bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-07 13:05 UTC
[Bug 2549] New: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549

Bug ID: 2549
Summary: [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
Product: Portable OpenSSH
Version: 7.1p2
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: tomas.kuthan at oracle.com

Currently OpenSSH runs pam_setcred with a 'fake' conversation function, sshpam_store_conv. If some PAM module actually tries to converse for pam_setcred, sshpam_store_conv fails with PAM_CONV_ERR.

But there are/will be real-world PAM modules that actually need to converse for pam_setcred. This bug asks for making that possible for keyboard-interactive authentication.

Allowing pam_setcred conversation for other user auths (pubkey, password, hostbased, gssapi-with-mic, ...) would be significantly harder, because for the other auths there is no support for prompts and replies in the SSH authentication protocol.

--
You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-07 13:08 UTC
[Bug 2549] [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549

--- Comment #1 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
Created attachment 2797
--> https://bugzilla.mindrot.org/attachment.cgi?id=2797&action=edit
Allow PAM conversation for pam_setcred

This patch moves the pam_setcred call to the end of the actual PAM authentication, where a real conversation function is still available. If pam_setcred was already called, it is not called a second time in do_pam_setcred.
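The following is an added example, not code from the bug report, the attached patch or OpenSSH itself. It is a small C model of the PAM conversation protocol that shows the problem stated in the report (a module that converses during pam_setcred fails with PAM_CONV_ERR when the only conversation function available cannot reach the client) and the approach described in comment #1 (run setcred at the end of the keyboard-interactive authentication while a real conversation exists, then skip the later call). The PAM constants and structs mirror the public <security/pam_appl.h> API and are restated with Linux-PAM's numeric values (an assumption) so the model builds without libpam; `struct sshpam_ctx`, `module_setcred` and the three entry points are hypothetical names, and the token `"123456"` is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Restated from <security/pam_appl.h> with Linux-PAM's values (assumption),
 * so this model compiles and runs without libpam installed. */
#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* Hypothetical sshd-side PAM glue state (not OpenSSH's real struct). */
struct sshpam_ctx {
    char        buf[256];      /* PAM_TEXT_INFO / PAM_ERROR_MSG queued for the client */
    const char *client_answer; /* client's keyboard-interactive reply; NULL = no channel */
    int         setcred_done;  /* guard so pam_setcred is not called twice */
};

static void free_responses(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

static char *dup_str(const char *s)   /* strdup without relying on POSIX macros */
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    return p ? memcpy(p, s, len) : NULL;
}

/* Conversation handler. Informational text is buffered; a prompt is answered
 * only while a client reply channel exists, otherwise the call fails with
 * PAM_CONV_ERR. With client_answer == NULL this is the store-only behaviour
 * the bug attributes to sshpam_store_conv; with a reply it is the kbd-int one. */
static int sshpam_conv(int n, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata)
{
    struct sshpam_ctx *ctx = appdata;
    struct pam_response *r = calloc(n, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            strncat(ctx->buf, msg[i]->msg, sizeof ctx->buf - strlen(ctx->buf) - 1);
            break;
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (ctx->client_answer && (r[i].resp = dup_str(ctx->client_answer)))
                break;
            /* fall through: nobody can answer, so the module's setcred fails */
        default:
            free_responses(r, n);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Constructed stand-in for a module's pam_sm_setcred that converses:
 * one informational line plus one prompt in a single conversation call. */
static int module_setcred(const struct pam_conv *conv)
{
    struct pam_message m[2] = { { PAM_TEXT_INFO, "Refreshing credentials." },
                                { PAM_PROMPT_ECHO_OFF, "Token: " } };
    const struct pam_message *pm[2] = { &m[0], &m[1] };
    struct pam_response *resp = NULL;
    int rc = conv->conv(2, pm, &resp, conv->appdata_ptr);
    if (rc == PAM_SUCCESS) free_responses(resp, 2);
    return rc;
}

/* Current flow: setcred runs after authentication with no client channel. */
int setcred_with_store_conv(void)
{
    struct sshpam_ctx ctx = { "", NULL, 0 };
    struct pam_conv conv = { sshpam_conv, &ctx };
    return module_setcred(&conv);
}

/* Patched flow (comment #1): setcred at the end of keyboard-interactive
 * authentication, while the client reply is obtainable; record that it ran. */
int setcred_during_kbdint(struct sshpam_ctx *ctx)
{
    struct pam_conv conv = { sshpam_conv, ctx };
    int rc = module_setcred(&conv);
    if (rc == PAM_SUCCESS) ctx->setcred_done = 1;
    return rc;
}

/* Later call site: do not call pam_setcred a second time. */
int do_pam_setcred_later(struct sshpam_ctx *ctx)
{
    if (ctx->setcred_done) return PAM_SUCCESS;
    ctx->client_answer = NULL;            /* the kbd-int exchange is over by now */
    struct pam_conv conv = { sshpam_conv, ctx };
    return module_setcred(&conv);
}

int main(void)
{
    struct sshpam_ctx ctx = { "", "123456", 0 };   /* constructed client reply */
    printf("store-only conv: rc=%d\n", setcred_with_store_conv());
    printf("kbd-int conv:    rc=%d\n", setcred_during_kbdint(&ctx));
    printf("second setcred:  rc=%d skipped=%d\n", do_pam_setcred_later(&ctx), ctx.setcred_done);
    return 0;
}
```

Run as is: the store-only path returns 19 (PAM_CONV_ERR) because the module's prompt has no one to answer it, while the keyboard-interactive path succeeds and sets the guard so the later do_pam_setcred call is skipped rather than repeated with the store-only conversation. The model says nothing about the privilege-separation issue raised in comment #2; it only illustrates the conversation-function half of the problem.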
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-08 09:57 UTC
[Bug 2549] [PATCH] Allow PAM conversation for pam_setcred for keyboard-interactive authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2549

--- Comment #2 from Tomas Kuthan <tomas.kuthan at oracle.com> ---
I should have noted the following about the proposed patch above: although the patch applies, builds and runs standalone, it has an implicit dependency on the fix for #2548. Without that fix, it only makes the issue described in #2548 worse: on top of pam_authenticate, pam_acct_mgmt and pam_chauthtok, it would add pam_setcred too into the separate address space of the auxiliary PAM process. That would have some substantive implications, such as an invalid audit context and damaged audit records.