similar to: [RFC][PATCH] Detect and handle PAM changing user name

From: Marco Trevisan (Trevi?o) <mail at 3v1n0.net> PAM modules can change the user during their execution, in such case ssh would still use the user that has been provided giving potentially access to another user with the credentials of another one. So prevent this to happen, by ensuring that the final PAM user is matching the one that initiated the transaction. See also:

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the

Hi All. Has anyone else tried the current tree on Solaris 8? I installed a recommended patch cluster and now I get PAM errors, but only on a non-interactive (ie no TTY) login. I think this behaviour was introduced with the patch cluster. First thing is that in debug mode, the debug at auth-pam.c:534 derefs tty which is null, and segfaults. This occurs in debug mode only and is easy to fix.

All, I tried to sign up for this list a few weeks ago, but I don't think it worked. After I confirmed my intention to be on the list, I only got one single message from someone on the list, and that was it. So, either this is a particularly quiet list, or my subscription was dropped somehow just after it was made. So, if you could kindly CC me directly on any responses to this, I sure would

Hi. I'm one of the OpenSSH developers, and I've done some of the work on sshd's PAM interface recently. I've discovered some behaviour peculiar to LinuxPAM that I can't explain: changing the conversation function does not appear to work, even though the pam_set_item() call claims to succeed. The previous conversation function is still called. Background: the PAM API

https://bugzilla.mindrot.org/show_bug.cgi?id=1799 Summary: Unable to login through PAM on Solaris 8 x86 due to PAM_TTY Product: Portable OpenSSH Version: 5.5p1 Platform: ix86 OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: PAM support AssignedTo:

The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file:

Hi, I am using PAM authentication on 3.8p1. In my PAM auth module I can turn on debug logging that includes a timestamp in the form "mm/dd/yy hh:mm:ss". Life is good. I want to upgrade from 3.8p1 so I can use PAM for PasswordAuthentication in addition to keyboard-interactive. I have compiled both 4.1p1 and 4.3p2 and the PAM authentication for both methods works fine in both

Hello! My Linux-server is every day attacked with brute-force password cracking attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with standard setup (PAM, LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking attempts with very short delays (1 second): Jan 31 00:46:53 XXX sshd[10774]: Invalid user backup from ::ffff:66.98.176.50 Jan 31 00:46:54 XXX sshd[10776]: Invalid user server

Hello! Please consider including the attached patch in the next release. It allows one to drop privilege separation code while building openssh by using '--disable-privsep' switch of configure script. If one doesn't use privilege separation at all, why don't simply allow him to drop privilege separation support completely? -- Sincerely Your, Dan. -------------- next part

> -----Original Message----- > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van > Belle via samba > Sent: 24 July 2018 09:41 > To: samba at lists.samba.org > Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time > differences with the domain controller > > I did re-read the whole thread again. > > Im running out

In OpenSSH 3.6.1p2, pam_open_session() ran with a conversation function, do_pam_conversation(), that fed text to the client. In OpenSSH 3.7.1p2, this is no longer the case: session modules run with a conversation function that just returns PAM_CONV_ERR. This means that simple session modules whose job involves printing text on the user's terminal no longer work: pam_lastlog, pam_mail, and

I tried to compile pam_ldap-184 but it gave lots of error msgs. BTW, I have successfully compiled nss_ldap-255. For pam_ldap, my configure looks like: ./configure --with-ldap-lib=openldap --with-ldap-dir=/usr/local --with-ldap-conf-file=/usr/local/etc/openldap/ldap.conf and the following is the configure output --- start of configure output --- creating cache ./config.cache checking host system

On 7/28/2020 4:11 PM, Jason Keltz wrote: > > On 7/28/2020 3:59 PM, Jason Keltz via samba wrote: >> I'm experimenting with smb + winbind. >> >> My host is joined to AD and I can login to my host fine using my AD >> credentials via SSH.?? The only issue is that I don't get a Kerberos >> ticket generated. >> >> In

On Tue, 1 Feb 2005, it was written: > Nicolas Lopez wrote: > > maildir and most of my accounts in LDAP. Since the accounts are created > > through a web interface on another server home directories on the mail > > server don't get created automatically. There's the handy pam module > > pam_mkhomedir.so to automagically create home directories, but >

Hi, I'm trying to change the PAM_USER within a pam module, and observed that dovecot 0.99 does not support this. I then looked at 1.x and found: src/auth/passdb-pam.c:232: /* FIXME: this doesn't actually work since we're in the child process.. */ status = pam_get_item(pamh, PAM_USER, (linux_const void **)&item); if (status !=