'm running OpenSSH on a server. On a gateway, I forward TCP:22 to the server TCP:22. So far, so good. I can log in from inside the lan by connecting using standard SSH port, or from the other network through the gateway. Now, I'd like a different configuration for connections from the outside. I start another SSHd on the

I append a patch against openssh-3.5p1.tar.gz which adds a config option PAMServiceName. The option allows one to specify the PAM service at runtime in the config file rather than using __progname or having it hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful if one wants to run multiple instances of sshd using different PAM configurations. With this patch

Hi, I was doing some research on why new openssh-versions (3.4 and 3.5p1) doesnt ask you to change expired passwords (it just disconnects you) and found something curious. Line 259 of auth-pam.c has "#if 0" and then the code to set some vars (eg. password_change_required to true) followed by an "endif". Why is that? I'm not a C expert, but I think "if 0" is

I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a

Currently, OpenSSH prints the message: "Warning: You password has expired, please change it now" if the password has expired. It would be nice if the user could/had to change password before continuing, like with Linux console login. I've tried to make an patch, but it doesn't work. Ideas? --- auth-pam.c.org Wed Oct 11 18:03:43 2000 +++ auth-pam.c Wed Oct 11 18:03:44

http://bugzilla.mindrot.org/show_bug.cgi?id=127 Summary: PAM with ssh authentication and pam_krb5 doesn't work properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo:

while trying to sort out the PAM incompatabilities between openssh 3.0.2p1 and solaris 8 and sun's pam_krb5 i got some things to work. i'm really not sure where the appropriate place to submit patches is so for now i'm sending them here. this patch will allow PAM interoperability when using sun's pam_krb5 without using the system login routine (this way X forwarding will

Anyone out there know more about PAM under Solaris 7/x86 then I do, that can maybe tackle this, and/or suggestion a route to take to fix? After doing some debugging, it looks like the problem is a seg fault at: sshd.c:void pam_cleanup_proc(void *context) =========================================== debug("PAM_retval(open_session) about to run"); pam_retval =

As has often been mentioned, Solaris (at least 7 and 8) gives a debug1 message on logout: Cannot delete credentials. This occurs when in auth-pam.c, function do_pam_cleanup_proc(), pam_setcred(__pamh, PAM_DELETE_CRED) is called under UID 0. I suggested a patch for this on Nov 22, 2001, based on openssh 2.9.9p2 through 3.0.1p1. [The attempt in my patch to reset to UID 0 by "if (!flag)