| Summary: | new PAM code only calls pam_acct_mgmt for challenge-response clients |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Damien Miller <djm> |
| Component: | PAM support |
| Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED |
| Severity: | normal |
| Keywords: | patch |
| Priority: | P2 |
| Version: | -current |
| Hardware: | All |
| OS: | Linux |
| Bug Depends on: | |
| Bug Blocks: | 627 |

Description
Damien Miller
2003-05-14 14:51:35 AEST
Maybe UsePAM should be a tri-state: "kbd-int", "no" or "always". This is ugly - suggestions wanted.

Created attachment 369
Perform PAM account checks
This patch adds PAM account checks after authentication. Tested with passwd and
pubkey auth, protos 1 and 2, with and without privsep.
Doesn't make PAM chauthtok work - that is tricky with privsep.
I've looked at patch id #369.
This part is useless:
diff -u -r1.246 session.c
--- session.c 13 Aug 2003 10:31:05 -0000 1.246
+++ session.c 24 Aug 2003 12:44:32 -0000
@@ -719,6 +719,11 @@
if (options.use_pam && is_pam_password_change_required()) {
print_pam_messages();
do_pam_chauthtok();
+
+ /* Permit forwardings if we succeed here */
+ no_port_forwarding_flag &= ~2;
+ no_agent_forwarding_flag &= ~2;
+ no_x11_forwarding_flag &= ~2;
}
#endif
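Review bot: The three "&= ~2" lines added after do_pam_chauthtok() run unconditionally, although the new comment says forwardings are permitted "if we succeed here". Nothing in the visible lines tests the outcome of do_pam_chauthtok(), so either check it before clearing the bits or state in the comment that the call does not return on failure. The literal 2 is also an unexplained mask repeated three times; a named constant would document which restriction is being lifted.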
By the time that runs, you are in the process that later execs the user's shell.
The forwarding flags you need to reset are in its parent.
The patch regress tested OK on Redhat 8.
Something funny is wrong on HP-UX & Solaris (dynamic forwarding tests fail, not
sure why yet).
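
The process-boundary point from the review above (the flags cleared in session.c belong to the child that later execs the shell, while the ones that matter are in its parent), as an added example that is not part of the bug thread or of OpenSSH: a forked child clears the bit and the parent's copy stays set. The variable is a stand-in named after the one in the hunk, its initial value 2 is an assumption, and flag_seen_by_parent() is a hypothetical helper.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the flag in the hunk; the initial value 2 is an assumption. */
static int no_port_forwarding_flag = 2;

/*
 * Fork, clear the bit in the child as the hunk does, and return the value the
 * parent still holds. The child's view comes back through a pipe. -1 on error.
 */
int flag_seen_by_parent(int *child_view)
{
    int fds[2], status, seen = -1;
    pid_t pid;

    if (pipe(fds) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the process that would later exec the user's shell. */
        close(fds[0]);
        no_port_forwarding_flag &= ~2;
        if (write(fds[1], &no_port_forwarding_flag, sizeof(int)) != (ssize_t)sizeof(int))
            _exit(1);
        _exit(0);
    }
    /* Parent: its copy of the flag is a separate variable after fork(). */
    close(fds[1]);
    if (read(fds[0], &seen, sizeof(seen)) != (ssize_t)sizeof(seen))
        seen = -1;
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    *child_view = seen;
    return no_port_forwarding_flag;
}

int main(void)
{
    int child = -1, parent = flag_seen_by_parent(&child);
    printf("child sees %d, parent still sees %d\n", child, parent);
    return parent == 2 && child == 0 ? 0 : 1;
}
```
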
Comment on attachment 369
Perform PAM account checks
The problem with Solaris and HP-UX was with the tests, the code itself is fine.
Passed regression on Solaris 8 & HP-UX 11.00.
ok dtucker@, but the code in session.c should be removed or commented that it
can't work.
Applied

Mass change of RESOLVED bugs to CLOSED