Come on - someone must know :-))) Why can't I change the current password (AUTHTOK) using pam_set_item for the other auth modules to see ? Do I need some pam_setcred magic or... ?? Are the other modules getting a pam handle to same pam data or do they get a handle to a copy of the data ? mvh Claus Bruun -----Original Message----- From: pam-list-admin@xxxxxxxxxx [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of CB Maillist Sent: 10. december 2003 12:38 To: pam-list@xxxxxxxxxx Subject: RE: Additional input (second password) during login I implemented it yesterday, but I have problems storing the first part of the password for rest of the modules to see. I using the code. retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password); if (retval != PAM_SUCCESS) { _pam_log(LOG_ERR, "Could not retrive user's password"); return -2; } password2 = strdup(password); password3 = strchr(password2,':'); if (!password3) { _pam_log(LOG_ERR, "Could not retrive user's password (no secureid part found)"); return -2; } *password3++ = 0; retval = user_lookup(username, password3); if retval != 0) { _pam_log(LOG_ERR, "Could not verify user"); return -2; } /* Otherwise, the authentication looked good */ _pam_log(LOG_NOTICE, "user '%s' granted acces from host %s (%s)(%s)", username,rhost,password2,password3?password3:"-"); retval = pam_set_item(pamh,PAM_AUTHTOK,password2); if (retval != PAM_SUCCESS) { _pam_log(LOG_ERR, "Could not set password %1",retval); return -2; } return PAM_SUCCESS; Even though the set_item returns OK set password is not set. When I read AUTHTOK in the next module its still the original twopart password... Any ideas ? mvh Claus Bruun -----Original Message----- From: pam-list-admin@xxxxxxxxxx [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of Tobias Schaefer Sent: 9. december 2003 11:46 To: pam-list@xxxxxxxxxx Subject: RE: Additional input (second password) during login Hi Lucas, > I figured this out already. But as I understand PAM puts the > credentials in a store for all modules to read from. Where should I do > the input of the second password - in my own module ? if you think about local authentication (instead of ssh/sshd) you would use the communication function to provide a second password prompt to the user and get his response. I did this some time ago for an AFS authentication module. > > I considered something like > > 1. inputting the combined password <normalpw><onetimepw> to the login > promt 2. let my onetime password routing kick in first and if remote > is on an external net verifying <onetimepw>. > If ok modify the stored pw by stripping of the onetime part > 3. let the normal auth verify the rest. That should work. A problem might be a length restriction on the password in the communication between ssh and sshd. I don't know what a safe length would be. Tobias -- Tobias Schaefer Phone 07071-9457-0 science + computing ag FAX 07071-9457-27 Hagellocher Weg 71-75 D-72070 Tuebingen Email: T.Schaefer@xxxxxxxxxxxxxxxxxxxx WWW: http://www.science-computing.de/ _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
