similar to: Openssh still logs in while passwd is locked

Displaying 20 results from an estimated 2000 matches similar to: "Openssh still logs in while passwd is locked"

2002 Nov 12
1
Locked account and logging in with public key
Hi! I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled. It seems that if I use public key authentication I can log in to an account that is locked (/etc/shadow has *LK* as password). Login is also allowed even if the user does not have a valid shell. Is this a bug or am I missing something? -- Osmo Paananen
2002 Jan 29
21
locked account accessable via pubkey auth
maybe this is a silly question ;-) But why is it possible to login on a machine with a locked account (passwd -l ) via pubkey-authentication (authorized_keys) ? I use OpenSSH3.01p1on Solaris8 with PAM support so I thought this should not happen. If this is the normal behaviour and built in intentionally what would be the easiest way to lock an account without deleting the users authorized_keys ?
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee:
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",
2011 Mar 18
1
Problem with pam-auth and winbind
Hi I try to use windbind rule to authenticate users in dovecot login procedure. /etc/nsswitch.conf file: passwd: files winbind shadow: files winbind group: files winbind Configuration of the dovecot is follows: log_path: /var/log/dovecot/error.log info_log_path: /var/log/dovecot/info.log protocols: imap imaps pop3 pop3s ssl_cert_file: /etc/pki/tls/certs/dovecot.pem ssl_key_file:
2005 Feb 15
1
Is it possible to avoid PAM calls for key based Auth methods
Hello All, Im using OpenSSH-3.9p1 configured for PAM,krb etc.. When I use Key based auth methods such as Public key,gssapi etc, this skips the pam_authenticate() call and directly calls pam_acct_mgmt(). This results in a failed attempt with few of my own PAM modules. Is there any way to implement this facility to be controlled by a directive in sshd_config. I mean PAM calls should not be
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant
2002 Jun 14
0
[Bug 278] ssh allows auto login even if account is locked
http://bugzilla.mindrot.org/show_bug.cgi?id=278 Darren.Moffat at Sun.COM changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From Darren.Moffat at Sun.COM
2002 Mar 26
2
SSH / PAM / Kerberos / password aging
Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as
2005 Dec 18
0
pam_authenticate() failed:
Obviously I have an account. This is Solaris 10. I have been tinkering with the /etc/pam.conf without success. Does anyone have a solution? I have this currently in the pam.conf. dovecot auth required pam_passwd_auth.so.1 try_first_pass dovecot account required pam_unix_account.so.1 I have tried: dovecot auth required pam_unix_account.so.1 nullok dovecot account
2007 Aug 14
2
OpenSSH public key problem with Solaris 10 and LDAP users?
Hello. I've got a problem logging in to a Sparc Solaris 10 machine with public key authentication. I searched, and found a similar problem report at <http://thread.gmane.org/gmane.network.openssh.devel/12694>. For that guy, the problem had to do with LDAP. My user accounts are also stored in LDAP, an OpenLDAP server, to be exact. That server runs on the same machine as the machine
2005 Aug 03
10
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065 Summary: password expiration and SSH keys don't go well together Product: Portable OpenSSH Version: 4.1p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: bitbucket at mindrot.org
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's
2020 Sep 08
26
[Bug 3210] New: Confusing errors when pam_acct_mgmt() fails
https://bugzilla.mindrot.org/show_bug.cgi?id=3210 Bug ID: 3210 Summary: Confusing errors when pam_acct_mgmt() fails Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee:
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
All, I tried to sign up for this list a few weeks ago, but I don't think it worked. After I confirmed my intention to be on the list, I only got one single message from someone on the list, and that was it. So, either this is a particularly quiet list, or my subscription was dropped somehow just after it was made. So, if you could kindly CC me directly on any responses to this, I sure would
2016 Mar 07
2
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549 Bug ID: 2549 Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication Product: Portable OpenSSH Version: 7.1p2 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5
2002 Oct 29
2
Re: pam + radius
On Tue, 2002-10-29 at 05:01, Hielke Christian Braun wrote: > i am trying to use dovecot with pam and radius. My users have names > in the format joe at somedomain.com. When i have pam configured to use > the normal passwd/shadow files it works fine. With radius it does not. > I see at the radius server that the domain part of my usernames > is always replaced with the same domain
2006 May 03
8
[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails
http://bugzilla.mindrot.org/show_bug.cgi?id=1188 Summary: keyboard-interactive should not allow retry after pam_acct_mgmt fails Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The