Patch: Solved: Re: [OpenAFS-devel] PAM / openssh 3.7.1p2
Martin MOKREJŠ
mmokrejs@natur.cuni.cz
Sat, 18 Oct 2003 02:23:19 +0200 (CEST)
On Fri, 17 Oct 2003, Dean Anderson wrote:
> Doh!
>
> This patch should be retracted. It didn't quite solve the problem. I found
> that by disabling PRIVSEP the problem was fixed. PRIVSEP somehow breaks
> setting the PAG. With PRIVSEP turned off, everything works...
Hmm, this reminds me of a patch from Jan Iven, who wrote a patch I believe
for openssh-3.4 ...
To: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
Cc: OpenSSH Devel List <openssh-unix-dev@mindrot.org>
Date: 10 Dec 2002 18:05:44 +0100
Subject: Re: [PATCH] Password expiry with Privsep and PAM
>>>>> "MM" == Martin MOKREJŠ <mmokrejs@natur.cuni.cz> writes:
MM> Is this patch compatible with this patch from Jan Iven?
MM> http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0210/42.html
MM> Has that patch been fully integrated into cvs already? I guess PrivSep
MM> should already work if his patch is in place already... ;)
Most of that had already been implemented at the time I wrote that
patch, I just added it twice while looking at the wrong spot :-o
And it has nothing to do with the password expiry, it was only dealing
with Kerberos4/AFS vs PrivSep thingies.
Regards
Jan
>
> But there are some other complaints about openssh that I haven't provided
> patches for:
>
> Password authentication should try pam with the supplied password. Apps
> that don't support keyboard-interactive/pam and just do passwords should
> still use PAM modules. Openssh is basically useless on PAM systems, since
> many/most ssh clients do not support keyboard-interactive/pam. It looks
> like this was intentionally removed... Is there any chance it might be put
> back?
I know Darren Tucker is willing to help with krb stuff, although he doesn't use it.
In my experience he is almost the only one who responds at all.
Martin
>
>
> --Dean
>
> On Fri, 17 Oct 2003, Martin MOKREJŠ wrote:
>
> > On Mon, 6 Oct 2003, Dean Anderson wrote:
> >
> > Hi,
> > just wanted to be sure at least some things get fixed in the portable
> > release, but this is what I got back about your patch. What do you think?
> > Will you discuss at openssh-unix-dev and submit the patch to openssh
> > developers and Cc: us? ;)
> > Thanks!
> >
> >
> > --- forwarded message
> > From: Darren Tucker <dtucker@zip.com.au>
> > To: Martin MOKREJŠ <mmokrejs@natur.cuni.cz>
> > Date: Fri, 17 Oct 2003 21:09:18 +1000
> > Subject: Re: Patch: Solved: Re: [OpenAFS-devel] PAM / openssh 3.7.1p2 (fwd)
> >
> > Martin MOKREJS wrote:
> > > how about applying this patch?
> >
> > Ten bucks says it'll break PAM on some other platform (my guess is HP-UX,
> > but maybe we should run a sweepstakes on it or something). Please post it
> > to openssh-unix-dev and see what people say.
> > -- end of forwarded message
> >
> >
> >
> > > The following patch fixes openssh-3.7.1p2 to work with the pam_afs.so
> > > module:
> > >
> > > If anyone wants the rpm spec file for redhat 7.3, let me know.
> > >
> > > --Dean
> > >
> > > [root@dakota SOURCES]# more openssh-3.7.1p2-av8.patch
> > > diff -r -u openssh-3.7.1p2.orig/session.c openssh-3.7.1p2/session.c
> > > --- openssh-3.7.1p2.orig/session.c Tue Sep 23 04:59:08 2003
> > > +++ openssh-3.7.1p2/session.c Mon Oct 6 01:25:05 2003
> > > @@ -1275,8 +1275,8 @@
> > > * Reestablish them here.
> > > */
> > > if (options.use_pam) {
> > > - do_pam_session();
> > > do_pam_setcred(0);
> > > + do_pam_session();
> > > }
> > > # endif /* USE_PAM */
> > > # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) ||
> > > defined(WITH_IRIX_ARRAY)
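Review bot: the swap inside `if (options.use_pam)` changes the call order for every PAM platform and module, yet nothing in the hunk says why `do_pam_setcred(0)` has to precede `do_pam_session()`; the only comment left is the existing "Reestablish them here." Please add a comment stating the ordering dependency that pam_afs.so imposes (the submission says only that the patch makes openssh-3.7.1p2 work with that module), and confirm the new order against other PAM stacks before it goes in unconditionally. Since the follow-up in this thread reports that the patch did not quite solve the problem and that disabling PRIVSEP did, it is also worth establishing whether the reorder is needed at all.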
> > >
> > >
> > >
> >
> > --
> > Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
> > PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
> > MIPS / Institute for Bioinformatics <http://mips.gsf.de>
> > GSF - National Research Center for Environment and Health
> > Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
> > tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
> >
>
>
--
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585