pam-ssh-users Mailing List for pam_ssh
Brought to you by:
rosenauer
From: Wolfgang R. <wol...@ro...> - 2013-06-11 07:36:40

Hi,

thanks for the bug report and patch. Changes are committed to master:

commit d744c1cda9e5d87598167f71333fcc230734c3c9
Author: Jim Carter <ji...@ma...>
Date: Tue Jun 11 09:15:33 2013 +0200

    Add missing credential restores

They will end up in the next version (1.99) but there is no release date for it.

Wolfgang

On 06.06.2013 07:52, Jim Carter wrote:
> If pam_ssh.so is called when the session has no TTY, in
> pam_sm_open_session when it is about to link $HOME/.ssh/agent-$HOST-$TTY,
> it instead returns without calling openpam_restore_cred. There is a
> similar escape route if it can read the agent file but can't stat it. In
> XDM serving a XDMCP query (which has no TTY), but not on the physical
> display and not with other display managers such as LightDM, the non-root
> user lacks permission to write on lastlog, to talk to the login manager to
> manage the session, etc. This prevents the user from getting an X-Windows
> session. The appended patch inserts the needed calls to
> openpam_restore_cred, and the user is able to get a session.
>
> This is with pam_ssh-1.97-23.1.1.i586 and x86_64, and
> xdm-1.1.10-14.6.1.i586 and x86_64, on OpenSuSE 12.3.
>
> Please see https://bugzilla.novell.com/show_bug.cgi?id=823484 for the
> syslog messages, a "how to reproduce" scenario, and more discussion.

From: Jim C. <ji...@ma...> - 2013-06-06 06:47:16

If pam_ssh.so is called when the session has no TTY, in pam_sm_open_session when it is about to link $HOME/.ssh/agent-$HOST-$TTY, it instead returns without calling openpam_restore_cred. There is a similar escape route if it can read the agent file but can't stat it. In XDM serving a XDMCP query (which has no TTY), but not on the physical display and not with other display managers such as LightDM, the non-root user lacks permission to write on lastlog, to talk to the login manager to manage the session, etc. This prevents the user from getting an X-Windows session. The appended patch inserts the needed calls to openpam_restore_cred, and the user is able to get a session.

This is with pam_ssh-1.97-23.1.1.i586 and x86_64, and xdm-1.1.10-14.6.1.i586 and x86_64, on OpenSuSE 12.3.

Please see https://bugzilla.novell.com/show_bug.cgi?id=823484 for the syslog messages, a "how to reproduce" scenario, and more discussion.

--
James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 520 Portola Plaza; Los Angeles, CA, USA 90095-1555
Email: ji...@ma... http://www.math.ucla.edu/~jimc (q.v. for PGP key)

Patch follows:

--- pam_ssh-1.97/pam_ssh.c 2013-06-04 16:15:04.142565929 -0700 +++ /tmp/root.jimc/pam_ssh-1.97/pam_ssh.c 2013-06-04 15:59:06.363422528 -0700 @@ -630,6 +630,7 @@ pam_ssh_log(LOG_ERR, "stat() failed on %s", per_agent); pam_set_data(pamh, "ssh_agent_env_agent", NULL, NULL); fclose(env_read); + openpam_restore_cred(pamh); return retval; } file_ctime = stat_buf.st_mtime; @@ -873,6 +874,7 @@ * with the per-session file */ if (!tty_raw) { pam_ssh_log(LOG_DEBUG, "session has no tty"); + openpam_restore_cred(pamh); return PAM_SUCCESS; }

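Review bot: In the stat() failure branch at @@ -630, the exit now relies on three hand-written cleanup calls in a row (pam_set_data, fclose(env_read), openpam_restore_cred(pamh)) before return retval, which is the pattern that let the restore be missed on this path. Consider sending every early exit taken while the user's credentials are in effect through one cleanup label that calls openpam_restore_cred(pamh), so a later error path cannot return without it.
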
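Review bot: In the no-tty branch at @@ -873, the result of openpam_restore_cred(pamh) is discarded and the function returns PAM_SUCCESS regardless. If the restore can fail here, the session is reported as opened while the caller still runs with the user's credentials, which is the state this patch sets out to prevent; check the return value, log a failure with pam_ssh_log, and return the error instead of PAM_SUCCESS.
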
From: Ryan L. <me...@ry...> - 2010-11-01 20:26:51

Hi,

I use fedora 13, and I installed pam_ssh via yum. I would like to have my login password unlock my ssh key passwords. I tried following the instructions on http://pam-ssh.sourceforge.net/ to get this to work, but it doesn't presumably because I use fluxbox as a window manager and I don't have a desktop manager, therefore I don't have gdm. Can someone explain the proper way to make this work under fluxbox?

thanks.
-rhl

From: Ankush G. <mai...@gm...> - 2009-11-25 12:02:57

Hello

I have downloaded latest pam_ssh 1.97. Please let me know the process to installation / implementation in HPUX.

Thanks
Ankush

From: <ac...@ar...> - 2007-08-22 13:55:39

I am trying to set up SSH on some client hosts such that all users can be authenticated from our common Radius server and single sign-on is provided.

SSH today provides the SSH-Agent. The SSH-Agent holds a user's private keys and these must be added manually for each session. There are two drawbacks that I would like to get around:

* The private keys must be added manually on each session to the ssh-agent using ssh-add
* The private keys must be made available locally on each client host a particular user is potentially using.

I wonder if there is a solution where the user authenticates once to e.g. the ssh-agent using the Radius server. The ssh-agent then maintains the user's credentials in memory for all subsequent SSH usage. At the end of the login session the ssh-agent is terminated, and thus the user's credentials are deleted.

An even better solution would be to do authentication only once during login and to transmit the user credentials from login (also using Radius in our case) to an ssh-agent. I understand that pam_ssh already does this part but still relies on locally stored private keys. Is there a way to get rid of these and use e.g. the Radius server instead? This could be done either by obtaining the private keys from the Radius server or just use user id and password to authenticate to the sshd (without private/public keys).

Regards,
Andreas Lemke

From: Konstantin M. <mak...@gm...> - 2007-08-03 11:29:27

> I'm fine with merging back to the SF project but my request to be added
> to the project was not answered a long time ago.

Sad, even more considering the fact they were looking for a new maintainer...

On 8/3/07, Wolfgang Rosenauer <wol...@ro...> wrote:
>
> Konstantin M. wrote:
>
> > I looked at that project when I was searching for rpms of pam_ssh,
> > it has dependencies and looked like it's built for SUSE in its flavors.
>
> The source code there is Linux generic but the RPMs linked from there
> are for SUSE distributions that's true.
>
> > SF project on the other hand was built for many distro's.
> > Since the projects didn't merge, the latest release from SF project
> > (2007-02-06) was the one I followed.
>
> True. I never wanted to fork that project but since I had to do some
> fixes and wanted to make them public somewhere I created this project.
> I'm fine with merging back to the SF project but my request to be added
> to the project was not answered a long time ago.
>
> Wolfgang
>

From: Wolfgang R. <wol...@ro...> - 2007-08-03 10:46:48

Konstantin M. wrote:

> I looked at that project when I was searching for rpms of pam_ssh,
> it has dependencies and looked like it's built for SUSE in its flavors.

The source code there is Linux generic but the RPMs linked from there are for SUSE distributions that's true.

> SF project on the other hand was built for many distro's.
> Since the projects didn't merge, the latest release from SF project
> (2007-02-06) was the one I followed.

True. I never wanted to fork that project but since I had to do some fixes and wanted to make them public somewhere I created this project. I'm fine with merging back to the SF project but my request to be added to the project was not answered a long time ago.

Wolfgang

From: Konstantin M. <mak...@gm...> - 2007-08-03 10:21:20

Thanx,

I looked at that project when I was searching for rpms of pam_ssh, it has dependencies and looked like it's built for SUSE in its flavors.
SF project on the other hand was built for many distro's.
Since the projects didn't merge, the latest release from SF project (2007-02-06) was the one I followed.

On 8/3/07, Wolfgang Rosenauer <wol...@ro...> wrote:
>
> Hi,
>
> Konstantin M. wrote:
>
> > The latest (1.92) release isn't compiling on the RHEL 5 systems (CentOS),
> > it gives various errors as such:
> >
> > pam_ssh.c:540: error: 'SYSLOG_FACILITY_AUTHPRIV' undeclared (first use
> > in this function)
> > pam_ssh.c:550: error: 'LOG_ERR' undeclared (first use in this function)
> > pam_ssh.c:572: error: 'LOG_CRIT' undeclared (first use in this function)
> > pam_ssh.c: In function 'pam_sm_close_session':
> > pam_ssh.c:873: error: 'LOG_ERR' undeclared (first use in this function)
> > make[1]: *** [pam_ssh.lo] Error 1
> > make[1]: Leaving directory `/tmp/pam_ssh-1.92'
> > make: *** [all] Error 2
> >
> > I used the older Dag Wieers' 1.91 RPMs, but for now no one seems to have
> > built the fixed 1.92 version RPM...
> > Any ideas?
>
> I'm not sure if this one is fixed already but back when I was employed
> at SUSE I fixed some stuff in pam_ssh. Since there was/is no activity at
> the SF project I wanted to provide a project page hosting the current
> source code I created:
>
> http://developer.novell.com/wiki/index.php/Pam_ssh
>
>
> HTH,
> Wolfgang
>

From: Wolfgang R. <wol...@ro...> - 2007-08-03 05:49:39

Hi,

Konstantin M. wrote:

> The latest (1.92) release isn't compiling on the RHEL 5 systems (CentOS),
> it gives various errors as such:
>
> pam_ssh.c:540: error: 'SYSLOG_FACILITY_AUTHPRIV' undeclared (first use
> in this function)
> pam_ssh.c:550: error: 'LOG_ERR' undeclared (first use in this function)
> pam_ssh.c:572: error: 'LOG_CRIT' undeclared (first use in this function)
> pam_ssh.c: In function 'pam_sm_close_session':
> pam_ssh.c:873: error: 'LOG_ERR' undeclared (first use in this function)
> make[1]: *** [pam_ssh.lo] Error 1
> make[1]: Leaving directory `/tmp/pam_ssh-1.92'
> make: *** [all] Error 2
>
> I used the older Dag Wieers' 1.91 RPMs, but for now no one seems to have
> built the fixed 1.92 version RPM...
> Any ideas?

I'm not sure if this one is fixed already but back when I was employed at SUSE I fixed some stuff in pam_ssh. Since there was/is no activity at the SF project I wanted to provide a project page hosting the current source code I created:

http://developer.novell.com/wiki/index.php/Pam_ssh

HTH,
Wolfgang

From: Konstantin M. <mak...@gm...> - 2007-08-02 11:44:04

Hi everyone,

The latest (1.92) release isn't compiling on the RHEL 5 systems (CentOS), it gives various errors as such:

pam_ssh.c:540: error: 'SYSLOG_FACILITY_AUTHPRIV' undeclared (first use in this function)
pam_ssh.c:550: error: 'LOG_ERR' undeclared (first use in this function)
pam_ssh.c:572: error: 'LOG_CRIT' undeclared (first use in this function)
pam_ssh.c: In function 'pam_sm_close_session':
pam_ssh.c:873: error: 'LOG_ERR' undeclared (first use in this function)
make[1]: *** [pam_ssh.lo] Error 1
make[1]: Leaving directory `/tmp/pam_ssh-1.92'
make: *** [all] Error 2

I used the older Dag Wieers' 1.91 RPMs, but for now no one seems to have built the fixed 1.92 version RPM...
Any ideas?

Thanx in advance!

From: Wolfgang R. <wol...@ro...> - 2007-03-30 18:26:44

Hi,

and sorry for the faked reply but I wasn't subscribed at this but trying to answer a mail from the archive.

ajk wrote:

> Greetings, folks. I've just noticed that I haven't been receiving
> mail from the SourceForge project site for quite some time. That
> doesn't excuse my total lack of responsiveness on the project, and I
> apologize.
>
> Anyway, I no longer have access to enough different architectures to
> adequately test pam_ssh releases, nor do I have the time (obviously)
> to contribute substantially to the project.
>
> If anyone is interested and willing to take on this task, please let
> me know.
>
> ajk

I've tried to contact you directly sometime last year but maybe had the wrong mail address or the mail didn't go through for some other reason.

I did some work on pam_ssh last year to fix some issues and enhancing logging etc. Because I got no answer but wanted to do that more or less in the public having the chance to give back some enhancements to the community I've registered the project in Novell's DeveloperNet and released some minor versions from there.

http://developer.novell.com/wiki/index.php/Pam_ssh

I wouldn't say that I really have much time to push that forward but I did basic maintenance and some improvements for easier debugging. (I had to do this in my former job)

We should probably merge back the stuff to SourceForge or whatever. Please let me know what you think.

Wolfgang

From: <aj...@aj...> - 2007-02-06 13:07:22

Greetings, folks. I've just noticed that I haven't been receiving mail from the SourceForge project site for quite some time. That doesn't excuse my total lack of responsiveness on the project, and I apologize.

Anyway, I no longer have access to enough different architectures to adequately test pam_ssh releases, nor do I have the time (obviously) to contribute substantially to the project.

If anyone is interested and willing to take on this task, please let me know.

ajk

From: julius J. <jul...@gm...> - 2006-03-11 08:51:48

Hi,

I would like to use my dsa keys password for authentication (login/ssh-agent). I've used the config example from pam_ssh:

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_ssh.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok nodelay
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_ssh.so

After entering my user name I get prompted for the ssh-password, but I can login with my normal password or my keys password?

Julius

From: Sam C. <sa...@su...> - 2004-12-06 15:09:38

Aurélien Labrosse ext RD-CSRD-GRE wrote:

> Just use ssh's agent forwarding. On each machine you got the public
> key, you will be authenticated without any questions, unless you
> haven't added the key to ssh-agent on the first host.

Sorry, I perhaps didn't explain correctly. I can get into all my machines without a password. However, I then need to enter the password when I use "sudo". I assume sudo uses PAM and could therefore be made to talk to the (remote) ssh-agent to get my keys. However I think it would require an additional (root-writable-only) authorized_keys files for those people with sudo powers. Otherwise the attacker who has access to your account already could modify your authorized_keys file before calling sudo.

sam

> Aurelien
>
> Sam Clegg wrote:
>
>> Hey everyone,
>>
>> I'm sure this question must come up a lot and there must be
>> a good reason not to do it but... i'd really like to be able
>> to use my ssh-agent session to authenticate sudo on remote
>> machines. Then I could finally forget about all my old UNIX
>> passwords once and for all!
>>
>> Are there any plans for this feature in your pam module?
>> Any reasons why its a stupid idea?
>>
>> cheers,
>> sam
>>
>>

--
sam clegg :: sa...@su... :: http://superduper.net/ :: PGP : D91EE369
$superduper: .signature,v 1.13 2003/06/17 10:29:24 sam Exp $

From: <ala...@rd...> - 2004-12-06 14:39:21

Just use ssh's agent forwarding. On each machine you got the public key, you will be authenticated without any questions, unless you haven't added the key to ssh-agent on the first host.

Aurelien

Sam Clegg wrote:

>Hey everyone,
>
>I'm sure this question must come up a lot and there must be
>a good reason not to do it but... i'd really like to be able
>to use my ssh-agent session to authenticate sudo on remote
>machines. Then I could finally forget about all my old UNIX
>passwords once and for all!
>
>Are there any plans for this feature in your pam module?
>Any reasons why its a stupid idea?
>
>cheers,
>sam
>
>

From: Sam C. <sa...@su...> - 2004-12-06 12:34:13

Hey everyone,

I'm sure this question must come up a lot and there must be a good reason not to do it but... i'd really like to be able to use my ssh-agent session to authenticate sudo on remote machines. Then I could finally forget about all my old UNIX passwords once and for all!

Are there any plans for this feature in your pam module?
Any reasons why its a stupid idea?

cheers,
sam

--
sam clegg :: sa...@su... :: http://superduper.net/ :: PGP : D91EE369
$superduper: .signature,v 1.13 2003/06/17 10:29:24 sam Exp $

From: Aurelien L. <ala...@rd...> - 2004-11-29 17:06:34

Hi list,

I just inform you that a pam-ssh (actually libpam-ssh) Debian package has been sent yesterday. It will be available soon.

Cheers,
Aurelien

From: <ala...@rd...> - 2004-10-28 09:24:51

So, the package is ready with that readme (1.91.0-2). Process to upload it in the real Debian archive is in progress.

Aurelien

-------- Original Message --------
Subject: Re: [Pam-ssh-users] some documentation
Date: Fri, 08 Oct 2004 13:51:51 +0200
From: Aurélien LABROSSE ext RD-CSRD-GRE <ala...@rd...>
Organization: France Télécom division R&D
To: Aurélien Labrosse <ala...@rd...>
References: <415...@rd...>

well, not too much more information :) I have some problems to make pam-ssh work with Debian pam system. Did someone use it in a convenient way using Debian's '@include' system?

Aurelien

Aurélien Labrosse wrote:

| Hi there, I packaged the 1.91 for the Debian distribution (way to
| official developer in progress) and i want to add some doc into the
| package, especially about parameters that are allowed into pam
| configuration, like want_agent, allow_blank_passphrase, the key
| list file and so on. Could i find these informations somewhere?
|
| current packages binary and source available at:
|
| apt-get repository :
| deb http://linux.freenet.ath.cx/debian unstable main contrib non-free
| deb-src http://linux.freenet.ath.cx/debian unstable main contrib non-free
|
| via web: http://linux.freenet.ath.cx/debian/pool/libp/libpam-ssh/
|
| thanks by advance,
|
| Aurelien

From: <ala...@rd...> - 2004-10-27 08:12:31

Hi there,

I wrote a little readme for the Debian distribution, shipped with my libpam-ssh package. Please correct me if I'm wrong.

<<<<< Readme.Debian

You have to manually add include directive into your pam script, for each service you want to use it. As sample, here is my /etc/pam.d/gdm script:

auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include pam-ssh-auth
@include common-account
session required pam_limits.so
@include common-session
@include pam-ssh-session
@include common-password

pam-ssh-auth must be included after @include common-auth.

If you have more than one ssh key (with the same or empty passphrase), you have to link them to ~/.ssh/is_dsa{1,2,3} in order to make pam-ssh try to use them. Basically you could have four keys : ~/.ssh/is_dsa, ~/.ssh/is_dsa1 and so on.

<<<<< Readme.Debian

the two pam-ssh-* files :

auth:
auth optional pam_ssh.so try_first_pass keyfiles=id_dsa,id_dsa1,id_dsa2,id_dsa3

session:
session optional pam_ssh.so

cheers,
Aurelien

From: buc <bu...@od...> - 2004-10-19 10:54:42

Hi,

Currently, it is impossible to use "session" module without "auth" module, because "auth" stores "getpwnam()" results and later "session" use this stored data instead of own getpwnam() call.

Theoretically, standalone "session" may be useful if you want to just invoke one instance of ssh-agent (from several console logins), and add them keys later.

Another example is my own case. I am using self-patched version of RedHat's pam_console, which allows me to login with a password *once* (either console or gdm). Additional logins don't require password. I use pam config like this:

auth required pam_securetty.so
auth sufficient pam_console.so
auth required pam_stack.so service=system-auth
auth optional pam_ssh.so try_first_pass
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
session optional pam_ssh.so

For the first console login, "pam_console" failed, then standard "system-auth" are used and later "pam_ssh". For the next logins, pam_console does success, therefore pam_ssh "auth" module is not invoked, getpwnam() results are not stored, and pam_ssh "session" failed because of this.

I have made a patch to resolve this problem (see below). IMHO, the cost of additional getpwnam() calls is minimal -- either it is access to local /etc/passwd, or nscd caching daemon is running (:-)) for nisplus or ldap etc.

--
Dmitry Butskoj <dm...@bu...>
Saint-Petersburg, Russia
Red Hat Certified Engineer 809003662809495

diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c --- pam_ssh-1.91/pam_ssh.c 2004-04-12 17:55:08.000000000 +0400 +++ pam_ssh-1.91-OK/pam_ssh.c 2004-10-04 18:45:43.000000000 +0400 @@ -350,7 +350,6 @@ #endif const char *pass; /* passphrase */ const struct passwd *pwent; /* user's passwd entry */ - struct passwd *pwent_keep; /* our own copy */ int retval; /* from calls */ const char *user; /* username */ 
@@ -461,22 +460,6 @@ return PAM_AUTH_ERR; } - /* copy the passwd entry (in case successive calls are made) and - save it for the session phase */ - - if (!(pwent_keep = malloc(sizeof *pwent))) { - pam_ssh_log(LOG_CRIT, "out of memory"); - openpam_restore_cred(pamh); - return PAM_SERVICE_ERR; - } - memcpy(pwent_keep, pwent, sizeof *pwent_keep); - if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, - ssh_cleanup)) != PAM_SUCCESS) { - free(pwent_keep); - openpam_restore_cred(pamh); - return retval; - } - openpam_restore_cred(pamh); return PAM_SUCCESS; } @@ -515,14 +498,16 @@ int start_agent; /* start agent? */ const char *tty_raw; /* raw tty or display name */ char *tty_nodir; /* tty without / chars */ + const char *user; /* username */ log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0); /* dump output of ssh-agent in ~/.ssh */ - if ((retval = pam_get_data(pamh, "ssh_passwd_entry", - (const void **)(void *)&pwent)) - != PAM_SUCCESS) + if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) return retval; + if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir && + *pwent->pw_dir)) + return PAM_SESSION_ERR; retval = openpam_borrow_cred(pamh, pwent); if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) { @@ -842,10 +827,13 @@ const char *ssh_agent_pid; /* ssh-agent pid string */ const struct passwd *pwent; /* user's passwd entry */ struct stat sb; /* to check st_nlink */ + const char *user; /* username */ - if ((retval = pam_get_data(pamh, "ssh_passwd_entry", - (const void **)(void *)&pwent)) != PAM_SUCCESS) + if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) return retval; + if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir && + *pwent->pw_dir)) + return PAM_SESSION_ERR; retval = openpam_borrow_cred(pamh, pwent); if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) { |
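
Review bot: At @@ -515, pwent now points at the static buffer returned by getpwnam(user) and is then passed to openpam_borrow_cred and kept for the rest of the function; any later getpwnam or getpwuid call in the same process, including one made by another PAM module, can overwrite it. Use getpwnam_r with a caller-owned buffer, or copy the fields that are needed (pw_uid, pw_gid, pw_dir) immediately after the lookup.
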
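
Review bot: The lookup added at @@ -842 repeats the one at @@ -515 line for line (pam_get_user, then getpwnam with the pw_dir checks, then return PAM_SESSION_ERR), and neither copy logs why it failed. Move it into one helper shared by both session functions and add a pam_ssh_log call on the failure path so a missing passwd entry or empty home directory shows up in syslog.
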
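
The stack behaviour behind two configurations on this page, as an added example that is not code from any poster or from pam_ssh: a simplified Python model of the documented PAM control flags, run over the auth lines of the October 2004 pam_console configuration above and of the March 2006 configuration earlier on the page. Module outcomes are constructed inputs, the function names are hypothetical, and only required, requisite, sufficient and optional are modelled.

```python
import os

# Lines copied from the two configurations quoted on this page.
BUC_2004 = """\
auth required pam_securetty.so
auth sufficient pam_console.so
auth required pam_stack.so service=system-auth
auth optional pam_ssh.so try_first_pass
auth required pam_nologin.so
session optional pam_console.so
session optional pam_ssh.so
"""

JULIUS_2006 = """\
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_ssh.so
auth sufficient /lib/security/pam_unix.so use_first_pass likeauth nullok nodelay
auth required /lib/security/pam_deny.so
"""


def parse_stack(text, mgmt_type="auth"):
    """Return [(control, module_name), ...] for one management type."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != mgmt_type:
            continue
        name = os.path.basename(fields[2])
        if name.endswith(".so"):
            name = name[:-3]
        stack.append((fields[1], name))
    return stack


def run_stack(stack, results):
    """Walk the stack; results maps module name -> True (success) / False.

    Returns (granted, invoked), where invoked lists the modules that ran.
    """
    invoked, failed, succeeded = [], False, False
    for control, module in stack:
        invoked.append(module)
        ok = results[module]
        if control == "requisite" and not ok:
            return False, invoked          # fail at once
        if control in ("required", "requisite"):
            failed = failed or not ok      # remembered, walk continues
            succeeded = succeeded or ok
        elif control == "sufficient":
            if ok and not failed:
                return True, invoked       # later modules never run
            # a failing "sufficient" module is ignored
        elif control == "optional":
            succeeded = succeeded or ok    # failure is ignored
        else:
            raise ValueError("unsupported control flag: " + control)
    return (succeeded and not failed), invoked


def buc_login(console_ok):
    """2004 stack: does pam_console already vouch for this user?"""
    results = {"pam_securetty": True, "pam_console": console_ok,
               "pam_stack": True, "pam_ssh": True, "pam_nologin": True}
    return run_stack(parse_stack(BUC_2004), results)


def julius_login(ssh_ok, unix_ok):
    """2006 stack: which of the two secrets did the typed password match?"""
    results = {"pam_env": True, "pam_ssh": ssh_ok,
               "pam_unix": unix_ok, "pam_deny": False}  # pam_deny always fails
    return run_stack(parse_stack(JULIUS_2006), results)


if __name__ == "__main__":
    print("2004, first login :", buc_login(console_ok=False))
    print("2004, later login :", buc_login(console_ok=True))
    print("2006, key phrase  :", julius_login(ssh_ok=True, unix_ok=False))
    print("2006, unix passwd :", julius_login(ssh_ok=False, unix_ok=True))
    print("2006, neither     :", julius_login(ssh_ok=False, unix_ok=False))
```

In the 2004 stack a successful pam_console ends the walk before pam_ssh's auth function runs, so nothing is stored for the session phase; in the 2006 stack either secret is accepted because both modules are marked sufficient.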
From: Koen V. <ko...@qi...> - 2004-09-29 13:32:16

Hi,

On behalf of our system administrator, I was wondering if it's possible to specify a different location of the ssh keys. In our network, ssh keys are installed by the administrator, in a different location than ~/.ssh2.

Thanks!
Koen

From: <ala...@rd...> - 2004-09-28 08:45:46

Hi there,

I packaged the 1.91 for the Debian distribution (way to official developer in progress) and i want to add some doc into the package, especially about parameters that are allowed into pam configuration, like want_agent, allow_blank_passphrase, the key list file and so on. Could i find these informations somewhere?

current packages binary and source available at:

apt-get repository :
deb http://linux.freenet.ath.cx/debian unstable main contrib non-free
deb-src http://linux.freenet.ath.cx/debian unstable main contrib non-free

via web: http://linux.freenet.ath.cx/debian/pool/libp/libpam-ssh/

thanks by advance,
Aurelien

From: Roderick S. <rod...@ar...> - 2002-11-08 20:49:06

On 08 Nov 2002 11:43:48 -0800, "Charles 'Buck' Krasic" <kr...@ac...> said:
>
> I have pam_ssh working with console logins, but not with gdm.

A few months ago I also failed to get it to work with gdm. I stalled on tracking it further, however. I went to using startx and lost gumption. I'll try to have another look at it.

--
Roderick Schertler
rod...@ar...

From: Charles 'B. K. <kr...@ac...> - 2002-11-08 19:43:53

I spoke a little too soon of success. I have pam_ssh working with console logins, but not with gdm. I'm not getting anything in the system log.

My /etc/pam.d/gdm is as follows:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
auth       sufficient   /lib/security/pam_ssh.so no_warn try_first_pass
session    required     /lib/security/pam_ssh.so

Can anyone help me?

Thanks,

-- Buck

From: Charlie K. <kr...@cs...> - 2002-11-02 20:12:52

aj...@iu... (Andrew J. Korty) writes:

> Try backing out pam_ssh.c by one revision. This change was made for
> the benefit of the latest OpenSSH, which wants the real and
> effective user IDs to be the same. Keep watching the tree for the
> fix.

Yes, that worked. Thanks!

-- Buck