Another round of testing calls.
mouring at etoh.eviladmin.org
mouring at etoh.eviladmin.org
Thu Oct 25 07:03:40 EST 2001
How do you enforce PAM limits without opening a session then?
- Ben
On Wed, 24 Oct 2001, Ed Phillips wrote:
> Is it possible that this is a direct result of using the kludge -
> specifying a bogus tty name which can't possibly be used to fetch a
> password? Probably, sshd should not call pam_open_session() in the case
> where we are running in non-interactive mode - and sshd should just exit
> with a "password expired" error if the password needs to be changed
> in.rshd on Sol8 does not does not call the PAM session stuff.
> pam_unix.so on Sol8 has a pam_sm_open_session() which requires the tty
> name to be available (and my guess is that it must be valid as well -
> hence the problems with not passing a tty name). Sure, it's a bug in Sol8
> pam_unix.so, but the docs are pretty thin regarding what
> pam_sm_open_session() is supposed to do and whether the PAM_TTY is
> required. My guess that PAM_TTY is actually a required parameter (if
> you're going to do PAM session stuff) and unexpected results will occur if
> you just fill it with a bogus string.
>
> Ed
>
> On Wed, 24 Oct 2001 mouring at etoh.eviladmin.org wrote:
>
> > Date: Wed, 24 Oct 2001 09:27:48 -0500 (CDT)
> > From: mouring at etoh.eviladmin.org
> > Cc: "Dost, Alexander" <Alexander.Dost at drkw.com>, openssh-unix-dev at mindrot.org
> > Subject: Re: Another round of testing calls.
> >
> >
> > If PAM is doing the password change, then I have to agree with Markus.
> > Could one of our Lurking Sun experts reproduce this and check if there is
> > a bug in their PAM code or if we are missing a bit of code?
> >
> > - Ben
> >
> > On Wed, 24 Oct 2001, Markus Friedl wrote:
> >
> > > On Wed, Oct 24, 2001 at 10:46:57AM +0200, Dost, Alexander wrote:
> > > > Is the problem with clear-text passwords after using the kludge on Sol8
> > > > known and will it be fixed ?
> > > > I didn't see any reply on this problem.
> > >
> > > this is probably a bug in the PAM: either they should
> > > not depend on the TTY kludge or not ask for a password
> > > if there is not TYY.
> > >
> > > -m
> > >
> >
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
>
>
More information about the openssh-unix-dev
mailing list