Custom PAM module not working correctly

Darren Tucker dtucker at zip.com.au
Fri Oct 21 10:17:30 AEDT 2016


On Thu, Oct 20, 2016 at 12:19 PM, Diogo Vieira <dfv at eurotux.com> wrote:
> Hello,
>
> I've developed a custom PAM module which only allows a user to authenticate
> to the server only if another user of the same machine also authenticates
> successfully. It's currently a simple module which also works as a PAM aware
> application since it authenticates each user with PAM itself. Both the
> pamtester utility and su can use this module correctly. However, when I try
> to use it with my openssh server the authentication fails after the first
> prompt.

My guess is that you're using pam_set_data/pam_get_data.
Unfortunately this doesn't currently work with challenge-response
authentication because the PAM calls are made in a subprocess that
terminates, and thus the changes are lost. See:

https://bugzilla.mindrot.org/show_bug.cgi?id=688
https://bugzilla.mindrot.org/show_bug.cgi?id=2548

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
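
The following is an added example, not part of the original message and not code from sshd or Linux-PAM: a simplified model of the state loss described above. The `handle` struct and the `set_data`/`get_data`/`auth_phase`/`later_phase` functions are hypothetical stand-ins for a PAM handle and `pam_set_data`/`pam_get_data`; the only assumption is that module data lives in ordinary process memory.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the per-handle store behind pam_set_data/pam_get_data. */
struct handle { char key[32]; int value; int used; };

static int set_data(struct handle *h, const char *key, int value) {
    snprintf(h->key, sizeof h->key, "%s", key);
    h->value = value;
    h->used = 1;
    return 0;
}

static int get_data(const struct handle *h, const char *key, int *out) {
    if (!h->used || strcmp(h->key, key) != 0) return -1; /* no such data */
    *out = h->value;
    return 0;
}

/* Authentication phase: the module records state for later use. */
static int auth_phase(struct handle *h) { return set_data(h, "auth_state", 1); }

/* A later PAM call that depends on the state recorded during authentication. */
static int later_phase(const struct handle *h) {
    int ok = 0;
    return (get_data(h, "auth_state", &ok) == 0 && ok) ? 0 : -1;
}

/* Runs auth_phase in-process or in a child that then terminates, and returns
   later_phase's result in the caller: 0 = state found, -1 = lost, -2 = error. */
int run_phases(int use_subprocess) {
    struct handle h = {0};
    if (use_subprocess) {
        int status;
        pid_t pid = fork();
        if (pid < 0) return -2;
        if (pid == 0) _exit(auth_phase(&h) == 0 ? 0 : 1); /* child's copy of h dies here */
        if (waitpid(pid, &status, 0) < 0) return -2;
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -2;
    } else if (auth_phase(&h) != 0) {
        return -2;
    }
    return later_phase(&h);
}

int main(void) {
    printf("in-process: %d\n", run_phases(0));
    printf("subprocess: %d\n", run_phases(1));
    return 0;
}
```

The child reports success through its exit status, yet the parent's handle never receives the stored data, which matches a module that works under pamtester and su but not under a server that runs the authentication in a subprocess.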


More information about the openssh-unix-dev mailing list