Re: Custom PAM module not working correctly

I actually don't use pam_set_data/pam_get_data directly but it's possible that they're used by the library itself maybe? I use calls like pam_start, pam_end, pam_get_user and pam_authenticate so I assume at least one of them actually uses those (I glanced at their source code but couldn't find anything).

Do you expect this to be fixed in an upcoming release? I saw the patch in the referenced bug report, so I would guess so.

I resolved the issue for now, since I just wanted to authenticate users with a UNIX password, by not using PAM to authenticate them and using getspnam/getpwnam directly, but it could be useful in the future to use other authentication methods.

Thank you for your help.

Best regards,
Diogo Vieira


On Fri, Oct 21, 2016 at 12:17, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
On Thu, Oct 20, 2016 at 12:19 PM, Diogo Vieira <dfv@xxxxxxxxxxx> wrote:
Hello,

I've developed a custom PAM module which only allows a user to authenticate to the server only if another user of the same machine also authenticates successfully. It's currently a simple module which also works as a PAM aware application since it authenticates each user with PAM itself. Both the pamtester utility and su can use this module correctly. However, when I try to use it with my openssh server the authentication fails after the first prompt.

My guess is that you're using pam_set_data/pam_get_data.
Unfortunately this doesn't currently work with challenge-response
authentication because the PAM calls are made in a subprocess that
terminates, and thus the changes are lost. See:

https://bugzilla.mindrot.org/show_bug.cgi?id=688
https://bugzilla.mindrot.org/show_bug.cgi?id=2548

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
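
The failure mode described in the reply above, as an added C model that is not part of the original thread and is not OpenSSH or Linux-PAM code. `struct handle`, `set_data`, `get_data`, the key name and the user name are hypothetical stand-ins for the per-handle storage behind pam_set_data/pam_get_data.

```c
/* Added model: a one-slot stand-in for per-handle module data.
 * All names here are hypothetical; sample values are constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct handle { char key[32]; char val[32]; int used; };

static void set_data(struct handle *h, const char *k, const char *v) {
    snprintf(h->key, sizeof h->key, "%s", k);
    snprintf(h->val, sizeof h->val, "%s", v);
    h->used = 1;
}

static const char *get_data(const struct handle *h, const char *k) {
    return (h->used && strcmp(h->key, k) == 0) ? h->val : NULL;
}

/* First prompt of a two-user module: remember that the first user passed. */
static void first_prompt(struct handle *h) { set_data(h, "first_user_ok", "alice"); }

/* su/pamtester style: every step runs in one process, so the state is kept. */
int state_survives_in_process(void) {
    struct handle h = {0};
    first_prompt(&h);
    return get_data(&h, "first_user_ok") != NULL;
}

/* The case from the thread: the step runs in a child that terminates, so the
 * write lands only in the child's copy of the handle and the parent sees nothing. */
int state_survives_subprocess(void) {
    struct handle h = {0};
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { first_prompt(&h); _exit(0); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return get_data(&h, "first_user_ok") != NULL;
}

int main(void) {
    printf("in-process: %d, subprocess: %d\n",
           state_survives_in_process(), state_survives_subprocess());
    return 0;
}
```
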