2019-01-20  Damien Miller
remove PAM dependencies on old packet API
Requires some caching of values, because the PAM code isn't always called with packet context.

2018-03-03
upstream: switch over to the new authorized_keys options API
remove the legacy one. Includes a fairly big refactor of auth2-pubkey.c to retain less state between key file lines. feedback and ok markus@
OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df

2016-10-15  Darren Tucker
Remove do_pam_set_tty which is dead code.
The callers of do_pam_set_tty were removed in 2008, so this is now dead code. bz#2604, pointed out by jjelen at

2016-08-17  Darren Tucker
Remove obsolete CVS $Id from source files.
Since -portable switched to git the CVS $Id tags are no longer being updated and are becoming increasingly misleading. Remove them.

2016-08-16  Damien Miller
add --with-pam-service to specify PAM service name
Saves messing around with CFLAGS to do it.

2016-07-18  Darren Tucker
Handle PAM_MAXTRIES from modules.
bz#2249: handle the case where PAM returns PAM_MAXTRIES by ceasing to offer password and keyboard-interactive authentication methods. Should prevent "sshd ignoring max retries" warnings in the log. ok djm@
It probably won't trigger with keyboard-interactive in the default configuration because the retry counter is stored in module-private storage which goes away with the sshd PAM process (see bz#688). On the other hand, those cases probably won't log a warning either.

2004-09-11  Darren Tucker
- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from failing PAM session modules to user then exit, similar to the way /etc/nologin is handled. ok djm@

2004-05-30  Darren Tucker
- (dtucker) [auth-pam.c auth-pam.h auth-passwd.c]: Bug #874: Re-add PAM support for PasswordAuthentication=yes. ok djm@

2004-03-08  Darren Tucker
- (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized even if keyboard-interactive is not used by the client. Prevents segfaults in some cases where the user's password is expired (note this is not considered a security exposure). ok djm@

2004-02-10  Darren Tucker
- (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to change expired PAM passwords for SSHv1 connections without privsep. pam_chauthtok is still used when privsep is disabled. ok djm@

2003-11-17  Damien Miller
- (djm) Export environment variables from authentication subprocess to parent. Part of Bug #717

2003-10-07  Darren Tucker
- (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static cleanup functions. With & ok djm@

2003-09-02  Damien Miller
- (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session management (now done in do_setusercontext). Largely from michael_steffens AT

2003-08-26  Darren Tucker
- (dtucker) [acconfig.h auth-krb5.c auth-pam.c auth-pam.h defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.

2003-08-25  Damien Miller
- (djm) Bug #564: Perform PAM account checks for all authentications when UsePAM=yes; ok dtucker

2003-05-19  Damien Miller
- (djm) Sync auth-pam.h with what we actually implement

2003-05-10  Damien Miller  [AFTER_FREEBSD_PAM_MERGE]
- (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with proper challenge-response module

2002-07-23  Kevin Steves
- (stevesk) [auth-pam.[ch] session.c] pam_getenvlist() must be freed by the caller; add free_pam_environment() and use it.

2002-07-21  Kevin Steves
- (stevesk) [auth-pam.[ch] ssh.h] move SSHD_PAM_SERVICE to auth-pam.h

2002-07-21  Kevin Steves
- (stevesk) [auth-pam.h] unneeded include

2002-07-21  Kevin Steves
- (stevesk) [auth-pam.h] license

2002-04-04  Kevin Steves
- (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.

2001-03-27  Damien Miller
- (djm) Reestablish PAM credentials (which can be supplemental group memberships) after initgroups() blows them away. Report and suggested fix from Nalin Dahyabhai <>

2001-02-15  Damien Miller
- (djm) Clean up PAM namespace. Suggested by Darren Moffat

2001-02-09  Damien Miller
- (djm) Add CVS Id's to files that we have missed

2001-02-07  Damien Miller
- (djm) Much KNF on PAM code
- (djm) Revise auth-pam.c conversation function to be a little more readable.
- (djm) Revise kbd-int PAM conversation function to fold all text messages to before first prompt. Fixes hangs if last pam_message did not require a reply.
- (djm) Fix password changing when using PAM kbd-int authentication

2001-01-19  Damien Miller
- (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai <>) to fix NULL pointer deref and fake authloop breakage in PAM code.

2000-12-03  Damien Miller
- (djm) Added patch from Nalin Dahyabhai <> to enable PAM authentication using KbdInteractive.
- (djm) Added another TODO

2000-10-14  Kevin Steves
function prototype and definition consistency cleanup.

2000-10-14  Kevin Steves
- (stevesk) ~/.hushlogin shouldn't cause required password change to be bypassed.

2000-09-16  Damien Miller
- (djm) Add Steve VanDevender's <> PAM password change patch.
- (djm) Bring licenses on my stuff in line with OpenBSD's

2000-01-27  Damien Miller
Add const to suppress compiler warning

1999-12-30  Damien Miller
- Removed most of the pam code into its own file auth-pam.[ch]. This cleaned up sshd.c significantly.
- Several other cleanups