Custom PAM module not working correctly
Darren Tucker
dtucker at zip.com.au
Fri Oct 21 10:17:30 AEDT 2016
On Thu, Oct 20, 2016 at 12:19 PM, Diogo Vieira <dfv at eurotux.com> wrote:
> Hello,
>
> I've developed a custom PAM module which only allows a user to authenticate
> to the server only if another user of the same machine also authenticates
> successfully. It's currently a simple module which also works as a PAM-aware
> application since it authenticates each user with PAM itself. Both the
> pamtester utility and su can use this module correctly. However, when I try
> to use it with my openssh server the authentication fails after the first
> prompt.
My guess is that you're using pam_set_data/pam_get_data.
Unfortunately this doesn't currently work with challenge-response
authentication because the PAM calls are made in a subprocess that
terminates, and thus the changes are lost. See:
https://bugzilla.mindrot.org/show_bug.cgi?id=688
https://bugzilla.mindrot.org/show_bug.cgi?id=2548
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
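
The effect described in the reply, as an added example that is not part of the original message and is not OpenSSH or Linux-PAM code: state recorded in a subprocess that then exits is invisible to the process that continues. `struct handle`, `demo_set_data`, `demo_get_data` and `marker_survives` are hypothetical stand-ins for a PAM handle and for pam_set_data/pam_get_data; the block uses only fork(), not libpam.

```c
/* Added illustration; stand-ins only, this is not libpam or sshd code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ITEMS 8
struct item { char name[32]; char value[32]; };
struct handle { struct item items[MAX_ITEMS]; int n; }; /* hypothetical stand-in for pam_handle_t */

/* Store a named value in the handle, as a module would with pam_set_data(). */
static int demo_set_data(struct handle *h, const char *name, const char *value) {
    if (h->n >= MAX_ITEMS) return -1;
    snprintf(h->items[h->n].name, sizeof h->items[h->n].name, "%s", name);
    snprintf(h->items[h->n].value, sizeof h->items[h->n].value, "%s", value);
    h->n++;
    return 0;
}

/* Look a value up again, as a later module call would with pam_get_data(). */
static const char *demo_get_data(const struct handle *h, const char *name) {
    for (int i = 0; i < h->n; i++)
        if (strcmp(h->items[i].name, name) == 0) return h->items[i].value;
    return NULL;
}

/* Round 1 records "first_user_ok"; round 2 (always in the caller) looks for it.
 * Returns 1 if the marker is still there, 0 if it was lost, -1 on error. */
int marker_survives(int round1_in_subprocess) {
    struct handle h = {0};
    if (round1_in_subprocess) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {   /* child: works on a private copy of h */
            demo_set_data(&h, "first_user_ok", "1");
            _exit(demo_get_data(&h, "first_user_ok") ? 0 : 1);
        }
        int status;
        if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
            return -1;
    } else {
        demo_set_data(&h, "first_user_ok", "1");
    }
    return demo_get_data(&h, "first_user_ok") != NULL;
}

int main(void) {
    printf("same process: %d\n", marker_survives(0));
    printf("subprocess:   %d\n", marker_survives(1));
    return 0;
}
```

The child exits with status 0, so the marker was set and readable there; only the parent's copy of the handle is empty.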