similar to: Deleting root credentials

Displaying 20 results from an estimated 2000 matches similar to: "Deleting root credentials"

2005 Jun 29
3
sshd deletes the GSSAPI ticket on exit
Hello All, I have run into a situation where a user exiting from a PAM_KERBEROS-authenticated session runs the risk of deleting a kinit-generated credentials file that was already sitting on the server. I will explain the problem in detail, but let me begin with my question. It has a specific reference to PAM_KERBEROS, but it can also be a general question. If a user (ssh) session was
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The
2004 May 18
2
pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
Hello, We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a non-root user with PAM [pam-kerberos] then I get the following error. debug3: PAM: opening session debug1: PAM: reinitializing credentials PAM: pam_setcred(): Failure setting user credentials This is particularly for non-root users with PrivSep YES. When I connect to a root user with PrivSep YES or to a non-root
2013 Jan 19
1
PAM function ordering
Dear all, I've been looking into hacking with some PAM modules, and thought I could learn from the OpenSSH source (it's probably the closest thing to a canonical cross-platform consumer of the API). One thing I've noticed I don't understand though is how OpenSSH's invocation of do_pam_session/setcred can work (in main of the process forked in sshd.c). Ignoring privsep for the
2009 Jul 13
0
openssh conversation failure issue on HPUX
Openssh 5.0p1 on HPUX 11.23. Here is the message: Jun 15 13:21:28 a300sua0 sshd[10798]: pam_setcred: error Permission denied See http://www.docs.hp.com/en/T1471-90033/ch01s06.html We track the issue to sshpam_cleanup() which resets the conversation function pointer to sshpam_null_conv() before calling pam_setcred with PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR. It
2005 Jan 05
2
changing group for root
Hello All, The changing of group for the root results in the following message with OpenSSH 3.9p1 "permanently_set_uid: was able to restore old [e]gid" The following change in uidswap.c fixes the problem for me. /* Try restoration of GID if changed (test clearing of saved gid) */ - if (old_gid != pw->pw_gid && + if(getgid() != pw->pw_gid && (setgid(old_gid)
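Review bot: the replacement condition `if(getgid() != pw->pw_gid &&` tests the current gid instead of `old_gid`, while the comment above it still reads "Try restoration of GID if changed" and the restore attempt that follows still calls `setgid(old_gid)`; update the comment to say why the current gid is the value to compare here. Also add the space after `if` so the new line matches the style of the line it replaces.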
2001 Oct 31
3
2.9.9p2 and Solaris-2.8 PAM: Cannot delete credentials[7]: Permission denied
The 2 errors: pam_setcred: error Permission denied Cannot delete credentials[7]: Permission denied Looks to be a major bug in the PAM module for Solaris-2.8/2.7/2.6. Has anyone from the list (developers of OpenSSH, endusers, hackers, etc.) come up w/ a solution? Even a temporary one? When authenticating yourself on the same system that worked, but when authenticating to another system failed. I
2004 Jan 14
18
[Bug 789] pam_setcred() not being called as root
http://bugzilla.mindrot.org/show_bug.cgi?id=789 Summary: pam_setcred() not being called as root Product: Portable OpenSSH Version: 3.7.1p2 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: PAM support AssignedTo: openssh-bugs at mindrot.org ReportedBy:
2006 Apr 15
2
OpenSSH fips compliance
Hello All, I'm using OpenSSH 4.2p1 statically linked with OpenSSL 0.9.7i. It looks now that a fips certified OpenSSL is now available at http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz . I would like to know of any patches applicable for OpenSSH versions to make it fips compliant. Is there any idea for OpenSSH core team to make OpenSSH as fips compliant? What amount of work it needs at this
2011 Oct 20
2
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
https://bugzilla.mindrot.org/show_bug.cgi?id=1945 Bug #: 1945 Summary: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes Classification: Unclassified Product: Portable OpenSSH Version: 5.8p1 Platform: All OS/Version: HP-UX Status: NEW
2005 May 22
3
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926 dtucker at zip.com.au changed: OtherBugsDependingOnThis: removed 994. ------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------
2016 Mar 07
2
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549 Bug ID: 2549 Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication Product: Portable OpenSSH Version: 7.1p2 Hardware: Sparc OS: Solaris Status: NEW Severity: enhancement Priority: P5
2015 Oct 27
4
Code owner for the new AVR backend
On 27 Oct 2015, at 09:48, Senthil Kumar <senthil.thecoder at gmail.com> wrote: > > Haven't worked on this yet, but I work on the gcc AVR backend (and binutils), and I'm very interested in this - I intend to work on it in my spare time. And do you have any comments / objections to Dylan becoming the code owner? David
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
https://bugzilla.mindrot.org/show_bug.cgi?id=2548 Bug ID: 2548 Summary: Make pam_set_data/pam_get_data work with OpenSSH Product: Portable OpenSSH Version: 7.2p1 Hardware: Sparc OS: Solaris Status: NEW Severity: major Priority: P5 Component: PAM support Assignee:
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant
2001 Sep 05
2
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of
2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM: 1) pam_close_session() - do lastlog stuff 2) pam_setcred(PAM_DELETE_CRED) - delete credentials 3) pam_end() - close PAM It appears that pam_setcred() always fails with the error PAM_PERM_DENIED. This is due to a check done in pam_unix.so to not allow a caller with euid 0 to even try to delete their SECURE_RPC credentials. When sshd calls
2003 Jun 04
3
pam_setcred() without pam_authenticate()?
Should pam_setcred() be called if pam_authenticate() wasn't called? I would say not; both of these functions are in the authenticate part of pam. It seems the 'auth' part of pam config controls which modules get called, so if you didn't do _authenticate() you shouldn't do _setcred(). thx /fc
2006 Jan 19
1
OpenSSH 4.0 p1 and zlib vulnerability
Hi, I'm using OpenSSH 4.0 p1 linked with zlib version less than 1.2.2 in a number of systems. These are all production systems where I can't upgrade the service. I have a question that if I disable the compression by setting "compression no" in sshd_config, will I be able to overcome the Buffer overflow vulnerability in zlib. I just glanced through the code and it seems sshd is