On 5 Mar 2009, at 10:18 AM, Ian Ward Comfort wrote:
I have a real-world scenario in which I'd like to use pam_succeed_if to skip setcred for some modules under certain circumstances.
On 5 Mar 2009, at 10:45 AM, Thorsten Kukuk wrote:
The way the auth stack is navigated in order to evaluate the pam_setcred() function call, independent of the pam_sm_setcred() return codes, is exactly the same way that it was navigated when evaluating the pam_authenticate() library call.
So what you wish to do is not possible.
On 5 Mar 2009, at 11:12 AM, Ian Ward Comfort wrote:
Ah, thanks; obviously I missed that section. (I must be missing something else, too, as I thought I had my pam_authenticate stack skipping this module, but that's for me to investigate.)
I found the problem, thanks to your pointer. My pam_authenticate stack is skipping the module, but the stack is being navigated in an sshd privsep child. When the pam_setcred stack runs later, in the parent process, the child's state is of course lost, so the whole stack is re-run with no cached retvals and use_cached_chain == _PAM_MAY_BE_FROZEN.
(Actually, the same thing happens without privilege separation on my RHEL 5.3 system; I'm not sure what's happening with the pthreads there.)
So, it looks like in this case, making pam_succeed_if's pam_sm_setcred functional would actually provide the behavior I want. However it also appears that _PAM_MAY_BE_FROZEN is only intended for backward compatibility, so perhaps the fix should really be to OpenSSH, or my distro's build of it. Thoughts?
-- Ian Ward Comfort <icomfort@xxxxxxxxxxxxxxxxxxxx> System Administrator, Student Computing, Stanford University _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
