similar to: [Bug 278] ssh allows auto login even if account is locked

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant

>Using OpenSSH 3.1p1 on a Sun Solaris 7 box, I disabled an account using the >'passwd -l ...' command to lock the users password. However, the user can >still access the system via ssh. Whilst I could do other things such as >moving their .ssh directory, removing their account home directory, etc, >etc, is there some 'nicer' way to inform ssh that the account is now

>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee:

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch,

http://bugzilla.mindrot.org/show_bug.cgi?id=278 Summary: ssh allows auto login even if account is locked Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org

<<pam_user.patch>> Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions, let me know. Thanks, Jeremy -------------- next part -------------- A non-text

Hi! I'm using Openssh v3.5p1 with Solaris 8 compiled with pam support enabled. It seems that if I use public key authentication I can log in to an account that is locked (/etc/shadow has *LK* as password). Login is also allowed even if the user does not have a valid shell. Is this a bug or am I missing something? -- Osmo Paananen

Hi I try to use windbind rule to authenticate users in dovecot login procedure. /etc/nsswitch.conf file: passwd: files winbind shadow: files winbind group: files winbind when I try logon from my console to dovecot (pop3 server): # telnet komp14 110 Trying 10.10.10.38... Connected to komp.xxx.xxx (10.10.10.38). Escape character is '^]'. +OK Dovecot ready. user tt1 +OK pass xxxxxxxxx -ERR

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",

Hello All, Im using OpenSSH-3.9p1 configured for PAM,krb etc.. When I use Key based auth methods such as Public key,gssapi etc, this skips the pam_authenticate() call and directly calls pam_acct_mgmt(). This results in a failed attempt with few of my own PAM modules. Is there any way to implement this facility to be controlled by a directive in sshd_config. I mean PAM calls should not be

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

On Tue, 1 Feb 2005, it was written: > Nicolas Lopez wrote: > > maildir and most of my accounts in LDAP. Since the accounts are created > > through a web interface on another server home directories on the mail > > server don't get created automatically. There's the handy pam module > > pam_mkhomedir.so to automagically create home directories, but >

A few things to keep in mind: - kbd-int should call pam_authenticate(), acct_mgmt(), chauthtok(), if required, setcred(PAM_ESTABLISH_CRED) and open_session() ALL during kbd-int so that modules in each of those PAM stacks can prompt the user (pam_open_session(), for example, may prompt a user with an informational message akin to the last login message) - all userauth methods should

https://bugzilla.mindrot.org/show_bug.cgi?id=3210 Bug ID: 3210 Summary: Confusing errors when pam_acct_mgmt() fails Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee:

http://bugzilla.mindrot.org/show_bug.cgi?id=559 Summary: PAM fixes Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at fcusack.com - start PAM

Hi, I'm using SuSE 8.2 and I got the source for samba 3.0.2a and I tried to install it. ./configure (w/o any arguments) went ok so I type make and it gives me the following errors: Linking bin/smbd auth/pampass.o(.text+0x59): In function `smb_pam_error_handler': : undefined reference to `pam_strerror' auth/pampass.o(.text+0xcb6): In function `smb_pam_end': : undefined reference