Custom PAM module not working correctly

Diogo Vieira dfv at eurotux.com
Sat Oct 22 01:33:29 AEDT 2016


I actually don't use pam_set_data/pam_get_data directly, but it's 
possible that they're used by the library itself, maybe? I use calls 
like pam_start, pam_end, pam_get_user and pam_authenticate, so I assume 
at least one of them actually uses those (I glanced at their source code 
but couldn't find anything).

Do you expect this to be fixed in an upcoming release? I saw the patch 
in the referenced bug report, so I would guess so.

I resolved the issue for now, since I just wanted to authenticate users 
with UNIX passwords, by not using PAM to authenticate them and using 
getspnam/getpwnam directly, but it could be useful in the future to use 
other authentication methods.

Thank you for your help.

Best regards,
Diogo Vieira


On Fri, Oct 21, 2016 at 12:17, Darren Tucker <dtucker at zip.com.au> 
wrote:
> On Thu, Oct 20, 2016 at 12:19 PM, Diogo Vieira <dfv at eurotux.com> 
> wrote:
>>  Hello,
>> 
>>  I've developed a custom PAM module which only allows a user to authenticate
>>  to the server if another user of the same machine also authenticates
>>  successfully. It's currently a simple module which also works as a PAM-aware
>>  application since it authenticates each user with PAM itself. Both the
>>  pamtester utility and su can use this module correctly. However, when I try
>>  to use it with my openssh server the authentication fails after the first
>>  prompt.
> 
> My guess is that you're using pam_set_data/pam_get_data.
> Unfortunately this doesn't currently work with challenge-response
> authentication because the PAM calls are made in a subprocess that
> terminates, and thus the changes are lost. See:
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=688
> https://bugzilla.mindrot.org/show_bug.cgi?id=2548
> 
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
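The subprocess problem Darren describes, as an added model (not code from this thread, from libpam or from OpenSSH): a constructed stand-in for the pam_set_data/pam_get_data list, a constructed module step that records which peer user vouched, and that step run once in a forked child with only the integer status returned over a pipe, the way a challenge-response conversation runs in a subprocess that then terminates. The names fake_pam_handle, module_authenticate, data_lost_across_subprocess and data_kept_in_process are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define PAM_SUCCESS 0
#define PAM_AUTH_ERR 7
/* Constructed stand-in for the data list pam_set_data() keeps in a pam_handle_t; not libpam. */
struct fake_pam_handle { char name[32]; char value[64]; int set; };
static void fake_set_data(struct fake_pam_handle *h, const char *n, const char *v) {
    snprintf(h->name, sizeof h->name, "%s", n);
    snprintf(h->value, sizeof h->value, "%s", v);
    h->set = 1;
}
static const char *fake_get_data(const struct fake_pam_handle *h, const char *n) {
    return (h->set && strcmp(h->name, n) == 0) ? h->value : NULL;
}

/* The module's authenticate step: remembers which peer user vouched
 * (constructed: always succeeds) so a later step could read it back. */
static int module_authenticate(struct fake_pam_handle *h) {
    fake_set_data(h, "vouching_user", "peer-user");
    return PAM_SUCCESS;
}

/* Run the step in a forked child, as the challenge-response conversation does;
 * only the integer status travels back to the parent over a pipe. */
static int run_auth_in_subprocess(struct fake_pam_handle *h) {
    int fd[2], rc = PAM_AUTH_ERR;
    if (pipe(fd) != 0) return PAM_AUTH_ERR;
    pid_t pid = fork();
    if (pid < 0) return PAM_AUTH_ERR;
    if (pid == 0) {                   /* child: modifies its own copy of *h */
        rc = module_authenticate(h);
        _exit(write(fd[1], &rc, sizeof rc) == (ssize_t)sizeof rc ? 0 : 1);
    }
    close(fd[1]);
    if (read(fd[0], &rc, sizeof rc) != (ssize_t)sizeof rc) rc = PAM_AUTH_ERR;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return rc;                        /* the parent's *h was never touched */
}

/* 1 if the subprocess reported success but the stored data is gone (the sshd case). */
int data_lost_across_subprocess(void) {
    struct fake_pam_handle h = {0};
    return run_auth_in_subprocess(&h) == PAM_SUCCESS && fake_get_data(&h, "vouching_user") == NULL;
}
/* 1 when the same step runs in-process (pamtester, su) and the data survives. */
int data_kept_in_process(void) {
    struct fake_pam_handle h = {0};
    return module_authenticate(&h) == PAM_SUCCESS && fake_get_data(&h, "vouching_user") != NULL;
}
```

The contrast is the whole point: the in-process path keeps what the module stored, while the subprocess path reports success but leaves the parent's handle empty, which is why a module that passes state between PAM calls works under pamtester and su but not under sshd's challenge-response path.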


