bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-07  13:05 UTC
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549
            Bug ID: 2549
           Summary: [PATCH] Allow PAM conversation for pam_setcred for
                    keyboard-interactive authentication
           Product: Portable OpenSSH
           Version: 7.1p2
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: tomas.kuthan at oracle.com
Currently OpenSSH runs pam_setcred with the 'fake' conversation function
sshpam_store_conv. If some PAM module actually tries to converse for
pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.
But there are/will be real-world PAM modules that actually need to
converse for pam_setcred. This bug asks for making that possible for
keyboard-interactive authentication.
Allowing pam_setcred conversation for other user auths (pubkey,
password, hostbased, gssapi-with-mic, ...) would be significantly
harder, because for the other auths there is no support for prompts and
replies in the SSH authentication protocol.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
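To show why a store-only conversation cannot serve a module that prompts during pam_setcred, here is an added example (not OpenSSH's code) contrasting a store-only conversation in the spirit of sshpam_store_conv with a keyboard-interactive one that answers prompts from queued client replies. The constants, structs and typedef mirror the PAM conversation API but are defined inline so it builds without libpam; the answer queue is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Minimal mirror of the conversation API in <security/pam_appl.h>, defined
 * here so the example builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct pam_message **, struct pam_response **, void *);
#define IS_PROMPT(m) ((m)->msg_style == PAM_PROMPT_ECHO_OFF || (m)->msg_style == PAM_PROMPT_ECHO_ON)
/* Store-only conversation (like sshpam_store_conv): info/error text could be
 * queued for later, but there is no client to ask, so any prompt must fail. */
static int store_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *data)
{
    (void)data;
    for (int i = 0; i < n; i++)
        if (IS_PROMPT(msg[i])) return PAM_CONV_ERR;
    *resp = NULL; return PAM_SUCCESS;
}
/* Keyboard-interactive conversation: prompts are answered from the queue of
 * replies the client sent; `data` is a NULL-terminated array of answers. */
static int kbdint_conv(int n, const struct pam_message **msg,
                       struct pam_response **resp, void *data)
{
    const char **answers = data;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        if (!IS_PROMPT(msg[i])) continue;           /* info/error: no answer */
        if (*answers == NULL || (r[i].resp = strdup(*answers++)) == NULL) {
            while (i-- > 0) free(r[i].resp);        /* out of replies: unwind */
            free(r); return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Send one constructed echo-off prompt through a conversation function. */
static int run_prompt(conv_fn conv, const char **answers)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Token code: " };
    const struct pam_message *msgs[1] = { &m };
    struct pam_response *resp = NULL;
    int rc = conv(1, msgs, &resp, (void *)answers);
    if (resp != NULL) { free(resp[0].resp); free(resp); }
    return rc;
}
static const char *sample_answers[] = { "123456", NULL }; /* constructed reply */
static const char *no_answers[] = { NULL };
```

The same prompt fails with PAM_CONV_ERR under store_conv but succeeds under kbdint_conv as long as the client has supplied a reply, which is exactly the situation the patch preserves by calling pam_setcred while the real conversation function is still available.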
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-07  13:08 UTC
[Bug 2549] [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549
--- Comment #1 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Created attachment 2797
--> https://bugzilla.mindrot.org/attachment.cgi?id=2797&action=edit
Allow PAM conversation for pam_setcred
This patch moves calling pam_setcred to the end of the actual PAM
authentication, where there still is a real conversation function
available. If pam_setcred was already called, it is not called a second
time in do_pam_setcred.
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-08  09:57 UTC
[Bug 2549] [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549
--- Comment #2 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
I should have noted the following about the proposed patch above:
Although the patch applies, builds and runs standalone, it has an
implicit dependency on the fix for #2548. Without that fix, it only makes
the issue described in #2548 worse: on top of pam_authenticate,
pam_acct_mgmt and pam_chauthtok it would add pam_setcred too into the
separate address space of the auxiliary PAM process. That would cause
some substantive implications, such as an invalid audit context and
damaged audit records.