Displaying 20 results from an estimated 4000 matches similar to: "SSH / PAM / Kerberos / password aging"
2005 Jun 08
1
Possible security flaw in OpenSSH and/or pam_krb5
openssh-unix-dev at mindrot.org
kerberos at ncsa.uiuc.edu
We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5
module. When a Kerberos principal has the REQUIRES_PWCHANGE
(+needchange) flag set, OpenSSH+pam_krb5 will still successfully
authenticate the user. Local 'su' and 'login' fail in this case which
leads us to believe it's at least
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes
PAM authentication take place in a separate process or thread
(launched from sshpam_init_ctx() in auth-pam.c). By default (if you
don't define USE_POSIX_THREADS) the code "fork"s a separate process.
Or if you define USE_POSIX_THREADS it will create a new thread (a
second one, in addition to the primary thread).
The
2002 Mar 27
4
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 -------
Created an attachment (id=55)
Patch to do pw aging in kbd-interactive
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
noticed that it did not honor password expiration consistently with
other Solaris login services.
The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
password changes on expiration via pam_chauthtok(). A brief summary of
changes:
auth-pam.c:
* change declaration of pamh to "static pam_handle_t *pamh",
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>> >Could we please have a clarification on the semantics of
>> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS?
>>
>> My interpretation is:
>>
>> You call PAM_ESTABLISH_CRED to create them
>> You call PAM_REINITIALIZE_CRED to update creds that can expire over time,
>> for example a kerberos ticket.
Oops. I meant
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.
In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is
if it's expired, right? From the Solaris pam_chauthtok man page:
2018 Feb 12
3
FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)
Hi everyone,
I have a repeatable core dump when running dovecot on FreeBSD in the
specific scenario described below.
Dovecot is linked against MIT kerberos in /usr/local/lib/, whilst PAM is
linked against Heimdal in /usr/lib/.
My expectation was that dovecot authentication using GSSAPI would use MIT
kerberos in /usr/local/lib, whereas PAM authentication is independent from
dovecot and would
2015 Sep 28
4
[Bug 2475] New: Login failure when PasswordAuthentication, ChallengeResponseAuthentication, and PermitEmptyPasswords are all enabled
https://bugzilla.mindrot.org/show_bug.cgi?id=2475
Bug ID: 2475
Summary: Login failure when PasswordAuthentication,
ChallengeResponseAuthentication, and
PermitEmptyPasswords are all enabled
Product: Portable OpenSSH
Version: 7.1p1
Hardware: ix86
OS: Linux
Status: NEW
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
https://bugzilla.mindrot.org/show_bug.cgi?id=2548
Bug ID: 2548
Summary: Make pam_set_data/pam_get_data work with OpenSSH
Product: Portable OpenSSH
Version: 7.2p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: major
Priority: P5
Component: PAM support
Assignee:
2009 May 01
2
pam_winbind: user needs new password
Hi,
I just upgraded from Mandriva 2009.0 (Samba 3.2.3) to Mandriva 2009.1
(Samba 3.3.2), keeping all the same config files I had before. I use
pam_winbind to authenticate users against MS Active Directory.
Everything was working perfectly prior to the upgrade, and now
everything seems to be fine except for one thing: no user can have
access due to the following errors (taken from auth.log):
May
2002 May 22
3
Openssh still logs in while passwd is locked
>Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the
>'passwd -l ...' command to lock the users password. However, the user can
>still access the system via ssh. Whilst I could do other things such as
>moving their .ssh directory, removing their account home directory, etc,
>etc, is there some 'nicer' way to inform ssh that the account is now
2002 Jan 29
21
locked account accessable via pubkey auth
maybe this is a silly question ;-) But why is it possible to login on a
machine with a locked account (passwd -l ) via pubkey-authentication
(authorized_keys) ?
I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not
happen.
If this is the normal behaviour and built in intentionally what would be the
easiest way to lock an account without deleting the users authorized_keys ?
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
All,
I tried to sign up for this list a few weeks ago, but I don't think
it worked. After I confirmed my intention to be on the list, I only
got one single message from someone on the list, and that was it.
So, either this is a particularly quiet list, or my subscription
was dropped somehow just after it was made. So, if you could kindly
CC me directly on any responses to this, I sure would
2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
http://bugzilla.mindrot.org/show_bug.cgi?id=1188
Summary: keyboard-interactive should not allow retry after
pam_acct_mgmt fails
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> -----
Date: Fri, 2 May 2003 14:01:33 +0200
From: Andrea Barisani <lcars at infis.univ.trieste.it>
To: openssh at openssh.com
Subject: openssh 3.6.1_p2 problem with pam
Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
# ssh -l lcars mybox
[2 seconds delay]
lcars at mybox's
2001 Oct 25
6
Regarding PAM_TTY_KLUDGE and Solaris 8...
>Okay, this appears to be a problem with pam_unix.so - the code in
>pam_sm_open_session is written with the assumption that the tty name is of
>the form "/dev/" + something else on the end. I'm not sure why the
pam_sm_open_session in pam_unix on Solaris now does this:
/* report error if ttyn or rhost are not set */
if ((ttyn == NULL) || (rhost == NULL))
2005 Sep 21
23
[Bug 1087] SSH fails to show PAM password expiry message from LDAP on login
http://bugzilla.mindrot.org/show_bug.cgi?id=1087
djm at mindrot.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Group|Portable OpenSSH |
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
2001 Aug 28
1
OpenSSHd barfs upon reauthentication: PAM, Solaris 8
We've been having trouble with OpenSSH 2.9p2, running on Solaris 8
(a domain of an E10k), with PAM authentication turned on. It
intermittently crashes with signal 11 (seg fault) after the password
is entered, after the MOTD is displayed, but before control is passed
over to the login shell. I eventually managed to persuade sshd's child
process to consistently crash, upon entry of an
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All.
Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive. It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired. To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.
This doesn't seem to work on AIX 5.2, I don't know
2000 May 25
2
grace logins on solaris
We just started using NDS for Solaris to authenticate users on our SOlaris
2.6 boxes. Works great with OpenSSH except for one thing. When a user's
password is expired, sshd won't allow them access, while telnetd reports
the number of grace logins left, and asks to change the user's password.
Seems to be an interaction with the PAM account module, but I'm not
familiar enough