Displaying 20 results from an estimated 2000 matches similar to: "Deleting root credentials"
2005 Jun 29
3
sshd deletes the GSSAPI ticket on exit
Hello All,
I have run into a situation where a user exiting from a
PAM_KERBEROS-authenticated session runs the risk of deleting a
kinit-generated credentials file that was already sitting on the server. I
will explain the problem in detail, but let me begin with my question. It
has a specific reference to PAM_KERBEROS, but it can also be a general
question.
If a user (ssh) session was
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes
PAM authentication take place in a separate process or thread
(launched from sshpam_init_ctx() in auth-pam.c). By default (if you
don't define USE_POSIX_THREADS) the code "fork"s a separate process.
Or if you define USE_POSIX_THREADS it will create a new thread (a
second one, in addition to the primary thread).
The
2004 May 18
2
pam_setcred fails for "USE_POSIX_THREADS + non-root users + PrivSep yes"
Hello,
We use USE_POSIX_THREADS in our HP-UX build of OpenSSH. When we connect a
non-root user with PAM [pam-kerberos] then I get the following error.
debug3: PAM: opening session
debug1: PAM: reinitializing credentials
PAM: pam_setcred(): Failure setting user credentials
This is particularly for non-root users with PrivSep YES. When I connect to
a root user with PrivSep YES or to a non-root
2013 Jan 19
1
PAM function ordering
Dear all,
I've been looking into hacking with some PAM modules, and thought I could
learn from the OpenSSH source (it's probably the closest thing to a
canonical cross-platform consumer of the API).
One thing I've noticed I don't understand though is how OpenSSH's
invocation of do_pam_session/setcred can work (in main of the process
forked in sshd.c). Ignoring privsep for the
2009 Jul 13
0
openssh conversation failure issue on HPUX
Openssh 5.0p1 on HPUX 11.23.
Here is the message:
Jun 15 13:21:28 a300sua0 sshd[10798]: pam_setcred: error Permission
denied
See
http://www.docs.hp.com/en/T1471-90033/ch01s06.html
We track the issue to sshpam_cleanup() which resets the conversation
function pointer to sshpam_null_conv() before calling pam_setcred with
PAM_DELETE_CRED. sshpam_null_conv() always just returns PAM_CONV_ERR.
It
2005 Jan 05
2
changing group for root
Hello All,
The changing of group for the root results in the following message with
OpenSSH 3.9p1
"permanently_set_uid: was able to restore old [e]gid"
The following change in uidswap.c fixes me the problem.
/* Try restoration of GID if changed (test clearing of saved gid) */
- if (old_gid != pw->pw_gid &&
+ if(getgid() != pw->pw_gid &&
(setgid(old_gid)
2001 Oct 31
3
2.9.9p2 and Solaris-2.8 PAM: Cannot delete credentials[7]: Permission denied
The 2 errors:
pam_setcred: error Permission denied
Cannot delete credentials[7]: Permission denied
Looks to be a major bug in the PAM module for Solaris-2.8/2.7/2.6.
Has anyone from the list (developers of OpenSSH, endusers, hackers, etc.)
came up w/ a solution? Even a temporary one?
When authenticating yourself on the same system that worked, but when
authenticating to another system failed. I
2004 Jan 14
18
[Bug 789] pam_setcred() not being called as root
http://bugzilla.mindrot.org/show_bug.cgi?id=789
Summary: pam_setcred() not being called as root
Product: Portable OpenSSH
Version: 3.7.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy:
2004 Jan 14
18
[Bug 789] pam_setcred() not being called as root
http://bugzilla.mindrot.org/show_bug.cgi?id=789
Summary: pam_setcred() not being called as root
Product: Portable OpenSSH
Version: 3.7.1p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy:
2006 Apr 15
2
OpenSSH fips compliance
Hello All,
Im using OpenSSH 4.2p1 statically linked with OpenSSL 0.9.7i. It looks now
that a fips certified OpenSSL is now available at
http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz . I like to know of
any patches applicable for OpenSSH versions to make it fips compliant. Is
there any idea for OpenSSH core team to make OpenSSH as fips compliant? What
amount of work it needs at this
2011 Oct 20
2
[Bug 1945] New: Only 1 of the 2 krb cache files is removed on closing the ssh connection with UsePrivilegeSeparation=yes
https://bugzilla.mindrot.org/show_bug.cgi?id=1945
Bug #: 1945
Summary: Only 1 of the 2 krb cache files is removed on closing
the ssh connection with UsePrivilegeSeparation=yes
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: HP-UX
Status: NEW
2005 May 22
3
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingO|994 |
nThis| |
------- Additional Comments From dtucker at zip.com.au 2005-05-22 11:03 -------
2016 Mar 07
2
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549
Bug ID: 2549
Summary: [PATCH] Allow PAM conversation for pam_setcred for
keyboard-interactive authentication
Product: Portable OpenSSH
Version: 7.1p2
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: enhancement
Priority: P5
2015 Oct 27
4
Code owner for the new AVR backend
On 27 Oct 2015, at 09:48, Senthil Kumar <senthil.thecoder at gmail.com> wrote:
>
> Haven't worked on this yet, but I work on the gcc AVR backend (and binutils), and I'm very interested in this - I intend to work on it in my spare time.
And do you have any comments / objections to Dylan becoming the code owner?
David
2016 Mar 04
7
[Bug 2548] New: Make pam_set_data/pam_get_data work with OpenSSH
https://bugzilla.mindrot.org/show_bug.cgi?id=2548
Bug ID: 2548
Summary: Make pam_set_data/pam_get_data work with OpenSSH
Product: Portable OpenSSH
Version: 7.2p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: major
Priority: P5
Component: PAM support
Assignee:
2001 Sep 05
1
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>> >Could we please have a clarification on the semantics of
>> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS?
>>
>> My interpretation is:
>>
>> You call PAM_ESTABLISH_CRED to create them
>> You call PAM_REINITIALIZE_CRED to update creds that can expire over time,
>> for example a kerberos ticket.
Oops. I meant
2001 Sep 05
2
reinit_creds (was Re: OpenSSHd barfs upon reauthentication: PAM, Solaris 8)
>Neither the Sun PAM documentation nor the Linux-PAM documentation
>describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail.
I would agree it is vague, but then that is also a problem with the XSSO
document (http://www.opengroup.org/onlinepubs/008329799/)
>Could we please have a clarification on the semantics of
>PAM_CRED_ESTABLISH vs. the semantics of
2001 Oct 26
1
PAM session cleanup on Sol8 with v2.9.9p2
In do_pam_cleanup_proc(), there are 3 calls to PAM:
1) pam_close_session() - do lastlog stuff
2) pam_setcred(PAM_DELETE_CRED) - delete credentials
3) pam_end() - close PAM
It appears that pam_setcred() always fails with the error PAM_PERM_DENIED.
This is due to a check done pam_unix.so to not allow a caller with euid 0
to even try to delete their SECURE_RPC credentials. When sshd calls
2003 Jun 04
3
pam_setcred() without pam_authenticate()?
Should pam_setcred() be called if pam_authenticate() wasn't called?
I would say not; both of these functions are in the authenticate
part of pam.
It seems the the 'auth' part of pam config controls which modules get
called, so if you didn't to _authenticate() you shouldn't do _setcred().
thx
/fc
2006 Jan 19
1
OpenSSH 4.0 p1 and zlib vulnerability
Hi,
Im using OpenSSH 4.0 p1 linked with zlib version less then 1.2.2 in a number
of systems. These are all production systems where I can't upgrade the
service. I have a question that if I disable the compression by setting
"compression no" in sshd_config, will I be able to overcome the Buffer
overflow vulnerability in zlib. I just glanced through the code and it seems
sshd is