similar to: SSH / PAM / Kerberos / password aging

openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

http://bugzilla.mindrot.org/show_bug.cgi?id=188 ------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 ------- Created an attachment (id=55) Patch to do pw aging in kbd-interactive ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

Hi everyone, I have a repeatable core dump when running dovecot on FreeBSD in the specific scenario described below. Dovecot is linked against MIT kerberos in /usr/local/lib/, whilst PAM is linked against Heimdal in /usr/lib/. My expectation was that dovecot authentication using GSSAPI would use MIT kerberos in /usr/local/lib, whereas PAM authentication is independent from dovecot and would

https://bugzilla.mindrot.org/show_bug.cgi?id=2475 Bug ID: 2475 Summary: Login failure when PasswordAuthentication, ChallengeResponseAuthentication, and PermitEmptyPasswords are all enabled Product: Portable OpenSSH Version: 7.1p1 Hardware: ix86 OS: Linux Status: NEW

https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee:

Hi, I just upgraded from Mandriva 2009.0 (Samba 3.2.3) to Mandriva 2009.1 (Samba 3.3.2), keeping all the same config files I had before. I use pam_winbind to authenticate users against MS Active Directory. Everything was working perfectly prior to the upgrade, and now everything seems to be fine except for one thing: no user can have access due to the following errors (taken from auth.log): May

>Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the >'passwd -l ...' command to lock the users password. However, the user can >still access the system via ssh. Whilst I could do other things such as >moving their .ssh directory, removing their account home directory, etc, >etc, is there some 'nicer' way to inform ssh that the account is now

maybe this is a silly question ;-) But why is it possible to login on a machine with a locked account (passwd -l ) via pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not happen. If this is the normal behaviour and built in intentionally what would be the easiest way to lock an account without deleting the users authorized_keys ?

All, I tried to sign up for this list a few weeks ago, but I don't think it worked. After I confirmed my intention to be on the list, I only got one single message from someone on the list, and that was it. So, either this is a particularly quiet list, or my subscription was dropped somehow just after it was made. So, if you could kindly CC me directly on any responses to this, I sure would

http://bugzilla.mindrot.org/show_bug.cgi?id=1188 Summary: keyboard-interactive should not allow retry after pam_acct_mgmt fails Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support

----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's

>Okay, this appears to be a problem with pam_unix.so - the code in >pam_sm_open_session is written with the assumption that the tty name is of >the form "/dev/" + something else on the end. I'm not sure why the pam_sm_open_session in pam_unix on Solaris now does this: /* report error if ttyn or rhost are not set */ if ((ttyn == NULL) || (rhost == NULL))

http://bugzilla.mindrot.org/show_bug.cgi?id=1087 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Group|Portable OpenSSH | ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

We've been having trouble with OpenSSH 2.9p2, running on Solaris 8 (a domain of an E10k), with PAM authentication turned on. It intermittently crashes with signal 11 (seg fault) after the password is entered, after the MOTD is displayed, but before control is passed over to the login shell. I eventually managed to persuade sshd's child process to consistently crash, upon entry of an

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

We just started using NDS for Solaris to authenticate users on our SOlaris 2.6 boxes. Works great with OpenSSH except for one thing. When a user's password is expired, sshd won't allow them access, while telnetd reports the number of grace logins left, and asks to change the user's password. Seems to be an interaction with the PAM account module, but I'm not familiar enough