Success/Fail bug when calling modules more than once?

I think I'd suggest (downloading Linux-PAM-0.76, and/or) compiling this 
module:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/modules/pam_warn/pam_warn.c?rev=1.2&content-type=text/vnd.viewcvs-markup

And placing it in the pam stack as optional before, between and after 
each line in your auth stack. This should give you some idea of which 
modules are being invoked and which aren't.

What I'm wondering is whether the pam_krb5.so module can be invoked 
twice in the same stack without confusing itself (it might be trampling 
on its own pam_[gs]et_data() items for example...?).

Hope that helps

Andrew


Cole, John wrote:
> Thanks for your response Andrew.
> 
> I'm not sure actually!  How should I go about checking this?  As mentioned,
> the first pam config file below does succeed, so I think auth is the right
> thing to be using.
> 
> John
> 
> -----Original Message-----
> From: Andrew Morgan 
> 
> Are you sure that it is the 'auth' sequence that is causing the failure 
> or the 'setcred' sequence?
> 
> Cheers
> 
> Andrew
> 
> Cole, John wrote:
> 
>>I'm trying to implement login authentication via multiple KRB5 realms for an
>>application.  Currently using RedHat 7.2 with pam-0.75-19.rpm  [Let me know
>>what other version info might be needed!]
>>
>>I'm observing some very strange behavior when using the same module more
>>than once.   Although the module seems to succeed (per debug messages), PAM
>>seems to return failure to the applications.
>>
>>The following PAM file is used with success (which verifies I'm talking to
>>the krb server a-ok)
>>#%PAM-1.0
>>auth        required      /lib/security/pam_env.so debug
>>auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth        required   /lib/security/pam_deny.so debug
>>
>>What I'd like to do is something like:
>>#%PAM-1.0
>>auth        required      /lib/security/pam_env.so debug
>>auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth        sufficient /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
>>auth        required   /lib/security/pam_deny.so debug
>>
>>but it fails every time.
>>
>>I've tried two different things, in an effort to debug WHY this happens. My
>>first thought is that it'd be bad to authenticate again after getting a
>>success.  So I changed things to:
>>
>>#%PAM-1.0
>>auth        required      /lib/security/pam_env.so debug
>>auth        [success=2 default=ok] /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth        [success=1 default=ok] /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
>>auth        required   /lib/security/pam_deny.so debug
>>
>>but that doesn't seem to work as the documentation I've seen indicates; i.e.
>>that we'd skip over B realm if A realm passed.  I think my ultimate solution
>>should be something like this, but I'm not sure where I went wrong.
>>
>>So, in an effort to divide and conquer my problem, I changed to a case that
>>I expected to succeed.  Making two requests to the realm that can
>>authenticate the user.  Debug results from the krb module reports success
>>both times, but PAM still returns failure!!!
>>#%PAM-1.0
>>auth        required      /lib/security/pam_env.so debug
>>auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
>>auth        required   /lib/security/pam_deny.so debug
>>
>>I'm not sure if I've stumbled across 1-2 bugs, or if I'm way off base. Any
>>help would be appreciated!
>>
>>John
> 
> 
> 
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
> 
> 
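The pam_warn placement suggested at the top of this message (optional, before, between and after each auth line) can be generated mechanically. The script below is an added example, not part of the original thread or of Linux-PAM; the names `interleave_pam_warn` and `sample_stack` are hypothetical, and the `/lib/security/pam_warn.so` path is an assumption modelled on the module paths quoted in the thread.

```shell
#!/bin/sh
# Assumed install path for the compiled module; override via the environment.
WARN_MODULE="${WARN_MODULE:-/lib/security/pam_warn.so}"

# Read a PAM service file on stdin and write a copy with an optional pam_warn
# entry before the first auth entry and after every auth entry.
interleave_pam_warn() {
    awk -v warn="auth        optional      $WARN_MODULE" '
        function emit_entry() {          # print the line, note a trailing "\"
            print
            cont = ($0 ~ /\\$/)
        }
        cont {                           # still inside a continued entry
            emit_entry()
            if (!cont && is_auth) print warn
            next
        }
        /^[ \t]*(#|$)/ { print; next }   # comments and blank lines pass through
        {
            is_auth = ($1 == "auth")
            if (is_auth && !seen) { print warn; seen = 1 }
            emit_entry()
            if (is_auth && !cont) print warn   # held back until a continuation ends
        }
    '
}

# The two-realm stack quoted in the thread, used here as sample input.
sample_stack() {
    cat <<'EOF'
#%PAM-1.0
auth        required      /lib/security/pam_env.so debug
auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth        sufficient /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
auth        required   /lib/security/pam_deny.so debug
EOF
}

# Print the instrumented stack for review; nothing is written under /etc/pam.d.
sample_stack | interleave_pam_warn
```

Counting the pam_warn syslog entries produced by one login attempt against the number of inserted lines shows how far down the stack PAM got.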





