similar to: is sshpam_thread() dead code?

I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch,

Hi, I am using PAM authentication on 3.8p1. In my PAM auth module I can turn on debug logging that includes a timestamp in the form "mm/dd/yy hh:mm:ss". Life is good. I want to upgrade from 3.8p1 so I can use PAM for PasswordAuthentication in addition to keyboard-interactive. I have compiled both 4.1p1 and 4.3p2 and the PAM authentication for both methods works fine in both

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

There is a minor problem with the PAM support in OpenSSH 3.8p1. If you use POSIX threads (as specified by defining USE_POSIX_THREADS) in auth-pam.c, PAM authentication will fail in routine import_environments(). The purpose of this routine is to import variables returned by do_pam_account() in sshpam_thread(). However, those variable are only exported if USE_POSIX_THREADS is NOT set.

http://bugzilla.mindrot.org/show_bug.cgi?id=705 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #455 is|0 |1 obsolete| | Attachment #526 is|0 |1 obsolete|

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

I connect to my OpenSSH 3.8.1p1 server and when the password dialog shoes up I wait a min or so, long enough for the "Timeout before authentication for %s" alarm to trigger. If at that point I enter my password ssh will just sit there: debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad

https://bugzilla.mindrot.org/show_bug.cgi?id=1795 Summary: An integer variable "num" in mm_answer_pam_query() is not initialized before used Product: Portable OpenSSH Version: 5.5p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support

Hello! My Linux-server is every day attacked with brute-force password cracking attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with standard setup (PAM, LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking attempts with very short delays (1 second): Jan 31 00:46:53 XXX sshd[10774]: Invalid user backup from ::ffff:66.98.176.50 Jan 31 00:46:54 XXX sshd[10776]: Invalid user server

Processing commands for control at bugs.debian.org: > tags 653294 + jessie Bug #653294 [hellanzb] hellanzb: doesn't work with python-twisted 11.1.0-1 (patch included) Added tag(s) jessie. > tags 701439 + jessie Bug #701439 [src:ircd-hybrid] ircd-hybrid: ftbfs with eglibc-2.17 Added tag(s) jessie. > tags 616910 + jessie Bug #616910 [src:musiclibrarian] musiclibrarian: deprecation of