[Bug 2408] Expose authentication information to PAM

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 22 21:12:59 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2408

--- Comment #22 from Vincent Brillault <git at lerya.net> ---
Dear all,

Sorry for the long absence of comment.

We (CERN) have been using RedHat's patch (see e.g.
https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!openssh-7.4p1-expose-pam.patch)
and it's working perfectly for us (I need to update the github page). I
had seen your commits in June (which made sense but I didn't have time
to review then) but completely missed your commits in July, thanks for
both and sorry for the absence of reply/review.

I've tried to take a look at the patches right now.

I understand that you have added "expose_authinfo" calls to the
do_pam_session & do_pam_account functions to make sure that the data is
up to date at these points in time. I think this was missing in the
patch I submitted, thanks! However, as Radek found out, one important
step is missed: the authentication part of pam.

What is important for the 2FA case is that this variable is set when
calling pam_authenticate, to allow pam modules to make a choice
depending on what already happened. In my case (CERN), it's simply
skipping the standard password authentication part if there was a
successful authentication. Calling "expose_authinfo" just before the
pam thread is started, as proposed by Radek, should resolve this
problem. I have not tested it, but this is what my patch was doing (see
e.g.
https://bugzilla.mindrot.org/attachment.cgi?id=2846&action=diff#a/auth-pam.c_sec1)
and what RedHat is doing
(https://git.centos.org/blob/rpms!openssh.git/c7/SOURCES!openssh-7.4p1-expose-pam.patch#L184).

Sorry again and thanks for all your work,
Vincent
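The choice Vincent describes above (a PAM module skipping the password step when a public key was already verified) written out in C as an added example; this is not code from the bug, from CERN's module or from the RedHat patch. It assumes the exposed data is a newline-separated list of completed methods and that a module reads it from the PAM environment under the name the RedHat patch uses, SSH_AUTH_INFO_0 (both assumptions, not stated in the comment).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * What a PAM "auth" module can decide from the authentication information
 * sshd exposes before pam_authenticate() runs. A real module would fetch the
 * string with pam_getenv(pamh, "SSH_AUTH_INFO_0") (assumed name, taken from
 * the RedHat patch); here it is passed in so the logic runs stand-alone.
 * Assumed format (constructed): one completed method per line, method name
 * first, e.g. "publickey ssh-ed25519 AAAA..." or "password".
 */
enum ssh_auth_decision {
	SSH_AUTH_NO_INFO,       /* variable unset: unpatched sshd, or exposed too late */
	SSH_AUTH_NEED_PASSWORD, /* no key verified yet: run the normal password stack */
	SSH_AUTH_SKIP_PASSWORD  /* a public key already verified: only add the 2nd factor */
};

/* True when a line (length len, without newline) names exactly this method. */
static bool
line_is_method(const char *line, size_t len, const char *method)
{
	size_t mlen = strlen(method);

	return len >= mlen && memcmp(line, method, mlen) == 0 &&
	    (len == mlen || line[mlen] == ' ');
}

enum ssh_auth_decision
ssh_auth_decide(const char *auth_info)
{
	const char *p = auth_info;
	size_t len;

	/* Absent information must never be read as "already authenticated". */
	if (p == NULL)
		return SSH_AUTH_NO_INFO;
	while (*p != '\0') {
		len = strcspn(p, "\n");
		if (line_is_method(p, len, "publickey"))
			return SSH_AUTH_SKIP_PASSWORD;
		p += len;
		if (*p == '\n')
			p++;
	}
	return SSH_AUTH_NEED_PASSWORD;
}
```

If sshd only calls expose_authinfo from do_pam_account and do_pam_session, the module sees the first case at pam_authenticate time and must fall back to the password stack, which is the gap Radek found.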
