similar to: PAM problem after openssh-portable 3.6.1p2_5 update?

2003 Sep 29
1
FreeBSD-SA-03:15.openssh
In RELENG_4_8 /usr/src/UPDATING, I see: 20030924: p9 FreeBSD-SA-03:15.openssh Fix PAM-related bugs in OpenSSH's challenge/response code. But there's no mention of FreeBSD-SA-03:15.openssh on this list, the security-notifications list, the web site, the ftp site, etc. Is this advisory still pending? Or is UPDATING just mislabeled? Thanks, Bryan
2014 Apr 24
0
Help implementing username_format in auth PAM driver
While configuring my server with dovecot I noticed that the PAM authentication driver does not support the username_format option as does the password file driver. This didn't seem too hard to implement so I threw together a patch. As you can see in the attached patch I only modify the username sent to PAM. Despite doing this I run into the domain lost
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
SecureComputing's PAM library doesn't pass back the correct context to the pam_conversation function, i.e. it passes back NULL. So this patch works around this fact. Likely you'll only want this hack if you expect to use pam_safeword.so in your authentication check, and only if you run sshd in privilege separation (separate process) mode so that the PAM conversation is single
2002 Feb 15
2
Advice on: sshd[28182]: PAM pam_set_item: NULL pam handle passed
Hi, I've got winbind and samba working great (version 2.2.3) on our RH 7.1 boxes. But as we have about 200 users on our domain, we want to restrict ssh access on our linux boxes. So I created a group on the NT PDC called: Winbind. In this group, I've only put our developers and us, the sys admins. In the /etc/ssh/sshd_config, I entered the line: AllowGroups MMEBS+Winbind. Thus, allowing
2001 Feb 10
1
[PATCH] Tell PAM about remote host earlier
I was browsing the OpenSSH sources (which are very readable, thank you very much) and noticed that PAM was only being told what host the user is logging in from for account processing - not for password processing. As I can see no reason not to put this in start_pam this is exactly what I have done - and attached a patch to this effect. This allows PAM to fill in rhost= in its audit messages
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh",
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The
2006 Jan 16
0
passdb-pam: PAM_RHOST on FreeBSD >= 5.0 (where PAM != Linux-PAM)
This is actually something I had on my mind to write about in the past few -stable and alpha releases, but did not get to and instead always patched myself. Now having updated to the latest snapshot (which may be released as beta1), I stumbled on it again: In src/auth/passdb-pam.c, where the client host is passed to PAM, the code looks like this: #ifdef PAM_RHOST const char *host =
2003 Aug 08
0
Problem with -current on Solaris 8 + PAM?
Hi All. Has anyone else tried the current tree on Solaris 8? I installed a recommended patch cluster and now I get PAM errors, but only on a non-interactive (i.e. no TTY) login. I think this behaviour was introduced with the patch cluster. First thing is that in debug mode, the debug at auth-pam.c:534 derefs tty which is null, and segfaults. This occurs in debug mode only and is easy to fix.
1999 Nov 22
1
[s-x86] OpenSSH 1.2pre14 fails on pam_open_session() ...
On Mon, 22 Nov 1999, Philip Brown wrote: > [ Marc G. Fournier writes ] > > debug("PAM_retval(open_session) about to run"); > > pam_retval = pam_open_session((pam_handle_t *)pamh, 0); > > > > > =========================================== > > > > so, it's looking like I'm authenticated properly, but when trying to set up > > the
2002 Feb 14
2
[Bug 117] OpenSSH second-guesses PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=117 ------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 ------- > OpenSSH traditionally would not even start PAM, and > now starts it specifying 'NOUSER' as the login name. We have always used NOUSER, the recent patch just makes it consistent between protocols 1 and 2. > The second is to prevent username guessing
2017 Jul 10
7
[Bug 2741] New: Export Port to PAM
https://bugzilla.mindrot.org/show_bug.cgi?id=2741 Bug ID: 2741 Summary: Export Port to PAM Product: Portable OpenSSH Version: 7.5p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org
2003 Sep 23
0
Multiple PAM vulnerabilities in portable OpenSSH
Subject: Portable OpenSSH Security Advisory: sshpam.adv This document can be found at: http://www.openssh.com/txt/sshpam.adv 1. Versions affected: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled).
2002 Sep 26
0
Portable openssh integration with PAM on HP-UX 11.X Trusted System
Hi. I was wondering a couple things relating to PAM authentication: 1. I found that expired passwords caused authentication failure, rather than the expected behaviour of forcing a password change. After perusing the auth-pam.c file (as it appears in openssh-3.4p1), I found that the reason is that the case for the relevant return value (PAM_AUTHTOKEN_REQD) from pam_acct_mgmt is wrapped
2003 Sep 23
0
PAM vulnerability in portable OpenSSH
> Interesting quote: > > "Due to complexity, inconsistencies in the specification and differences > between vendors' PAM implementations we recommend that PAM be left disabled > in sshd_config unless there is a need for its use. Sites only using public > key or simple password authentication usually have little need to enable PAM > support." > > Slander?
2001 Oct 25
3
PAM conversation stuff
Okay, I'm confused again. The way you guys are talking about the conversation routine, it would seem that you think it is a way to fetch something from the user - like a new password. Is this possible? Does calling pam_chauthtok() cause the underlying pam_sm_chauthtok() eventually print something on stdout and read a new password from stdin (the socket to the client) using the conversation
2018 Feb 12
0
FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)
Hi! Can you attempt to get core dump with debugging symbols with dovecot too? Currently it seems to only contain symbols from kerberos bit, which is not very useful on its own. Aki > On 12 February 2018 at 17:34 Ben Woods <woodsb02 at gmail.com> wrote: > > > Hi everyone, > > I have a repeatable core dump when running dovecot on FreeBSD in the > specific
2004 Nov 09
1
Solaris + PAM/LDAP + pubkey failing?
I've got a Solaris 8 and 9 box using LDAP to successfully authenticate users. I can get logged in via ssh using keyboard interactive (via PAM/LDAP). When I try to use pubkey authentication, both the pubkey as well as the fallback to keyboard interactive always fail. I've tried openssh versions as early as 3.4 and as new as the 11-06 snapshot with the same behavior. Everything works