Displaying 20 results from an estimated 900 matches similar to: "LinuxPAM and sshd: changing conversation function doesn't work but claims to."
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
Hi All.
Attached is a patch that converts pam_chauthtok_conv into a generic
pam_tty_conv, which is used rather than null_conv for do_pam_session.
This allows, for example, display of messages from PAM session modules.
The accumulation of PAM messages into loginmsg won't help until there is
a way to collect loginmsg from the monitor (see, eg, the patches for bug
#463). This is because the
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes
PAM authentication take place in a separate process or thread
(launched from sshpam_init_ctx() in auth-pam.c). By default (if you
don't define USE_POSIX_THREADS) the code "fork"s a separate process.
Or if you define USE_POSIX_THREADS it will create a new thread (a
second one, in addition to the primary thread).
The
2004 Sep 14
1
PATCH: Public key authentication defeats passwd age warning.
All,
I tried to sign up for this list a few weeks ago, but I don't think
it worked. After I confirmed my intention to be on the list, I only
got one single message from someone on the list, and that was it.
So, either this is a particularly quiet list, or my subscription
was dropped somehow just after it was made. So, if you could kindly
CC me directly on any responses to this, I sure would
2003 Aug 08
0
Problem with -current on Solaris 8 + PAM?
Hi All.
Has anyone else tried the current tree on Solaris 8? I installed a
recommended patch cluster and now I get PAM errors, but only on a
non-interactive (ie no TTY) login. I think this behaviour was introduced
with the patch cluster.
First thing is that in debug mode, the debug at auth-pam.c:534 derefs tty
which is null, and segfaults. This occurs in debug mode only and is easy
to fix.
2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All.
This patch calls pam_chauthtok() to change an expired password via PAM
during keyboard-interactive authentication (SSHv2 only). It is tested on
Redhat 8 and Solaris 8.
In theory, it should have simply been a matter of calling pam_chauthtok
with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is
if it's expired, right? From the Solaris pam_chauthtok man page:
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
Hi All.
Attached is a patch to perform pam_chauthtok via SSH2
keyboard-interactive. It should be simpler, but since Solaris seems to
ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check
if it's expired. To minimise the change in behaviour, it also caches the
result so pam_acct_mgmt still only gets called once.
This doesn't seem to work on AIX 5.2, I don't know
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
Hi All.
Attached is another patch that attempts to do pam_chauthtok() via SSH2
keyboard-interactive authentication. It now passes the results from the
authentication thread back to the monitor (based on a suggestion from
djm).
Because of this, it doesn't call do_pam_account twice and consequently
now works on AIX 5.2, which the previous version didn't. I haven't tested
it on any
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
SecureComputing's PAM library doesn't pass back the correct context to
the pam_conversation function, i.e. it passes back NULL. So this patch
works around this fact.
likely you'll only want this hack if you expect to use pam_safeword.so
in your authentication check, and only if you run sshd in privilege
separation (separate process) mode so that the PAM conversation is
single
2006 Apr 27
0
bug in OpenSSH_4.3p2: pam_open_session() called but not close for root users
For root sessions pam_open_session is called, but not pam_close_session.
sshd behavior is broken for root logins because if pam session
is run from the child, close is never called due to exec:
on open
since use_privsep is not set, parent calls do_exec_pty(),
which does not open session. then, it skips calling do_setusercontext(),
so it does not open session.
child calls
2003 Sep 23
5
PAM sessions and conversation functions
In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function,
do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2,
this is no longer the case: session modules run with a conversation
function that just returns PAM_CONV_ERR. This means that simple session
modules whose job involves printing text on the user's terminal no
longer work: pam_lastlog, pam_mail, and
2003 Oct 28
2
Privilege separation
Hello!
Please consider including the attached patch in the next release. It
allows one to drop privilege separation code while building openssh by using
'--disable-privsep' switch of configure script. If one doesn't use privilege
separation at all, why don't simply allow him to drop privilege separation
support completely?
--
Sincerely Your, Dan.
-------------- next part
2010 Jul 16
8
[Bug 1799] New: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY
https://bugzilla.mindrot.org/show_bug.cgi?id=1799
Summary: Unable to login through PAM on Solaris 8 x86 due to
PAM_TTY
Product: Portable OpenSSH
Version: 5.5p1
Platform: ix86
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo:
2007 May 24
2
[RFC][PATCH] Detect and handle PAM changing user name
I've implemented a patch to openssh which allows the PAM auth layer
to detect if the PAM stack has changed the user name and then adjusts
its internal data structures accordingly. (imagine a PAM stack that
uses individual credentials to authenticate, but assigns the user to
a role account).
First, is the openssh community interested in this patch?
Second, if there is interest in the patch,
2001 Oct 25
3
PAM conversation stuff
Okay, I'm confused again. They way you guys are talking about the
conversation routine, it would seem that you think it is a way to fetch
something from the user - like a new password. Is this possible? Does
calling pam_chauthtok() cause the underlying pam_sm_chauthtok()
eventually print something on stdout and read a new password from stdin
(the socket to the client) using the conversation
2006 Jan 19
5
Only one chance to enter a new password?
Hello there,
We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various
Solaris boxes with PAM and an LDAP server back end.
Recently we have added a requirement for users to have complex
passwords. The problem is, if a user's password has expired, when they
log in they are prompted for a new password (good) but if they enter a
non-complex new password the session is closed rather than
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
noticed that it did not honor password expiration consistently with
other Solaris login services.
The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
password changes on expiration via pam_chauthtok(). A brief summary of
changes:
auth-pam.c:
* change declaration of pamh to "static pam_handle_t *pamh",
2004 Mar 24
1
Trying to compile Samba 3.0.2a
Hi,
I'm using SuSE 8.2 and I got the source for samba 3.0.2a and I tried to
install it. ./configure (w/o any arguments) went ok so I type make and it
gives me the following errors:
Linking bin/smbd
auth/pampass.o(.text+0x59): In function `smb_pam_error_handler':
: undefined reference to `pam_strerror'
auth/pampass.o(.text+0xcb6): In function `smb_pam_end':
: undefined reference
2005 Feb 01
3
Feature request: FAIL_DELAY-support for sshd
Hello!
My Linux-server is every day attacked with brute-force password cracking
attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with standard setup (PAM,
LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking
attempts with very short delays (1 second):
Jan 31 00:46:53 XXX sshd[10774]: Invalid user backup from
::ffff:66.98.176.50
Jan 31 00:46:54 XXX sshd[10776]: Invalid user server
2009 Dec 03
9
[Bug 1681] New: conversation function for passwd auth method assumes instead of fail
https://bugzilla.mindrot.org/show_bug.cgi?id=1681
Summary: conversation function for passwd auth method assumes
instead of fail
Product: Portable OpenSSH
Version: 5.3p1
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo:
2001 Mar 30
1
PAM and -u0
is this change ok? goal is that PAM with -u0 does not use DNS (like
without PAM).
Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.34
diff -u -r1.34 auth-pam.c
--- auth-pam.c 2001/03/27 06:12:24 1.34
+++ auth-pam.c 2001/03/30 16:46:12
@@ -41,6 +41,10 @@
static int do_pam_conversation(int num_msg,