Displaying 20 results from an estimated 20000 matches similar to: "PAM problem after openssh-portable 3.6.1p2_5 update?"
2003 Sep 29
1
FreeBSD-SA-03:15.openssh
In RELENG_4_8 /usr/src/UPDATING, I see:
20030924: p9 FreeBSD-SA-03:15.openssh
Fix PAM-related bugs in OpenSSH's challenge/response code.
But there's no mention of FreeBSD-SA-03:15.openssh on this list,
the security-notifications list, the web site, the ftp site, etc.
Is this advisory still pending? Or is UPDATING just mislabeled?
Thanks,
Bryan
2014 Apr 24
0
Help implementing username_format in auth PAM driver
While configuring my server with dovecot I noticed that the PAM
authentication driver does not support the username_format option as
does the password file driver. This didn't seem too hard to implement
so I threw together a patch.
As you can see in the attached patch I only modify the username sent
to PAM. Despite doing this I run into the domain lost
2004 Feb 27
0
PAM patch for openssh 3.7.1p2
SecureComputing's PAM library doesn't pass back the correct context to
the pam_conversation function, i.e. it passes back NULL. So this patch
works around this fact.
Likely you'll only want this hack if you expect to use pam_safeword.so
in your authentication check, and only if you run sshd in privilege
separation (separate process) mode so that the PAM conversation is
single
2002 Feb 15
2
Advice on: sshd[28182]: PAM pam_set_item: NULL pam handle passed
Hi,
I've got winbind and samba working great (version 2.2.3) on our RH 7.1 boxes.
But as we have about 200 users on our domain, we want to restrict ssh
access on our linux boxes.
So I created a group on the NT PDC called: Winbind
In this group, I've only put our developers and us, the sys admins.
In the /etc/ssh/sshd_config, I entered the line: AllowGroups MMEBS+Winbind.
Thus, allowing
2001 Feb 10
1
[PATCH] Tell PAM about remote host earlier
I was browsing the OpenSSH sources (which are very readable, thank you
very much) and noticed that PAM was only being told what host the user
is logging in from for account processing - not for password
processing. As I can see no reason not to put this in start_pam this is
exactly what I have done - and attached a patch to this effect.
This allows PAM to fill in rhost= in its audit messages
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users
noticed that it did not honor password expiration consistently with
other Solaris login services.
The patch below is against OpenSSH 2.2.0p1 and adds support for PAM
password changes on expiration via pam_chauthtok(). A brief summary of
changes:
auth-pam.c:
* change declaration of pamh to "static pam_handle_t *pamh",
2003 Nov 13
0
[PATCH] Make PAM chauthtok_conv function into tty_conv
Hi All.
Attached is a patch that converts pam_chauthtok_conv into a generic
pam_tty_conv, which is used rather than null_conv for do_pam_session.
This allows, for example, display of messages from PAM session modules.
The accumulation of PAM messages into loginmsg won't help until there is
a way to collect loginmsg from the monitor (see, eg, the patches for bug
#463). This is because the
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
As many of you know, OpenSSH 3.7.X, unlike previous versions, makes
PAM authentication take place in a separate process or thread
(launched from sshpam_init_ctx() in auth-pam.c). By default (if you
don't define USE_POSIX_THREADS) the code "fork"s a separate process.
Or if you define USE_POSIX_THREADS it will create a new thread (a
second one, in addition to the primary thread).
The
2006 Jan 16
0
passdb-pam: PAM_RHOST on FreeBSD >= 5.0 (where PAM != Linux-PAM)
This is actually something I had on my mind to write about in the past
few -stable and alpha releases, but did not get to and instead always
patched myself. Now having updated to the latest snapshot (which may
be released as beta1), I stumbled on it again:
In src/auth/passdb-pam.c, where the client host is passed to PAM, the
code looks like this:
#ifdef PAM_RHOST
const char *host =
2003 Aug 08
0
Problem with -current on Solaris 8 + PAM?
Hi All.
Has anyone else tried the current tree on Solaris 8? I installed a
recommended patch cluster and now I get PAM errors, but only on a
non-interactive (ie no TTY) login. I think this behaviour was introduced
with the patch cluster.
First thing is that in debug mode, the debug at auth-pam.c:534 derefs tty
which is null, and segfaults. This occurs in debug mode only and is easy
to fix.
1999 Nov 22
1
[s-x86] OpenSSH 1.2pre14 fails on pam_open_session() ...
On Mon, 22 Nov 1999, Philip Brown wrote:
> [ Marc G. Fournier writes ]
> > debug("PAM_retval(open_session) about to run");
> > pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
>
> >
> > ===========================================
> >
> > so, it's looking like I'm authenticated properly, but when trying to set up
> > the
2002 Feb 14
2
[Bug 117] OpenSSH second-guesses PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=117
------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 -------
> OpenSSH traditionally would not even start PAM, and
> now starts it specifying 'NOUSER' as the login name.
We have always used NOUSER, the recent patch just makes it consistent between
protocols 1 and 2.
> The second is to prevent username guessing
2017 Jul 10
7
[Bug 2741] New: Export Port to PAM
https://bugzilla.mindrot.org/show_bug.cgi?id=2741
Bug ID: 2741
Summary: Export Port to PAM
Product: Portable OpenSSH
Version: 7.5p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
2003 Sep 23
0
Multiple PAM vulnerabilities in portable OpenSSH
Subject: Portable OpenSSH Security Advisory: sshpam.adv
This document can be found at: http://www.openssh.com/txt/sshpam.adv
1. Versions affected:
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs
is remotely exploitable (under a non-standard configuration,
with privsep disabled).
2002 Sep 26
0
Portable openssh integration with PAM on HP-UX 11.X Trusted System
Hi.
I was wondering a couple things relating to PAM authentication:
1. I found that expired passwords caused authentication failure, rather
than the expected behaviour of forcing a password change. After perusing
the auth-pam.c file (as it appears in openssh-3.4p1), I found that the
reason is that the case for the relevant return value (PAM_AUTHTOKEN_REQD)
from pam_acct_mgmt is wrapped
2003 Sep 23
0
PAM vulnerability in portable OpenSSH
> Interesting quote:
>
> "Due to complexity, inconsistencies in the specification and differences
> between vendors' PAM implementations we recommend that PAM be left disabled
> in sshd_config unless there is a need for its use. Sites only using public
> key or simple password authentication usually have little need to enable PAM
> support."
>
> Slander?
2001 Oct 25
3
PAM conversation stuff
Okay, I'm confused again. The way you guys are talking about the
conversation routine, it would seem that you think it is a way to fetch
something from the user - like a new password. Is this possible? Does
calling pam_chauthtok() cause the underlying pam_sm_chauthtok()
eventually print something on stdout and read a new password from stdin
(the socket to the client) using the conversation
2018 Feb 12
0
FreeBSD Core dump: PAM authentication with Kerberos credentials (GSSAPI_MIT)
Hi!
Can you attempt to get core dump with debugging symbols with dovecot too? Currently it seems to only contain symbols from kerberos bit, which is not very useful on its own.
Aki
> On 12 February 2018 at 17:34 Ben Woods <woodsb02 at gmail.com> wrote:
>
>
> Hi everyone,
>
> I have a repeatable core dump when running dovecot on FreeBSD in the
> specific
2004 Nov 09
1
Solaris + PAM/LDAP + pubkey failing?
I've got a Solaris 8 and 9 box using LDAP to successfully authenticate users.
I can get logged in via ssh using keyboard interactive (via PAM/LDAP). When
I try to use pubkey authentication, both the pubkey as well as the fallback to
keyboard interactive always fail. I've tried openssh versions as early as 3.4
and as new as the 11-06 snapshot with the same behavior. Everything works