[OATH-Toolkit-help] pam_oath and openssh


From: Fanis Dokianakis
Subject: [OATH-Toolkit-help] pam_oath and openssh
Date: Mon, 25 Apr 2011 12:49:43 +0300
User-agent: KMail/1.13.6 (Linux/2.6.38-matrix; KDE/4.6.1; x86_64; ; )

Hello to all,

It seems that pam-oath cannot be used out of the box for ssh logins, since I 
always get the following error after successful authentication:
fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

I've used versions 1.4.6 (debian package) and 1.6.2 and I located the problem 
with the pam_sm_setcred() function in pam_oath/pam_oath.c. The openssh server 
probably does not use the same process for pam_sm_authenticate and 
pam_sm_setcred, so it is possible that you cannot check for the return value 
of authentication from within the pam_sm_setcred().

I searched the list archives and some guy in January also mentioned this, so I 
solved this by always returning PAM_SUCCESS from the function. But I do not 
know enough about PAM to be certain whether this is a security hole or whether 
it cripples functionality (Kerberos tickets etc.).

Thank you,
Fanis
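
The situation the message describes, modelled as an added example that is not part of the original post and is not pam_oath or libpam code: an authenticate hook stores its result in process memory, and a setcred hook that relies on that stored result fails when it runs in a different process. The names `model_authenticate`, `model_setcred` and the `M_*` codes are hypothetical stand-ins for the PAM hooks and return codes.

```c
/* Added illustration: a model of per-process module data, NOT libpam/pam_oath code. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { M_SUCCESS = 0, M_CRED_UNAVAIL = 2 };   /* stand-ins for PAM return codes */

static int *stored_auth_result;   /* stand-in for data a module keeps between hooks */

/* Model of the authenticate hook: remember the verdict for a later setcred. */
static int model_authenticate(int otp_ok) {
    stored_auth_result = malloc(sizeof *stored_auth_result);
    if (stored_auth_result == NULL) return M_CRED_UNAVAIL;
    *stored_auth_result = otp_ok ? M_SUCCESS : M_CRED_UNAVAIL;
    return *stored_auth_result;
}

/* Model of a setcred hook that depends on the remembered verdict. */
static int model_setcred(void) {
    if (stored_auth_result == NULL) return M_CRED_UNAVAIL;  /* nothing stored here */
    return *stored_auth_result;
}

/* Both hooks run in one process: setcred sees what authenticate stored. */
int same_process_flow(int otp_ok) {
    free(stored_auth_result); stored_auth_result = NULL;
    model_authenticate(otp_ok);
    return model_setcred();
}

/* Authenticate in a forked child, setcred in the parent (the split the post suspects). */
int split_process_flow(int otp_ok, int *auth_status) {
    free(stored_auth_result); stored_auth_result = NULL;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(model_authenticate(otp_ok));  /* child's memory dies with it */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    *auth_status = WEXITSTATUS(status);  /* in this model the verdict returns via exit status */
    return model_setcred();              /* parent never saw the stored value */
}

int main(void) {
    int auth = -1;
    printf("same process:  setcred=%d\n", same_process_flow(1));
    printf("split process: setcred=%d auth=%d\n", split_process_flow(1, &auth), auth);
    return 0;
}
```

In the split flow the setcred model fails even though authentication succeeded, which matches the symptom reported above; the model says nothing about how the OpenSSH server is actually structured.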
