similar to: Puzzled about PAM support in OpenSSH-3.7.1p2

this is at the bottom of auth.c. What is it? struct passwd * fakepw(void) { static struct passwd fake; memset(&fake, 0, sizeof(fake)); fake.pw_name = "NOUSER"; fake.pw_passwd = "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; fake.pw_gecos = "NOUSER"; fake.pw_uid = -1; fake.pw_gid = -1; fake.pw_class =

Hi, there's a change made to 4.4p1, which gave some irritation on the Cygwin mailing list. It's a change from 20060907: - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can be used to drop privilege to; fixes Solaris GSSAPI crash reported by Magnus Abrante; suggestion and feedback dtucker@ NB. this change will require that the privilege separation user must

Hello! Please consider including the attached patch in the next release. It allows one to drop privilege separation code while building openssh by using '--disable-privsep' switch of configure script. If one doesn't use privilege separation at all, why don't simply allow him to drop privilege separation support completely? -- Sincerely Your, Dan. -------------- next part

http://bugzilla.mindrot.org/show_bug.cgi?id=559 ------- Additional Comments From dtucker at zip.com.au 2004-07-01 13:40 ------- (From update of attachment 292) OK, except for the last bit, I think this is all done. >+#ifdef USE_PAM >+ options.permit_empty_passwd && >+#endif This is done in auth-passwd.c: if (*password == '\0' &&

http://bugzilla.mindrot.org/show_bug.cgi?id=118 Summary: Implement TIS (protocol 1) via PAM Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at

Hello, appended is a patch that makes it possible to use PAM both for password authentication and TIS (i.e. s/key or opie or any other interactive challenge/response scheme). I have developed this starting from the patch at http://www.debian.org/Bugs/db/61/61906.html on Debian with openssh-2.1.1p4-3. After configuring ssh with --with-pam-tis, there are two PAM services, "sshd" and

Hello, Here's the situation I'm facing : I'm running OpenSSH on a server. On a gateway, I forward TCP:22 to the server TCP:22. So far, so good. I can log in from inside the lan by connecting using standard SSH port, or from the other network through the gateway. Now, I'd like a different configuration for connections from the outside. I start another SSHd on the

Hi all, After the memory leaks (bug 1967 <https://bugzilla.mindrot.org/show_bug.cgi?id=1967>) I reported in bugzilla are fixed, I also applied melton(http://lcs.ios.ac.cn/~xuzb/melton.html) to detect the potential bugs in sshd (openssh-5.9p1). The url below is the index of bug reports that are checked as real bugs manually.

Hi, I am working on the following SSH solution and I need some help: 1. User ssh against my node where he/she does not have an account 2. Firstly the node synchronize its user database from a remote db with ldap. (just refresh the database, no authentication here) 3. Authenticate the user with a PAM module I am using my synchronisation script as a PAM module but it seems that the authentication

Dear list, since the order of authentication and AFS token/KRB TGT forwarding changed (around 3.0), we have had problems with users accidentally overwriting their credentials from a "password" login with forwarded credentials. E.g. user A logs in as user B, but stays with the AFS permissions of user A. A workaround is to use "-k" on these sessions, but "it worked without

I append a patch against openssh-3.5p1.tar.gz which adds a config option PAMServiceName. The option allows one to specify the PAM service at runtime in the config file rather than using __progname or having it hardwired to SSHD_PAM_SERVICE at compile time. I expect this to be useful if one wants to run multiple instances of sshd using different PAM configurations. With this patch

If the info_response code is going to test that the # of responses is < 100, then the info_request code should check that < 100 prompts are sent. It would be rude to send 101 prompts and then fail when the responses come back. I actually think the test should be removed altogether, the limit seems quite arbitrary, but here is a patch to not send > 100 prompts. With this patch, the test

This is an attempt to simplify the AIX expiry-via-passwd stuff and make it more generic. (There's actually a net reduction in #ifdefs). Patch against CVS: 1) configure finds passwd. 2) sshd uses passwd during session if required. 3) sshd uses passwd for PAM change if privsep disabled. 4) sshd uses Buffers for expire and post-login messages (no longer AIX specific). 5) password_change_required

Hi Damien, I noticed you merged a couple of ifdefs in the fix for bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd =

Hi All. Attached is a patch which adds AIX native password expiry support to sshd. It will only apply to -current and is a subset of the patch I have been working on in the last few months (see bug #14 [1]). It contains code by Pablo Sor, Mark Pitt and Zdenek Tlusty and fixes for bugs reported by many others (see [2] for a full list). It adds a do_tty_change_password function that execs

Hi, What''s the best way to hook into any changes made to the value of a single model attribute? I need to know when the encrypted_password attribute on my User model changes i.e. when the user has changed their password. I''m not interested in the actual changed value, I just need to know when it''s been changed so that I can regenerate their API key as well. Thanks in

As posted, here is an updated patch which allows openssh to be built with non-selinux config. (Hi openssh guys, forwarding this to you incase you interested including it into the devel version of openssh. Please let us know if you have any suggestions or changes that need to be made) Regards Nigel Kukard On Thu, Sep 02, 2004 at 04:11:54PM -0400, Daniel J Walsh wrote: > New SSH patch. >

It works for the "yes" case but not for the "without-password" case. The function that checks (auth_root_allowed(auth_method) is special cased for "password". The Pam case sends "keyboard-interactive/pam" which like all other authentication methods except password succeeds. Here is a patch to make it work for me. Please feel free to criticize as

The following are patches against openssh 2.1.1p4 to add support for the BSD_AUTH authentication mechanisms. It allows the use of non-challenge/response style mechanisms (which styles are allowed my be limited by appropriate auth-ssh entries in login.conf). The patches also add support for calling setusercontext for the appropriate class when called with a command (so that the PATH, limits,

heres a fix for pam support im openssh, inline and attached.. openssh calls do_pam_session early, before a fork(). it does this on the proc still running as root, so it checks the users limits, against what root has running, and depending on limits can fail at the fork() (and almost always does). this patch moves it past the fork. ive been running it for a couple of weeks and everything seems