similar to: [Bug 188] New: pam_chauthtok() is called too late

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",

A few things to keep in mind: - kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during kbd-int so that modules in each of those PAM stacks can prompt the user (pam_open_session(), for example, may prompt a user with an informational message akin to the last login message) - all userauth methods should

http://bugzilla.mindrot.org/show_bug.cgi?id=188 ------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 ------- Created an attachment (id=55) Patch to do pw aging in kbd-interactive ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

On 2001-10-26 at 13:35:50 Nicolas Williams <Nicolas.Williams at ubsw.com> wrote: > On Fri, Oct 26, 2001 at 02:11:13PM +0200, Markus Friedl wrote: > > On Fri, Oct 26, 2001 at 10:14:21AM +1000, Damien Miller wrote: > > > On Thu, 25 Oct 2001, Ed Phillips wrote: > > > > > > > What is the reasoning behind this? Do we want to see a lastlog entry for >

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as

Hi, I'm using SuSE 8.2 and I got the source for samba 3.0.2a and I tried to install it. ./configure (w/o any arguments) went ok so I type make and it gives me the following errors: Linking bin/smbd auth/pampass.o(.text+0x59): In function `smb_pam_error_handler': : undefined reference to `pam_strerror' auth/pampass.o(.text+0xcb6): In function `smb_pam_end': : undefined reference

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee:

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

http://bugzilla.mindrot.org/show_bug.cgi?id=189 Summary: pam_setcred() failures should not be treated as fatal Product: Portable OpenSSH Version: 3.1p1 Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@

I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a

http://bugzilla.mindrot.org/show_bug.cgi?id=188 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From djm at mindrot.org 2003-05-14 22:32

http://bugzilla.mindrot.org/show_bug.cgi?id=188 ------- Additional Comments From stevesk at pobox.com 2002-06-04 05:46 ------- 20020426 - (djm) Disable PAM password expiry until a complete fix for bug #188 exists ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=188 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |smueller at atsec.com ------- Additional Comments From stevesk at pobox.com 2002-07-18 15:46 ------- *** Bug 256 has been marked as a

http://bugzilla.mindrot.org/show_bug.cgi?id=188 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dirk.bockmann at customs.gov.au ------- Additional Comments From stevesk at pobox.com 2002-08-30 07:08 ------- *** Bug 362 has been

Currently, OpenSSH prints the message: "Warning: You password has expired, please change it now" if the password has expired. It would be nice if the user could/had to change password before continuing, like with Linux console login. I've tried to make an patch, but it doesn't work. Ideas? --- auth-pam.c.org Wed Oct 11 18:03:43 2000 +++ auth-pam.c Wed Oct 11 18:03:44