Re: FW: Additional input (second password) during login

Allow me to make a stab at this. I am thinking that there COULD be two possibilities.

1) PAM makes a copy of the password provided before supplying it all the way to the library, and pam_set_item() only modifies the temporary instance of it (for this specific module).

2) On a set item, it may not be overwriting the password, but just setting a new entry in an ITEMS table (apache-ish), and that would mean that the other modules get the original (the first entry in a table) password, rather than the modified.

The only alternative that you might have to discover what is truly happening is to look at the pam library source code.

Joe

Redhat.Pam wrote:
Hi

Since I spot some activity in the forum, I'll try to ask once more... :-)

Happy New Year Claus
_______


Why can't I change the current password (AUTHTOK) using pam_set_item for
the other auth modules to see? Do I need some pam_setcred magic or...??
Are the other modules getting a pam handle to the same pam data, or do they
get a handle to a copy of the data?


Best regards
Claus Bruun



-----Original Message-----
From: pam-list-admin@xxxxxxxxxx [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of CB Maillist
Sent: 10 December 2003 12:38
To: pam-list@xxxxxxxxxx
Subject: RE: Additional input (second password) during login



I implemented it yesterday, but I have problems storing the first part
of the password for the rest of the modules to see. I am using this code:


	const char *password = NULL;	/* combined "<normalpw>:<onetimepw>" as typed */
	char *password2, *password3;	/* password2 = normal part, password3 = one-time part */
	int retval;

	retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password);
	if (retval != PAM_SUCCESS || password == NULL)
	{
		_pam_log(LOG_ERR, "Could not retrieve user's password");
		return -2;
	}
	password2 = strdup(password);
	if (!password2)
	{
		_pam_log(LOG_ERR, "Out of memory");
		return -2;
	}
	password3 = strchr(password2, ':');
	if (!password3)
	{
		_pam_log(LOG_ERR, "Could not retrieve user's password (no secureid part found)");
		free(password2);
		return -2;
	}

	*password3++ = 0;	/* cut at the ':' so password2 ends there and password3 starts after it */

	retval = user_lookup(username, password3);

	if (retval != 0)
	{
		_pam_log(LOG_ERR, "Could not verify user");
		free(password2);
		return -2;
	}

	/* Otherwise, the authentication looked good */

	/* NOTE: this debug line writes both secrets to the log; drop it outside testing */
	_pam_log(LOG_NOTICE, "user '%s' granted access from host %s (%s)(%s)",
	         username, rhost, password2, password3);
	retval = pam_set_item(pamh, PAM_AUTHTOK, password2);	/* libpam stores its own copy */
	if (retval != PAM_SUCCESS)
	{
		_pam_log(LOG_ERR, "Could not set password %d", retval);
		free(password2);
		return -2;
	}
	free(password2);
	return PAM_SUCCESS;



Even though set_item returns OK, the password is not set. When I read AUTHTOK in the next module, it is still the original two-part
password...


Any ideas ?


Best regards
Claus Bruun



-----Original Message-----
From: pam-list-admin@xxxxxxxxxx [mailto:pam-list-admin@xxxxxxxxxx] On Behalf Of Tobias Schaefer
Sent: 9 December 2003 11:46
To: pam-list@xxxxxxxxxx
Subject: RE: Additional input (second password) during login


Hi Lucas,

I figured this out already. But as I understand it, PAM puts the
credentials in a store for all modules to read from. Where should I do
the input of the second password - in my own module?


If you think about local authentication (instead of ssh/sshd), you would
use the communication function to provide a second password prompt to
the user and get his response. I did this some time ago for an AFS
authentication module.


I considered something like

1. inputting the combined password <normalpw><onetimepw> at the login
   prompt
2. letting my one-time password routine kick in first and, if the remote
   host is on an external net, verifying <onetimepw>. If OK, modify the
   stored pw by stripping off the one-time part
3. letting the normal auth verify the rest.


That should work. A problem might be a length restriction on the
password in the communication between ssh and sshd. I don't know what a
safe length would be.


Tobias
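As an added example, not code from this thread or from Linux-PAM, the C below shows the token-splitting half of the module Claus posted and the three-step flow Tobias sketches: take "<normalpw>:<onetimepw>" from PAM_AUTHTOK, verify the one-time part, and hand only the normal password on to the modules stacked after it. The function and status names (verify_and_strip, OTP_*), the module name pam_otpsplit.so and the sample password are assumptions made for the example; the libpam calls are shown in a comment so the file builds without libpam. Two caveats worth knowing: in Linux-PAM, pam_set_item() stores its own copy of the string, so the module must free (and should wipe) its own buffer, and pam_authenticate() clears PAM_AUTHTOK when the auth stack finishes, so the stripped password is only visible to modules later in the same pam_authenticate() pass, and the next module must be told to reuse it (use_first_pass for pam_unix).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for the split-and-verify step (names are this example's own). */
enum otp_status {
    OTP_OK = 0,
    OTP_NO_SEPARATOR,   /* no ':' in the combined token */
    OTP_EMPTY_PART,     /* normal password or one-time part is empty */
    OTP_MISMATCH,       /* one-time part did not verify */
    OTP_NOMEM
};

/* Compare two strings without returning at the first differing byte. The
 * lengths are still observable, which is acceptable for a fixed-length code. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Overwrite a secret before freeing it; volatile keeps the loop from being
 * optimised away. */
static void wipe_and_free(char *s)
{
    if (s == NULL)
        return;
    volatile char *p = (volatile char *)s;
    for (size_t n = strlen(s); n > 0; n--)
        *p++ = 0;
    free(s);
}

/* Split on the LAST ':' so a normal password that contains ':' still works
 * (the one-time code is assumed not to contain one), verify the one-time
 * part against expected_otp (a stand-in for the thread's user_lookup()), and
 * on success return the normal password in *pw_out as a fresh allocation the
 * caller must wipe_and_free(). */
int verify_and_strip(const char *combined, const char *expected_otp, char **pw_out)
{
    *pw_out = NULL;
    if (combined == NULL || expected_otp == NULL)
        return OTP_NO_SEPARATOR;

    const char *cut = strrchr(combined, ':');
    if (cut == NULL)
        return OTP_NO_SEPARATOR;

    size_t pwlen = (size_t)(cut - combined);
    const char *otp = cut + 1;
    if (pwlen == 0 || *otp == '\0')
        return OTP_EMPTY_PART;

    if (!ct_equal(otp, expected_otp))
        return OTP_MISMATCH;

    char *pw = malloc(pwlen + 1);
    if (pw == NULL)
        return OTP_NOMEM;
    memcpy(pw, combined, pwlen);
    pw[pwlen] = '\0';
    *pw_out = pw;
    return OTP_OK;
}

/* How a real pam_sm_authenticate() would use it (libpam calls, not compiled here):
 *
 *   const void *item = NULL;
 *   if (pam_get_item(pamh, PAM_AUTHTOK, &item) != PAM_SUCCESS || item == NULL)
 *       return PAM_AUTH_ERR;
 *   char *pw;
 *   if (verify_and_strip((const char *)item, expected, &pw) != OTP_OK)
 *       return PAM_AUTH_ERR;
 *   int rc = pam_set_item(pamh, PAM_AUTHTOK, pw);   -- libpam keeps its own copy
 *   wipe_and_free(pw);
 *   return rc == PAM_SUCCESS ? PAM_SUCCESS : PAM_AUTH_ERR;
 *
 * and the matching stack in /etc/pam.d/sshd (hypothetical module name):
 *
 *   auth  required  pam_otpsplit.so
 *   auth  required  pam_unix.so  use_first_pass
 */

int main(void)
{
    /* Constructed sample: "s3cr:et" is the normal password, "123456" the one-time code. */
    char *pw = NULL;
    int rc = verify_and_strip("s3cr:et:123456", "123456", &pw);
    printf("rc=%d pw=%s\n", rc, pw ? pw : "(none)");
    wipe_and_free(pw);
    return rc == OTP_OK ? 0 : 1;
}
```

The strrchr() choice is the one behavioural difference from the posted code, which cuts at the first ':' and therefore rejects any normal password containing a colon; the constant-time compare only matters when the one-time code is checked locally rather than by a SecurID-style server.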


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
