[Bug 2408] Expose authentication information to PAM

bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 22 21:12:59 AEDT 2017


--- Comment #22 from Vincent Brillault <git at lerya.net> ---
Dear all,

Sorry for the long absence of comment.

We (CERN) have been using RedHat's patch (see e.g.
and it's working perfectly for us (I need to update the github page). I
had seen your commits in June (which made sense but I didn't have time
to review then) but completely missed your commits in July, thanks for
both and sorry for the absence of reply/review.

I've tried to take a look at the patches right now.

I understand that you have added "expose_authinfo" calls to the
do_pam_session & do_pam_account functions to make sure that the data is
up to date at these points in time. I think this was missing in the
patch I submitted, thanks! However, as Radek found out, one important
step is missed: the authentication part of pam.

What is important for the 2FA case is that this variable is set when
calling pam_authenticate, to allow pam modules to make a choice
depending on what already happened. In my case (CERN), it's simply
skipping the standard password authentication part if there was a
successful authentication. Calling "expose_authinfo" just before the
pam thread is started, as proposed by Radek, should resolve this
problem. I have not tested it, but this is what my patch was doing (see
and what RedHat is doing

Sorry again and thanks for all your work,
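The ordering problem discussed in this comment, modelled as an added stand-alone C example (not OpenSSH code and not from anyone in the thread): sshd publishes the completed authentication methods in a temporary file named by an environment variable, and a PAM module reads it during its authenticate step. The variable name `SSH_USER_AUTH`, the one-method-per-line file format, the placeholder key string and all function bodies are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define AUTHINFO_ENV "SSH_USER_AUTH"   /* assumed variable name */
/* Minimal stand-in for sshd's authentication context: one completed
 * method per entry, e.g. "publickey <keytype> <key>" (assumed format). */
struct authctxt { const char *completed[4]; int ncompleted; };

/* Stand-in for expose_authinfo(): write the completed methods to a
 * temporary file and export its path for the PAM stack. 0 on success. */
static int expose_authinfo(const struct authctxt *ctx) {
    char path[] = "/tmp/sshauth.XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); unlink(path); return -1; }
    for (int i = 0; i < ctx->ncompleted; i++)
        fprintf(f, "%s\n", ctx->completed[i]);
    fclose(f);
    return setenv(AUTHINFO_ENV, path, 1);
}

/* Stand-in for the check a PAM module would make in its authenticate
 * step: 1 if a public-key authentication already completed, else 0. */
static int pam_auth_saw_pubkey(void) {
    const char *path = getenv(AUTHINFO_ENV);
    FILE *f = path ? fopen(path, "r") : NULL;
    if (!f) return 0;
    char line[256]; int found = 0;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "publickey ", 10) == 0) found = 1;
    fclose(f);
    return found;
}

/* Run the sshd sequence with expose_authinfo() either before the PAM
 * authentication step (the fix discussed) or only at session/account
 * time (the gap Radek found). Returns what the PAM step observed. */
static int run_sequence(int expose_before_pam_auth) {
    struct authctxt ctx = { { "publickey ssh-ed25519 <key-placeholder>" }, 1 };
    unsetenv(AUTHINFO_ENV);
    if (expose_before_pam_auth && expose_authinfo(&ctx) != 0) return -1;
    int decision = pam_auth_saw_pubkey();      /* pam_authenticate() point */
    if (!expose_before_pam_auth && expose_authinfo(&ctx) != 0) return -1;
    const char *p = getenv(AUTHINFO_ENV);
    if (p) unlink(p);
    return decision;
}
```

`run_sequence(1)` returns 1 (the PAM step sees the prior public-key authentication), while `run_sequence(0)` returns 0 because the file only exists once the session/account calls run.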
