LinuxPAM and sshd: changing conversation function doesn't work but claims to.
Darren Tucker
dtucker at zip.com.au
Thu Jun 3 15:43:11 EST 2004
Darren Tucker wrote:
[about PAM calling the wrong conversation function]
> I have not been able to replicate this behaviour in a minimal test
> case, but I'm hoping someone will be able to explain it.

OK, here's a smallish testcase that demonstrates the problem, run on
Redhat 9 and Solaris 8. Note that on Redhat, the call to chauthtok
(incorrectly) generates a second call to my_conv1, whereas on Solaris
my_conv2 is (correctly) called in the second case.

Thanks,
-Daz.

$ uname -svr; rpm -q pam
Linux 2.4.20-31.9 #1 Tue Apr 13 17:41:45 EDT 2004
pam-0.75-48
$ gcc wrong-conv-function.c -lpam
$ sudo ./a.out
[673]: pam_start result 0 (Success)
[673]: my_conv1 called
[673]: pam_acct_mgmt result 12 (Authentication token is no longer valid;
new one required.)
[674]: pam_set_item result 0 (Success)
[674]: my_conv1 called
[674]: pam_chauthtok result 20 (Authentication token manipulation error)

For comparison, here is the same code run on Solaris 8:

$ uname -svr
SunOS 5.8 Generic_117350-02
$ sudo ./a.out
[20837]: pam_start result 0 (Success)
[20837]: pam_acct_mgmt result 9 (Authentication failed)
[20838]: pam_set_item result 0 (Success)
[20838]: my_conv2 called
[20838]: pam_chauthtok result 6 (Conversation failure)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.