Date:      Tue, 5 Mar 2002 09:05:59 -0800
From:      "Leonard Chung" <leonardc@cs.berkeley.edu>
To:        "Jiri Mikulas" <jiri@mikulas.com>
Cc:        <questions@freebsd.org>
Subject:   RE: pam_set_item: NULL pam handle passed?
Message-ID:  <HHEKIBIGHICPGLHFMKKJCEBLCNAA.leonardc@cs.berkeley.edu>
In-Reply-To: <3C849BF5.5020700@mikulas.com>

Hi Jiri,

Yes, I used mergemaster. My pam.conf hasn't been modified, and should be the
one in the CVS tree.

The relevant section is:
# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth    sufficient      pam_skey.so
#sshd   auth    sufficient      pam_kerberosIV.so       try_first_pass
sshd    auth    required        pam_unix.so             try_first_pass
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd   auth    required        pam_skey.so

I've attached the rest of it just for completeness.

Thanks,

Leonard

# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use.  See pam(8) for a description of its format.
#
# $FreeBSD: src/etc/pam.conf,v 1.6.2.13 2001/12/19 16:47:46 sobomax Exp $
#
# service-name  module-type     control-flag    module-path     arguments
#
# module-type:
#  auth:      prompt for a password to authenticate that the user is
#             who they say they are, and set any credentials.
#  account:   non-authentication based authorization, based on time,
#             resources, etc.
#  session:   housekeeping before and/or after login.
#  password:  update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
#  required:   success is required, and on failure all remaining
#              modules are run.
#  requisite:  success is required, and on failure no remaining
#              modules are run.
#  sufficient: success is sufficient, and if no previous required
#              module failed, no remaining modules are run.
#  optional:   ignored unless the other modules return PAM_IGNORE.
#
# arguments:
#  Passed to the module; module-specific plus some generic ones:
#   debug:           syslog debug info.
#   no_warn:         return no warning messages to the application.
#   use_first_pass:  try authentication using password from the
#                    preceding auth module.
#   try_first_pass:  first try authentication using password from
#                    the preceding auth module, and if that fails
#                    prompt for a new password.
#   use_mapped_pass: convert cleartext password to a crypto key.
#   expose_account:  allow printing more info about the user when
#                    prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right.  If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.

# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login   auth    sufficient      pam_skey.so
login   auth    requisite       pam_cleartext_pass_ok.so
#login  auth    sufficient      pam_kerberosIV.so       try_first_pass
login   auth    required        pam_unix.so             try_first_pass
login   account required        pam_unix.so
login   password required       pam_permit.so
login   session required        pam_permit.so

# Same requirement for ftpd as login
ftpd    auth    sufficient      pam_skey.so
ftpd    auth    requisite       pam_cleartext_pass_ok.so
#ftpd   auth    sufficient      pam_kerberosIV.so       try_first_pass
ftpd    auth    required        pam_unix.so             try_first_pass

# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth    sufficient      pam_skey.so
#sshd   auth    sufficient      pam_kerberosIV.so       try_first_pass
sshd    auth    required        pam_unix.so             try_first_pass
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so
# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd   auth    required        pam_skey.so

# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd auth    required        pam_unix.so             try_first_pass

# Don't break startx
xserver auth    required        pam_permit.so

# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm     auth    required        pam_unix.so
#xdm    auth    sufficient      pam_kerberosIV.so       try_first_pass
xdm     account required        pam_unix.so             try_first_pass
xdm     session required        pam_deny.so
xdm     password required       pam_deny.so

# GDM (GNOME Display Manager)
gdm     auth    required        pam_unix.so
#gdm    auth    sufficient      pam_kerberosIV.so       try_first_pass
gdm     account required        pam_unix.so             try_first_pass
gdm     session required        pam_permit.so
gdm     password required       pam_deny.so

# Mail services
imap    auth    required        pam_unix.so             try_first_pass
pop3    auth    required        pam_unix.so             try_first_pass

# If we don't match anything else, default to using getpwnam().
other   auth    required        pam_unix.so             try_first_pass
other   account required        pam_unix.so             try_first_pass

-----Original Message-----
From: Jiri Mikulas [mailto:jiri@mikulas.com]
Sent: Tuesday, March 05, 2002 2:21 AM
To: Leonard Chung
Subject: Re: pam_set_item: NULL pam handle passed?

Hi.
Did you update /etc/pam.conf .. the ssh section?
(I use mergemaster for updating etc files).
What was your previous version?
Jiri.

>
>
>I recently upgraded to 4.5 Release off source. I'm having a problem where I
>can't login to the machine over ssh using any accounts although I am using
>known good passwords.
>
>The error message I get is:
>
>Mar  5 00:02:28 mercury sshd[146]: pam_set_item: NULL pam handle passed
>Mar  5 00:02:31 mercury last message repeated 3 times
>
>A quick search of mailing list archives and the website revealed nothing.
>Has anybody seen this particular problem before?
>
>Here's some basic info:
>
>mercury# uname -a
>FreeBSD mercury.my.domain 4.5-RELEASE-p1 FreeBSD 4.5-RELEASE-p1 #0: Mon Mar
>4 19:01:49 PST 2002
>root@mercury.my.domain:/usr/obj/usr/src/sys/MERCURY_KERN  i386
>
>Thanks,
>
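
Added example (not part of the original message and not FreeBSD's libpam): a simplified Python model of the control-flag rules described in the header comments of the attached pam.conf, applied to the sshd auth lines, plus a check for the file's "each final entry must say required" rule. The function names, the sample text, the hand-supplied module results and the choice to deny when no required or requisite module passed are assumptions of this sketch; "optional" is ignored.

```python
# Constructed sample: the sshd lines from the message, plus an ftpd chain
# with its final "required" entry deliberately removed to trigger the check.
SAMPLE = """\
sshd    auth    sufficient      pam_skey.so
sshd    auth    required        pam_unix.so     try_first_pass
sshd    account required        pam_unix.so
ftpd    auth    sufficient      pam_skey.so
ftpd    auth    requisite       pam_cleartext_pass_ok.so
"""

def parse(text):
    """Return {(service, module_type): [(control_flag, module, args), ...]}."""
    chains = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or incomplete entry
        service, mtype, flag, module, *args = fields
        chains.setdefault((service, mtype), []).append((flag, module, args))
    return chains

def evaluate(chain, results):
    """results maps module name -> True (success) or False (failure)."""
    failed = passed = False
    for flag, module, _args in chain:
        ok = results[module]
        if flag == "requisite" and not ok:
            return False      # failure: no remaining modules are run
        if flag == "sufficient" and ok and not failed:
            return True       # success: no remaining modules are run
        if flag in ("required", "requisite"):
            passed = passed or ok
            failed = failed or not ok   # required failure: keep running
    # Assumption of this model: deny unless something required passed.
    return passed and not failed

def bad_final_entries(chains):
    """Chains whose last entry is not 'required' (the file's own warning)."""
    return sorted(key for key, chain in chains.items()
                  if chain[-1][0] != "required")

if __name__ == "__main__":
    chains = parse(SAMPLE)
    sshd_auth = chains[("sshd", "auth")]
    for skey in (True, False):
        for unix in (True, False):
            r = {"pam_skey.so": skey, "pam_unix.so": unix}
            print("skey=%s unix=%s ->" % (skey, unix), evaluate(sshd_auth, r))
    print("final entry not 'required':", bad_final_entries(chains))
```

In the constructed ftpd chain, a failed S/Key attempt followed by a passing pam_cleartext_pass_ok.so evaluates to success without any password module having run, which is the kind of outcome the "final entry must say required" comment guards against.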



