similar to: [Bug 83] fork() fails when there are PAM limits set

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |misiek at pld.org.pl Summary|PAM limits applied |PAM limits applied |incorrectly

http://bugzilla.mindrot.org/show_bug.cgi?id=83 Summary: fork() fails when there are PAM limits set Product: Portable OpenSSH Version: 3.0.2p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rudolph at getsystems.com ------- Additional Comments From djm at mindrot.org 2003-01-07 18:31 ------- *** Bug 354 has been marked as a

http://bugzilla.mindrot.org/show_bug.cgi?id=83 ------- Additional Comments From djm at mindrot.org 2003-03-10 15:49 ------- Created an attachment (id=247) --> (http://bugzilla.mindrot.org/attachment.cgi?id=247&action=view) Call pam_session after child fork() Hopefully this patch will allow people to gather the feedback necessary to close this bug. ------- You are receiving this

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Component|sshd |PAM support ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

A few things to keep in mind: - kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during kbd-int so that modules in each of those PAM stacks can prompt the user (pam_open_session(), for example, may prompt a user with an informational message akin to the last login message) - all userauth methods should

http://bugzilla.mindrot.org/show_bug.cgi?id=83 ------- Additional Comments From dtucker at zip.com.au 2003-09-15 12:13 ------- Hey, isn't this fixed in -current? do_pam_session is now called before permanently_set_uid. Could you please try a snapshot? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

With OpenSSH 2.9.9p2 as the server, I'm not able to do scp or "ssh machinename command" in general to any of my Suns! I tracked this down a bit; the problem occurs only when PAM support is enabled. However, if I remove line 430 of session.c, "do_pam_session(s->pw->pw_name, NULL);" inside of do_exec_no_pty, the problem goes away. It looks like the following entry

I'm using Dovecot 1.1.7 on CentOS 5.2. I've changed my passdb from passwd to pam, it works fine, but I've found this messages on /var/log/secure: dovecot-auth: PAM adding faulty module: /lib64/security/pam_limits.so dovecot-auth: PAM unable to dlopen(/lib64/security/pam_limits.so) dovecot-auth: PAM [error: /lib64/security/pam_limits.so: failed to map segment from shared object:

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant

http://bugzilla.mindrot.org/show_bug.cgi?id=118 Summary: Implement TIS (protocol 1) via PAM Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at

Dear all, I've been looking into hacking with some PAM modules, and thought I could learn from the OpenSSH source (it's probably the closest thing to a canonical cross-platform consumer of the API). One thing I've noticed I don't understand though is how OpenSSH's invocation of do_pam_session/setcred can work (in main of the process forked in sshd.c). Ignoring privsep for the

http://bugzilla.mindrot.org/show_bug.cgi?id=83 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|fork() fails when there are |PAM limits applied |PAM limits set |incorrectly ------- You are receiving this mail because: ------- You

On Solaris, the pam_unix module includes a pam_session which updates the lastlog file. Since OpenSSH calls pam_session before reading the lastlog file, SSH logins to systems with this configuration (as well as similar ones, I'd imagine) report the last login time and remote host as the values from the current session. My solution to this problem is to call pam_open_session in the child,

I am using PAM and pam_smbpass.so with Samba 2.999 (Debian sid package). If, in /etc/pam.d/samba, I set session required pam_smbpass.so then login fails, and the log says: [2002/08/04 15:43:26, 0] auth/pampass.c:smb_pam_error_handler(73) smb_pam_error_handler: PAM: session setup failed : Module is unknown [2002/08/04 15:43:26, 1] smbd/session.c:session_claim(103) pam_session

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@

>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of

Should pam_setcred() be called if pam_authenticate() wasn't called? I would say not; both of these functions are in the authenticate part of pam. It seems the the 'auth' part of pam config controls which modules get called, so if you didn't to _authenticate() you shouldn't do _setcred(). thx /fc

Hi. I've just compiled and installed 1.0beta7 on MacOSX 10.4.6. I have lost the battle with PAM authentication. When I connect to the IMAP server and provide the correct user name and password, the mail client is told authentication failed. Here's what's in the log: Apr 21 22:47:43 shaun dovecot: auth(default): client in: AUTH 2 PLAIN service=IMAP secured