similar to: pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

http://bugzilla.mindrot.org/show_bug.cgi?id=926 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO|994 | nThis| | ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------

http://bugzilla.mindrot.org/show_bug.cgi?id=423 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |627 nThis| | Status|NEW |ASSIGNED ------- Additional

http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy:

http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy:

https://bugzilla.mindrot.org/show_bug.cgi?id=2549 Bug ID: 2549 Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication Product: Portable OpenSSH Version: 7.1p2 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5

Hello, I am using OpenSSH-3.8p1 on HP-UX machine with USE_POSIX_THREADS option. This is for making the kerberos credentials file to be created in the system with PAM. In OpenSSH versions 3.5 when authentication is done with pam kerberos, a /tmp/krb5cc_X_Y file is created on the server side. But the KRB5CCNAME variable is not set by default. So, after we manually set this environment variable, the

OpenSSH 3.7.1p2 contains an #ifdef USE_POSIX_THREADS and simulates threads by processes if this is not defined. However, configure and config.h do not provide any means to define this. Is this already included for future releases but does not function properly if defined? Or could it be set manually in config.h and would work in Solaris?

I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a

When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",

on hp-ux 11 i see: $ date;ssh jenny Fri Oct 12 14:44:13 PDT 2001 Last successful login for stevesk: Fri Oct 12 10:45:42 PST8PDT 2001 on pts/2 Last unsuccessful login for stevesk: Mon Sep 24 22:55:53 PST8PDT 2001 Last login: Fri Oct 12 10:45:43 2001 from 172.31.1.53 You have mail. so solaris PAM is different. can other solaris+PAM users confirm this? On Fri, 12 Oct 2001, Benn Oshrin wrote:

Hello All. Attached is an update to my previous patch to make do_pam_chauthtok and privsep play nicely together. First, a question: does anybody care about these or the password expiration patches? Anyway, the "PRIVSEP(do_pam_hauthtok())" has been moved to just after the pty has been allocated but before it's made the controlling tty. This allows the child running chauthtok to

On Solaris, the pam_unix module includes a pam_session which updates the lastlog file. Since OpenSSH calls pam_session before reading the lastlog file, SSH logins to systems with this configuration (as well as similar ones, I'd imagine) report the last login time and remote host as the values from the current session. My solution to this problem is to call pam_open_session in the child,

https://bugzilla.mindrot.org/show_bug.cgi?id=2380 Bug ID: 2380 Summary: [PATCH] Optionally allow pam_setcred to override gid Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee:

I'm using OpenSSH-2.9.9p2 on Solaris 8 sparc64. 2.9p2 worked fine, but 2.9.9p2+ is giving me trouble with one thing - sshd segfaults if I try to connect and execute a command, such as "ssh machine ls". Otherwise it works great. sshd will fork, and the child process segfaults. CVS snapshot does the same thing. I've narrowed this down somewhat. It will only happen if you use

Should pam_setcred() be called if pam_authenticate() wasn't called? I would say not; both of these functions are in the authenticate part of pam. It seems the the 'auth' part of pam config controls which modules get called, so if you didn't to _authenticate() you shouldn't do _setcred(). thx /fc

Hi All. Attached is a patch that implements password expiry with PAM and privsep. It works by passing a descriptor to the tty to the monitor, which sets up a child with that tty as stdin/stdout/stderr, then runs chauthtok(). No setuid helpers. I used some parts of Michael Steffens' patch (bugid #423) to make it work on HP-UX. It's still rough but it works. Tested on Solaris 8 and

We've been having trouble with OpenSSH 2.9p2, running on Solaris 8 (a domain of an E10k), with PAM authentication turned on. It intermittently crashes with signal 11 (seg fault) after the password is entered, after the MOTD is displayed, but before control is passed over to the login shell. I eventually managed to persuade sshd's child process to consistently crash, upon entry of an

https://bugzilla.mindrot.org/show_bug.cgi?id=2399 Bug ID: 2399 Summary: openssh server should fatal out when pam_setcred and pam_open_session fail Product: Portable OpenSSH Version: 6.8p1 Hardware: Sparc OS: Solaris Status: NEW Severity: normal Priority: P5

Hello. I'm wondering how one would go about configuring dovecot to invoke pam_setcred() from the same process as (or a parent process of) the process which eventually reads the user's mail off the disk. This is required for pam modules that set kernel-level credentials which are later used to access the user's mail files. In particular, I'm trying to use dovecot with pam_krb5